Extensor Privacy Policy
Latest revision: 19 May 2025
1 · Who we are
Extensor Applications LTD (“Extensor,” “we,” “our”) develops and operates the Extensor mobile and web platform. Physiotherapists use the platform to record, review and manage patients’ home-exercise videos.
- Registered office: 71-75 Shelton Street, London, WC2H 9JQ, United Kingdom
- Contact e-mail: support@extensor.app
Role under data-protection law. When Extensor handles information about physiotherapists themselves—such as account credentials, subscription details or billing records—Extensor acts as the data controller under the EU GDPR, the UK GDPR and comparable laws. When a physiotherapist uploads or records patient data (for example a video of an exercise session), the physiotherapist is the data controller and Extensor is the data processor that processes that material strictly on the physiotherapist’s instructions.
2 · What personal data we collect and why we use it
2.1 Account and profile information
When you sign up for Extensor, we ask for your name, e-mail address, practice name and other details that identify you or your clinic. We need this information to create and administer your account, authenticate you, display the correct practice name in the app, and send essential service messages (for example “reset your password” or “your subscription is about to renew”). The lawful basis for this processing is performance of a contract (Article 6 (1)(b) GDPR).
2.2 Patient exercise data and health information
Physiotherapists may record or upload videos, still images, range-of-motion notes and other exercise-related information about their patients. Such content can include health data, which under the GDPR is classed as “special category” data. The physiotherapist must obtain the patient’s consent, and where health information is involved that consent must be explicit (Article 9 (2)(a) GDPR). Extensor processes this content solely to deliver the core features of the service: hosting the media securely, synchronizing it between devices and allowing the physiotherapist to review progress.
2.3 Device information and log data
Whenever you use the app or website, we automatically collect technical data such as your device’s IP address, unique device identifier, operating-system version, the time you accessed the service, and crash or error logs. We process these items because we have a legitimate interest in keeping Extensor reliable, preventing fraud and understanding how our users interact with the service.
2.4 Payment information
Subscriptions are processed via Stripe or another PCI-DSS-compliant gateway. Extensor itself never stores full card numbers; we receive only limited details, such as the last four digits and a transaction identifier. We need these records to bill you, apply VAT/GST correctly and satisfy our legal obligations under accounting and tax law.
2.5 Cookies, SDKs and analytics identifiers
The mobile and web apps incorporate Firebase Analytics, Google services, Expo push-notification SDKs and (if you enable it) Meta/Facebook login or analytics. Depending on the jurisdiction, certain analytics or marketing cookies require consent; where that is the case, Extensor honours your choice and will not set optional cookies unless you opt in. Our legitimate interest in running usage analytics is to improve performance, diagnose problems and plan new features.
3 · How we share data and where it travels
Extensor does not sell personal data. We disclose information only to carefully selected sub-processors that help us deliver the service:
- Google Cloud / Firebase — hosting, encrypted storage, analytics, crash reporting
- Stripe — secure payment processing
- Expo — mobile build pipeline and push-notification delivery
- Meta (Facebook) — optional social-login and analytics (enabled only by the clinic)
Each sub-processor is bound by a written data-processing agreement that imposes GDPR-compliant confidentiality and security obligations. Whenever data is transferred outside the UK or EU/EEA, we rely on the EU Standard Contractual Clauses (SCCs) together with the UK International Data-Transfer Addendum where applicable, or another recognized transfer mechanism.
4 · Retention periods
- Physiotherapist account data is stored while the account remains open and for six years afterwards—the ordinary limitation period for contractual claims.
- Patient exercise files stay in Extensor until the physiotherapist deletes them or asks us to remove them. Encrypted backups are retained for a maximum of 30 days longer to guard against accidental loss, after which they are automatically purged.
- Analytics and log data are kept in identifiable form for 24 months and then aggregated or anonymised.
- Financial and tax records must, by law, be preserved for seven years.
5 · Children and parental consent (patients under 16)
5.1 Absolute restriction on patients under 13
Extensor must not be used with patients who are younger than thirteen (13) years old. Recording, uploading or processing data for anyone below that age is prohibited.
5.2 Written consent for patients aged 13–15
If a patient is at least 13 but still under 16, the treating physiotherapist must first obtain verifiable, written permission from the patient’s parent or legal guardian. The consent document must:
- Explain clearly what personal data will be collected and why;
- Reference this Privacy Policy so that the parent/guardian can review it;
- Contain the dated signature (wet-ink or qualified e-signature) of the parent/guardian.
The physiotherapist must retain the signed consent for a minimum of six (6) years after the patient’s data has been deleted from Extensor, or for any longer period required by local medical-records regulations. Extensor reserves the right to demand proof of consent and may suspend an account that fails to provide it. This policy aligns with the GDPR’s child-consent rules (which allow Member States to set the age up to 16) and with COPPA’s “verifiable parental consent” standard for users under 13 in the United States.
6 · Security measures
Extensor employs industry-standard safeguards, including:
- TLS 1.2+ encryption for all data in transit;
- AES-256 encryption for all media and database content at rest;
- Strict role-based access control—staff can view data only when required for support or maintenance, and every access is logged;
- Policies and procedures aligned with ISO-27001 best practice;
- Regular penetration tests by independent specialists;
- A documented incident-response plan that promises to notify affected users and (where legally required) supervisory authorities within 72 hours of discovering a personal-data breach.
7 · Your privacy rights
Depending on your location, you may have the right to:
- Access the personal data Extensor holds about you;
- Rectify inaccurate or incomplete data;
- Erase certain data (“right to be forgotten”);
- Restrict or object to specific processing activities;
- Port your data to another service in a machine-readable format;
- Withdraw consent where processing is based on consent;
- Lodge a complaint with a supervisory authority (for example, the UK Information Commissioner’s Office).
To exercise any of these rights, contact us at support@extensor.app. We aim to respond within 30 days.
8 · Regional add-ons (California and others)
Extensor does not sell personal information in the sense defined by the California Consumer Privacy Act (CCPA) or similar state laws. Residents of California, Colorado, Virginia and any other jurisdiction that grants additional privacy rights may request:
- Disclosure of categories and specific pieces of personal information we have collected;
- Deletion of personal information (subject to statutory exceptions);
- Opt-out of any future sale of personal information (not applicable, but the right is honoured).
Requests can be submitted to support@extensor.app. We will not discriminate against you for exercising a statutory privacy right.
9 · Changes to this policy
We may revise this Privacy Policy from time to time. If a change reduces your rights or introduces a new purpose for processing, we will give you at least 14 days’ notice by e-mail or an in-app banner before the new terms take effect. The most recent version is always available at extensorapp.com/privacy.