Privacy Policy
Last updated: 31 March 2026
Who We Are
Rebound is a mobile application for ACL rehabilitation developed and operated by SC MUSINOX ASSET MANAGEMENT S.R.L., a company registered in Romania ("we", "us", or "our").
If you have any questions about this policy or how we handle your data, contact us at contact@rebound.zone.
What Data We Collect
Account and Identity Data
When you create an account, we collect:
- First name
- Date of birth
- Email address
- Password (stored as a secure hash - we never store your password in plain text)
- Operated leg (left or right)
Health and Medical Data
To personalise your rehabilitation programme, we collect:
- Surgery date
- Reconstruction type (primary or revision)
- Graft type (quad tendon, hamstring tendon, patellar tendon, or allograft)
- Meniscus involvement (none, repair, partial meniscectomy, or total meniscectomy)
- Additional procedures (LET, PCL repair, collateral ligament repair, cartilage repair)
- Surgeon-specified restrictions (weight-bearing status, flexion limits, brace protocol)
- Return-to-sport goal and sport type
This is health data.Under the General Data Protection Regulation (GDPR), health data is classified as "special category" personal data and is subject to stricter protections. We only collect it because it is strictly necessary to deliver your rehabilitation programme.
Session and Progress Data
As you use the app, we collect:
- Exercises completed, sets, reps, and loads used
- Session completion status and dates
- Pain scores and pain type (knee joint or donor site) logged during sessions
- Swelling grades
- Assessment results and gate pass/fail outcomes
- Questionnaire responses (KOS-ADLS, ACL-RSI)
- Missed session reasons and gap durations
- Compliance rate and streak data
- Mindset journal entries (confidence scores and optional notes)
Technical and Usage Data
We automatically collect limited technical data to keep the app functioning:
- Device type and operating system
- App version
- Firebase authentication identifiers
- Timestamps of app interactions
We do not collect advertising identifiers or track your behaviour for marketing purposes.
Waitlist Data
If you sign up on rebound.zone before creating an app account, we collect:
- Email address
- First name (optional)
Legal Basis for Processing
We process your data under the following legal bases as defined by GDPR:
| Data type | Legal basis |
|---|---|
| Account data | Performance of a contract (Article 6(1)(b)) - necessary to provide the service |
| Health and medical data | Explicit consent (Article 9(2)(a)) - you actively consent during onboarding |
| Session and progress data | Performance of a contract (Article 6(1)(b)) |
| Technical data | Legitimate interests (Article 6(1)(f)) - to maintain app security and stability |
| Waitlist data | Consent (Article 6(1)(a)) - you opt in by submitting the form |
You may withdraw your consent for health data processing at any time by deleting your account. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
How We Use Your Data
We use your data exclusively to:
- Deliver your personalised rehabilitation programme
- Track your progress through the five phases of recovery
- Determine your current position in the programme if you join mid-recovery
- Respond to pain and swelling data with appropriate in-app guidance
- Calculate your compliance rate and session streaks
- Notify you of upcoming sessions and assessments (if you enable notifications)
- Send waitlist updates and launch announcements (waitlist signups only)
- Maintain account security and prevent fraud
We do not use your data for advertising, profiling, or any purpose unrelated to your rehabilitation.
Data Storage and Security
Your data is stored in Google Firebase (Firestore), a cloud database infrastructure operated by Google LLC with data centres in the European Economic Area (EEA) and the United States. Firebase is ISO 27001 certified and compliant with GDPR.
All data is encrypted in transit (TLS) and at rest (AES-256). Authentication tokens are stored securely on your device using platform-level secure storage.
Waitlist signup data is stored in Loops (Loops LLC, United States). Loops processes this data solely for the purpose of sending you waitlist and launch communications.
Your data is never sold to third parties.
Third-Party Services
| Service | Purpose | Data shared | Privacy policy |
|---|---|---|---|
| Google Firebase | Authentication and database | Account, health, session data | policies.google.com/privacy |
| RevenueCat | In-app purchase and entitlement management | Purchase status, app user ID | revenuecat.com/privacy |
| Loops | Waitlist email management | Email, first name | loops.so/privacy |
| Zoho Mail | Contact email management | Any personal data you send us by email | zoho.com/privacy |
| Vercel | Website hosting | IP address, request logs | vercel.com/legal/privacy-policy |
| Apple / Google | App distribution and payment processing | Per their platform policies | - |
Data Retention
| Data type | Retention period |
|---|---|
| Account and health data | Retained for as long as your account is active. Deleted within 30 days of account deletion. |
| Session and progress data | Retained for as long as your account is active. Deleted within 30 days of account deletion. |
| Waitlist data | Retained until you unsubscribe or request deletion, or until the waitlist is closed. |
| Technical logs | Retained for up to 90 days. |
Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
- Right of access - you can request a copy of all personal data we hold about you.
- Right to rectification - you can ask us to correct inaccurate data.
- Right to erasure - you can ask us to delete your data. You can also delete your account directly from the app, which triggers deletion of all associated data.
- Right to restriction - you can ask us to restrict processing of your data in certain circumstances.
- Right to data portability - you can request your data in a structured, machine-readable format.
- Right to object - you can object to processing based on legitimate interests.
- Right to withdraw consent - for health data processed on the basis of consent, you can withdraw at any time.
To exercise any of these rights, contact us at contact@rebound.zone. We will respond within 30 days.
Transfers Outside the EEA
Some of our third-party service providers (Google Firebase, Loops) may process data outside the EEA, including in the United States. Where this occurs, transfers are protected by appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring your data receives an equivalent level of protection.
Children
Rebound is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a person under 16 has provided us with their data, contact us at contact@rebound.zone and we will delete it promptly.
Supervisory Authority
You have the right to lodge a complaint with the Romanian data protection supervisory authority:
Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (ANSPDCP)
Website: dataprotection.ro
Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucuresti, 010336, Romania
Medical Disclaimer
Rebound is a rehabilitation support tool. It is not a medical device and does not constitute medical advice. The programme content is based on established ACL rehabilitation protocols, but it is not a substitute for assessment and guidance from your surgeon or physiotherapist. Always consult your healthcare team before starting or modifying your rehabilitation programme.
Changes to This Policy
We may update this policy from time to time. When we do, we will update the "Last updated" date at the top of this page and, where changes are material, notify you via email or in-app notification. Continued use of Rebound after changes are posted constitutes acceptance of the updated policy.