Privacy Policy.
Effective date: 9 June 2026 · Version 1.0
This Privacy Policy explains how Digital Gait Labs Limited ("Digital Gait Labs", "we", "us", "our") collects, uses, shares and protects information when you use the GaitKeeperGo iOS application, the Digital Gait Labs Cloud dashboard at app.gaitkeeper.ie, and related services (together, the "Services").
We are committed to protecting personal data and complying with the EU General Data Protection Regulation (GDPR), the Irish Data Protection Act 2018, the UK GDPR, and applicable equivalent laws in territories where the Services are available.
1. Who is the data controller?
Different parts of the Services involve different data-controller relationships. We explain each below because it determines who you should contact about your rights.
1.1 Patient data — the deploying healthcare provider is the controller
When a clinician uses GaitKeeperGo to assess a patient, the resulting test data (gait speed, Timed Up & Go, MobilityDNA scores, video and pose keypoints) is collected on behalf of the clinician or the healthcare organisation that has deployed the Services. The deploying healthcare provider is the data controller for that patient data. Digital Gait Labs acts as a data processor on the controller's behalf, under a written Data Processing Agreement.
If you are a patient and want to exercise your data-protection rights in relation to a test recorded about you, please contact the clinician or clinic that performed the test.
1.2 Clinician account data — Digital Gait Labs is the controller
For information we collect directly from clinicians or clinics to operate the Services (account email, password, device identifiers, billing information, support communications), Digital Gait Labs is the data controller. Contact details for exercising your rights are at the end of this policy.
2. Information we collect
2.1 Information you provide directly
- Account details — when you create a Clinic Login for the Cloud dashboard: email address and a password (stored as a bcrypt hash, not in clear text).
- Patient identifiers entered by clinicians — patient name or pseudonymous reference, used to associate tests with a patient record. Patient names are stored locally on the device and synchronised to the Cloud only when the clinician chooses to enable cloud sync.
- Communications — when you email us at support@digitalgaitlabs.com or use the contact form on our website.
2.2 Information collected automatically through the iOS app
- Device identifier — an iOS vendor identifier (UUID) is generated by iOS on first launch and stored in the device Keychain. Used as the device's identity within our system.
- API token — a server-issued bearer token used to authenticate uploads from the device to our API.
- Clinic Code — a short alphanumeric code that groups tests from one or more devices under a clinic. Auto-generated for solo users; user-editable for clinic deployments. Stored in the device Keychain.
- Device model and iOS version — to support diagnostics and compatibility checks.
2.3 Clinical measurement data (when cloud sync is enabled)
When a clinician enables Cloud sync, the following information generated during a test is uploaded to our Cloud platform:
- Test results (JSON) — gait speed, Timed Up & Go phase times, falls-risk classification, MobilityDNA 8-domain scores, line-crossing events, and 17-joint pose keypoints for every frame of the test. Approximately 10–15 MB per test.
- Test video — a screen recording of the walk session (.mov format), 15–200 MB per test, including the AR overlay visible during the test.
- Test metadata — timestamp, device identifier, clinic code, patient association (if any), test type, app version.
If cloud sync is not enabled, this data remains exclusively on the device and is not transmitted to our infrastructure.
2.4 Information collected through purchases
In-app purchases (test credit packs and Cloud subscriptions) are processed by Apple Inc. through the App Store and by our payments partner RevenueCat, Inc. We receive purchase confirmation data including the product identifier, transaction identifier, purchase date, and (for subscriptions) renewal status. We do not receive your full payment-card details.
2.5 Diagnostics and crash data
If you opt in via your device settings, anonymous diagnostic and crash data may be sent to Apple and shared with us by Apple. This data is not directly identifiable and is used only to improve app stability.
3. How we use information
We use the information described above to:
- Provide and operate the Services — including running gait assessments, processing test uploads, and rendering clinical dashboards.
- Authenticate devices and accounts and enforce multi-tenancy (so a clinic's tests are visible only to that clinic).
- Process subscriptions and consumable in-app purchases.
- Provide technical support and respond to enquiries.
- Improve product quality, reliability and accuracy of measurement algorithms (in an aggregated form, not for advertising).
- Comply with legal obligations, including tax, accounting, and applicable medical-device record-keeping requirements.
We do not use information for advertising or for sale to third parties. We do not engage in cross-context behavioural advertising, and we do not share patient data with advertisers.
4. Legal basis for processing (GDPR)
The legal bases on which we rely under Article 6 of the GDPR are:
- Performance of a contract — when we process information necessary to operate your account or deliver a paid feature you have purchased.
- Legitimate interests — for service improvement, security, fraud prevention, and product analytics, where these do not override your fundamental rights.
- Legal obligation — for accounting, tax, and any applicable medical-device record-keeping.
- Explicit consent — for any processing of special-category (health) data where consent is the appropriate basis. In most clinical-use scenarios the legal basis under Article 9(2)(h) — provision of healthcare or treatment — is established by the deploying clinician/clinic in their role as controller of patient data.
5. How we share information
We share information only with the following categories of recipient, and only as necessary to deliver the Services:
- Cloud infrastructure providers — Google Cloud (GCP), region europe-west1 (Belgium), hosts our production database, API, and dashboard. Data is encrypted at rest and in transit. A development environment is hosted with Hetzner Online (Germany) for non-production data only.
- Apple Inc. — receives in-app purchase data through the App Store and may receive anonymous diagnostic data through iOS reporting.
- RevenueCat, Inc. (United States) — processes subscription state and entitlement management.
- Email and communications providers — to deliver support emails and account notifications.
- Professional advisors — accountants, auditors, and legal advisors bound by confidentiality obligations.
- Authorities — where we are required to do so by law, court order, or to protect our legal rights.
Where data is transferred outside the European Economic Area (EEA), we rely on appropriate safeguards — Standard Contractual Clauses (SCCs) approved by the European Commission, the EU-US Data Privacy Framework where applicable, or other valid transfer mechanisms.
6. How long we keep information
- Patient test data — retained for as long as the deploying healthcare provider instructs, in accordance with the Data Processing Agreement between us. Patient data is deleted on request from the deploying controller within 30 days, except where retention is required by law.
- Clinician account data — retained for the lifetime of the account and for 12 months after closure to support reactivation and dispute resolution.
- Purchase and billing records — retained for 7 years to meet Irish accounting and tax obligations.
- Support communications — retained for 24 months from last contact.
- Server and security logs — retained for up to 90 days for incident-response and security analysis.
7. Your rights
Subject to applicable law, you have the right to:
- Access the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion of your data, subject to lawful retention requirements.
- Restriction — restrict our processing of your data in certain circumstances.
- Portability — receive a copy of your data in a structured, machine-readable format and transmit it to another controller.
- Object — object to processing carried out under our legitimate interests.
- Withdraw consent — where processing relies on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of prior processing.
- Not be subject to automated decision-making — GaitKeeperGo produces clinical measurements and rule-based interpretations but does not make automated decisions about you that produce legal or similarly significant effects. Final clinical judgement always rests with a qualified healthcare professional.
To exercise these rights, contact us at support@digitalgaitlabs.com. We will respond within 30 days. For patient data, please contact the deploying clinician or clinic in the first instance.
8. Security
Digital Gait Labs operates an information-security programme aligned with the ISO/IEC 27001 Information Security Management framework. We apply encryption in transit (TLS) and at rest, role-based access controls, and defence-in-depth architectural principles. The Services are subjected to regular penetration testing following the OWASP methodology, and findings are tracked to remediation.
9. Children
The Services are intended for use by trained healthcare professionals. The GaitKeeperGo iOS app is not directed at children, and we do not knowingly collect personal data directly from children. Clinical assessments of paediatric patients are conducted by clinicians on behalf of, and under the responsibility of, the deploying healthcare provider.
10. AI and automated processing
GaitKeeperGo uses on-device artificial intelligence and augmented-reality technology to capture and quantify gait. Outputs include the MobilityDNA mobility fingerprint and a rule-based clinical interpretation generated offline on the device.
Under the EU AI Act, GaitKeeperGo is classified as Minimal Risk; Article 50 transparency obligations apply but the system is not high-risk under Annex III. The embedded AI Assistant is trained exclusively on measurement methodology and gait assessment procedures, does not provide medical advice, and does not access patient data. Final clinical judgement rests entirely with the qualified healthcare professional.
11. Cookies and similar technologies
Our marketing website at digitalgaitlabs.com uses strictly necessary cookies plus a single privacy-respecting analytics cookie from StatCounter. The analytics cookie loads only after you give consent via the banner shown on your first visit. If you decline, no analytics cookie is set and no analytics data is collected about your session.
What StatCounter records (only if you accept) — page views, page-to-page navigation paths, the country of the visit (derived from the IP address, which is not stored alongside the visit by default), referring website (e.g., a press article that linked to us), broad browser and device type, and the visit's date and time. StatCounter does not record personally identifiable information about you, and we do not combine this analytics data with any other personal data we hold.
Your consent choice is remembered in your browser's local storage (key: dgl-analytics-consent) so we do not show the banner again. You can change your choice at any time by clearing your site data in your browser's privacy settings and reloading the page — the banner will reappear.
The Cloud dashboard at app.gaitkeeper.ie uses session cookies and local storage to maintain your logged-in state. We do not use third-party advertising or behavioural-tracking cookies anywhere in the Services.
StatCounter is operated by StatCounter (an Irish company). For details of StatCounter's own data handling, see their privacy and legal pages.
12. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will revise the effective date at the top of this page and, where the changes are material, notify you through the app or by email. Continued use of the Services after a change indicates acceptance of the updated policy.
13. Contact us
For any questions about this Privacy Policy or to exercise your rights, contact:
Digital Gait Labs Limited
Dublin, Ireland
Email: support@digitalgaitlabs.com
Web: www.digitalgaitlabs.com
14. Supervisory authority
You have the right to lodge a complaint with a data-protection supervisory authority. Our lead supervisory authority is the Irish Data Protection Commission:
Data Protection Commission
21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
Web: www.dataprotection.ie
Phone: +353 (0)761 104 800
GaitKeeper, MobilityDNA and MobilityMatters are registered trademarks of Digital Gait Labs Limited.