Privacy Policy - Pro


General information about data handling

This Privacy Policy is specifically tailored for clinicians who interact with our innovative solution for upper extremity therapy via the application namely ‘Squegg Pro Application’. This document outlines how patient, clinic, and clinician information is handled, ensuring compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR) with respect to our Application (as defined herein this policy). We prioritize the privacy and security of our users' personal information. We employ robust data protection measures, including secure data storage, encryption, and adherence to applicable data protection regulations.

For the Squegg Pro Application, data is handled distinctively for three key parties: the business of the clinic, the clinician, and the patient along with their Personal Health Information (PHI). We collect and manage data related to the business operations of clinics, such as administrative data, service usage patterns, and patient visits. This information is essential for providing a tailored experience for clinic business management. Clinician data encompasses professional details like qualifications, areas of specialization, appointment schedules, and consultation notes, ensuring a high standard of service and facilitating efficient clinic management. Patient data includes health records, therapy progress, and personal identifiers, mirroring the Squegg Privacy Policy, and is safeguarded in compliance with HIPAA and GDPR.

Additionally, the interaction between the Squegg Pro Application and the Squegg Core Application forms a unique ecosystem. Data from the Squegg Core Application, including usage statistics and biomarkers, are transmitted to the Squegg Pro Application for display, storage, and processing. This integration ensures seamless monitoring and assessment of therapy progress. Modifications and program changes initiated in the Squegg Pro Application are conveyed to the platform, ensuring that the latest therapy programs and updates are reflected and accessible to the users. The ecosystem facilitates a two-way communication flow, enabling notifications and messages to be exchanged between the two apps, enhancing user engagement and adherence to therapy protocols. It is imperative to us that you know at all times to what extent we collect, use and, if necessary, pass your data onto third parties, we will subsequently inform you in detail about the processing of your personal data. We use your information to support and enhance our service and relationship with you, to share products, services, news and other offerings with you, or for other legitimate reasons described by law.

We share personal data within our company or (if need be) to third parties with your implicit consent, or as required by law, or with companies that help this Application fulfil its obligations with you and who share same commitment to protecting your privacy and data.

In the context of this Privacy Policy, the term "User" encompasses three key groups: clinicians, the business of the clinic, and the patients under their care.

Clinicians are healthcare professionals who use the Application to enhance their provision of care, particularly in areas related to upper extremity therapy. They rely on the Application for patient management, therapy tracking, and accessing important clinical data.

The business of the clinic refers to the administrative and operational entities of healthcare facilities that utilize the Application. This includes aspects like clinic management, administrative tasks, financial transactions, and logistics. The Application serves to streamline these business operations and provide valuable insights for more efficient management.

Patients under their care constitute the individuals receiving treatment or therapy from the clinicians. The Application is a tool in their therapy journey, used for tracking progress, managing health records, and facilitating communication with healthcare providers. Patient data within the Application is treated with high confidentiality, adhering to privacy and regulatory standards.

The data we collect about you.

In furtherance of facilitating the interaction between the Squegg Upper Extremity Therapy Solution which includes but is not limited to the Squegg Pro Application, Squegg Core Application, aforementioned Application along with the entire eco-system in relation to same ("Application") and Users, we engage in the comprehensive collection and processing of information pertaining to the Users This includes, but is not limited to, the acquisition and processing of the clinician's full name and contact details, hereby acknowledged as "Clinician Information."

For the business of the clinic, we collect and process data that is essential for the efficient operation and management of the clinic's services. This encompasses, but is not limited to, business administrative details, service usage analytics, financial transactions, and operational logistics. This data, referred to as "Clinic Business Information," aids in tailoring our services to meet the specific needs and requirements of each clinic, ensuring optimal functionality and service delivery.

Regarding the patients under the care of clinicians, we handle a different set of data, which is crucial for the effective management of their therapy and treatment. This includes the collection and processing of patient health records, therapy session details, progress tracking, and personal identifiers, collectively known as "Patient Health Information" (PHI). Our handling of PHI is in strict compliance with HIPAA and GDPR, ensuring the highest standards of privacy and data security.

The comprehensive collection and processing of these three distinct categories of information - Clinician Information, Clinic Business Information, and Patient Health Information - enable a seamless and integrated experience on the Application. This approach not only enhances the functionality of the Application but also ensures that the needs of clinicians, clinics, and patients are effectively met, while maintaining the highest standards of data protection and privacy.

Clinical Information: Clinician Information encompasses, without limitation, the full name, business address, telephone number, email address. .

Purpose of Processing: The processing of Clinician Information from the Users is deemed essential for the effective utilization of the Application, ensuring that clinicians can engage with the functionalities provided while adhering to applicable legal and regulatory requirements.

Patient Information: In the context of the clinician-patient interaction facilitated by the Application, we diligently undertake the collection and processing of patient information. This includes, but is not confined to, the acquisition and processing of patient details, medical history, and grip strength data, collectively referred to as "Patient Information”. Patient Information encompasses, without limitation, the patient's full name, contact details, medical history, and precise data obtained during the utilization of the Application.

Purpose of Processing: The processing of Patient Information is deemed indispensable for tailoring therapeutic exercises and tracking the progress of patients, thereby contributing to the optimization of healthcare outcomes.

Furthermore, we may collect, use, store and transfer different kinds of personal data about Users which we have grouped together as follows, however for avoidance of doubt this list is non exhaustive in nature:

Personal Information: This can include details such as the user's name, email address, physical address, phone number, age, sex, dominant hand and date of birth. This information is typically collected during the registration or sign-up process to create and manage user accounts.

Account Credentials: To secure user accounts, Applications often require users to create a username or unique identifier along with a password or other authentication credentials.

Transaction Information: When users engage in buying or selling activities on the site, transaction-related information is collected. This includes details such as the items purchased, prices, payment methods, shipping addresses, and order history.

Payment Information: Users are usually required to provide payment details, such as credit card numbers, bank account information, or payment processor account information. To enhance security, this information is typically encrypted and handled by trusted third-party payment processors.

Communication Data: When users communicate with each other through messaging systems or contact customer support, their communications may be collected and stored to facilitate customer service and dispute resolution.

Reviews and Ratings: Users may be able to leave reviews and ratings for sellers or buyers. These reviews, along with associated usernames or identifiers, are collected to provide transparency and enable feedback mechanisms within the marketplace.

Usage Data: Applications may collect data about your interactions with their services, such as the the actions you take, and the duration of your sessions. This data helps improve user experience and may be used for analytics purposes.

We also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific Application feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

We collect Special Categories of Personal Data about you (this includes details about your health) as this is necessary for us to provide you with the best match of therapist to you. We do not collect any other special category including information about criminal convictions and offences.

If you fail to provide personal data where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel the service you have with us but we will notify you if this is the case at the time.    

How is User’s personal data collected?

We use different methods to collect data from and about you. You may give us data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you may:

register for access or create an account on our application;

give us some feedback.  

Automated technologies or interactions. As you interact with our Application, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive technical data about you if you visit other Applications employing our cookies.

Third parties or publicly available sources. We may receive personal data about you from various third parties and public sources including without limitation to from the following parties: analytics providers such as Google, based outside the EU.

We would typically store user data on secure servers or cloud platforms. These storage systems may employ encryption and other security measures to protect the data from unauthorized access or breaches. Data should be stored in compliance with applicable data protection regulations

How we use your personal data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

Using the information, we collect, we are able to deliver the services available to you and honor our Terms and Conditions contract with you. For example, we need to use your information to provide you your device activity, and to give you customer support.

The information we collect is also used to help improve and personalize the services and the Application and to develop new ones. For example, we use the information to troubleshoot and protect against errors; perform data analysis and testing; conduct research and surveys; and develop new features and services.

We also use your information to make inferences and show you more relevant content. For example, based on the games you play with the most frequency, we may make activity goals for you to help improve your grip strength.

We also use your information when needed to send you notifications and respond to when you contact us. We also use your information to promote new features or products that we think you would be interested in. You can control marketing communications and most notifications by using your notification preferences or via the “unsubscribe” link in an email.

The information we collect is also used to promote the safety and security of the Applications, our Users, and other parties. For example, we may use the information to authenticate users, facilitate secure payments, protect against fraud and abuse, respond to a legal request or claim, conduct audits, and enforce our terms and policies. We also use cookies and other similar technology for the purposes as described above.

Where we need to perform the contract we are about to enter into or have entered into with you. Note that, in this context, a contract does not have to be a formal signed document, or even written down, as long as there is an agreement which meets the requirements of contract law. Broadly speaking, this refers to your request to access hand therapy services via our platform and need to be contacted as part of this service that you require and for which there is a fee payable.

Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

Where we need to comply with a legal or regulatory obligation.

Generally, we do not rely on consent as a legal basis for processing your personal. You have the right to withdraw consent to marketing at any time by contacting us.  

Purposes for which we will use your personal data

We have set out herein this policy, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate. Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.……………………………………………………...

Promotional offers from us

We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you in our marketing activities.

You will receive marketing communications from us if you have requested information from us or purchased services from us.

Opting out

You can ask us to stop sending you marketing by following the opt-out links on any marketing message sent to you or by contacting us at any time.

Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product/service purchase, even registration, product/service experience or other transactions as we may still need to communicate with you about these products or services.

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so, of course you entitled to object to this new use of your data.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.  

Disclosures of your personal data

We may have to share your personal data with the parties set out herein this policy.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.    

Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.    

Data retention - How long will you use my personal data for?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances you can ask us to delete your data. In some circumstances we may anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.    

Data Transfers and International Operations

We operate internationally and transfer information to the United States and other countries for the purposes described in this policy. We rely on several legal bases to lawfully transfer personal data around the world. These include your consent and US and EU Commission approved model contractual clauses, which require certain privacy and security protections.

Please note that the countries where we operate may have privacy and data protection laws that differ from and are potentially less protective than the laws of your country. You agree to this risk when you create your account, irrespective of which country you live in. If you change your mind and would like to withdraw your consent, you can delete your account.

Squegg is subject to the oversight of the US Federal Trade Commission and remains responsible for the transfer of personal information to others who process the same on our behalf and under our direction.

HIPAA Compliance

The Department of Health and Human Services has promulgated regulations at 45 Code of Federal Regulations Parts 160 and 164 implementing the privacy requirements and regulations at 45 C.F.R. Parts 160, 162 and 164 implementing the security requirements set forth in the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act, found in Title XIII of the American Recovery and Reinvestment Act of 2009, Public Law 111-005, and the regulations promulgated thereunder.

We expressly recognize the inherently sensitive nature of patient health information and affirms its unwavering commitment to compliance with the HIPAA. Patient information, inclusive of Protected Health Information (PHI), is accorded the utmost confidentiality in accordance with HIPAA regulations.

Protected Health Information (PHI) includes individually identifiable health information transmitted or maintained in any form or medium, encompassing demographic data, medical histories, test results, and other information that can be linked to an individual's healthcare.

To safeguard PHI, we employ robust data encryption protocols during the transmission and storage of all patient information, ensuring that sensitive health data remains confidential, secure, and in compliance with HIPAA standards.

Access to patient information, especially PHI, is meticulously controlled, limited exclusively to authorized clinicians and essential support staff. Access controls are systematically implemented to forestall any unauthorized access, with user activities logged for meticulous auditing purposes.


GDPR Compliance

When processing personal data, we strictly adhere to the requirements of the EU Data Protection Regulation (GDPR) and, if necessary, other data protection regulations as applicable. At any time you may contact us with any questions or concerns you may have with respect to this privacy policy.

If you live in the European Economic Area, UK, or Switzerland, please review these additional privacy disclosures under the EU’s General Data Protection Regulation (GDPR).

The BioSparrow Inc., a corporation organized under the laws of Florida, is your data controller and provides the Services if you live in the EEA, UK, or Switzerland. For our contact information please visit us at

 To the extent that information we collect is health data or another special category of personal data subject to the GDPR, we ask for your explicit consent to process the data. We obtain this consent separately when you take actions leading to our obtaining the data. You can use the tools in the application to withdraw your consent at any time, including by stopping use of a feature, removing our access to a third-party service, unpairing your device, or deleting your data or your account

The rights of data subjects

Chapter III of the EU Data Protection Regulation (GDPR) provides for extensive rights for data subjects, which we will explain to you below with regard to the processing of your personal data:

The right to be informed

This specification applies in particular to the following data processing details:

  • The purpose of the processing operation
  • Categories of data
  • If necessary, recipient or categories of recipients
  • If necessary, the planned storage duration or the criteria for determining this duration
  • Information on the respective right to correction, deletion, restriction or objection
  • Existence of a right of appeal to a supervisory authority
  • If necessary, origin of the data (if not collected from you)
  • If necessary, existence of automated decision making including profiling, and including meaningful information about the logic involved, the scope and the expected effects
  • If necessary, (planned) transfer to a third country or international organization

The right of rectification

If necessary, we will correct faulty data immediately if you inform us about the circumstance accordingly.

The right to deletion

If the processing is no longer necessary and one of the following conditions is fulfilled:

  • Expiry of the purpose of processing
  • Withdrawal of your consent and the absence of any other legal basis for processing
  • Opposition to processing without an important reason to the contrary
  • Illegal processing
  • Required to fulfil a legal obligation
  • Data collection in accordance with Art. 8 para. 1 GDPR
  • As part of the deletion request, we may pass on your request to those third parties to whom your data was previously transferred.

The right to restriction of processing

Provided one of the following conditions is met:

  • You dispute the accuracy of your data (restriction may be made on our site for the duration of the verification)
  • In the event of unlawful processing and provided that the data is not to be deleted, deletion shall be replaced by restriction of processing
  • If the processing purposes expire, at the same time you need your data to assert, exercise or defend legal claims
  • After your objection pursuant to Art. 21 para. 1 GDPR and for the duration of the examination, whether our justified reasons outweigh yours.

The right to data portability

As long as it is technically possible and the rights and freedoms of other persons are not affected, we will – at your request – transfer your data to another recipient (data controller).

Right to object

If we collect personal data from you or have it collected and process it (on the basis of Art. 6 Para. 1(e) or (f) or Art. 9 Para. 2(a) GDPR), you have the right to object to data processing (including profiling) at any time (with effect for the future). In exceptional cases, the objection may be invalid, e.g. if we can prove compelling legitimate interests for processing that outweigh your interests, or processing serves to assert, exercise or defend legal claims. If we process your personal data for direct marketing purposes, you have the right to object to such processing at any time. This also applies to any profiling connected with such direct advertising. You also have the right to object to the processing of the data we hold about you, which is carried out by us for scientific or historical research purposes or for statistical purposes in accordance with Art. 89 para. 1 GDPR unless such processing is necessary to fulfil a task in the public interest.

Automated individual decision-making including profiling

If we collect personal data from you or have it collected and process it, you have the right not to be subject to decision based exclusively on automated processing – including profiling – which has a legal effect on you or significantly impairs you in a similar manner. Exceptions to this requirement apply if the decision to conclude or fulfil a contract between you and us is necessary or if you have expressly consented to the processing. In any event, we will take reasonable measures to protect your rights and freedoms and your legitimate interests, including at least the right on our part to obtain the intervention of a person to express our position and to challenge the decision.

Right to withdraw consent under the data protection laws

You have the right to revoke your consent to the processing of personal data at any time.

Information on data security

We secure your personal data processed by us against loss, destruction, access, modification or distribution of your data by unauthorized persons by appropriate technical and organizational measures. However, despite regular checks, complete protection against all risks is not possible.

Legal basis for processing

Upon engagement with the Application, clinicians explicitly manifest their consent for the collection and processing of both Clinician Information and Patient Information. This consent, acknowledged as "Clinician Consent," serves as the unequivocal legal basis for the processing of data, thereby ensuring adherence to pertinent privacy laws and regulations.

Clinician Consent extends to encompass the comprehensive collection, processing, and retention of Clinician Information and Patient Information as outlined in this Privacy Policy. Clinicians retain the right to revoke their consent at any time, subject to the acknowledgment that such revocation may impact the continued utilization of the Application.

Furthermore, we process personal data according to the specifications of the GDPR, depending on the type and purpose of processing, as follows:

Where allowed by law Specification of the GDPR
Informed consent Art. 6 para. 1(a)
In performance of a contract Art. 6 para. 1(b)
Implementation of pre-contractual measures Art. 6 para. 1(b)
Fulfilment of legal obligations Art. 6 para. 1(c)
Protection of vital interests Art. 6 para. 1(d)
Safeguarding our legitimate interest Art. 6 para. 1(f)

Our legitimate interest

Our legitimate interest, as defined in Article 6 para. 1(f) GDPR, is based on the performance of our business activities to maintain our operability and to safeguard the employment of our employees.

General deadlines for data deletion

After elimination of the storage purpose, the retention periods are generally at least six or ten years. As a rule, the deletion of data generally takes place without delay in accordance with our deletion plan, insofar as it does not preclude any obligation to retain data, the need to fulfil a contract or a legitimate interest.

Deletion or blocking of personal data

We store your personal data only for the period necessary to fulfill the intended purpose. After elimination of the purpose and after expiration of any existing retention periods, your data will be deleted immediately. If deletion is not possible, the data will be blocked instead.

Obligation to provide personal data

Under certain conditions (e.g., due to legal or contractual regulations) you have the obligation to provide us with your personal data. Examples of such processing are as follows:

In addition to the various controls that we offer, in certain circumstances, you can seek to restrict our processing of your data, or object to our processing of your data based on our legitimate interests. Under the GDPR, you have a general right to object to the use of your information for direct marketing purposes. Please note that you can always delete your account at any time.

If you need further assistance regarding your rights, please contact our Data Protection Officer at attention: Data Protection Officer, and we will consider your request in accordance with applicable laws. You also have a right to lodge a complaint with your local data protection authority or with the US Federal Trade Commission.

If you need further assistance regarding your rights, please contact our Data Protection Officer at attention: Data Protection Officer, and we will consider your request in accordance with applicable laws. You also have a right to lodge a complaint with your local data protection authority or with the US Federal Trade Commission.



In accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its subsequent amendments, this Privacy Policy includes provisions to ensure the protection and confidential handling of Protected Health Information (PHI).

Under HIPAA, PHI includes any information in a medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service, such as diagnosis or treatment. This also includes demographic information collected from an individual.

We will use and disclose PHI only as necessary to fulfill the purposes outlined in this Privacy Policy, including but not limited to providing the Application's functionalities, improving patient care, and complying with legal obligations. All such use and disclosure will be in compliance with the applicable provisions of HIPAA.

We implement robust administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI. These measures include encryption, access control, and secure data storage, among others.

Patients have rights concerning their PHI in line with HIPAA regulations. These rights include the ability to review and obtain a copy of their PHI, request corrections, and receive an account of disclosures.

We ensure that all employees, contractors, and other members of our workforce who have access to PHI are trained on the proper handling of such information in compliance with HIPAA regulations. We regularly review and update our practices to maintain compliance with HIPAA standards.

Any breach of PHI will be addressed promptly, and affected individuals will be notified as required by HIPAA and other applicable laws. We also maintain records of PHI disclosures and breaches as required by law.

Our commitment to protecting the privacy and security of PHI is paramount, and we continuously strive to uphold the highest standards of data protection in accordance with HIPAA and other relevant privacy laws and regulations.

Policies for Minors

Squegg allows parents to set up accounts for their children to use the device with the application. Parents or guardians must consent to the use of the minor’s data in accordance with this policy in order to create such an account.

Persons considered minors in their jurisdiction are not permitted to create accounts unless their parent or guardian has consented in accordance with the applicable law. If we learn that we have collected the personal information of a minor without parental consent, we will take steps to delete the information as soon as possible. Parents who believe that their minor children have submitted personal information.

Changes to the Privacy Policy

We will notify you through email or through the App if any material changes should be made to this policy to give you an opportunity to review such changes before deciding if you would like to continue using the App. You can email us at to ask for previous versions of our Privacy Policy.


How to Contact us

Should you have any questions about this policy or need help in exercising your rights in relation to this policy, please contact our Data Protection Officer at


You may also contact us at:

The BioSparrow, Inc. d/b/a SQUEGG

Attn: Legal Department (Privacy Policy)

13796 NW 19th Street.,

Pembroke Pines

Florida 33028, U.S.A.