Legal
Privacy Policy
Last updated: [EFFECTIVE DATE]
This Privacy Policy explains how [COMPANY NAME] ([LEGAL FORM], established in [COUNTRY], [COMPANY/KVK NUMBER]) ("CheckMyShoulder", "we", "us") collects, uses and protects your personal information when you use checkmyshoulder.com and the CheckMyShoulder app (the "Service"). We are the data controller. For any privacy question, contact us at [CONTACT EMAIL].
We take your privacy seriously, especially because some of the information you share with us is about your health. We only collect what we need to give you your result and programme, and we never sell your data.
1. Information we collect
Information you give us
- Account details — your email address and a password. Passwords are stored securely (hashed) by our authentication provider; we never see them.
- Health information you provide — your answers to the shoulder check (symptoms, pain levels, how you responded to movement prompts), the result generated from them, and any progress or check-in scores you record. This is information about your health and is treated as a special category of personal data under the GDPR.
- Communications — messages you send us (for example, support or account-deletion requests).
Information collected automatically
- Technical data — IP address, device and browser type, and basic usage information, processed by our hosting provider to keep the Service secure and working.
- Cookies — see "Cookies" below.
Payment information
When paid plans are available, payments are processed by Paddle.com Market Ltd, which acts as the Merchant of Record (the seller of record) and as a separate data controller for your payment and tax data. We do not receive or store your full card details. See Paddle's privacy policy.
2. Why we use your information and our legal basis
- To provide the Service (create your account, generate your result, run your programme, track progress) — on the basis of performance of our contract with you.
- To process your health information — on the basis of your explicit consent (Article 9(2)(a) GDPR), which you give by taking the check and saving your result. You can withdraw this consent at any time by deleting your data or your account (see your rights below).
- To keep the Service secure and improve it — on the basis of our legitimate interests, balanced against your rights.
- To meet legal obligations — for example, tax and accounting obligations relating to payments (handled by our Merchant of Record).
CheckMyShoulder provides educational, self-help information and does not provide medical care or a diagnosis. See our Medical Disclaimer.
3. Cookies
We keep cookies to a minimum. We currently use:
- Strictly necessary cookies — to keep you signed in and secure your session. These are required for the Service to work.
- Preference cookies — for example, to remember your chosen currency.
We do not currently use advertising or third-party analytics/tracking cookies. If we introduce them in the future (for example, to measure advertising), we will ask for your consent first through a cookie banner.
4. Who we share your information with
We do not sell your data. We share it only with service providers that help us run the Service, under contracts that require them to protect it:
- Supabase — database and authentication (stores your account and the data you save).
- Vercel — hosting and delivery of the app.
- Paddle — payment processing and tax, as Merchant of Record (when paid plans are live).
We may also disclose information where required by law, or to protect our rights or the safety of others.
5. International transfers
Some of our providers may process data outside the European Economic Area (for example, in the United States). Where they do, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses. [Confirm data-hosting region for Supabase/Vercel and update this section accordingly.]
6. How long we keep your information
We keep your account and the data you save for as long as your account is active. If you delete your account, we delete your personal data, except where we must keep limited records to meet legal obligations (for example, payment records). Backups are overwritten on a rolling basis.
7. Your rights
Under the GDPR you have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected;
- have your data erased ("right to be forgotten");
- restrict or object to certain processing;
- receive your data in a portable format;
- withdraw consent at any time (this does not affect processing before withdrawal).
To exercise any of these, email us at [CONTACT EMAIL]. You can also delete your account and data from your account page. If you believe we have not handled your data properly, you can complain to your local data protection authority (in the Netherlands, the Autoriteit Persoonsgegevens).
8. Security
We use industry-standard measures to protect your data, including encryption in transit, hashed passwords, and access controls. No online service can be completely secure, but we work to keep your information safe.
9. Children
The Service is not intended for children under 16, and we do not knowingly collect their data. If you believe a child has provided us with personal data, contact us and we will remove it.
10. Changes to this policy
We may update this policy from time to time. We will post the new version here and update the "Last updated" date, and where changes are significant we will let you know.
11. Contact
[COMPANY NAME], [ADDRESS]. Email: [CONTACT EMAIL].