Privacy Policy
Last updated: January 2, 2026
Introduction
VOR Eye Rehab ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and web services (collectively, the "Service").
Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access the Service.
Information We Collect
Personal Information
When you create an account, we collect:
- Name and email address
- Account credentials (securely hashed passwords)
- Profile information you choose to provide
Health and Exercise Data
To provide rehabilitation services, we collect:
- Exercise session data (type, duration, difficulty level)
- Symptom scores (dizziness, brain fog, headache, eye strain, nausea)
- Progression metrics and difficulty adjustments
- Exercise performance data
- Session dates and times
Technical Information
We automatically collect:
- Device information (device type, operating system, app version)
- Usage statistics and analytics
- Log data and error reports
- IP address and general location (country/region)
How We Use Your Information
We use your information to:
- Provide and maintain the Service
- Track your rehabilitation progress and adjust exercise difficulty
- Send exercise reminders and notifications (if enabled)
- Analyze usage patterns to improve the Service
- Respond to your support requests and inquiries
- Detect and prevent technical issues and fraud
- Comply with legal obligations
- Send you updates about the Service (you may opt out of non-essential communications)
Consent and Legal Basis (GDPR)
We process your personal data based on the following legal grounds under GDPR:
Consent-Based Processing
When you create an account, we ask for your explicit consent for:
- Terms of Service: Agreement to our service terms (required)
- Privacy Policy: Acknowledgment of this privacy policy (required)
- Health Data Processing: Explicit consent to process your health-related rehabilitation data (required for service functionality)
- Marketing Communications: Optional consent to receive product updates, tips, and promotional content
Consent Records
We maintain records of your consent including:
- Type of consent given
- Date and time of consent
- Version of terms/policy agreed to
- Method of consent (app registration, quiz submission)
Withdrawing Consent
You can withdraw consent at any time:
- Marketing emails: Toggle off in Settings → Marketing Emails, or click "Unsubscribe" in any marketing email
- Health data processing: Delete your account through Settings → Clear All Data
- Data sharing with professionals: Pause or disconnect in Settings → Data Sharing
Note: Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.
Data Storage and Security
Your data is stored securely using industry-standard practices:
- All data is encrypted in transit using HTTPS/TLS
- Passwords are securely hashed using modern cryptographic algorithms
- Database access is restricted and monitored
- We use secure cloud infrastructure with regular security updates
- Regular automated backups ensure data availability
While we implement reasonable security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data.
Data Sharing and Disclosure
We do not sell your personal information. We may share your data in the following circumstances:
- With Healthcare Providers: If you choose to export your progress data to share with your therapist or healthcare provider
- Service Providers: With third-party vendors who assist in providing the Service (authentication, hosting, analytics) under strict confidentiality agreements
- Legal Compliance: When required by law, court order, or governmental regulation
- Business Transfers: In connection with a merger, acquisition, or sale of assets (users will be notified)
- Safety and Protection: To protect the rights, property, or safety of VOR Eye Rehab, our users, or others
All third-party service providers are carefully vetted and contractually obligated to protect your data in accordance with this Privacy Policy.
Your Privacy Rights (GDPR & CCPA)
Under GDPR (for EU/EEA residents) and other privacy laws, you have the following rights:
GDPR Rights (Articles 15-22)
- Right of Access (Art. 15): Request a copy of all personal data we hold about you
- Right to Rectification (Art. 16): Update or correct inaccurate information through your account settings
- Right to Erasure (Art. 17): Request deletion of your account and all associated data via Settings → Clear All Data
- Right to Data Portability (Art. 20): Export your complete data in JSON format via Settings → Export Data
- Right to Restrict Processing (Art. 18): Request limitation of how we process your data
- Right to Object (Art. 21): Object to processing based on legitimate interests, including direct marketing
- Right to Withdraw Consent (Art. 7): Withdraw consent at any time via app settings or by contacting us
How to Exercise Your Rights
- In-App: Settings → Data section for export and deletion
- In-App: Settings → Marketing Emails to manage preferences
- By Email: [email protected] for any privacy request
We will respond to your request within 30 days as required by GDPR. We may request verification of your identity before processing certain requests.
Note: Some data may be retained as required by law (e.g., HIPAA requires retention of health records for 6 years) or for legitimate business purposes.
Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Service. Specific retention periods:
- Active Accounts: Data retained while account is active
- Deleted Accounts: Personal data permanently deleted within 30 days of account deletion
- Backup Systems: Backup copies removed during regular backup cycles (up to 90 days)
- Legal Requirements: Some data may be retained longer to comply with legal obligations
Children's Privacy
Our Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately.
For users between 13 and 18 years old, we recommend parental guidance and supervision when using the Service.
Third-Party Services (Data Processors)
We use the following third-party services to provide our Service. Each operates under a Data Processing Agreement (DPA) as required by GDPR Article 28:
- Clerk (Authentication)
Processes: Email, name, password (hashed), session data
Privacy: clerk.com/legal/privacy
- Stripe (Payment Processing)
Processes: Email, billing information, payment method details
Note: We do not store credit card numbers; Stripe handles all payment data
Privacy: stripe.com/privacy
- Resend (Email Delivery)
Processes: Email address, email content, delivery status
Used for: Quiz results, account notifications, marketing emails (with consent)
Privacy: resend.com/legal/privacy-policy
- Cloud Infrastructure (Data Hosting)
Processes: All application data (encrypted in transit and at rest)
Location: European Union data centers
We maintain Data Processing Agreements with all processors and regularly review their security practices. You may request details about our sub-processors by contacting [email protected].
International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws.
When we transfer data internationally, we ensure appropriate safeguards are in place, such as standard contractual clauses or Privacy Shield certification (where applicable).
California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know what personal information is collected
- Right to know whether personal information is sold or disclosed
- Right to opt out of the sale of personal information
- Right to request deletion of personal information
- Right to non-discrimination for exercising CCPA rights
Note: We do not sell personal information.
Data Breach Notification
In accordance with GDPR Articles 33 and 34, in the event of a personal data breach:
- We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach (unless the breach is unlikely to result in a risk to your rights and freedoms)
- If the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay
- Notification will include: nature of the breach, categories of data affected, likely consequences, and measures taken to address the breach
We maintain documented procedures for detecting, reporting, and investigating personal data breaches.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. We will notify you of significant changes by:
- Posting the new Privacy Policy with an updated date
- Sending an email notification (for material changes affecting your rights)
- In-app notification
Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy.
Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
VOR Eye Rehab
Email: [email protected]
Support: [email protected]
We aim to respond to all privacy inquiries within 30 days.
Medical Disclaimer
VOR Eye Rehab is a rehabilitation tool and not a substitute for professional medical advice, diagnosis, or treatment. Always consult with your healthcare provider before starting any rehabilitation program. The privacy and security of your health information is important to us, but the app should be used in conjunction with professional medical care.