Privacy Notice

Last updated: April 29, 2026

This Privacy Notice explains how Daniel Fitoussi ("we", "us", "our", the "Seller") collects, uses, and protects personal data when you use Kinabit (the "Service").

1. Data Controller

Daniel Fitoussi acts as the data controller for personal data processed in connection with the Service.

2. Categories of Personal Data We Collect

• Account data: name, email address, password (hashed), clinic name, specialty, phone number.
• Patient records you upload: patient names, contact details, dates of birth, diagnoses, body areas, medical notes, exercise plans, check-ins, and pain levels. You are the data controller of this content; we process it on your behalf.
• Usage and telemetry data: pages visited, features used, error logs, device identifiers, IP address, browser type.
• Support communications: messages you send to our support team.

3. Purposes and Legal Basis

• Providing the Service (contract performance) — creating and maintaining your account, storing your data, generating AI exercise plans, sending check-in links to patients.
• Security and fraud prevention (legitimate interests) — detecting abuse, protecting accounts.
• Product improvement (legitimate interests) — analyzing usage patterns to improve features.
• Customer support (contract performance) — responding to your inquiries.
• Legal compliance (legal obligation) — when required by law.

4. Data Sharing

We share personal data with the following categories of recipients:

• Service providers / subprocessors — hosting (Lovable Cloud), AI providers (for exercise plan generation), email delivery, error monitoring.
• Professional advisors — legal and accounting advisors when needed.
• Authorities — when required by law, court order, or to protect our rights.

5. International Transfers

Our infrastructure may store and process data outside your country of residence. Where data is transferred outside the UK or EEA, we rely on appropriate safeguards such as Standard Contractual Clauses or adequacy decisions.

6. Retention

We keep your account data for as long as your account is active. After account closure, we retain data for up to 90 days to allow recovery, after which it is deleted or anonymised. Patient records you upload follow the retention rules you choose. Billing records are retained as required by tax and accounting law (typically 7 years).

7. Your Rights

Subject to applicable law (including GDPR for UK/EEA users), you have the right to: access your data, correct inaccuracies, request erasure, restrict processing, port your data, object to processing, withdraw consent, and lodge a complaint with your supervisory authority. We will respond to verifiable requests within one month.

8. Security

We use appropriate technical and organisational measures, including encryption in transit (TLS), encryption at rest, role-based access controls, and regular security review.

9. Cookies

We use essential cookies to keep you signed in and to remember your language preference. We do not currently use marketing cookies. You can manage cookies in your browser settings.

10. Contact

To exercise your rights or ask questions about this notice, email support@kinabit.com.