VAST.Rehab, Privacy Policy

Last Revised: March 16, 2026

Brontes Processing sp. z o.o. (“Brontes Processing”, “we”, “us”, or “our”) is committed to protecting personal information processed in connection with VAST.Rehab. This Privacy Policy explains how we collect, use, disclose, store, transfer, retain, and otherwise process personal information in connection with the VAST.Rehab software platform, our websites, our support and commercial processes, and related services that do not have separate governing privacy terms.

VAST.Rehab is a therapist-directed rehabilitation platform. Depending on the configuration, it may support motion-tracked rehabilitation exercises, therapist workflows, reporting, implementation, support, account administration, optional communication features, and optional remote-session support. Patient-facing access is typically enabled through an organization or professional workflow rather than as a general self-service consumer service.

This Privacy Policy does not replace product labeling, clinical instructions, or a customer-specific data processing agreement, business associate agreement, order form, distributor agreement, or other written contract that may apply to a specific customer relationship.

Please review the following definitions before using VAST.Rehab:

  • “Brontes Processing”, “we”, “Company”, or “Brontes Processing sp. z o.o.” means Brontes Processing sp. z o.o., located in Poland, 44-100 Gliwice, Przewozowa 32.
  • “VAST.Rehab” means the VAST.Rehab applications, websites, services, servers, support channels, and related materials that do not have separate governing privacy terms.
  • “Terms of Use”, “TOU”, or “Agreement” means the VAST.Rehab Terms of Use available at the URL listed below.
  • “Privacy Policy” means this VAST.Rehab Privacy Policy.
  • “Customer” means the legal entity or individual that purchases, licenses, receives, or otherwise lawfully obtains access to VAST.Rehab from Brontes Processing or an authorized distributor.
  • “Authorized Organization” means a clinic, facility, practice, hospital, distributor, partner, or other organization authorized to use VAST.Rehab.
  • “Authorized Professional” means a healthcare professional, therapist, or other trained and authorized person acting within an Authorized Organization and within the scope of permissions, qualifications, instructions, and applicable law governing the use of VAST.Rehab in the relevant jurisdiction.
  • “Patient User” means a natural person who accesses a patient-facing part of VAST.Rehab because such access was enabled, assigned, or approved by an Authorized Organization or Authorized Professional.
  • “Personal Information” means information that identifies, relates to, describes, or can reasonably be linked to an identified or identifiable individual.
  • “Customer Data” means information, files, records, documents, reports, session data, patient data, and other content that a Customer or its users submit to, store in, or process through VAST.Rehab.

Terms of Use: https://vast.rehab/terms-of-use

Privacy Policy: https://vast.rehab/privacy-policy

Scope of this Privacy Policy

This Privacy Policy applies to personal information processed by Brontes Processing in connection with:

  • the VAST.Rehab website and related contact forms, demo forms, downloads, newsletters, and commercial communications;
  • account creation, account administration, licensing, support, onboarding, implementation, and billing for VAST.Rehab;
  • Customer Data processed by Brontes Processing on behalf of Customers where Brontes Processing acts as a processor, service provider, business associate, subprocessor, or similar role under applicable law; and
  • other interactions with Brontes Processing that refer to this Privacy Policy.

This Privacy Policy does not apply to websites, services, or hardware operated by third parties under their own privacy terms, except to the extent explicitly stated otherwise.

Roles of Brontes Processing and our Customers

Our role depends on the context in which personal information is processed.

  • When Brontes Processing acts as controller. We act as controller for personal information that we collect and use for our own purposes, such as website operation, cookies and analytics where applicable, contact forms, demo requests, support interactions, billing, contract administration, account management for our own commercial relationships, security and fraud prevention, compliance with legal obligations, and limited operational situations in which we lawfully process health-related information directly.
  • When Brontes Processing acts on behalf of a Customer. In many cases, a clinic, facility, distributor, or other Customer determines why patient and clinical data are entered into VAST.Rehab and how that data should be used. In those cases, the Customer is typically the controller or covered entity, and Brontes Processing acts as processor, service provider, business associate, subprocessor, or comparable role under applicable law and the relevant contract.

If you are a Patient User and your data was entered into VAST.Rehab by a clinic, facility, therapist, or other organization, that organization will usually be your primary point of contact for privacy rights requests relating to that data. Brontes Processing will support the relevant Customer as required by applicable law and contract.

Categories of information we may process

Depending on how VAST.Rehab is used, we may process the following categories of personal information:

  • Contact and identity data, such as name, business email address, phone number, job title, organization name, address, country, and other details you provide to us.
  • Account and access data, such as username, login identifiers, password hashes or authentication records, account role, licensing information, subscription status, and related account metadata.
  • Organization and commercial data, such as customer name, facility details, billing contact details, distributor relationships, quotes, orders, invoices, payment status, and support entitlements.
  • Technical and device data, such as IP address, device type, application version, operating system, browser type, crash logs, diagnostic logs, security events, and other telemetry needed to operate, secure, and support VAST.Rehab.
  • Usage data, such as product interactions, feature usage, support history, implementation progress, and website analytics data.
  • Therapy, session, and patient-related data submitted by Customers, which may include patient identifiers, demographic data, schedule information, session history, therapeutic task settings, movement-related session outputs, therapist notes, reports, and other information entered or generated within a Customer’s workflow. Depending on context, this category may include data concerning health and other special categories of personal data under applicable law, including information about rehabilitation sessions, therapeutic progress, physical function, or clinical notes.
  • Communication data, such as messages sent to us, support tickets, emails, customer success communications, and, where applicable, data needed to enable optional communication or remote-session support features.
  • Cookie and similar technology data, as described in the Cookies and Analytics section below.

We ask that you do not send us health data, patient data, or other sensitive information outside the intended VAST.Rehab workflow unless it is reasonably necessary for support or another legitimate purpose and you are authorized to do so.

Special categories of personal data and health data

VAST.Rehab may process data concerning health and other special categories of personal data where this is necessary for therapist-directed rehabilitation workflows, patient support, support operations, legal compliance, or other purposes permitted by applicable law and contract.

Where Brontes Processing acts on behalf of a Customer, the relevant Customer is generally responsible for determining and documenting the applicable legal basis and any applicable Article 9 GDPR condition or equivalent requirement for the processing of health data or other special category data. Where Brontes Processing acts as controller and directly processes health data, we do so only in limited circumstances and only where a valid condition under applicable law applies, such as explicit consent, health or care management purposes where permitted by law and subject to confidentiality obligations, establishment or defence of legal claims, or another condition recognized under applicable law.

How we collect information

We may collect personal information in the following ways:

  • Directly from you, for example when you contact us, book a demo, request support, create an account, sign a contract, or otherwise communicate with us.
  • From your organization or another authorized party, for example when a clinic, facility, distributor, or therapist creates or provisions your account or uploads data relating to you.
  • Automatically, for example through logs, analytics tools, security tools, authentication systems, cookies, and similar technologies used on our websites and services.
  • From integrations, service providers, or business partners, where lawful and appropriate for the relevant service, commercial relationship, or support process.

Why we process information

Depending on context, we may process personal information for the following purposes:

  • to provide, operate, maintain, secure, and support VAST.Rehab;
  • to provision accounts, authenticate users, enforce licensing, and manage access rights;
  • to enable therapist-directed rehabilitation workflows, patient access, reporting, and related functionality requested by the relevant Customer;
  • to deliver customer support, implementation, training, and service communications;
  • to manage commercial relationships, quotes, orders, billing, payments, taxes, and contract administration;
  • to maintain the security, integrity, availability, and resilience of our website, systems, and services;
  • to investigate incidents, complaints, fraud, misuse, and legal claims;
  • to improve our website, product, documentation, support, and operations;
  • to comply with applicable law, lawful requests, regulatory obligations, and contractual commitments; and
  • to communicate with you about our services, including marketing communications where permitted by law.

We do not use this Privacy Policy to authorize autonomous clinical decision-making, diagnosis, or independent therapeutic personalization by Brontes Processing. Clinical decisions remain the responsibility of the relevant Authorized Professional or Customer.

Lawful bases, where applicable

Where the GDPR or similar law applies and Brontes Processing acts as controller, we generally process personal information on one or more of the following bases:

  • performance of a contract or steps taken at your request before entering into a contract;
  • compliance with legal obligations;
  • our legitimate interests, such as operating, securing, improving, supporting, and administering VAST.Rehab and our business, except where overridden by your interests or fundamental rights; and
  • consent, where consent is the appropriate legal basis.

Where Brontes Processing acts as controller and processes data concerning health or other special categories of personal data, we rely on an additional condition required by applicable law, such as explicit consent, a health or care-related condition permitted by law, legal claims, or another recognized exception. Legitimate interests alone are not relied on as the sole basis for processing health data where such an additional condition is required.

Where Brontes Processing processes Customer Data on behalf of a Customer, the relevant Customer is generally responsible for determining the lawful basis and, where applicable, the additional condition required for health data or other special category data, and for providing any required notices to data subjects.

Data protection governance and assessments

Brontes Processing applies privacy-by-design, role-based access, contractual controls, and security measures appropriate to the context of processing. Where required by applicable law, we carry out or support data protection impact assessments and related risk assessments for processing operations that are likely to result in a high risk to the rights and freedoms of individuals.

Customer-controlled patient data

Customers may submit Customer Data to VAST.Rehab for hosting, storage, processing, reporting, support, and related service purposes. Brontes Processing processes such Customer Data only as permitted by the applicable contract, documented instructions, applicable law, and the legitimate operational needs of providing and securing VAST.Rehab.

If you are a patient, client, or other person whose data was entered into VAST.Rehab by a clinic, facility, therapist, or another organization, please contact that organization first if you want to exercise privacy rights relating to your records. We will assist the relevant Customer where required by law or contract.

Where required, Brontes Processing will enter into an appropriate data processing agreement, data protection addendum, business associate agreement, or similar document with the relevant Customer. If protected health information is processed by Brontes Processing on behalf of a HIPAA covered entity or business associate in a manner that requires a business associate relationship under HIPAA, a separate written business associate agreement is required before Brontes Processing processes that protected health information.

Sharing information with third parties

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising where prohibited or restricted by applicable law. We may disclose personal information only as appropriate for the purposes described in this Privacy Policy, including to the following categories of recipients:

  • Service providers and subprocessors, such as hosting providers, infrastructure providers, communications providers, customer support tools, analytics providers, authentication providers, and payment processors, who help us operate and support VAST.Rehab.
  • Distributors, implementation partners, and support partners, but only to the extent reasonably necessary for territory management, order fulfillment, implementation, support, training, or other legitimate commercial or operational purposes and subject to applicable confidentiality and data protection obligations.
  • Authorities, regulators, courts, and law enforcement, where required by applicable law, legal process, or lawful governmental request.
  • Corporate transaction counterparties, where disclosure is reasonably necessary in connection with a merger, acquisition, financing, restructuring, or sale of all or part of our business, subject to appropriate confidentiality and legal safeguards.
  • Other parties with your direction or where you otherwise authorize the disclosure.

A list of subprocessors currently used by Brontes Processing is available upon request and may also be described in the applicable data processing agreement or other customer documentation.

We may also use and disclose aggregated, statistical, or de-identified information to the extent permitted by law and contract.

International transfers

Brontes Processing is based in Poland, and we may use service providers located in other countries. Personal information may therefore be transferred to, stored in, or accessed from countries other than the country in which it was originally collected.

Where required by applicable law, we use appropriate transfer mechanisms and safeguards. Depending on the recipient and destination, this may include an adequacy decision, the recipient’s participation in a recognized data transfer framework such as the EU-U.S. Data Privacy Framework where applicable, or the European Commission’s standard contractual clauses together with supplementary contractual, technical, and organizational measures where appropriate.

Retention

We retain personal information for no longer than necessary for the purposes described in this Privacy Policy, taking into account the category of data, the contractual relationship, applicable law, Customer instructions, the deployment model, limitation periods, accounting and tax requirements, security needs, and medical-record retention obligations determined by the relevant Customer or applicable law.

Unless a different period is required by law, contract, Customer instruction, or a justified operational need, we generally apply the following retention criteria:

  • Website inquiries, contact forms, and demo requests: up to twenty-four (24) months after the last substantive contact, unless needed longer for an active sales process, legal claim, or compliance requirement.
  • Marketing subscription data: until you unsubscribe, object, withdraw consent where consent is the basis, or after twenty-four (24) months of inactivity, whichever occurs first, unless longer retention is justified by law.
  • Account, contract, billing, and core support records: for the duration of the commercial relationship and usually for up to six (6) years thereafter, or longer where required by tax, accounting, medical device, fraud-prevention, or limitation laws.
  • Security, audit, and system logs: generally up to twelve (12) months, unless a longer period is required for a security investigation, legal hold, regulatory issue, or documented customer requirement.
  • Customer Data in cloud-hosted deployments: as instructed by the relevant Customer and governed by the applicable contract and law. Following expiration or termination, we generally delete or return Customer-accessible data within up to ninety (90) days, unless the Customer requests otherwise, applicable law requires longer retention, or data remains temporarily in protected backups.
  • Protected backups and disaster-recovery copies: typically overwritten or deleted within up to one hundred eighty (180) days, unless a longer retention period is required by law, legal hold, or documented customer instruction.

On-premises and offline deployments

Not all VAST.Rehab deployments are identical. Some configurations may be hosted or supported through cloud infrastructure. Other configurations may be deployed locally, on premises, or in a fully offline mode controlled by the Customer. The categories of data processed by Brontes Processing, the location of that data, and our operational role may therefore differ depending on the selected deployment model and contract.

If a Customer uses a local server, on-premises deployment, or offline mode, the Customer may retain a greater share of operational control over the relevant data environment. This Privacy Policy still applies to personal information that Brontes Processing processes in connection with such deployments, but it does not convert Brontes Processing into the controller of Customer-controlled environments merely because the VAST.Rehab software is used there.

Cookies and analytics

When you visit our website or use web-based parts of VAST.Rehab, we and our service providers may use cookies, local storage, pixels, and similar technologies to operate the site, remember preferences, maintain security, analyze traffic, and improve the user experience.

Where required by law, we will request consent before using non-essential cookies or similar technologies. You can also manage cookies through your browser settings and, where available, through our consent tools.

Analytics tools may help us understand website traffic, page performance, campaign performance, and product usage patterns. We use such tools to improve our services, but we do not use this Privacy Policy to authorize hidden clinical profiling or autonomous therapeutic decision-making.

Security

We use reasonable technical, organizational, and administrative measures designed to protect personal information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, unauthorized access, and other unlawful processing. Such measures may include encryption, access controls, logging, monitoring, segmentation, training, least-privilege controls, and vendor management, as appropriate to the context.

No method of transmission over the Internet, no hosting environment, and no electronic storage system is completely secure. We therefore cannot guarantee absolute security.

Security incidents and privacy reporting

If you become aware of a suspected privacy incident, security incident, unauthorized access event, or other issue affecting personal information processed in connection with VAST.Rehab, please report it to us without undue delay using the contact details below or through the relevant Customer, distributor, or support channel.

Where Brontes Processing acts as processor, business associate, or comparable service provider, we will notify the relevant Customer or upstream party without undue delay as required by applicable law and contract. Where Brontes Processing acts as controller, we will assess and respond to personal data breaches in accordance with applicable law, which may include notification to authorities, Customers, and affected individuals where required.

This section addresses privacy and information-security matters. Product safety incidents, malfunctions, and adverse events should be reported through the product support, quality, or safety channels identified in the applicable terms, labeling, or customer documentation.

Children

VAST.Rehab is generally intended to be implemented through organizations and professionals rather than through direct self-service use by children. If personal information relating to a child is processed through VAST.Rehab, the relevant Customer, parent, guardian, or other responsible party must ensure that all required notices, permissions, consents, and other legal prerequisites have been satisfied under applicable law.

Where VAST.Rehab processes personal information of children on behalf of a Customer, the Customer is responsible for ensuring that parental or guardian consent, authorization, and all other requirements under applicable child-protection laws, including COPPA and GDPR Article 8 where applicable, have been satisfied.

If you believe that a child has provided personal information directly to Brontes Processing in a way that is not permitted, please contact us.

Your rights and choices

Depending on applicable law and the role in which Brontes Processing acts, you may have the right to request access to personal information, rectification, erasure, restriction, objection, portability, withdrawal of consent where consent is the basis, or the right to lodge a complaint with a competent supervisory authority.

If Brontes Processing acts as controller for the relevant data, you may submit your request to us using the contact details below. If Brontes Processing acts on behalf of a Customer, you should usually direct your request to that Customer first, and we will support them where required.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If we make a material change, we will make reasonable efforts to provide notice through the website, product, email, or another appropriate channel. Unless a shorter period is required by law or for urgent security, legal, or regulatory reasons, material changes will take effect thirty (30) days after such notice is provided. Other changes will take effect as of the stated “Last Revised” date.

Got any questions?

If you have any questions, comments, privacy requests, or incident reports relating to this Privacy Policy, please contact us using the details below.

E-mail: privacy@vast.rehab

We will make an effort to reply within a reasonable timeframe.