Privacy Policy - User


General information about data handling

This Privacy Policy is specifically tailored for individuals and users who interact with our innovative solution for upper extremity therapy. This document outlines how information is handled with respect to our Application (as defined in this policy), thereby ensuring compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR). Our aim is to provide a holistic and supportive environment for individuals seeking insights, products, and guidance for our upper extremity therapy solution under the brand name ‘Squegg’. It also details the measures we take to protect this sensitive information. We prioritize the privacy and security of our users' personal information. We employ robust data protection measures, including secure data storage, encryption, and adherence to applicable data protection regulations. Our platform respects user confidentiality during consultation sessions, ensuring a safe and trusted environment for seeking professional help.

The protection of your private rights and freedoms is important to us; we only use data for the purposes intended. Since it is imperative to us that you know at all times to what extent we collect, use and, if necessary, pass your data on to third parties, we will subsequently inform you in detail about the processing of your personal data (collected via our Application). It is pertinent to mention that we collect, store or use your personal information for specific purposes. We use your information to support and enhance our service and relationship with you, to share products, services, news and other offerings with you, or for other legitimate reasons described by law. We share personal data within our company or (if need be) with third parties with your implicit consent, or as required by law, or with companies that help this Application fulfil its obligations to you and who share the same commitment to protecting your privacy and data.

For the purpose of this Privacy Policy, "Application" shall mean and include a Squegg integrated solution encompassing both a physical device and a digital application, specifically designed for upper extremity therapy. This includes focus areas such as grip strength training and hand therapy exercises. Squegg's offerings are facilitated through a combination of an interactive Application, which together aim to provide a comprehensive and user-friendly approach to rehabilitation and strength improvement for its users.

It is pertinent to mention that this privacy policy is specifically for the users of the Application (which may include patients as well). A user/patient will create their own account on the Application. They do this so that they can i) continue to use it to perform their own exercises related to upper extremity therapy, ii) use the Application for leisure or exercise purposes and/or iii) use it as connected with the Squegg Pro application.

As iterated above, the brand places a strong emphasis on the privacy and security of personal and health-related information, adhering to stringent health data protection regulations like HIPAA and GDPR. This commitment is reflected in the implementation of advanced data protection measures, including but not limited to secure data storage and encryption, ensuring the confidentiality and integrity of user data.

The data we collect about you.

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

In furtherance of facilitating the interaction with the Squegg Upper Extremity Therapy Solution ("Application"), we may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

Personal Information: This can include details such as the user's name, email address, physical address, phone number, age, sex, dominant hand and date of birth. This information is typically collected during the registration or sign-up process to create and manage user accounts.

Account Credentials: To secure user accounts, Application often requires users to create a username or unique identifier along with a password or other authentication credentials.

Transaction Information: When users engage in buying or selling activities on the site, transaction-related information is collected. This includes details such as the items purchased, prices, payment methods, shipping addresses, and order history.

Payment Information: Users are usually required to provide payment details, such as credit card numbers, bank account information, or payment processor account information. To enhance security, this information is typically encrypted and handled by trusted third-party payment processors.

Communication Data: When users communicate with each other through messaging systems or contact customer support, their communications may be collected and stored to facilitate customer service and dispute resolution.

Analytics and Usage Data: Marketplaces often collect analytics and usage data to understand how users interact with the platform, improve user experience, and make data-driven decisions. This can include information on user behavior, preferences, device information, IP addresses, and browsing history.

Reviews and Ratings: Users may be able to leave reviews and ratings for sellers or buyers. These reviews, along with associated usernames or identifiers, are collected to provide transparency and enable feedback mechanisms within the marketplace.

Usage Data: Application may collect data about your interactions with their services, such as the exercises you complete, the actions you take, and the duration of your therapy sessions. This data helps improve user experience and may be used for analytics purposes.

Communication Data: If you communicate with the Application or service provider through their platform (e.g., via messaging or email), those communications may be collected and stored.

We also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific Application feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

We collect Special Categories of Personal Data about you (this includes details about your health) as this is necessary for us to provide you with the best match of therapist to you. We do not collect any other special category including information about criminal convictions and offences.

In addition to the basic usage information, we collect detailed analytics on your interactions with our services. This includes, but is not limited to, specific exercises completed, the duration of therapy sessions, and user engagement with various features. This data is crucial for us to understand your needs better and to enhance the overall functionality and user experience of our Application.

We also store records of your communications with us for quality assurance and training purposes, ensuring that we can continually improve our customer support and service delivery.

If you fail to provide personal data where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel the service you have with us but we will notify you if this is the case at the time.    

How is your personal data collected?

We use different methods to collect data from and about you. You may give us data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you may:

register for access or create an account on our Application;

give us some feedback.  

Automated technologies or interactions. As you interact with our Application, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies.

Third parties or publicly available sources. We may receive personal data about you from various third parties and public sources including, without limitation, the following parties: analytics providers such as Google, based outside the EU.

We would typically store user data on secure servers or cloud platforms. These storage systems may employ encryption and other security measures to protect the data from unauthorized access or breaches. Data should be stored in compliance with applicable data protection regulations.

How we use your personal data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

Using the information we collect, we are able to deliver the services available to you and honor our Terms and Conditions contract with you. For example, we need to use your information to provide you your device activity, and to give you customer support.

The information we collect is also used to help improve and personalize the services and the application and to develop new ones. For example, we use the information to troubleshoot and protect against errors; perform data analysis and testing; conduct research and surveys; and develop new features and services.

In addition to the purposes mentioned, it is important to explicitly state that the information we collect plays a crucial role in the ongoing improvement and personalization of our services and the Application, as well as in the development of new products and features. Specifically, we use this data to:

Troubleshoot and protect against errors.

Perform data analysis and testing.

Conduct research and surveys.

Develop new features and services.

Furthermore, we wish to clearly communicate our practices regarding de-identified data. De-identified data is information from which all personally identifiable information has been removed. This type of data is vital for our research and development efforts and helps us enhance our existing services and create new ones. It is important for users to understand that Application retains ownership of de-identified data indefinitely and may use it for various purposes in compliance with applicable laws and regulations. We assure our users that the integrity and confidentiality of their personal information are maintained even in the process of data de-identification.

We also use your information to make inferences and show you more relevant content. For example, based on the games you play with the most frequency, we may make activity goals for you to help improve your grip strength.

We also use your information when needed to send you notifications and respond to you when you contact us. We also use your information to promote new features or products that we think you would be interested in. You can control marketing communications and most notifications by using your notification preferences or via the “unsubscribe” link in an email.

The information we collect is also used to promote the safety and security of the applications, our users, and other parties. For example, we may use the information to authenticate users, facilitate secure payments, protect against fraud and abuse, respond to a legal request or claim, conduct audits, and enforce our terms and policies.

Where we need to perform the contract we are about to enter into or have entered into with you. Note that, in this context, a contract does not have to be a formal signed document, or even written down, as long as there is an agreement which meets the requirements of contract law. Broadly speaking, this refers to your request to access hand therapy services via our platform and need to be contacted as part of this service that you require and for which there is a fee payable.

Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

Where we need to comply with a legal or regulatory obligation.

We will use clinicians' data to improve the Application in terms of recommending exercises.

We will also use the patients' information for our records to publish documents and build normative data.

We also see what kinds of therapies they give and what kinds of customizations they create in the exercises. All this information can aid in improving the Application.

We may track normative data and their usage of the device and application.

We may use any of the information that they enter into the application.

We reserve the right to legally utilize the data that the user has shared from their interaction with the therapist.

Generally, we do not rely on consent as a legal basis for processing your personal data. You have the right to withdraw consent to marketing at any time by contacting us.

In addition to using your information for service delivery, we also use it to create and maintain a comprehensive user profile. This helps us in offering personalized recommendations and targeted services that align with your specific therapy needs and preferences.

We also use aggregated and anonymized data for research and development purposes. This data, which no longer identifies you, helps us in improving our existing services and developing new features and technologies.

Purposes for which we will use your personal data

We have set out in this policy a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate. Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.

Promotional offers from us

We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you in our marketing activities.

You will receive marketing communications from us if you have requested information from us or purchased services from us.

Opting out

You can ask us to stop sending you marketing by following the opt-out links on any marketing message sent to you or by contacting us at any time.

Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product/service purchase, even registration, product/service experience or other transactions as we may still need to communicate with you about these products or services.

While transferring your data internationally, we ensure that it is protected with the same level of security and confidentiality as it is within your home country. We use advanced encryption and security protocols for data transmission to safeguard your information against unauthorized access or breaches.

To further enhance the security of your credit card information, we continuously monitor our systems for potential vulnerabilities and attacks, and we work closely with our payment processing vendors to ensure the highest level of security compliance.

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Of course, you are entitled to object to this new use of your data.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.  

Disclosures of your personal data

We may have to share your personal data with the parties set out in this policy.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.    

Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.    

Data retention - How long will you use my personal data for?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances you can ask us to delete your data. In some circumstances we may anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.    

Data Transfers and International Operations

We operate internationally and transfer information to the United States and other countries for the purposes described in this policy. We rely on several legal bases to lawfully transfer personal data around the world. These include your consent and US and EU Commission approved model contractual clauses, which require certain privacy and security protections.

Please note that the countries where we operate may have privacy and data protection laws that differ from and are potentially less protective than the laws of your country. You agree to this risk when you create your account, irrespective of which country you live in. If you change your mind and would like to withdraw your consent, you can delete your account.

Squegg is subject to the oversight of the US Federal Trade Commission and remains responsible for the transfer of personal information to others who process the same on our behalf and under our direction.

HIPAA Compliance

The Department of Health and Human Services has promulgated regulations at 45 Code of Federal Regulations Parts 160 and 164 implementing the privacy requirements and regulations at 45 C.F.R. Parts 160, 162 and 164 implementing the security requirements set forth in the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act, found in Title XIII of the American Recovery and Reinvestment Act of 2009, Public Law 111-005, and the regulations promulgated thereunder.

We expressly recognize the inherently sensitive nature of patient health information and affirm our unwavering commitment to compliance with HIPAA. Patient information, inclusive of Protected Health Information (PHI), is accorded the utmost confidentiality in accordance with HIPAA regulations. In addition, under HIPAA, you have the right to access and request amendments to your PHI. We provide clear channels for you to exercise these rights, as outlined on our Application.

Protected Health Information (PHI) includes individually identifiable health information transmitted or maintained in any form or medium, encompassing demographic data, medical histories, test results, and other information that can be linked to an individual's healthcare.

To safeguard PHI, we employ robust data encryption protocols during the transmission and storage of all patient information, ensuring that sensitive health data remains confidential, secure, and in compliance with HIPAA standards.

Access to patient information, especially PHI, is meticulously controlled, limited exclusively to authorized clinicians and essential support staff. Access controls are systematically implemented to forestall any unauthorized access, with user activities logged for meticulous auditing purposes. In the event of a data breach involving PHI, we have established a breach notification protocol to promptly inform affected individuals and relevant regulatory authorities, as required by HIPAA.


GDPR Compliance

When processing personal data, we strictly adhere to the requirements of the EU Data Protection Regulation (GDPR) and, if necessary, other data protection regulations as applicable. At any time you may contact us with any questions or concerns you may have with respect to this privacy policy.

If you live in the European Economic Area, UK, or Switzerland, please review these additional privacy disclosures under the EU’s General Data Protection Regulation (GDPR).

The BioSparrow Inc., a corporation organized under the laws of Florida, is your data controller and provides the Services if you live in the EEA, UK, or Switzerland. For our contact information please visit us at

To the extent that information we collect is health data or another special category of personal data subject to the GDPR, we ask for your explicit consent to process the data. We obtain this consent separately when you take actions leading to our obtaining the data. You can use the tools in the application to withdraw your consent at any time, including by stopping use of a feature, removing our access to a third-party service, unpairing your device, or deleting your data or your account.

The rights of data subjects

Chapter III of the EU Data Protection Regulation (GDPR) provides for extensive rights for data subjects, which we will explain to you below with regard to the processing of your personal data:

The right to be informed

This specification applies in particular to the following data processing details:

The purpose of the processing operation

Categories of data

If necessary, recipient or categories of recipients

If necessary, the planned storage duration or the criteria for determining this duration

Information on the respective right to correction, deletion, restriction or objection

Existence of a right of appeal to a supervisory authority

If necessary, origin of the data (if not collected from you)

If necessary, existence of automated decision making including profiling, and including meaningful information about the logic involved, the scope and the expected effects

If necessary, (planned) transfer to a third country or international organization

The right of rectification

If necessary, we will correct faulty data immediately if you inform us about the circumstance accordingly.

The right to deletion

If the processing is no longer necessary and one of the following conditions is fulfilled:

Expiry of the purpose of processing

Withdrawal of your consent and the absence of any other legal basis for processing

Opposition to processing without an important reason to the contrary

Illegal processing

Required to fulfil a legal obligation

Data collection in accordance with Art. 8 para. 1 GDPR

As part of the deletion request, we may pass on your request to those third parties to whom your data was previously transferred.

The right to restriction of processing

Provided one of the following conditions is met:

You dispute the accuracy of your data (restriction may be made on our site for the duration of the verification)

In the event of unlawful processing and provided that the data is not to be deleted, deletion shall be replaced by restriction of processing

If the processing purposes expire, at the same time you need your data to assert, exercise or defend legal claims

After your objection pursuant to Art. 21 para. 1 GDPR and for the duration of the examination, whether our justified reasons outweigh yours.

The right to data portability

As long as it is technically possible and the rights and freedoms of other persons are not affected, we will – at your request – transfer your data to another recipient (data controller).

Right to object

If we collect personal data from you or have it collected and process it (on the basis of Art. 6 Para. 1(e) or (f) or Art. 9 Para. 2(a) GDPR), you have the right to object to data processing (including profiling) at any time (with effect for the future). In exceptional cases, the objection may be invalid, e.g. if we can prove compelling legitimate interests for processing that outweigh your interests, or processing serves to assert, exercise or defend legal claims. If we process your personal data for direct marketing purposes, you have the right to object to such processing at any time. This also applies to any profiling connected with such direct advertising. You also have the right to object to the processing of the data we hold about you, which is carried out by us for scientific or historical research purposes or for statistical purposes in accordance with Art. 89 para. 1 GDPR unless such processing is necessary to fulfil a task in the public interest.

Automated individual decision-making including profiling

If we collect personal data from you or have it collected and process it, you have the right not to be subject to a decision based exclusively on automated processing – including profiling – which has a legal effect on you or significantly impairs you in a similar manner. Exceptions to this requirement apply if the decision to conclude or fulfil a contract between you and us is necessary or if you have expressly consented to the processing. In any event, we will take reasonable measures to protect your rights and freedoms and your legitimate interests, including at least the right on our part to obtain the intervention of a person to express our position and to challenge the decision.

Right to withdraw consent under the data protection laws

You have the right to revoke your consent to the processing of personal data at any time.

Information on data security

We secure your personal data processed by us against loss, destruction, access, modification or distribution of your data by unauthorized persons by appropriate technical and organizational measures. However, despite regular checks, complete protection against all risks is not possible.

Legal basis for processing

Upon engagement with the Squegg Upper Extremity Therapy solution, individuals explicitly manifest their consent for the collection and processing of personal information. This consent, acknowledged as "User Consent," serves as the unequivocal legal basis for the processing of data, thereby ensuring adherence to pertinent privacy laws and regulations.

User Consent extends to encompass the comprehensive collection, processing, and retention of information as outlined in this Privacy Policy. The user retains the right to revoke their consent at any time, subject to the acknowledgment that such revocation may impact the continued utilization of the Squegg Smart Grip Trainer/Application.

Furthermore, we process personal data according to the specifications of the GDPR, depending on the type and purpose of processing, as follows:

Where allowed by law                          Specification of the GDPR
Informed consent                              Art. 6 para. 1(a)
In performance of a contract                  Art. 6 para. 1(b)
Implementation of pre-contractual measures    Art. 6 para. 1(b)
Fulfilment of legal obligations               Art. 6 para. 1(c)
Protection of vital interests                 Art. 6 para. 1(d)
Safeguarding our legitimate interest          Art. 6 para. 1(f)

Furthermore, in addition to adhering to the specifications of the GDPR, we also ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA) for the handling of Protected Health Information (PHI) as follows:

Under HIPAA, we obtain explicit consent or authorization from individuals before using or disclosing their PHI, except in specific situations as outlined by the Act (such as for treatment, payment, or healthcare operations).

We adhere to the 'minimum necessary' standard of HIPAA, which stipulates that only the minimum necessary PHI should be used or disclosed to accomplish the intended purpose of the use or disclosure.

In compliance with the Privacy and Security Rules under HIPAA, we implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI.

In the event of a breach involving unsecured PHI, we follow HIPAA’s Breach Notification Rule to promptly notify affected individuals, the Department of Health and Human Services, and, in some cases, the media.

Consistent with HIPAA’s Privacy Rule, we respect patient rights regarding their PHI, including the right to access their PHI, request an amendment to their health records, and obtain an accounting of certain disclosures.

Our staff receives regular training on HIPAA regulations, and we conduct periodic assessments to ensure ongoing compliance with HIPAA standards.

We enter into Business Associate Agreements with third-party service providers who handle PHI on our behalf, ensuring they too adhere to HIPAA’s requirements.

Our legitimate interest

Our legitimate interest, as defined in Article 6 para. 1(f) GDPR, is based on the performance of our business activities to maintain our operability and to safeguard the employment of our employees.

General deadlines for data deletion

After elimination of the storage purpose, the retention periods are generally at least six or ten years. As a rule, the deletion of data generally takes place without delay in accordance with our deletion plan, insofar as it does not preclude any obligation to retain data, the need to fulfil a contract or a legitimate interest.

Deletion or blocking of personal data

We store your personal data only for the period necessary to fulfill the intended purpose. After elimination of the purpose and after expiration of any existing retention periods, your data will be deleted immediately. If deletion is not possible, the data will be blocked instead.

Obligation to provide personal data

Under certain conditions (e.g. due to legal or contractual regulations) you have the obligation to provide us with your personal data. Examples of such processing are as follows:

In addition to the various controls that we offer, in certain circumstances, you can seek to restrict our processing of your data, or object to our processing of your data based on our legitimate interests. Under the GDPR, you have a general right to object to the use of your information for direct marketing purposes. Similarly, under HIPAA, you have specific rights regarding the use and disclosure of your health information. This includes the right to request restrictions on certain uses and disclosures of Protected Health Information (PHI), especially disclosures to health plans for services you have paid for out-of-pocket in full. Please note that you can always delete your account at any time.


If you need further assistance regarding your rights, please contact our Data Protection Officer at hello@ attention: Data Protection Officer, and we will consider your request in accordance with applicable laws. You also have a right to lodge a complaint with your local data protection authority or with the US Federal Trade Commission.

Policies for Minors

Squegg allows parents to set up accounts for their children to use the device with the application. Parents or guardians must consent to the use of the minor’s data in accordance with this policy in order to create such an account.

Persons considered minors in their jurisdiction are not permitted to create accounts unless their parent or guardian has consented in accordance with the applicable law. If we learn that we have collected the personal information of a minor without parental consent, we will take steps to delete the information as soon as possible. Parents who believe that their minor children have submitted personal information.

Credit Card Information Protection

We understand the sensitivity and importance of your credit card information, and we are committed to ensuring its security and confidentiality. We engage third-party vendors to facilitate payment processing and related services. These vendors are carefully selected, and we ensure that they adhere to stringent security measures to protect your credit card information. Our third-party vendors are contractually bound to comply with security standards that align with or exceed industry best practices. Regular assessments and audits are conducted to verify that vendors maintain the required security standards.

While we take every reasonable precaution to protect your credit card information, we cannot guarantee absolute security due to the inherent risks associated with electronic transmissions. By using our Application and we, you acknowledge and accept these inherent risks and limitations.

Changes to the Privacy Policy

We will notify you through email or through the Application if any material changes should be made to this policy to give you an opportunity to review such changes before deciding if you would like to continue using the Application. You can email us at to ask for previous versions of our Privacy Policy.


How to Contact us

Should you have any questions about this policy or need help in exercising your rights in relation to this policy, please contact our Data Protection Officer at


You may also contact us at:

The BioSparrow, Inc. d/b/a SQUEGG

Attn: Legal Department (Privacy Policy)

13796 NW 19th Street,

Pembroke Pines

Florida 33028, U.S.A.