Trust & Security

Kinesia helps clinicians - physiotherapists, chiropractors, and osteopaths - create personalised exercise programs - including video demonstrations - and share them securely with patients. Protecting patient data isn't just a feature; it's foundational to how we've built every part of the platform.

Encrypted at every stage

All data is encrypted in transit using TLS (the same encryption standard used by banks and hospitals) and at rest using AES-256 (a government-grade encryption standard). Whether information is moving between your phone and our servers or sitting in our database, it's protected from unauthorised access.

Your data stays yours

Every clinician can only access their own patients and programs. This isn't just an app-level rule - it's enforced directly in the database itself, so even a software bug couldn't expose another practitioner's data. Patients can only view programs that have been specifically sent to them.
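The database-level enforcement described above is what PostgreSQL calls row-level security (RLS), which Supabase exposes to its users. The following is an added illustration of that technique, not Kinesia's actual schema or policies: the table, column and policy names are assumptions, and auth.uid() is Supabase's helper that returns the caller's user id from the request JWT.

```sql
-- Added example (not Kinesia's schema): scoping each clinician to their own
-- patients and programs with PostgreSQL row-level security, Supabase-style.
-- Table, column and policy names are assumptions for illustration only.

create table patients (
  id            uuid primary key default gen_random_uuid(),
  clinician_id  uuid not null references auth.users (id),
  full_name     text not null
);

create table programs (
  id            uuid primary key default gen_random_uuid(),
  clinician_id  uuid not null references auth.users (id),
  patient_id    uuid not null references patients (id),
  title         text not null
);

-- Which patient accounts a program has been explicitly sent to.
create table program_shares (
  program_id       uuid not null references programs (id) on delete cascade,
  patient_user_id  uuid not null references auth.users (id),
  primary key (program_id, patient_user_id)
);

-- Enable RLS: with no matching policy a row is invisible, whatever the query
-- says. "force" applies the policies to the table owner as well.
alter table patients       enable row level security;
alter table programs       enable row level security;
alter table program_shares enable row level security;
alter table patients       force row level security;
alter table programs       force row level security;
alter table program_shares force row level security;

-- A clinician can read and write only rows they own. USING filters existing
-- rows; WITH CHECK stops a clinician inserting rows under someone else's id.
create policy clinician_owns_patients on patients
  for all to authenticated
  using (clinician_id = auth.uid())
  with check (clinician_id = auth.uid());

create policy clinician_owns_programs on programs
  for all to authenticated
  using (clinician_id = auth.uid())
  with check (clinician_id = auth.uid());

create policy clinician_manages_shares on program_shares
  for all to authenticated
  using (exists (select 1 from programs p
                 where p.id = program_shares.program_id
                   and p.clinician_id = auth.uid()))
  with check (exists (select 1 from programs p
                      where p.id = program_shares.program_id
                        and p.clinician_id = auth.uid()));

-- A patient can see a share row addressed to them, and through it read-only
-- the program it points at. Nothing else on these tables is visible to them.
create policy patient_reads_own_shares on program_shares
  for select to authenticated
  using (patient_user_id = auth.uid());

create policy patient_reads_shared_programs on programs
  for select to authenticated
  using (exists (select 1 from program_shares s
                 where s.program_id = programs.id
                   and s.patient_user_id = auth.uid()));

-- Check: simulate a logged-in clinician and run a query with no WHERE clause.
-- Only that clinician's rows come back, which is the "even a software bug"
-- property: application code that forgets its filter still cannot leak data.
-- set local role authenticated;
-- select set_config('request.jwt.claims', '{"sub":"<clinician uuid>"}', true);
-- select count(*) from programs;
```

Two practitioner notes on this pattern: policies are evaluated for the subqueries inside other policies too, which is why program_shares needs its own patient-readable policy before the program policy that references it can work; and Supabase's service-role key bypasses RLS entirely, so it belongs only in trusted server-side code, never in a client application.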

Identity verified, no passwords needed

Before a patient can view any program, they verify their identity with a one-time code sent to their email. Codes expire after a short window and the account locks temporarily after failed attempts. Patients never need to create an account or remember a password.
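One way to implement a one-time email code with a short expiry and a temporary lockout after failed attempts, keeping the whole check inside the database so the application cannot skip it. This is an added example, not Kinesia's code: the table and function names, the 6-digit code length, and the 10-minute expiry, 5-attempt limit and 15-minute lockout are all assumptions chosen for illustration; it uses PostgreSQL's pgcrypto extension, which Supabase ships.

```sql
-- Added example (not Kinesia's code): passwordless one-time codes with
-- expiry and lockout enforced in PostgreSQL. Names and numbers are assumed.
create extension if not exists pgcrypto;

create table email_otp (
  email         text primary key,
  code_hash     text not null,        -- only a bcrypt hash of the code is kept
  expires_at    timestamptz not null,
  failed_count  int not null default 0,
  locked_until  timestamptz            -- null when the address is not locked
);

-- Keep the table itself away from API roles; they may only call the functions.
revoke all on email_otp from anon, authenticated;

-- Issue a fresh code for an address and return it so the caller can email it.
-- gen_random_bytes gives a cryptographically strong source, unlike random().
create or replace function issue_otp(p_email text) returns text
language plpgsql security definer set search_path = public as $$
declare
  v_bytes bytea := gen_random_bytes(4);
  v_code  text  := lpad(((get_byte(v_bytes, 0)::bigint * 16777216
                        + get_byte(v_bytes, 1) * 65536
                        + get_byte(v_bytes, 2) * 256
                        + get_byte(v_bytes, 3)) % 1000000)::text, 6, '0');
begin
  insert into email_otp (email, code_hash, expires_at, failed_count)
  values (lower(p_email), crypt(v_code, gen_salt('bf')),
          now() + interval '10 minutes', 0)
  on conflict (email) do update
    set code_hash    = excluded.code_hash,
        expires_at   = excluded.expires_at,
        failed_count = 0;   -- a new code resets the counter but not a lockout
  return v_code;
end $$;

-- Verify a submitted code. Returns true exactly once per issued code.
create or replace function verify_otp(p_email text, p_code text) returns boolean
language plpgsql security definer set search_path = public as $$
declare
  r email_otp%rowtype;
begin
  -- Row lock so two concurrent guesses cannot both slip under the limit.
  select * into r from email_otp where email = lower(p_email) for update;
  if not found then
    return false;
  end if;

  -- Temporarily locked: refuse without even looking at the code.
  if r.locked_until is not null and r.locked_until > now() then
    return false;
  end if;

  -- Expired: the code is dead, but the failure counter and lock are kept.
  if r.expires_at < now() then
    return false;
  end if;

  if crypt(p_code, r.code_hash) = r.code_hash then
    delete from email_otp where email = r.email;   -- consumed: one-time only
    return true;
  end if;

  -- Wrong code: count it, and lock the address after the fifth failure.
  update email_otp
     set failed_count = failed_count + 1,
         locked_until = case when failed_count + 1 >= 5
                             then now() + interval '15 minutes' end
   where email = r.email;
  return false;
end $$;

grant execute on function issue_otp(text) to anon;
grant execute on function verify_otp(text, text) to anon;
```

Because the functions are security definer and the API roles have no rights on the table, the only path to a code's hash or to the failure counter is through these two functions; an application bug cannot read a code back or reset the lock, and a verified code cannot be replayed because success deletes the row.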

Private by default

Exercise videos and documents are stored in private storage with no publicly accessible URLs. When a verified user needs access, the system generates a time-limited link that expires automatically. These links cannot be guessed, reused, or shared.

AI that respects privacy

When a clinician uses Kinesia's AI assistant to help build a program, only the clinical notes they type are processed. Patient names, email addresses, phone numbers, videos, and files are never sent to the AI provider. Our AI provider, Anthropic, does not store or use submitted data for training under their commercial API terms.

Built on trusted infrastructure

Kinesia is built on industry-leading cloud providers with independently audited security practices:

  • Supabase (database & authentication) - SOC 2 Type II certified
  • Cloudflare (content delivery & file storage) - SOC 2 Type II, ISO 27001
  • Anthropic (AI provider) - commercial API with zero data retention

Deleted means deleted

When a clinician deletes a program, everything associated with it - exercises, videos, documents, progress notes, and sharing links - is permanently removed. Data is not archived or hidden. It is irreversibly deleted from our systems.

What we'll never do

  • We never sell or share patient data with third parties
  • We never show ads or use patient data for marketing
  • We never use tracking cookies or follow patients across other websites
  • We never collect more personal information than is needed to deliver the service