Privacy Policy
Last updated 13th October 2025
1. We are committed to protecting your privacy
We (Flok Health Ltd) collect and process your personal information whenever you use the Flok Health App, web forms, and software medical device (our ‘Service’). We want you to feel confident in the service we provide – protecting your privacy and keeping your information secure are an important part of this.
At Flok, we use privacy by design to address the seven data protection principles laid out in the UK Data Protection Act 2018 (`UK GDPR`):
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
This policy describes how we meet the seven data protection principles to protect your privacy and keep your information secure.
2. We only collect information about you that is strictly necessary
You provide us with your personal information when using the service and you do this via the Flok Health App. Some of this information is provided voluntarily by you, i.e., you enter your personal information in the app, and other information is collected automatically, e.g., our app logs whenever you use the service.
In addition, we use products and services provided by third party suppliers for certain functionality, including appointment bookings and reminders, customer and technical support management, and seeking user feedback.
We process the following information relating to you when you use our service:
- Personal identifiers. This includes your name, address, email address, gender, mobile number, and date of birth and is essential to providing a safe service to you.
- Occupation information. Information relating to your occupation helps us assess your risk of back pain and personalise the service we provide to you.
- Employer. We record the name of your employer when the service we provide is on behalf of your employer. This is so that we can provide your employer with aggregate statistics on app usage and outcome metrics. We do not share personal or health information with your employer.
- Back pain history. We use your history of back pain to ensure that we provide you with a safe and effective service. We may also use this information to personalise the service we provide to you.
- Symptoms relevant to your back pain. We use symptoms that you report to us to ensure that we provide you with a safe and effective service. We may also use this information to personalise the service we provide to you.
- Progress and outcomes. We track your progress through the back pain treatment programme provided as part of our service, and record outcomes data at completion of the programme. This is to ensure that the services we provide are safe and effective and that each appointment is appropriate for you.
- Bookings and appointments. We store information on your appointment bookings to manage service capacity and provide you with booking reminders.
- Mobile device details. We retain information on your mobile device including make, model, and IP (internet) address to monitor the availability and security of our services and ensure that we provide a good quality of service to you.
- Usage and engagement data. We log how you use and engage with the service. This helps us learn more about your needs and improve the service we offer. Also, it enables us to provide you with technical support should things go wrong when you use the app.
- Feedback. We may ask you to provide us with optional feedback during and after your use of the service. This helps us to improve the service for future users.
- Technical support. We store administrative details relating to technical support queries you raise so that we can resolve any issues that arose when using the service.
We store electronic cookie data on the device you use to access our service:
- Authentication token. This is a secure token assigned to you each time you log in to the app and use our service. The authentication token is essential to the correct operation of our service and helps keep your information confidential and secure.
We do not use third party tracking, advertising or marketing cookies.
3. We only use your information for reasons we have told you about
We use your data for the following reasons:
- To provide a service to you including personalising the medical care you receive
Article 6(b): We have a contractual obligation.
Article 6(f): We have a legitimate interest
Article 6(d): Where it is necessary to protect your vital interests, e.g. during a medical emergency.
Special Category Data
Information we collect relating to your health and health outcomes is Special Category Data, which we additionally process under Article 9(h): Health or Social Care.
- To collect your feedback on our service
Article 6(f): We have a legitimate interest
- To analyse how the service is used, maintain administrative records and security and fraud prevention. We minimise the personal information we store, and only analyse anonymised and/or aggregate data (summary statistics) for this purpose, to protect your privacy.
Article 6(f): We have a legitimate interest
- To undertake product development, research, and business development. We use anonymised data for this purpose to protect your privacy.
Article 6(f): We have a legitimate interest
- To report usage, engagement, and outcomes data back to your employer (only when our service is provided through your employer). We use aggregate data (summary statistics) for this purpose to protect your privacy.
Article 6(f): We have a legitimate interest
We may also process your data under Article 6(c) Legal Obligation whenever we are required to do so, e.g., by legislation or court order.
4. We are responsible for keeping your information confidential
We (Flok Health Ltd) are the Data Controller for the personal information you provide when using our service. We are registered with the UK Information Commissioner’s Office. Our registration number is ZB452487, and you can view our certificate online.
We use sub-processors as part of the service we provide to you:
- DigitalOcean, LLC. The healthcare service we provide is hosted on servers owned and managed by DigitalOcean. Our services and data are hosted in the UK and are covered by a Data Processing Agreement with DigitalOcean.
- Amazon Web Services, Inc. (AWS). We use AWS services to store, process and transcribe feedback provided to us as a voice note, as well as storing data backups of the healthcare service we host with DigitalOcean. Our services and data are hosted in the UK (London) and are covered by a Data Processing Agreement with AWS.
- Google, LLC. We use Google’s Firebase service for sending push notifications to your mobile device. Google store a code number that uniquely identifies your mobile device, but do not hold or process any further information about you. To protect your privacy, we do not include personal or health information in the push notification messages that we send to your mobile device.
- Datadog, Inc. We use Datadog’s service to log app performance, availability, and error data as part of maintaining a high quality of service to you. We do not store personal or health information on Datadog’s servers and tokenise or mask any information that might identify you, to protect your privacy.
- Microsoft, Inc. We use services provided by Microsoft, Inc for managing appointment booking, as well as storing user feedback. All data is stored on servers located in the United Kingdom.
- Peaberry Software, Inc. We use Peaberry’s customer.io platform to manage reminders and notifications that we send to you. Peaberry store and process your personal information for this purpose on servers in the EU. Peaberry do not hold or process health information.
Additionally, we use sub-processors for processing feedback from you about the service and managing customer/technical support queries:
- FrontApp, Inc. We use FrontApp’s software to provide tracking of customer and technical support queries, which may include your name, email address and phone number. We do not use FrontApp to process health or other personal information as part of the service. FrontApp may store your details on servers in the UK or Europe, however the standard protections under UK GDPR continue to apply. Please refer to FrontApp’s Privacy Notice for further information: https://front.com/legal/privacy-notice.
- SmartSurvey Ltd. We use SmartSurvey to conduct patient surveys about our service which may include personal and health information. SmartSurvey is a G-Cloud approved supplier and stores your data on servers in the UK, with standard protections under UK GDPR.
5. We keep your information secure
All personal information is encrypted both at rest and in transit, following industry best practice, e.g., HTTPS TLS and AES encryption. We provide you with access to the app through username and password authentication, and additionally, Flok Health staff are required to use multi-factor authentication when accessing the service. You are responsible for choosing a strong password and keeping your password secure. We maintain adequate data backups and have a disaster recovery plan.
Flok Health is certified to UK Cyber Essentials Plus, in keeping with NHS requirements.
6. We do not transfer or share your information with others except where stated
Information you provide to us through the Flok Health App is stored on servers in the United Kingdom (and occasionally in the EU, as laid out above) and we do not otherwise transfer it outside of the UK. All health information is stored and processed in the UK only.
We may share your personal, health and treatment information with other UK healthcare providers where it is necessary to provide safe, joined-up care. We may:
- Inform your GP or other healthcare practitioners/providers of your assessment and treatment with Flok.
- Tell other healthcare services about you when we are referring you to them. Services we refer to may include community physiotherapy, hospital, or NHS 111 services.
- Update information on your NHS Summary Care Record, and/or share similar health and evaluation information with the relevant NHS commissioners, providers, and national bodies (e.g. NHS England or NHS Scotland as applicable) when required to do so by the NHS organisations that commission your care.
- Provide necessary information to your health insurance company or payer, as part of administering your health insurance claim and coverage.
We only use your information as laid out in this agreement and do not share your data with other persons or organisations unless there is a legal basis for doing so, e.g., legislation or court order. In the event of dissolution of Flok Health Ltd we will provide a copy of your medical record to the healthcare body that last commissioned the service we provided to you.
Importantly, we do not share your data with third parties for marketing or advertising.
7. We do not keep your data for longer than is necessary
We have a data retention policy that specifies how long we may retain certain types of data. Data that forms part of your health record, i.e., information relating to the physiotherapy service we delivered to you, has the longest retention period. We will keep this information for 8 years after you last used the service, in line with UK NHS guidance.
8. You have certain legal rights to access the information we hold on you
The UK Data Protection Act 2018 lays out certain legal rights regarding the information we process.
- Right of access. You have the right to ask us for a copy of the personal information we hold on you.
- Right to rectification. You have the right to ask us to rectify the personal information we hold on you if you think it is inaccurate, or to provide additional information if you believe the information we hold is incomplete.
- Right to erasure. You have the right to ask us to erase the personal information we hold on you in certain circumstances.
- Right to restriction of processing. You have the right to ask us to restrict the processing of your personal information in certain circumstances.
- Right to object to processing. You have the right to object to us processing your personal information in certain circumstances.
- Right to data portability. You have the right to ask that we transfer the personal information we hold on you to another organisation, or to you, in certain circumstances.
Note: We do not use automated decision making and profiling as described in Article 4(4) and Article 22 of UK GDPR.
If you wish to exercise your rights, please contact us using the details below. Any request that you make is free of charge and we will respond to you as soon as possible, and at the latest within one calendar month.
9. How to contact us
Our Data Protection Officer is Ricardo da Silva. Flok Health can be contacted at
Flok Health Ltd
Lime Barn
Foxes Bridge Farm
Royston Lane
Comberton
Cambridge
CB23 7EET
Telephone: 0333 3396 052
Email: dpo@flok.health
10. How to make a complaint
You can make a complaint by contacting us using the contact details above.
If we are unable to satisfactorily resolve your complaint you may contact the UK Information Commissioner:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
Telephone: 0845 630 6060
Website: www.ico.gov.uk