Privacy Policy

1. Introduction

Open Doors Access ("ODA," "we," "our," or "us") is an AI-powered physiotherapy platform that connects patients with licensed physiotherapists and delivers personalised exercise rehabilitation programmes. This Privacy Policy describes how ODA collects, uses, stores, and protects information obtained through our platform and related services (collectively, the "Services").

By creating an account or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described here, please do not use our Services.

2. Information We Collect

2.1 Account Information

When you register, we collect your full name, email address, password (hashed, never stored in plain text), phone number, state of residence, and your role on the platform (patient or physiotherapist).

2.2 Health Information

To generate your personalised rehabilitation programme, we collect health-related information you provide during onboarding and monthly check-ins, including your condition or injury, pain levels, mobility, goals, and any concerns you share with your physiotherapist. This information is sensitive and is treated with the highest level of care.

2.3 Session and Activity Data

We record your completed exercise sessions, programme progress, and session feedback to track your rehabilitation and improve your programme over time.

2.4 Communications

Messages exchanged between patients and physiotherapists through the ODA platform are stored to support continuity of care.

2.5 Usage Data

We automatically collect technical data including pages visited, features used, session duration, browser type, operating system, and error logs. This data is used to maintain platform security and improve the Services.

2.6 Physiotherapist Credentials

For physiotherapists, we collect professional information including specialisation, licence number, years of experience, and any credential documents uploaded for verification.

2.7 Camera and Form Coaching Data

When you use the Form Coaching feature, your device camera is used to analyse your exercise technique in real time. Your camera feed is processed entirely on your device — no video footage is ever transmitted to ODA's servers or stored. The feature uses on-device pose detection (MediaPipe) to identify joint positions and movement patterns.

The only data we store from Form Coaching sessions is derived, anonymised information: form quality scores, detected joint angle summaries, and AI-generated text feedback. This data is stored against your session record to track your rehabilitation progress and is subject to the same protections as your other health information.

Camera access is optional. You will be explicitly prompted to grant permission before the feature activates, and you may decline without affecting any other part of the Services. You can revoke camera access at any time in your browser or device settings.

3. How We Use Your Information

• Service Delivery: To generate and personalise AI-powered rehabilitation programmes, facilitate physiotherapist review, and deliver your sessions.
• Communication: To send booking confirmations, session reminders, programme updates, and service-related notifications.
• Clinical Oversight: To enable your linked physiotherapist to review, approve, and adapt your programme.
• Security: To monitor for unauthorised access and maintain the integrity of the platform.
• Product Improvement: To analyse aggregated, de-identified usage patterns to improve the Services.
• Legal Compliance: To comply with applicable laws and regulations, including the Nigeria Data Protection Regulation (NDPR).

ODA does not sell, rent, or trade your personal or health information to third parties for marketing or advertising purposes.

4. Legal Basis for Processing

• Consent: You provide explicit consent to the collection of health data during onboarding.
• Contractual Necessity: Processing required to deliver the Services you have signed up for.
• Legitimate Interests: Platform security, fraud prevention, and aggregate analytics.
• Legal Obligation: Compliance with applicable Nigerian and international data protection law.

5. Data Sharing and Disclosure

5.1 Your Physiotherapist

If you are a supervised patient, your health information, programme, and session history are accessible to your linked physiotherapist to support your care.

5.2 Service Providers

We share data with trusted third-party providers who help us operate the platform, including cloud infrastructure (Supabase), email delivery (Resend), and AI services (Anthropic). All providers are bound by data processing agreements.

5.3 Calendar Integration

If you choose to connect Google Calendar, we will create calendar events for your booked sessions. We request only the minimum permissions necessary and do not read your existing calendar data.

5.4 Legal Requirements

We may disclose information where required by law, court order, or regulatory authority.

5.5 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal information may be transferred to the successor entity with prior notice to you.

6. Data Retention

We retain your account and health data for as long as your account is active and for a reasonable period thereafter to meet legal and clinical record-keeping obligations. You may request deletion of your account and data at any time by contacting us.

7. Data Security

ODA implements technical and organisational measures to protect your data, including:

• Encryption of data in transit (TLS) and at rest
• Role-based access controls
• Audit logging of administrative actions
• Secure password hashing

No system is completely secure. In the event of a breach that poses a risk to you, we will notify you and relevant authorities in accordance with applicable law.

8. Your Rights

Under the Nigeria Data Protection Regulation (NDPR) and applicable law, you have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate or incomplete information
• Request deletion of your personal information
• Withdraw consent to health data processing at any time
• Receive your data in a portable format
• Object to processing based on legitimate interests

To exercise any of these rights, contact us at info@opendoorsaccess.com.

9. Cookies

ODA uses only the cookies necessary for authentication and platform functionality. We do not use third-party advertising or tracking cookies.

10. Children's Privacy

ODA is intended for users aged 18 and over. We do not knowingly collect personal information from minors. If you believe a minor has created an account, please contact us and we will delete the data promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date and notify you by email or through the platform. Continued use of the Services after the effective date constitutes acceptance.

12. Contact

Open Doors Access
Email: info@opendoorsaccess.com
Website: app.opendoorsaccess.com