GDPR transparency notice

Privacy and data protection

RehabVision processes special-category health data under GDPR Articles 6, 9, and 89. This notice explains who we are, what data we handle, why, for how long, with whom we share it, and how you can exercise your rights.

Last updated: 2026-04-15 · Version: v0.1-draft

Our promises

Privacy by default, not by exception

Four guarantees that shape how we built RehabVision. Click any card to read the underlying detail.

Controller and Data Protection Officer

Data controller

Solutia s.r.o.

IČO 27080395 · DIČ CZ27080395

Vršovická 1461/64
101 00 Praha 10
Czech Republic
+420 267 316 318

Data Protection Officer

Vojtech Kubka

Data Protection Officer

Vršovická 1461/64
101 00 Praha 10
Czech Republic
+420 267 316 318

Where your data goes

Three nodes, no detours. RehabVision does not share data with advertising networks, social platforms, or analytics providers.

Your device

Camera capture happens on your phone or webcam. Raw video stays local until you submit a session.

Solutia EU

Pose estimation and exercise scoring run on EU-hosted servers. Tenant data is isolated by row-level security.

Your clinician

Only your clinical team can read your session results. Platform operators see no clinical content without break-glass approval.

No third-party trackers · No marketing pixels · No data sales

The life of your data

Two retention bands enforced automatically by the platform's scheduled retention jobs.

Raw video
BRULE-04

≤ 12 months

Used only for AI inference, then deleted (BRULE-04).

Anonymised outputs
BRULE-05

≤ 10 years

Stick-figure overlays + CSV metrics for research and clinical follow-up (BRULE-05).

Who else processes your data

A short, audited list. Each provider is bound by an Article 28 processing agreement and the same security obligations as Solutia.

Confirmed partners (2 of 5)

Project administration & coordination

Confirmed

FT Park z.ú.

Pardubice, Czech Republic

Joint controller for the clinical relationship under a Phase F3 data processing agreement.

Research partner

Confirmed

Auckland University of Technology

Auckland, New Zealand

Receives anonymised aggregates only, bound by a research-data agreement.

In selection (3 of 5)

Hosting

In selection

Application and database hosting

EU region · Provider in procurement

Email

In selection

Transactional email delivery

EU region · Provider in procurement

Monitoring

In selection

Application error monitoring

EU region · Provider in procurement

Your GDPR rights — exercise one now

Click any right to open a pre-filled email to our Data Protection Officer. We respond within one month under Article 12(3).

Detailed reference

Full Article 13/14 disclosure. Sections are collapsed by default — click to expand the one you need. This part of the page is intended for Data Protection Officers, regulators, and clinical IT teams.

§01 Overview

RehabVision is a knee-rehabilitation telemedicine platform operated by Solutia s.r.o. as the data controller. Because the platform processes special-category health data within the meaning of GDPR Article 9, this notice goes beyond what a typical SaaS publishes. The platform is currently in pre-pilot phase; live patient data is processed only at participating clinics that have signed a data processing agreement with Solutia.

§02 Controller and Data Protection Officer

The data controller for the RehabVision platform is Solutia s.r.o. The Data Protection Officer is the single point of contact for any privacy-related question, request, or complaint about the platform itself. Where the platform is used inside a clinic, the clinic is typically the controller for the clinical relationship and Solutia acts as a processor under Article 28; that arrangement is documented in the clinic's data processing agreement.

§03 Personal data we process

We process the following categories of personal data. Special-category (health) data is highlighted; processing of those categories is subject to the additional safeguards in Article 9.

| Category | Examples | Purpose |
| --- | --- | --- |
| Account and profile | Name, email address, password hash, role, preferred locale, time zone | Account creation, authentication, role-based access, language and time-zone preferences |
| Session metadata (health) | Exercise type, timestamp, range-of-motion angles, correctness flags, pain score, clinician notes | Recording the rehabilitation session, generating progress reports, supporting clinical follow-up |
| Raw video (health) | Short-lived video captured during a session for AI inference | Pose estimation and exercise quality scoring; deleted within 12 months (BRULE-04) |
| Anonymised outputs | Stick-figure overlay video, CSV time series of joint angles, aggregated correctness statistics | Long-term clinical follow-up, scientific research under Article 89; retained up to 10 years (BRULE-05) |
| Audit log | Pseudonymised actor and subject identifiers, action type, timestamp, outcome | Accountability under Article 5(2); incident response; supervisory authority requests |

§04 Legal basis

Account creation and platform use rest on contractual necessity (Article 6(1)(b)). Processing of health data rests on the patient's explicit informed consent (Article 9(2)(a)) and, where applicable, on processing necessary for the provision of health care under the responsibility of a health professional (Article 9(2)(h)). Anonymised outputs may be further processed for scientific research under Article 9(2)(j) read with Article 89, with the safeguards described in §13. Consent can be withdrawn at any time; past processing remains lawful, and withdrawal does not affect data already irreversibly anonymised.

§05 Retention periods

Each category is retained only as long as necessary for the purpose for which it was collected. Retention periods are enforced automatically by scheduled retention jobs (UC-ADM-06).

| Category | Period | Basis |
| --- | --- | --- |
| Account and profile | Lifetime of relationship + 3 years | Statute of limitations for contractual claims [DRAFT — confirm] |
| Session metadata | Up to 10 years | Clinical record retention; aligns with anonymised outputs |
| Raw video | ≤ 12 months | BRULE-04 — minimisation; deleted as soon as AI inference is complete and the operator has reviewed the result |
| Anonymised outputs | Up to 10 years | BRULE-05 — scientific research and clinical follow-up under Article 89 |
| Audit log | 10 years | Accountability and supervisory authority access [DRAFT — confirm] |
| Backups | 30 days | Operational recovery; backups are encrypted and not used for active processing [DRAFT — confirm] |

Account, audit and backup periods are operating proposals and need formal sign-off before publication. Raw video and anonymised periods are fixed by BRULE-04/05 and the platform's retention scheduler.

§06 Recipients and sub-processors

We engage a small number of sub-processors strictly necessary to operate the platform. Each sub-processor is bound by a written contract under Article 28, processes data only on documented instructions, and is subject to the same security obligations as Solutia. The current list is below.

| Role | Provider | Location |
| --- | --- | --- |
| Application and database hosting | [Provider to be confirmed] | EU region |
| Transactional email delivery | [Provider to be confirmed] | EU region |
| Application error monitoring | [Provider to be confirmed] | EU region |
| Joint controller for the clinical relationship under a Phase F3 data processing agreement. | FT Park z.ú. | Pardubice, Czech Republic |
| Receives anonymised aggregates only, bound by a research-data agreement. | Auckland University of Technology | Auckland, New Zealand |

Hosting, email and monitoring providers are pending procurement decisions. The list will be finalised before the first live patient signs up and republished here whenever it changes.

§07 International data transfers

Personal data is processed and stored within the European Economic Area. Anonymised aggregate research metrics may be shared with the Auckland University of Technology research partner in New Zealand. Where a transfer of personal (non-anonymised) data outside the EEA is unavoidable, the transfer is governed by Standard Contractual Clauses adopted by the European Commission under Article 46(2)(c). [DRAFT — confirm transfer scope and mechanism with DPO and AUT counsel]

§08 Security measures

We apply the technical and organisational measures required by Article 32, taking into account the state of the art and the special-category nature of the data. The current measures include:

  • Encryption in transit using TLS 1.3 for every connection.
  • Encryption at rest for the application database and backups.
  • Per-tenant row-level security in the database, so a clinic can only see its own data even in the event of an application bug.
  • Authentication based on JWT bearer tokens with short expiry, rotation, and server-side invalidation on suspend / role change.
  • Multi-factor authentication required for elevated platform-operator access (UC-TEN-08 break-glass).
  • Append-only audit log for every action that touches health data, with pseudonymised subject identifiers (BRULE-10).
  • Role-based access control with least-privilege defaults; tenant isolation enforced at API and database level.
  • Independent penetration test before each major release [DRAFT — confirm cadence].
  • Data Protection Impact Assessment under Article 35 completed before the clinical pilot begins.

§09 Your rights

Under the GDPR you have the following rights, which you can exercise by contacting our DPO (see §02):

  • Access (Art. 15): Confirmation of whether we process data about you, and a copy of that data.
  • Rectification (Art. 16): Correction of inaccurate data, including completion of incomplete data.
  • Erasure (Art. 17): Deletion of personal data, subject to overriding obligations such as clinical record-keeping.
  • Restriction (Art. 18): Limitation of further processing while a dispute is being resolved.
  • Portability (Art. 20): A machine-readable export of data you provided to us.
  • Objection (Art. 21): Objection to processing based on legitimate interests, including profiling.
  • Withdraw consent (Art. 7(3)): Withdrawal of consent at any time; past processing remains lawful.
  • Complaint (Art. 77): Lodge a complaint with the Czech Office for Personal Data Protection (ÚOOÚ) at uoou.gov.cz, or with the supervisory authority of your habitual residence or place of the alleged infringement.

Requests are handled within one month under Article 12(3). We may extend the period by two further months for complex requests and will tell you why if we do.

§10 Automated decision-making

RehabVision uses AI to score the execution quality of rehabilitation exercises (range of motion, correctness, repetition count). The output is presented to the clinician as decision support and to the patient as feedback, but it is not a sole automated decision producing legal or similarly significant effects within the meaning of Article 22(1). A clinician reviews the AI output before it informs any clinical action, and the patient retains the right to a human review of any concern.

§11 Children's data

Where the platform is used in paediatric rehabilitation, the clinic acting as controller is responsible for obtaining and recording the consent of the holder of parental responsibility under Article 8 and applicable national rules. Solutia processes paediatric session data only on the documented instructions of the clinic and applies the same retention and security measures as for adult data. [DRAFT — confirm with paediatric pilot partners]

§12 Cookies and analytics

The website and the workspace set only the cookies strictly necessary for authentication, session continuity, and CSRF protection. We do not use marketing trackers and do not embed third-party analytics. The locale toggle stores a preference cookie (NEXT_LOCALE) so that the chosen language survives across visits. [DRAFT — confirm before publication]

§13 Use of data for scientific research

Anonymised outputs (stick-figure overlay video, CSV time series, aggregated metrics) may be used for scientific research under Article 9(2)(j) and Article 89, with the following safeguards: pseudonymisation at source (BRULE-10), append-only audit logging of every read, pre-approved Data Management Plan versions, FAIR-formatted exports controlled by access policy, and a contractual prohibition on re-identification. The platform never exposes raw video or directly identifying information for research purposes.

§14 Personal data breaches

Personal data breaches are handled under Article 33 and Article 34. We notify the supervisory authority (ÚOOÚ) without undue delay and, where feasible, within 72 hours of becoming aware of a breach likely to result in a risk to the rights and freedoms of natural persons. Where a breach is likely to result in a high risk, we notify affected data subjects directly. The DPO maintains the breach register required by Article 33(5).

§15 Changes to this notice

Material changes to this notice are announced on this page with a new version number and last-updated date. Where the change affects data subjects, we notify affected users by email or in-product notification before the change takes effect.

Version history

  • v0.1-draft · 2026-04-15 · Initial draft for DPO review.
