Privacy Policy
Last updated: February 2026
At Remy Health, we take privacy seriously. As a healthcare practice management platform, we understand the sensitivity of the data you entrust to us. This policy explains how we collect, use, store, and protect your information in compliance with UK GDPR and the Data Protection Act 2018.
1. Who We Are
Remy Health Ltd is a company registered in England and Wales. We provide a cloud-based healthcare practice management platform designed for multi-disciplinary therapy practices.
Data Controller: Remy Health Ltd
Contact: privacy@remy.health
2. Information We Collect
We collect the following categories of information:
- Account information: When you sign in via Google OAuth, we receive your name, email address, and profile picture.
- Practice data: Patient records, referrals, staff profiles, communications, appointments, documents, equipment records, and billing information that you create and manage through the platform.
- Communications data: SMS messages, emails, voice calls, and internal notes sent or received through the platform.
- Usage data: Browser type, device information, and usage patterns to help us improve the platform.
3. Google User Data
Remy Health uses Google OAuth 2.0 for authentication. When you sign in with Google, we access only your basic profile information (name, email address, and profile picture) to create and maintain your account.
Limited Use Disclosure
Remy Health's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
We do not use Google user data for advertising purposes, and we do not sell Google user data to third parties.
4. How We Use Your Information
We use the information we collect to:
- Provide and maintain the Remy Health platform and its features
- Authenticate your identity and manage your account
- Facilitate communications between your practice and patients, contacts, and staff
- Generate invoices, quotes, and billing documents
- Provide customer support and respond to your requests
- Improve the platform through usage analytics and feedback
- Comply with legal obligations, including healthcare record-keeping requirements
5. Legal Basis for Processing
Under UK GDPR, we process your personal data on the following legal bases:
- Contract performance: Processing necessary to provide the services you have subscribed to.
- Consent: Where you have given explicit consent, such as connecting third-party integrations.
- Legitimate interests: Improving our platform, ensuring security, and preventing fraud.
- Legal obligations: Compliance with applicable healthcare regulations, tax requirements, and data protection laws.
6. Data Storage and Security
Your data is stored securely using Supabase, hosted in the London (eu-west-2) region to ensure data residency within the United Kingdom.
We implement the following security measures:
- Encryption in transit (TLS/SSL) and at rest (AES-256)
- Role-based access control (RBAC) to limit data access to authorised users
- Row-level security (RLS) policies ensuring multi-tenant data isolation
- Regular security reviews and monitoring
- Encrypted storage of third-party API credentials
7. Data Sharing
We do not sell your personal data. We share data only with the following sub-processors as necessary to provide our services:
- Supabase — database hosting and authentication
- Twilio — SMS, voice calls, and WhatsApp messaging
- Stripe — payment processing and subscription management
- Postmark — transactional email delivery
You may also choose to connect optional integrations such as Cliniko, Xero, or HubSpot. Data is shared with these services only at your direction and in accordance with their respective privacy policies.
8. Data Retention
We retain your data for the duration of your active account, plus 30 days following account closure to allow for reactivation or data export.
Healthcare records managed through the platform may be subject to longer legal retention requirements under applicable healthcare regulations. Your practice is responsible for determining the appropriate retention period for patient records.
9. Your Rights
Under UK GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate or incomplete data
- Erasure — request deletion of your personal data where applicable
- Portability — request your data in a structured, machine-readable format
- Restriction — request that we limit processing of your data
- Objection — object to processing based on legitimate interests
To exercise any of these rights, contact us at privacy@remy.health. We will respond within 30 days.
11. Children's Privacy
Remy Health is a business-to-business platform and is not directed at individuals under the age of 16. Patient records of minors that are managed through the platform are the responsibility of the healthcare practice as the data controller.
12. Changes to This Policy
We may update this privacy policy from time to time. If we make material changes, we will notify affected users via email. We encourage you to review this page periodically.
13. Contact Us
If you have any questions about this privacy policy or our data practices, please contact us at privacy@remy.health.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.