GPEP Privacy policy

28th Jan 2021

Our aim at GPEP Ltd (“we, us, GPEP”) is to provide accessible and affordable general muscle and joint health advice to enable you to start your rehab journey. GPEP is not a healthcare provider and does not screen content posted by healthcare providers.

Your privacy is also very important to us and we take our obligations under applicable data protection law very seriously (including the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 (“DPA”)).

Please take time to read this policy (“Privacy Policy”) to understand how GPEP collects, uses and shares personal information when providing our services via our mobile application and website (“Services”).

Please also read our Terms of Service, which set out the terms governing the Services.

Who we are

The GPEP app and website are products of GPEP LTD, a registered company (Number 10480769).

We are registered with the Information Commissioner’s Office (“ICO”) under registration number ZA790045 and you can view more information about our registration online.

What Information we collect and how we use it

The information you provide us

To monitor use of our services we ask users to create an account in order to access the app and website. To create an account, we ask you to provide a username and your email address. We do not share your email address but may use it to send you technical notices, updates, security alerts, and support and administrative messages and to respond to your comments, questions, and customer service requests.

We do not share your username outside of the platform; however, if you choose to participate in the My community function of the app then your username and profile information, including picture and rehab graphs, are visible to other users, so you should use caution in deciding what name to use. We believe that there are significant benefits from peer support achieved by completing your rehab as part of a community. You can choose not to share your profile in the ‘My community section’ and would therefore not be visible to other users. It will, however, still be visible to the healthcare provider of the classes you attend and the videos you view. They will be able to connect with you by using the ‘like’ and ‘messaging’ functions on your profile page.

We do not collect or process credit or debit card (“Payment Card”) data. Apple and Google collect Payment Card data with respect to subscription purchases made through the Apps, and our payment processor collects Payment Card data with respect to purchases made through the Websites. Such payment processors generally provide us with some limited data related to you, such as a unique, anonymous token that enables you to make additional purchases using the data they’ve stored, and your card’s type, expiration date, billing address, and the last four digits of your card number.

Information about your rehab

We collect information about the exercise sections, classes and videos you select, your progress, your exercise completion rate, the ‘likes’ & comments that your profile makes and receives, your video and class ratings and chat made during live classes. Whatever you do, we collect and store information about that activity.

We use the information we collect to provide, maintain, and improve our Services. For example, we use the information on your profile page to let you connect and engage with other users in the ‘My community section’; we enable healthcare providers to monitor attendance, views, ratings and chat relating to the content they provide; and we use aggregated and anonymised video ratings/views as feedback to improve the standard of self-care guidance that both we and the health providers using the platform provide.

Information automatically collected

When you access or use our Services, we automatically collect information about you, including:

  • Log Information: We collect log information about your use of the Services, including the type of browser you use, app version, access times, pages viewed, your IP address and the page you visited before navigating to our Services.
  • Device Information: We collect information about the computer or mobile device you use to access our Services, including the hardware model, operating system and version, unique device identifiers, and mobile network information.

How do we use your information?

We use the information we collect for the following purposes:

  • To provide the Services to you;
  • Monitor and analyse trends, usage, and activities in connection with our Services;
  • Detect, investigate, and prevent fraudulent transactions and other illegal activities and protect the rights and property of GPEP and others;
  • Personalise and improve the Services and provide advertisements, content, or features that match user profiles or interests;
  • Carry out any other purpose described to you at the time the information was collected.

Legal Basis for Processing Personal Data under the General Data Protection Regulation (GDPR)

If you are from the European Economic Area (EEA), GPEP Ltd’s legal basis for collecting and using the personal information described in this Privacy Policy depends on the Personal Data we collect and the specific context in which we collect it.

GPEP Ltd may process your Personal Data because:

  • We need to perform a contract with you
  • You have given us permission to do so. We rely on your explicit consent to collect and use personal information concerning your general muscle and joint health. Where we rely on your consent to collect and use your information you are not obliged to provide your consent and you may choose to subsequently withdraw your consent at any stage once provided. However, where you refuse to provide information that we reasonably require to provide the Services, we may be unable to offer you the Services and/or we may terminate the Services provided with immediate effect
  • The processing is in our legitimate interests (e.g. in providing the Services, operating our business and managing and developing our relationships with customers; understanding and responding to queries; improving our Services; understanding how you and our customers use our Services). Where we rely on this legal basis, we shall take appropriate steps to ensure the processing does not infringe the rights and freedoms conferred to you under the GDPR and DPA
  • Processing is necessary to enable us to meet our legal and regulatory obligations, and for preventing and detecting fraud.

Sharing your personal data

In addition to providing general rehabilitation exercises and advice we enable you to connect with other users within a virtual environment (Community Rehab section). This means that GPEP is a social platform and that your profile information, information about the exercise programmes you complete, the videos you view, the classes you attend and your progress are shared with other users and healthcare providers registered to use the GPEP platform. You can choose not to share this information through the setting option on your profile or by logging out of the community rehab section.

We do not share your information outside of GPEP community rehab except in the following circumstances:

With vendors, consultants, and other service providers who need access to such information to carry out work on our behalf;

In response to a request for information if we believe disclosure is in accordance with, or required by, any applicable law or legal process, including lawful requests by public authorities to meet national security or law enforcement requirements;

If we believe your actions are inconsistent with our user agreements or policies, or to protect the rights, property, and safety of GPEP or others; and

In connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business by another company.

We may also share aggregated information, which cannot reasonably be used to identify you.

How we store and protect your information

We store your data on servers located within the UK.

GPEP takes appropriate technical and organisational measures to protect your (personal) data against loss or any form of unlawful use. Because of the medical nature of some of the personal data, GPEP has incorporated a very high level of security.

To protect the confidentiality and integrity of your personal data, we:

  • Have internal policies that keep your data private and confidential.
  • Limit information access inside our company to the absolute minimum necessary.
  • Use an electronically and physically secured data center.
  • Use a firewall which blocks access by attackers and unauthorized users.
  • Require all of our users to choose strong passwords.
  • Use a world-class CDN (content distribution network) which filters out possible attackers.
  • Use state-of-the-art development and testing systems.
  • Use best-in-class server management technologies.

Data retention

Any personal data that we collect from you (whether submitted directly or collected through your use of our system) will be reviewed on a regular basis to ensure that we only continue to store and process it under lawful grounds and for an appropriate time period.

Data collected through your use of our system will be stored for up to 2 years after you terminate your use of our services for the purpose of being able to reactivate the licence if needed, or in order to respond to any complaints / queries that may arise.

Your rights

You have certain rights in relation to the personal data we hold about you. Some of these only apply in certain circumstances as set out in more detail below. We also set out how to exercise those rights. Please note that we will require you to verify your identity before responding to any requests to exercise your rights. We must respond to a request by you to exercise those rights without undue delay and within one month (although this may be extended by a further two months in certain circumstances). To exercise any of your rights, please email

The right to be informed - We review this policy routinely to ensure that it is up to date in informing you about the data we collect and why, how we use it, the legal basis for doing so, whether it is shared and who with, how it is stored and for how long, and how we protect your data.

The right of access- You have the right to know whether we process personal data about you and, if we do, to access personal data we hold about you and certain information about how we use it and who we share it with. Your right of access can be exercised by contacting us at

The right to rectification - You have the right to correct any personal data held about you that is inaccurate. Where you request correction, please explain in detail why you believe the personal data we hold about you to be inaccurate or incomplete so that we can assess whether a correction is required. Please note that whilst we assess whether the personal data we hold about you is inaccurate or incomplete, you may exercise your right to restrict our processing of the applicable data as described below.

The right to erasure- You may request that we erase the personal data we hold about you in the following circumstances:

You believe that it is no longer necessary for us to hold the personal data we hold about you.

We are processing the personal data we hold about you on the basis of your consent, and you wish to withdraw your consent and there is no other ground under which we can process the personal data.

We are processing the personal data we hold about you, your emergency contacts, and your family and friends on the basis of our legitimate interest and you object to such processing.

You no longer wish us to use the personal data we hold about you in order to send you marketing information such as news or invitations to events.

You believe the personal data we hold about you is being unlawfully processed by us.

Also note that you may exercise your right to restrict our processing of the data whilst we consider your request as described below.

Please provide as much detail as possible on your reasons for the request to assist us in determining whether you have a valid basis for erasure. Please note, however, that we may retain the personal data if there are valid grounds under law for us to do so (for example, for the defence of legal claims or freedom of expression) but we will let you know if that is the case.

You may also contact us in order to provide us with specific instructions regarding the conservation, deletion, and/or communication of your personal data in the event of your death.

The right to restrict processing - You have a right to require us to stop processing the personal data we hold about you other than for storage purposes in certain circumstances. Please note, however, that if we stop processing the personal data, we may use it again if there are valid grounds under data protection law for us to do so (for example, for the defence of legal claims or for another’s protection).

You may request we stop processing and just store the personal data we hold about you where:

You believe the personal data is not accurate for the period it takes for us to verify whether the data is accurate.

We wish to erase the personal data as the processing we are doing is unlawful, but you want us to retain the personal data to store it but not to process it.

We wish to erase the personal data as it is no longer necessary for our purposes, but you require it to be stored for the establishment, exercise, or defence of legal claims.

You have objected to us processing personal data we hold about you on the basis of our legitimate interest, and you wish us to stop processing the personal data whilst we determine whether there is an overriding interest in us retaining such personal data.

The right to data portability- You have the right to receive a subset of the personal data we collect from you in a structured, commonly used, and machine-readable format, and a right to request that we transfer such personal data to another party. The relevant subset of personal data is data that you provide us with your consent or for the purposes of performing our contract with you.

If you wish for us to transfer the personal data to another party, please ensure you detail that party and note that we can only do so where it is technically feasible. We are not responsible for the security of the personal data or its processing once received by the third party. We also may not provide you with certain data if providing it would interfere with another’s rights (e.g. where providing the personal data we hold about you would reveal information about another person or our trade secrets or intellectual property).

The right to object- At any time, you have the right to object to our processing of data about you in order to send you marketing, including where we build profiles for such purposes, and we will stop processing the data for that purpose.

You also have the right to object to our processing of data about you and we will consider your request in the circumstances as detailed below if you contact us at

You may object where:

We are processing the data we hold about you (including where the processing is profiling) on the basis of our legitimate interest and you object to such processing. Please provide us with detail as to your reasoning so that we can assess whether there is a compelling overriding interest in us continuing to process such data or we need to process it in relation to legal claims.

We are processing the data on the basis of historical/scientific research or statistics and you have a particular reason to object. Your right would not apply where we have been tasked with, and it is necessary for us to undertake, such processing in the public interest.

A right to restriction of processing- in some cases, you have the right to obtain restriction of the processing of your personal data.

You have a right to data export - you have the right to receive the personal data concerning you which you have provided to GPEP, in a structured, commonly used and machine-readable format, and you have the right to transmit those data to another controller without hindrance from GPEP. This right only applies when the processing of your personal data is based on your consent or on a contract and such processing is carried out by automated means.

A right to lodge a complaint with the competent supervisory authority: you have the right to contact the supervisory authority to complain about GPEP’s personal data protection practices.

A right to give instructions concerning the use of your data after your death: as required by applicable law, you may have the right to give GPEP instructions concerning the use of your personal data after your death. To exercise one or more of these rights, you can email

You may access your personal data to modify or update at any time via an online account, or by emailing

We will respond to your request in a reasonable timeframe in accordance with applicable law.

Children’s Privacy

Our Service does not address anyone under the age of 18 (“Children”).

We do not knowingly collect personally identifiable information from anyone under the age of 18. If you are a parent or guardian and you are aware that your Child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from children without verification of parental consent, we take steps to remove that information from our servers.

Changes to this Privacy Policy

This Privacy Policy is not contractual, and we reserve the right to reasonably amend it from time to time to ensure it continues to accurately reflect the way we collect and use personal information about you. Any updates or changes to this Privacy Policy will be made available to you. You should periodically review this Policy to ensure you understand how we collect and use your personal information.

This Privacy Policy was last updated on [01/04/2021]


If you have any questions about this Privacy Policy, please contact us at

Data Protection Officer,
20B Westlands Grove,
Hampshire, PO16 9AD