Information We Collect
Rehabify collects different types of information to provide and improve our service:
Account Information
When you create an account, we collect your email address, name, and password. Passwords are hashed and never stored in plain text.
Exercise Data
During exercise sessions, we collect:
- Joint angles calculated from pose landmarks (no video frames)
- Rep counts and form scores for each exercise
- Session duration and timestamps
- Form error types and frequencies
- Progress metrics over time
Voice Data
When you use voice AI coaching features, your voice audio is transmitted to:
- Vapi - Real-time voice AI platform for exercise coaching
- Deepgram - Speech-to-text transcription (via Vapi)
- OpenAI - Language model for generating coaching responses (via Vapi)
- ElevenLabs - Text-to-speech for voice output (via Vapi)
Audio data is transmitted via encrypted WebSocket connections and processed in real time. Vapi may retain audio recordings for quality assurance and model improvement as described in their privacy policy.
Usage Data
We automatically collect information about how you use our service, including:
- Pages visited and features accessed
- Device type, browser type, and operating system
- IP address and approximate geographic location (city/country level)
- Session timestamps and duration
How We Use Your Information
We use the information we collect to:
- Provide real-time form correction and exercise coaching
- Track your rehabilitation progress over time
- Improve our pose detection algorithms and coaching responses
- Send you service updates, security alerts, and support messages
- Detect and prevent fraud, abuse, and technical issues
- Comply with legal obligations and respond to legal requests
We do NOT use your data for advertising purposes or sell it to third parties.
Data Sharing and Third Parties
Rehabify shares your information with the following trusted third-party services:
Vapi (Voice AI Platform)
Voice audio, session context, and form correction data are transmitted to Vapi for real-time conversational AI coaching. Vapi processes this data through Deepgram (speech-to-text), OpenAI (language model), and ElevenLabs (text-to-speech).
Neon (Database and Authentication)
Your account information, exercise data, and session metrics are stored in Neon PostgreSQL with row-level security policies. Neon Auth handles user authentication securely.
Google Gemini (Plan Generation)
Your exercise history and progress data may be sent to Google Gemini to generate personalized rehabilitation plans. This data is anonymized where possible.
We do NOT share your personal information with marketers, advertisers, or data brokers. We only share data with service providers necessary to operate Rehabify, and we require them to protect your information.
Data Security Measures
We implement industry-standard security measures to protect your data:
- Client-Side Video Processing: Video frames never leave your device. MediaPipe Pose runs entirely in your browser using WebAssembly.
- TLS Encryption: All data transmission between your browser and our servers uses HTTPS/TLS encryption.
- Encrypted WebSockets: Voice audio is transmitted via secure WebSocket connections (WSS protocol).
- Password Hashing: Passwords are hashed using bcrypt before storage.
- Row-Level Security: Neon PostgreSQL uses RLS policies to ensure users can only access their own data.
- Regular Security Audits: We review and update our security practices regularly.
While we strive to protect your information, no security system is impenetrable. If you believe your account has been compromised, please contact us immediately at security@rehabify.com.
Your Rights and Choices
You have the following rights regarding your personal information:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request corrections to inaccurate or incomplete data.
- Deletion: Request deletion of your account and associated data.
- Export: Download your exercise data in a portable format (CSV/JSON).
- Object: Object to certain data processing activities.
- Withdraw Consent: Withdraw consent for data processing where consent was the legal basis.
To exercise these rights, email us at privacy@rehabify.com or use the account settings page after logging in. We will respond to your request within 30 days.
Data Retention
We retain your account information and exercise data for as long as your account is active. If you delete your account, we will permanently delete your personal data within 90 days, except where we are required to retain it for legal compliance.
Children's Privacy
Rehabify is not intended for use by children under 13 years of age. We do not knowingly collect personal information from children under 13.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@rehabify.com and we will delete the information promptly.
Users between 13 and 18 years of age should use Rehabify only with parental consent and supervision. We recommend consulting with a healthcare provider before beginning any rehabilitation program.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons.
When we make material changes, we will:
- Update the “Last Updated” date at the top of this page
- Send you an email notification if you have an account
- Display a prominent notice on our website for 30 days
Your continued use of Rehabify after changes become effective constitutes acceptance of the updated Privacy Policy. If you do not agree with the changes, you may delete your account.
Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: privacy@rehabify.com
Security Issues: security@rehabify.com
General Support: support@rehabify.com
We are committed to resolving privacy concerns promptly and transparently. We will acknowledge your inquiry within 48 hours and provide a full response within 30 days.