Legal
Privacy Policy
Last updated: 28 March 2026
This Privacy Policy explains how Oris collects, uses, stores, and protects information when you use our Service. We are committed to handling all data — yours and your patients' — with the care and transparency that clinical data demands.
1. Who We Are
Oris is an AI-powered clinical platform for physiotherapists, providing session documentation, AI-assisted differential diagnosis, treatment plan generation, and patient management tools. References to "Oris", "we", or "us" in this policy refer to the operator of the Service.
For the purposes of data protection law, Oris is the data processor for patient data and the data controller for clinic account and platform usage data.
Your clinic is the data controller for all patient personal data entered into the platform. You are responsible for your own GDPR compliance in relation to your patients.
2. Data We Collect
We collect the following categories of data when you use Oris:
Clinic Account Data
- Clinic name and email address
- Password — stored exclusively as a bcrypt hash with a cost factor of 12 (2^12 key-expansion rounds). We never store, log, or transmit your plain-text password.
- Practitioner profile: name, years of experience, specialisations, clinic setting, preferred treatment approaches, available equipment, and session duration preferences
- Subscription plan and plan activation dates
- Notification preferences (enabled/disabled, advance notice window)
Patient Data — Special Category Health Data (entered by you as data controller)
The following data constitutes special category data under Article 9 UK/EU GDPR because it relates to the physical health of identifiable individuals. It is entered by you (the clinic) and processed by Oris solely on your instruction, as your data processor.
- Patient demographics: first name, last name, date of birth, gender, phone number, email address, residential address, and occupation
- Referral source and patient status (active / discharged)
- Medical history: presenting conditions, current medications, known allergies, previous surgeries, and any additional history entered by the practitioner
- Clinical session records: subjective complaints, objective assessment findings (range of motion, strength, pain scores, affected body regions), clinical assessment, treatment plan, treatment log, session notes, and session status
- AI-generated clinical outputs linked to a patient session: differential diagnoses, red flag screening results, treatment plan recommendations, and adaptive plan notes
Calendar Integration Data (optional)
- Google Calendar: If you connect Google Calendar, we store OAuth access and refresh tokens and your selected calendar ID to read and write appointment events on your behalf.
- Microsoft Outlook Calendar: If you connect Microsoft Outlook, we store an equivalent OAuth token set via Microsoft's identity platform. Appointment data is handled identically to Google Calendar.
- Apple iCal (read-only subscription): We generate a private iCal feed URL scoped to your clinic. No credentials are stored. You subscribe to the feed in Apple Calendar; data flows read-only from Oris to your device.
- Calendar events created by Oris contain only the appointment date, time, and a general label — no clinical details or patient health data are included in calendar event bodies.
Anonymous Public Analytics (with consent)
- If you consent via the cookie banner on our public website, we collect anonymised page-level analytics: a random per-session identifier, page path, approximate traffic source (direct, organic search, social, referral), device type (desktop / mobile / tablet), browser family, operating system, and country (ISO country code derived from your IP address — the IP itself is not stored).
- This data is collected only on public marketing pages (e.g. the homepage and pricing page) and never inside the authenticated application.
- If you decline or do not interact with the cookie banner, no analytics data is collected. You can change your preference at any time by clearing your browser's local storage.
Usage & Technical Data
- Authentication session tokens (JWTs) stored client-side in an HttpOnly cookie, which page scripts cannot read, containing only your clinic ID, email, and display name — no patient identifiers are stored in session tokens
- Standard server logs (IP addresses, request timestamps, HTTP status codes) retained for up to 90 days for security monitoring and debugging
3. How We Use Your Data
We use the data we collect exclusively to operate, maintain, and improve the Service:
- To authenticate your clinic account and enforce data isolation between tenants
- To store and retrieve patient records and session data on your behalf
- To transmit clinical notes to Google Gemini AI for the purpose of generating assessments and treatment plans (see Section 7)
- To sync session appointments with your Google Calendar or Microsoft Outlook calendar, or to publish them to your private iCal feed, if you have enabled that integration
- To send in-app notifications about upcoming patient sessions based on your configured preferences
- To respond to support enquiries and account administration requests
- To detect and prevent fraud, abuse, or unauthorised access
We do not sell your data, share it with advertisers, or use it for any purpose beyond operating the Service.
4. Legal Basis for Processing (GDPR)
4.1 — Clinic Account & Platform Data (Article 6 UK/EU GDPR)
For ordinary personal data relating to your clinic account and use of the platform, our legal bases are:
- Article 6(1)(b) — Contract performance: Processing your clinic name, email address, password hash, practitioner profile, subscription status, notification preferences, and calendar integration tokens is necessary to provide the Service described in our Terms and Conditions.
- Article 6(1)(f) — Legitimate interests: Processing server logs, authentication event records, and security metadata is necessary for our legitimate interest in operating a secure, reliable platform and preventing unauthorised access. These interests are not overridden by your interests or rights, given the limited and purely technical nature of the data.
- Article 6(1)(a) — Consent: Anonymous page analytics on our public website are processed only if you have explicitly accepted the cookie banner. Consent can be withdrawn at any time.
- Article 6(1)(c) — Legal obligation: We may retain certain records where required by applicable law (e.g. financial records, security incident logs).
4.2 — Special Category Health Data (Article 9 UK/EU GDPR)
Patient health data — including medical histories, clinical session records, diagnoses, and treatment plans — constitutes special category data under Article 9 UK/EU GDPR. Processing this category of data requires both a valid Article 6 legal basis and a specific condition under Article 9(2).
Oris's role: As a data processor, Oris processes patient health data exclusively on your instruction. We do not independently determine the purposes or means of processing patient data. Our processing of this data is governed by the lawful instruction of you, the data controller (the clinic).
Your role as data controller: You, the clinic, are responsible for identifying and documenting a valid Article 9(2) condition before entering patient health data into Oris. The most common applicable conditions are:
- Article 9(2)(h) — Healthcare purposes: Processing is necessary for the purposes of preventive medicine, medical diagnosis, the provision of health care or treatment, or the management of health care systems. This is the primary lawful basis for most physiotherapy practices processing patient clinical data in the course of treatment.
- Article 9(2)(a) — Explicit consent: The patient has given explicit consent to the processing of their health data for one or more specified purposes. If you rely on this basis, you must obtain, document, and be able to demonstrate that consent independently of Oris.
- Article 9(2)(i) — Public health: Processing is necessary for public health purposes. This basis is less commonly applicable in individual clinical practice.
Important: You must not enter patient health data into Oris unless you have a documented lawful basis under both Article 6 and Article 9(2) to do so. Oris provides the technical means to process this data, but the legal responsibility for patient data compliance — including obtaining patient consent where required, maintaining records of processing activities, and responding to patient rights requests — rests with your clinic as the data controller.
If you require a Data Processing Agreement (DPA) with Oris to document our processor relationship under Article 28 GDPR, please contact us.
4.3 — Summary Table
| Data category | Legal basis | Controller |
|---|---|---|
| Clinic account & profile | Art. 6(1)(b) — Contract | Oris |
| Calendar OAuth tokens | Art. 6(1)(b) — Contract | Oris |
| Security & server logs | Art. 6(1)(f) — Legitimate interests | Oris |
| Public analytics | Art. 6(1)(a) — Consent | Oris |
| Patient health data | Art. 9(2)(h) or 9(2)(a) — Healthcare / Consent | Your clinic |
5. Multi-Tenancy & Data Isolation
Oris is built on a strict multi-tenant architecture. Every patient record, session, and clinical note is tagged with a clinic ID at the database level. All API routes enforce authentication and scope every database query to the clinic ID carried in your verified session, never to a clinic ID supplied in the request.
No clinic can access another clinic's data, whether through the user interface, the API, or any other mechanism. Even if a user guesses or obtains another clinic's record IDs, the scoped query matches no row and the system returns a 404 error. It is a 404 rather than a 403 so that the response does not even confirm that the record exists in another tenant.
Our database schema enforces foreign-key constraints (every patient, session, and note references its owning clinic) and cascade-delete rules, so that deleting a clinic account removes every record that belongs to it and no orphaned patient data can outlive its tenant.
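The following is an added illustration of the tenant-scoping pattern described in this section; it is example code written for this page, not Oris's own code. The table and column names (clinics, patients, clinic_id), the in-memory SQLite store, and the sample rows are all assumptions constructed for the demonstration. It shows the vulnerable lookup-by-ID beside the hardened lookup-by-ID-and-clinic, the 404-not-403 response, and the cascade-delete behaviour.

```python
"""Tenant-scoped record lookup: vulnerable vs. hardened.

Added example, not Oris code. Schema, names and sample rows are assumptions
constructed for this illustration; the store is an in-memory SQLite database.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a tiny two-tenant schema seeded with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    # SQLite enforces foreign keys (and therefore ON DELETE CASCADE) only when enabled.
    con.execute("PRAGMA foreign_keys = ON")
    con.executescript(
        """
        CREATE TABLE clinics (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE patients (
            id         INTEGER PRIMARY KEY,
            clinic_id  INTEGER NOT NULL REFERENCES clinics(id) ON DELETE CASCADE,
            first_name TEXT NOT NULL
        );
        INSERT INTO clinics  VALUES (1, 'Clinic A'), (2, 'Clinic B');
        INSERT INTO patients VALUES (10, 1, 'Alice'), (20, 2, 'Bob');
        """
    )
    return con


class NotFound(Exception):
    """Maps to HTTP 404. Raised identically whether the row is absent or
    belongs to another tenant, so the response confirms nothing."""


def get_patient_unscoped(con: sqlite3.Connection, patient_id: int) -> tuple:
    """VULNERABLE pattern: lookup by record ID alone. Any authenticated clinic
    that guesses or obtains another clinic's patient ID receives the row (an
    insecure direct object reference)."""
    row = con.execute(
        "SELECT id, clinic_id, first_name FROM patients WHERE id = ?",
        (patient_id,),
    ).fetchone()
    if row is None:
        raise NotFound
    return row


def get_patient(con: sqlite3.Connection, clinic_id: int, patient_id: int) -> tuple:
    """HARDENED pattern: the caller's clinic_id (taken from the verified session,
    never from the request body) is part of the WHERE clause, so a cross-tenant
    ID simply matches no row."""
    row = con.execute(
        "SELECT id, clinic_id, first_name FROM patients WHERE id = ? AND clinic_id = ?",
        (patient_id, clinic_id),
    ).fetchone()
    if row is None:
        raise NotFound  # 404, not 403: do not reveal that the record exists elsewhere
    return row


def http_status(fn, *args) -> int:
    """Translate a lookup outcome into the status code an API route would send."""
    try:
        fn(*args)
        return 200
    except NotFound:
        return 404


def delete_clinic(con: sqlite3.Connection, clinic_id: int) -> int:
    """Delete a tenant; cascade removes its patients. Returns the number of
    patient rows still carrying that clinic_id afterwards (expected: 0)."""
    con.execute("DELETE FROM clinics WHERE id = ?", (clinic_id,))
    return con.execute(
        "SELECT COUNT(*) FROM patients WHERE clinic_id = ?", (clinic_id,)
    ).fetchone()[0]


if __name__ == "__main__":
    con = make_db()
    # Clinic 2 asks for patient 10, which belongs to clinic 1.
    print("unscoped lookup:", http_status(get_patient_unscoped, con, 10))  # 200: leak
    print("scoped lookup:  ", http_status(get_patient, con, 2, 10))        # 404
    print("own record:     ", http_status(get_patient, con, 1, 10))        # 200
    print("orphans left:   ", delete_clinic(con, 1))                        # 0
```

The important detail is where `clinic_id` comes from: it must be read from the authenticated session (the JWT described in Section 2) rather than from a URL or body parameter, or the scoping is trivially bypassed.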
6. Security
We implement the following security measures to protect your data:
- Passwords — hashed using bcrypt with a cost factor of 12 before storage. We never store or log plain-text passwords.
- Authentication — JWT-based sessions signed with a server-side secret key and delivered in an HttpOnly cookie. Tokens contain no patient data.
- Database — hosted on Neon (a managed PostgreSQL provider) with encryption at rest and TLS in transit. Database credentials are not exposed in client-side code.
- API keys — all third-party credentials (Gemini API key, Google OAuth client secret, Microsoft identity platform client secret, Resend API key) are stored as server-side environment variables and are never sent to or accessible from the browser.
- Transport — all communication between your browser and the Service is encrypted over HTTPS/TLS.
No system is 100% secure. If you become aware of a security vulnerability in Oris, please contact us immediately.
7. Third-Party Services & Data Transfers
To deliver the Service, your data is shared with the following third-party processors. Each is engaged only to the extent necessary for the specific function described below.
Google Gemini AI
When you generate an AI assessment or treatment plan, the clinical notes for that session are transmitted server-side to Google's Gemini API over an encrypted connection. Google processes this data under its API terms and data processing addendum. The notes are used solely to generate the immediate response; they are not retained on Google's infrastructure beyond the single API call. You should review Google's Gemini API terms in the context of your clinical governance obligations.
Google Calendar API
If you enable Google Calendar sync, appointment data (date, time, and a general appointment label) is shared with Google Calendar via OAuth 2.0. No patient clinical details, diagnoses, or health data are included in calendar event bodies. You can revoke this integration at any time from Settings, at which point we immediately delete the stored OAuth tokens.
Microsoft Graph API (Microsoft Outlook Calendar)
If you enable Microsoft Outlook calendar sync, appointment data is shared with Microsoft's Graph API via OAuth 2.0 under the same terms as Google Calendar. No patient health data is included in calendar events. You can disconnect this integration from Settings at any time.
Resend (Transactional Email)
We use Resend to send transactional emails, specifically the one-time password (OTP) verification email sent during account registration. The email address you provide at sign-up is transmitted to Resend solely for the purpose of delivering this message. Resend processes email data under its own privacy policy and data processing agreement. No patient data is ever transmitted to Resend.
Neon (Database Hosting)
All persistent platform data — clinic accounts, patient records, session data, and calendar tokens — is stored in a managed PostgreSQL database hosted by Neon on AWS infrastructure. Data is encrypted at rest and in transit. Neon acts as a data processor and does not have access to your data beyond what is necessary to operate the managed database service.
Vercel (Hosting & Infrastructure)
The Oris application is deployed on Vercel. Vercel processes HTTP request data (including IP addresses and headers) as part of serving the application and providing its edge network. Vercel acts as a data processor and does not use your data for any purpose beyond operating the hosting infrastructure. Data is processed primarily in EU regions where available.
These are the only third parties with whom your data is shared. We do not use advertising networks, behavioural analytics platforms, or data brokers of any kind.
8. AI & Patient Data — No Training on Your Data
Patient data is never used to train, fine-tune, or evaluate AI models.
When your clinical notes are sent to Google Gemini AI for processing, they are used solely to generate the immediate response (assessment or treatment plan) for that API call. The notes are not retained on Google's infrastructure beyond the processing of that single request (see Section 7), and we do not use patient data to improve, personalise, or update any AI model.
The Gemini API is used in a manner consistent with Google's data processing terms, which prohibit the use of API-submitted data for model training without explicit consent.
9. Data Retention
We retain your clinic account data and patient data for as long as your account is active.
If your free trial expires and you do not subscribe, we retain your data for 30 days after trial expiry to allow you to export it. After that period, it is permanently deleted.
If you close your account, we retain your data for 30 days following account closure, after which all clinic and patient data is permanently and irreversibly deleted from our systems and backups.
Server and security logs are retained for up to 90 days for security and debugging purposes.
Google OAuth tokens are deleted immediately when you disconnect the Google Calendar integration from Settings.
10. Your Rights (UK & EU GDPR)
If you are located in the UK or EU, you have the following rights in relation to your personal data:
- Right of access — you can request a copy of the personal data we hold about you
- Right to rectification — you can correct inaccurate data held about your clinic account directly within the Settings page
- Right to erasure — you can request deletion of your account and all associated data
- Right to data portability — you can export your patient and session data at any time from within the platform
- Right to object — you can object to processing based on legitimate interests
- Right to restrict processing — you can request that we restrict how we process your data in certain circumstances
Regarding patient data: because you are the data controller for your patients' data, patient rights requests (from your patients) should be directed to you as the controller. We will assist you in fulfilling such requests on request.
To exercise any of these rights, contact us through your registered clinic account. We will respond within 30 days (or within the shorter timeframe required by applicable law).
You also have the right to lodge a complaint with your relevant data protection authority — in the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk.
11. Children's Privacy
The Service is intended for use by healthcare professionals and is not directed at children under the age of 18. We do not knowingly collect personal data from children. If you believe a minor has registered an account, please contact us and we will remove the account promptly.
Note: patient records for minor patients (children receiving physiotherapy treatment) may be entered by a registered practitioner clinic account. In such cases, the practitioner is responsible for ensuring appropriate legal basis and parental/guardian consent in accordance with applicable law.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a prominent notice within the platform at least 14 days before the change takes effect.
The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of the Service after a change takes effect constitutes acceptance of the updated policy.
13. Contact & Data Enquiries
For any privacy-related questions, data subject access requests, or concerns about how we handle your data, please contact us through your registered account or via the contact details provided within the platform.
We aim to respond to all data protection enquiries within 5 business days and within 30 days for formal data subject requests.