Privacy policy


At Good Boost our mission is to support everyone to better manage their musculoskeletal health to create more affordable and accessible health services. Privacy is just an important to us and we strive to comply with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA), and to be market leaders when it comes to healthcare and privacy.

This policy explains how we use your personal data. We want to help you understand how we work with your data, so that you can make informed choices and be in control of your information. We may update this policy from time to time and, if we make any material changes, we will notify you when we do so. We will provide you with the opportunity to review such changes. By continuing to use our products and services after the changes have been made and we have notified you of them, the way we use your personal data will be subject to the terms of the updated policy.

We have taken considerable steps to protect the confidentiality, security and integrity of this information.

Please read this privacy policy carefully as it will help you make informed decisions about sharing your personal information with us. We comply with the NHS Data Security and Protection Toolkit Standards (DSPT) for 2020-21, we also comply with the seven Coldicott Principles and the NHS Constitution. We anonymise information contained in medical and health records for use by researchers to support healthcare improvement.

This policy explains how we use your personal data for our musculoskeletal health services.

This policy covers:

1. Who we are

2. What personal data we hold and how we gather it

3. What we use your personal data for

4. Sharing your personal data with others

5. Retention

6. Data security and transfers


8. Your rights

9. Policy Updates

10. Contact Us

1. Who Are We

Our health services are delivered through software (medical-apps) that is developed by Good Boost Wellbeing Limited (Company number 11495760) (“Good Boost”, “Company”, “we”, “us”, or “our”). Good Boost develops and deploys the software that provides you with personalised therapeutic exercises. Our registered offices are 82 Southwark Bridge Road, London, SE1 0AS.

This privacy policy applies to all information collected through our mobile application, (“App”), and/or any related services, sales, marketing or events (we refer to them collectively in this privacy policy as the “Services”).

Good Boost is both the controller and processor of your personal data provided to, or collected by or for in connection with our healthcare services.

2. What personal data we hold and how we gather it

We collect personal information that you voluntarily provide to us when registering on our Apps, expressing an interest in obtaining information about us or our products and services, when participating in activities on the Apps or otherwise contacting us. The personal information that we collect depends on the context of your interactions with us and the App, the choices you make, and the products and features you use. The personal information we collect can include the following:

Personal details

When you register with us your complete forms and provide us with basic information about yourself, such as your name, age, post code and email address. We collect demographic information such as employment status, age and ethnicity. You are responsible for the accuracy of the information that you provide to us.

Social Media Login Data.

We may provide you with the option to register using social media account details as your user log in, such as your Facebook and Google account. If you choose to register in this way, we will collect the information described in the section called “How do we handle your social logins” below.

Voluntary contact information

when you communicate with us (for example when you send us an email or use a “contact us” form) we collect the Personal Information you provided us with.

Health Information

The main type of information we hold about you is health information. The focus is primarily on your musculoskeletal health information, such as if you experience pain in your joints and if you have any diagnosed joint conditions. We also ask for more global health information such as if you have a heart condition for the purposes of safety and screening to ensure the exercises selected are suitable for you.

We gather this information directly from you during your registration on the App. You can review this information, update information or add new information on the App. We also gather feedback measures, such as pain and wellbeing, from you a specific time points to measure your change and progress. We also gather feedback from you before and after you complete an exercise session.

All personal information that you provide to us must be true, complete and accurate, and you must update your details the Good Boost app or notify us of any changes to such personal information.

Information automatically collected.

We automatically collect certain information when you visit, use or navigate the Apps. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Apps and other technical information. This information is primarily needed to maintain the security and operation of our Apps, and for our internal analytics and reporting purposes.

3. What we use your personal data for

We use personal information collected via our Apps for a variety of business purposes described below. We process your personal information for these purposes in reliance on our legitimate business interests, in order to enter into or perform a contract with you, with your consent, and/or for compliance with our legal obligations. We indicate the specific processing grounds we rely on next to each purpose listed below.

Providing you a service

Your personal details such as your name, post code, email and phone number are used to create a user profile for you. We may use this information to verify your identify in the event you forget your login details.

Keeping you up to date

We may use you email address, phone number and/or details to contact you or present you with occasional updates and messages. will also use your contact detail to update you of any changes to our policies and procedures in addition to inviting you to receive regular updates on Good Boost and our services. We may use the personal information you send to us for our marketing purposes, if this is in accordance with your marketing preferences. You can opt-out of our marketing emails at any time (see the “What are your privacy rights” below).

We may contact you by SMS, email and/or other means to offer you helpful information or invite you to make appointments, for example for free healthcare screening programmes relevant to you.

Commitment to equality and accessibility

We gather information such as age, employment statement, ethnicity and gender to understand the demographic details of our users. We are working to ensure that we deliver a digital health service that is accessible to all.

Creating personalised exercise programs

Your self-reported health information and the feedback information you provide before and after your exercise session is used to generate your personalised exercise program. Our artificial intelligence has been designed by clinical specialists for exercise rehabilitation in addition to best clinical practice, research evidence and clinical guidelines.

Improving our service for you and others

We complete internal data audits and analysis for the purposes of service improvement. We also work with academic partners to validate our service improvement and analysis. When working with third-parties for the purpose of service improvement and research we never share your personal contact details or any other personal identifiable data. All details shared are fully anonymised. Furthermore, we only work in collaboration with academic institutions that have high levels of data security and governance in place to ensure that data is kept secure.

Impact reporting

Good Boost is funded by public bodies such as Innovate UK and the Small Business Research Initiative. As part of our commitment to report the impact of our services we report aggregated statistics and measures. None of these reports include any way to interpret any individual users data as they are presented in data grouped in statistics and graphs.

We will ask for your explicit consent to collect, process and store your information, for the following purposes:

Patient engagement activities

Developing case studies

To facilitate account creation and logon process. If you choose to link your account with us to a third-party account (such as your Google or Facebook account), we use the information you allowed us to collect from those third parties to facilitate account creation and logon process for the performance of the contract. See the section below headed “How do we handle your social logins” for further information.

To post testimonials. We post testimonials on our Apps that may contain personal information. Prior to posting a testimonial, we will obtain your consent to use your name and testimonial. If you wish to update, or delete your testimonial, please contact us at DPO@goodboost.org and be sure to include your name, testimonial location, and contact information.

Request Feedback. We may use your information to request feedback and to contact you about your use of our Apps.

To enforce our terms, conditions and policies for Business Purposes, Legal Reasons and Contractual.

Other uses

Based on our legitimate interest in managing and planning our business, we may analyse data about your use of our services to troubleshoot bugs within the App, forecast demand of service and to understand other trends in use, including which features users use the most and find most helpful, and what features users require from us. This does not involve making any decisions about you that would have a significant legal effect on you – it is only about improving our App so that we can deliver better services to you. Strict confidentiality and data security provisions will apply at all times.

Where necessary for safety, regulatory and/or compliance purposes, we may audit your interactions with our services. Strict confidentiality and data security provisions will apply at all times to any such audit and access.

To respond to legal requests and prevent harm. If we receive a subpoena or other legal request, we may need to inspect the data we hold to determine how to respond. If there is valid and legitimate risk to health or harm under safeguarding, we will share data with the appropriate authority in accordance with GDPR.

To respond to user inquiries/offer support to users. We may use your information to respond to your inquiries and solve any potential issues you might have with the use of our Services.

4. Sharing your personal data with others

We may process or share data based on the following legal basis:

Consent: We may process your data if you have given us specific consent to use your personal information in a specific purpose.

Legitimate Interests: We may process your data when it is reasonably necessary to achieve our legitimate business interests.

Performance of a Contract: Where we have entered into a contract with you, we may process your personal information to fulfil the terms of our contract.

Legal Obligations: We may disclose your information where we are legally required to do so in order to comply with applicable law, governmental requests, a judicial proceeding, court order, or legal process, such as in response to a court order or a subpoena (including in response to public authorities to meet national security or law enforcement requirements).

Vital Interests: We may disclose your information where we believe it is necessary to investigate, prevent, or take action regarding potential violations of our policies, suspected fraud, situations involving potential threats to the safety of any person and illegal activities, or as evidence in litigation in which we are involved.

More specifically, we may need to process your data or share your personal information in the following situation:

Research partners: We may share anonymised personal Information with third parties, such as research institutes, healthcare systems and healthcare providers, for research purposes and for improvement of our services. These partners will act as data processors on our behalf, acting strictly under contract in accordance with Article 28 GDPR. Those data processors are bound by strict confidentiality and data security provisions, and they can only use your data in the ways specified by us.

Anonymised information

We may share with our partners aggregated and anonymised data that does not personally identify you, but which shows general trends, for example, the number of users of our service.

If is your right to share your data with others, including health care professionals. If you plan to share your data with other it is essential that you are certain you are sharing it with a trusted individual, health professional or organisation.

5. Retention

We will only keep your personal information for as long as it is necessary for the purposes set out in this privacy policy, unless a longer retention period is required or permitted by law. No purpose in this policy will require us keeping your personal information for longer than 10 years past the termination of the user’s account.

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible. We will send you an email reminder 6-months before and 1 month before data is destructed.

We reserve the right to destroy your data if we have reasonable grounds to believe the account has been made maliciously without the intention for genuine use.

You can request a copy of all personal information that we hold about you at any time.

6. Data security and transfers

We will at all times comply with the requirements of the General Data Protection Regulation (GDPR) 2018, including ensuring that there are appropriate technological and operational procedures in place to protect your and other users’ information. When you submit personal data via the website or through our apps (for example by giving feedback), this is protected both online and offline.

All of your and other users’ information, not just personal data, has restricted access. Everyone whom we employ must use password-protected log-in screens to gain entry to restricted information. Furthermore, all employees are kept up-to-date on our security and privacy practices. When new policies are added, our employees are notified and/or reminded about the importance we place on privacy, and what they can do to ensure your information is protected. You may at any time request a copy of the data we hold on you by sending an email to DPO@goodboost.org or by written notice to us.

We work to protect the security of your information during transmission by using Secure Sockets Layer (SSL) software, which encrypts information you input.

We maintain physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of personally identifiable customer information. Our security procedures mean that we may occasionally request proof of identity before we disclose personal information to you.

We have implemented administrative, technical, and physical safeguards to help prevent unauthorised access, use, or disclosure of your Personal Information. Your information is stored on secure servers and isn’t publicly available. We use Amazon Web Servers to securely store your data. For more information on Amazon Web Servers security and data privacy standards please visit https://aws.amazon.com/compliance/data-privacy-faq/

We do not store any data on your device.

You need to help us prevent unauthorized access to your account by protecting your password appropriately and limiting access to your account (for example, by signing off after you have finished accessing your account). You will be solely responsible for keeping your password confidential and for all use of your password and your account, including any unauthorised use.

While we seek to protect your information to ensure that it is kept confidential, we cannot absolutely guarantee its security. You should be aware that there is always some risk involved in transmitting information over the internet. While we strive to protect your Personal Information, we cannot ensure or warrant the security and privacy of your personal Information or other content you transmit using the service, and you do so at your own risk.

7. Data Breach

A privacy breach occurs when there is unauthorized access to or collection, use, disclosure or disposal of personal information. You will be notified about data breaches when Good Boost Wellbeing Limited believes you are likely to be at risk or serious harm. For example, a data breach may be likely to result in serious financial harm or harm to your mental or physical well-being. In the event that Good Boost Wellbeing Limited becomes aware of a security breach which has resulted or may result in unauthorized access, use or disclosure of personal information Good Boost Wellbeing Limited will promptly investigate the matter and notify the applicable Supervisory Authority not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

8. Your rights

Under the GDPR your rights are as follows. You can read more about your rights in details following this link: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

the right to be informed;

  • the right of access;
  • the right to rectification;
  • the right to erasure;
  • the right to restrict processing;
  • the right to data portability;
  • the right to object; and
  • the right not to be subject to automated decision-making including profiling.

You also have the right to complain to the Information Commissions Office, ICO (www.ico.org.uk, 0303 123 1113) if you feel there is a problem with the way we are handling your data. Our ICO Registration number is: ZA501212.

We handle subject access requests in accordance with the GDPR.

In some regions (like the European Economic Area), you have certain rights under applicable data protection laws. These may include the right (i) to request access and obtain a copy of your personal information, (ii) to request rectification or erasure; (iii) to restrict the processing of your personal information; and (iv) if applicable, to data portability. In certain circumstances, you may also have the right to object to the processing server of your personal information. To make such a request, please use the contact details provided below. We will consider and act upon any request in accordance with applicable data protection laws.

If we are relying on your consent to process your personal information, you have the right to withdraw your consent at any time. Please note however that this will not affect the lawfulness of the processing before its withdrawal.

If you are resident in the European Economic Area and you believe we are unlawfully processing your personal information, you also have the right to complain to your local data protection supervisory authority. You can find their contact details here: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.

If you have questions or comments about your privacy rights, you may email us at DPO@goodboost.org.

9. Policy Updates

We may update this privacy policy from time to time. The updated version will be indicated by an updated “Revised” date and the updated version will be effective as soon as it is accessible. If we make material changes to this privacy policy, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this privacy policy frequently to be informed of how we are protecting your information.

10.Contact Us

We are here to help.

If you require further information, assistance, queries or you are facing technical problems, you can contact Good Boost from within the app by pressing the ‘contact Good Boost button’, contact us through email, info@goodboost.org or call us on 0203 488 4695. 

Make sure to include as much detail about the problem as possible in your report. Information like the kind of phone or tablet you were using and what you were doing when the problem occurred may help us address the issue. We are committed to addressing issues, complaints, feedback and contact submissions; we reserve the right to response within 10 working days.

You may also contact our Data Protection Officer (DPO) by email at dpo@goodboost.org