Privacy Policy

Last updated: April 2026

1. Introduction

At Move8 Health, we are committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, store, and protect information when you use the Move8 Health platform ("Platform"). We process personal data in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Data Controller

The data controller responsible for your personal data is:

Move8 Health
Vienna, Austria
Email: privacy@move8health.com

3. Data We Collect

Account Information

When you register for an account, we collect your name, email address, and password (stored in hashed form). If you are a Therapist, we may also collect your professional credentials and practice details.

Exercise Plans & Therapy Data

We store the exercise plans, therapy programmes, and related notes you create on the Platform.

Patient Information

Therapists may enter patient information including names, contact details, and therapy-related notes. As a Therapist, you are responsible for obtaining appropriate consent from your patients before entering their data on the Platform.

Payment & Billing Information

When you subscribe to a paid plan or make a one-time purchase, payment is processed by Stripe. We do not store your full card number. We retain only non-sensitive billing data such as the last four digits of your card, billing address, subscription status, and transaction history, which are necessary to manage your account and comply with financial record-keeping obligations.

Usage Data

We automatically collect certain information about your use of the Platform, including pages visited, features used, and timestamps.

Cookies

We use essential cookies required for the Platform to function properly, such as authentication cookies. See Section 9 for more details.

4. How We Use Data

We use the data we collect to:

Provide, maintain, and improve the Platform and its features.
Authenticate users and maintain account security.
Send important service notifications, such as account verification, security alerts, and changes to our terms.
Analyse usage patterns to improve the user experience and develop new features.
Process payments, manage subscriptions, and send billing-related communications such as receipts, payment failure notices, and renewal reminders.
Respond to your enquiries and provide customer support.
Comply with legal obligations, including financial record-keeping requirements.

5. Legal Basis for Processing

We process your personal data on the following legal bases under the GDPR:

Contract Performance: Processing necessary to provide you with the Services you have requested (Article 6(1)(b) GDPR).
Legitimate Interests: Processing necessary for our legitimate interests, such as improving the Platform, ensuring security, and preventing fraud (Article 6(1)(f) GDPR).
Consent: Where required by law, we will obtain your explicit consent before processing your data, such as for optional communications (Article 6(1)(a) GDPR).
Legal Obligation: Processing necessary to comply with legal requirements (Article 6(1)(c) GDPR).

6. Data Sharing

We do not sell your personal data to third parties.

We may share your data with:

Service Providers: Trusted third-party providers who assist us in operating the Platform, including hosting (Vercel), database (Neon), email services (Resend), and payment processing (Stripe). Stripe acts as a data processor for payment transactions and is certified to PCI DSS standards. All providers are contractually obligated to protect your data and may not use it for their own purposes.
Legal Requirements: We may disclose your data if required by law, court order, or governmental regulation, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

7. Data Retention

We retain your personal data for as long as your account is active and as needed to provide you with the Services.

If you delete your account, we will permanently delete or anonymise your personal data within thirty (30) days of account closure. Certain data may be retained longer if required by law or for legitimate business purposes, such as resolving disputes or enforcing our agreements.

8. Your Rights (GDPR)

Under the GDPR, you have the following rights regarding your personal data:

Right of Access: You may request a copy of the personal data we hold about you.
Right to Rectification: You may request that we correct any inaccurate or incomplete personal data.
Right to Erasure: You may request the deletion of your personal data, subject to certain legal exceptions.
Right to Data Portability: You may request a copy of your data in a structured, commonly used, and machine-readable format.
Right to Restriction: You may request that we restrict the processing of your personal data under certain circumstances.
Right to Object: You may object to the processing of your personal data where we rely on legitimate interests as the legal basis.

To exercise any of these rights, please contact us at privacy@move8health.com. We will respond to your request within thirty (30) days.

9. Cookies

We use essential cookies only. These cookies are strictly necessary for the Platform to function and cannot be switched off. They include:

Authentication cookies: To keep you signed in and maintain your session.
Security cookies: To protect against cross-site request forgery and other security threats.

We do not use tracking cookies, advertising cookies, or any third-party analytics cookies.

10. Security

We take the security of your data seriously and implement appropriate technical and organisational measures to protect your personal data, including:

Encryption of data in transit (TLS/SSL) and at rest.
Secure, EU-based cloud hosting infrastructure.
Hashed password storage using industry-standard algorithms.
Regular security reviews and updates.
Access controls and authentication mechanisms to restrict unauthorised access.

11. International Transfers

Your data is primarily hosted within the European Union. In the event that data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, to protect your data in accordance with GDPR requirements.

12. Children

The Platform is not intended for use by children under the age of sixteen (16). We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that data promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least thirty (30) days' notice via email or a prominent notice on the Platform before the changes take effect. We encourage you to review this policy periodically. Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

14. Contact

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at privacy@move8health.com.

You also have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated. In Austria, the relevant authority is the Austrian Data Protection Authority (Datenschutzbehörde).