privacy
EQPT Privacy Policy
Effective Date: May 29, 2026
Last Updated: May 29, 2026
At a Glance
EQPT is a physical-therapy platform offered by EQPT HOLDINGS LLC ("EQPT,"
"we," "our," "us"). This Privacy Policy explains what information we
collect, why we collect it, how we use and share it, how long we keep
it, and the choices you have. Some highlights:
• The EQPT mobile app uses your camera to analyze body movement and
(for vestibular-therapy exercises) head movement entirely on your
device using Apple Core ML. By default, no video, images, or
frames of you leave your device.
• EQPT does not use Apple's face-detection, face-landmark,
face-mesh, ARKit face-tracking, or eye-gaze APIs. We do not
extract facial features, eye tracking, or any biometric template
from any image.
• EQPT records and uploads exercise video clips ONLY if you
explicitly turn on "Contribute to Research" in your patient
profile and accept the in-app research agreement. This is
optional and is off by default.
• EQPT does not sell or rent Personal Information. We do not use
your information for cross-context behavioral advertising.
• When EQPT is deployed by a healthcare clinic, EQPT acts as a HIPAA
Business Associate of that clinic, and your information is also
subject to the clinic's Notice of Privacy Practices.
This summary is for convenience. The full policy below controls.
1. Who We Are and What This Policy Covers
This Privacy Policy describes how EQPT HOLDINGS LLC, a [Delaware]
corporation with offices at 8 THE GREEN STE B, DOVER, DE 19901, ("EQPT"),
collects, uses, discloses, retains, and otherwise processes Personal
Information through:
• our website https://www.eqpt.ai and any subdomain (the "Site"),
• the EQPT mobile application for iOS (the "App"), and
• our backend services and APIs used by the Site and the App
(together with the Site and the App, the "Services").
Two relationships are possible:
Controller relationship.
When you visit the Site, fill in a contact form, sign up for
marketing, or otherwise interact with us outside of a clinical care
relationship, EQPT is the controller of your Personal Information.
This Privacy Policy describes that processing.
Business-Associate / Processor relationship.
When a healthcare clinic, hospital, or other Covered Entity engages
EQPT to provide the Services to that Covered Entity's patients,
EQPT acts as a Business Associate under the U.S. Health Insurance
Portability and Accountability Act (HIPAA) and as a "service
provider" or "processor" under U.S. state privacy laws. EQPT
processes Protected Health Information (PHI) and other patient data
only as permitted by the Business Associate Agreement (BAA) between
EQPT and the Covered Entity, and the Covered Entity's own Notice of
Privacy Practices also applies.
If you are unsure which relationship applies to you, contact us at
2. Information We Collect
2.1 Information you provide directly.
• Account profile. When you (or your clinic on your behalf) create
an EQPT account, we collect your first name, last name, email
address, and (optionally) phone number and profile picture. We
also collect timestamps recording when you accepted our Terms of
Service and completed onboarding.
• Phone verification. When you verify your phone number, our SMS
provider (Amazon Web Services) sends a one-time code to that number.
We store the masked phone number and the verification timestamp;
we do not store the one-time code after verification.
• Passkey credential. EQPT signs you in using a passkey (a FIDO2 /
WebAuthn credential). The private key for the passkey is
generated and stored on your device by Apple, in the Secure
Enclave, and is never sent to EQPT. EQPT stores only the public
key and a randomly generated credential identifier. No biometric
template is ever sent to or stored by EQPT.
• Clinical / care information you enter. Depending on your role in
your clinic's deployment, you or your therapist may enter intake
information (such as height, weight, age, the condition or injury
being treated, mobility limitations, and treatment goals),
program assignments (which exercises you are prescribed and at
what sets/reps/duration/frequency), and therapist notes about
your sessions.
• Communications. If you contact us by email, through our support
form at https://www.eqpt.ai/support, or otherwise, we collect
what you send us together with our response.
2.2 Information collected automatically when you use the App.
• Exercise analytics generated on-device. During an exercise
session, an on-device Apple Core ML model classifies each
captured frame into a movement-phase label and computes
numerical analytics, including: repetition counts, repetition
timing (idle, top, down, bottom, up durations), set duration,
target vs. actual reps, computed form score, and — for
vestibular head-movement exercises — head-position phase labels.
These analytics are sent to EQPT's backend so that your therapist
can review your progress.
• Camera and video. By default, no camera frames or video leave
your device — see Section 3. If you opt into the research
program (Section 5), the App also writes a short per-set video
clip to a temporary folder on your device and uploads it to EQPT.
• App and device diagnostics. The App may send us limited
diagnostic information about app version, iOS version, device
model, language, time zone, and crash logs. EQPT does not
collect your iOS Advertising Identifier (IDFA) and does not use
the AppTrackingTransparency framework, because the App does not
engage in cross-app tracking.
• Push notification token. If you enable notifications, iOS issues
a device token that EQPT uses with Apple Push Notification
Service (APNS) to deliver reminders and session updates.
• Audit and security logs. We record sign-in events, passkey
registration and reset events, research-consent grants and
revocations, and similar security-relevant events for HIPAA
audit-trail and account-security purposes.
2.3 Information collected automatically when you use the Site.
• Server logs and cookies. Our website collects standard server log
data (IP address, browser and operating-system identifiers,
referring URL, pages requested, timestamps), and uses cookies
and similar technologies for analytics and site functionality.
• Web analytics. We use [Google Analytics] on the Site to measure
traffic and improve content. See
https://www.google.com/policies/privacy/partners/.
• Cross-device tracking. We may correlate Site visits with accounts
you later create so we can attribute marketing activity. We do
not use cookies to follow you to unrelated third-party sites.
2.4 Information we never collect.
EQPT does not collect, request, or use:
• Your microphone or audio recordings. The App configures an audio
session only for playback (exercise cues and sounds); it does
not record audio.
• Your precise or coarse location. The App does not request
location permissions.
• Your Apple Health (HealthKit) data. The App does not integrate
with HealthKit.
• Your Photos library or any photo or video you did not record in
the App.
• Your Face ID biometric template. Face ID is handled by Apple on
your device.
• Your contact list, calendar, Bluetooth peripherals, or motion
sensors.
3. Camera, Video, Head Position, and Face Data
This section answers the requirements of Apple App Store Review
Guideline 5.1.1(i) in detail. If you only read one section, read
this one.
3.1 What the camera does in the App.
The EQPT mobile app uses your device camera during an exercise
session for two purposes:
(a) For body-movement exercises (squats, push-ups, lunges,
overhead press, bicep curl, bench press, bent-over row,
stretches, etc.), an on-device Apple Core ML model classifies
the body's position into one of several movement-phase labels
("up," "down," "top," "bottom") and computes a form score. The
model is analyzing your body; your face may appear in the
frame because the camera is pointed at you.
(b) For vestibular-therapy head-movement exercises (the
"Horizontal Head Shake" / VOR-Horizontal and "Vertical Head
Shake" / VOR-Vertical exercises), a separate on-device Apple
Core ML model classifies the position of your head into the
same set of movement-phase labels at 60 frames per second. For
these exercises the head is the subject that the model is
analyzing.
3.2 What the model does NOT do, in either case.
• It does not use Apple's face-detection, face-landmark, face-
mesh, ARKit face-tracking, or Vision-framework face APIs.
• It does not extract or store any facial geometry, face mesh, eye
tracking, gaze direction, pupil location, facial feature points,
or biometric template.
• It cannot be used to identify you. The model's only output is a
single movement-phase label per frame together with a numerical
form score and movement timing. None of these outputs is face
data.
• By default, it does not transmit camera frames, video, or images
of any kind off your device. Only the numerical outputs above
are transmitted.
3.3 When (if ever) video that may contain your face leaves your
device.
Video clips leave your device only when you have explicitly turned
on "Contribute to Research" in your patient profile and accepted the
in-app research consent agreement. While the research toggle is off
(the default state), the App does not write any exercise video to
disk and does not upload any video. A snapshot of your research-
consent setting is taken when an exercise session begins, so toggling
the setting in the middle of a session never starts or stops
recording mid-set.
For the purposes of Apple Guideline 5.1.1(i), any image of your face
that appears in a research clip is treated as face data and governed
by Section 5 below.
3.4 Face ID.
If you choose to enable Face ID, Apple uses Face ID locally on your
device to unlock your passkey credential. EQPT never receives,
processes, or stores Face ID biometric data. Face ID is used solely
to unlock the passkey; it is not used to identify you, to log your
usage, or for any other purpose.
4. Health, Fitness, and Clinical Data
EQPT is a physical-therapy platform. The Services therefore involve
information about your body and your therapy program, including:
• Demographic and intake information (height, weight, date of
birth or age band, gender if you provide it, the injury or
condition being treated, treatment goals).
• Exercise program assignments.
• Per-set exercise performance analytics generated on your device.
• Therapist notes and clinical observations.
• Adherence and progress information.
• Any free-text feedback you submit during or after a session.
We treat this information as sensitive health data:
• We use it solely to deliver the therapy program prescribed by
your provider, to allow your provider to monitor your progress
between in-person visits, to send you in-app and push reminders
required for the program, and to generate aggregated, de-
identified analytics for our clinical-operations team.
• Where EQPT is engaged by a Covered Entity, this information is
Protected Health Information (PHI) under HIPAA and is processed
only as permitted by the Business Associate Agreement between
EQPT and the Covered Entity.
• We do not sell, rent, or share health, fitness, or clinical data
with advertising networks, data brokers, social-media platforms,
or any third party for marketing purposes.
• We do not use health, fitness, or clinical data to make
decisions that produce legal or similarly significant effects
about you without human review (see Section 13).
5. Research and AI Model Improvement (Opt-in)
EQPT runs an opt-in research program in which patients may choose to
contribute their exercise videos so we can improve the accuracy of
the on-device body- and head-movement classification and form-
scoring models. The program is entirely voluntary and is OFF by
default. Declining or withdrawing from the program does not affect
the therapy services available to you through EQPT.
5.1 How to join and leave the program.
To participate, open your patient profile, read the in-app research
consent agreement, and tap "I Agree." To leave the program at any
time, turn the "Contribute to Research" toggle off in your patient
profile. Once you turn it off, EQPT will not record or upload any
new exercise videos.
5.2 What we collect and store under the program.
While participation is on, the App writes a short video clip
(typically less than three minutes per exercise set, at 640×480
resolution, 30 frames per second) of each completed exercise set to
a temporary folder on your device, then uploads that clip to EQPT's
servers in the United States and deletes the local copy. The clip
is tagged with your EQPT user identifier and the exercise type. For
body exercises the clip may contain your face incidentally; for
vestibular head-movement exercises the clip will prominently contain
your head and face because the camera is pointed at your head.
5.3 Why we store these clips.
We use them solely to: (a) improve the accuracy of the on-device
body- and head-movement classification and form-scoring models,
including by training and validating new versions of those models;
and (b) allow a licensed physical therapist on our clinical team to
review unusual sessions for clinical-quality assurance.
We do NOT use these clips to identify you biometrically, to build a
face template, to enable face login, for advertising, or to make
automated decisions about your therapy.
5.4 How long we store them.
Raw exercise videos are retained for no longer than twenty-four (24)
months from the date of upload, after which the raw video file is
permanently deleted from our storage. We chose 24 months because
that is the length of a single annotation–training–validation cycle
for our movement models; storing the raw video for longer is not
necessary to improve the product. You may request earlier deletion
at any time (see Section 11).
After deletion of the raw video, de-identified, aggregate training
artifacts derived from it (such as the trained model weights and
label-only metadata that cannot be linked back to you) may be
retained indefinitely as part of the on-device model. Those
artifacts are mathematical parameters and cannot be used to
reconstruct your video or to identify you.
5.5 Who we share them with, and why.
We share these clips only with the categories of service providers
listed below, each acting as our processor under a written data-
processing agreement and contractually prohibited from using the
video for any purpose other than providing services to EQPT:
• Amazon Web Services (United States): hosts our backend and stores
the encrypted video file. The cloud provider does not access
video content and does not use it to train its own models.
• Annotation contractors engaged on a per-project basis under
written confidentiality and data-processing agreements: label
movement phases and form errors so that the labels can be fed
into our training pipeline. Annotators receive only the video
and the exercise type; they are not given any other information
about you.
• EQPT's licensed clinical reviewers and engineering staff, under
written confidentiality and HIPAA obligations.
We do not share research videos with advertising networks,
analytics providers, social-media platforms, data brokers, or any
other third party.
5.6 Whether those third parties also store face data.
Amazon Web Services stores the video on our behalf for the same 24-
month maximum window described above, and deletes it on our
instruction; it does not retain a separate copy beyond standard
backup-retention windows required for service reliability (currently
up to 35 days after deletion). Annotation contractors are not
permitted to retain a copy of the video after their labeling work
is completed; their access is revoked and any local copies must be
deleted within thirty (30) days of project completion.
5.7 No sale, no advertising use.
We do not sell, license, or rent research videos. We do not use
research videos for any form of advertising or marketing and we do
not share them with social-media platforms.
6. How We Use Personal Information
We use the information described in Section 2 to:
• create and administer your EQPT account, including onboarding,
sign-in, and account recovery;
• deliver the therapy program prescribed by your provider and
record your progress in that program;
• generate the on-device exercise analytics and form feedback that
drive the App experience;
• communicate with you about your sessions, missed sessions,
program changes, and other service-related matters;
• respond to your support requests;
• maintain the security, integrity, and reliability of the
Services, including fraud prevention, abuse detection, and
HIPAA-required audit trails;
• improve the on-device models and the Services, in the case of
research videos only as described in Section 5;
• comply with our legal, regulatory, and contractual obligations,
including those imposed by HIPAA, state privacy laws, the Apple
Developer Program License Agreement, and applicable App Store
rules; and
• with your consent, send you marketing communications about EQPT
(see Section 11 for opt-out).
7. How We Share Personal Information
7.1 With your clinic and care team.
If your account was provisioned through a clinic, EQPT shares your
account, intake, exercise, and progress information with that clinic
and the therapists and clinic owners assigned to your care.
7.2 With service providers (subprocessors).
• Cloud infrastructure and storage: Amazon Web Services.
• SMS verification: Twilio.
• Email delivery: Amazon Web Services.
• Push notifications: Apple Push Notification Service (APNS).
• Authentication: Apple Passkey services + EQPT WebAuthn relying
party.
• Error and crash reporting: Apple App Store Connect.
• Annotation contractors as described in Section 5.5.
• Professional advisors (lawyers, accountants, auditors) bound by
confidentiality.
A current list of named subprocessors is available on request at
7.3 In legal or safety circumstances.
We may disclose Personal Information if we have a good-faith belief
that disclosure is necessary to comply with applicable law, enforce
our Terms, address fraud or security issues, or protect the rights,
property, or safety of EQPT, our users, or others.
7.4 In a corporate transaction.
If EQPT is involved in a merger, acquisition, financing, or sale of
assets, Personal Information may be transferred as part of that
transaction, subject to commitments equivalent to this Policy.
7.5 Aggregated and de-identified data.
We may produce de-identified or aggregated information from Personal
Information. De-identified or aggregated information that cannot
reasonably be linked back to an individual is not subject to this
Policy. We will not attempt to re-identify such data.
8. International Transfers
EQPT and its subprocessors are based in the United States, and the
Services are hosted in the United States. If you access the
Services from outside the United States, your information will be
transferred to and processed in the United States.
If you are in the EEA, the UK, or Switzerland and you wish to learn
more about the safeguards we apply to transfers, contact us at
9. How Long We Keep Information (Retention)
We retain Personal Information no longer than necessary for the
purposes for which it was collected:
• Account information: while your account is active, deleted or
de-identified within ninety (90) days after account closure
(except where law requires longer retention).
• Exercise program assignments, performance analytics, and
therapist notes (PHI / medical records): duration of the care
relationship plus seven (7) years, then permanently deleted or
de-identified. The Covered Entity's BAA controls if different.
• Exercise videos uploaded under research consent: no more than
twenty-four (24) months from upload. Earlier deletion is
honored on request.
• Security and audit logs: two (2) years.
• Customer-support communications: two (2) years from last
contact.
• Marketing contact lists: until you unsubscribe, with deletion
within thirty (30) days.
• Backups: deleted information may persist in encrypted backup
snapshots for up to thirty-five (35) days after deletion.
10. How We Protect Information (Security)
We use reasonable administrative, technical, and physical
safeguards, including:
• TLS 1.2 or higher for all transit between the App, the Site,
and our backend;
• encryption at rest of databases, storage buckets, and backups;
• access controls that restrict EQPT employee and contractor
access to Personal Information to the minimum necessary for
their role, audited centrally;
• passkey-only authentication for the App, with biometric unlock
handled locally by Apple — EQPT never receives a password and
never receives Face ID or Touch ID biometric data;
• HIPAA-required security and audit-logging policies;
• written confidentiality and data-processing agreements with all
subprocessors;
• secure software-development practices.
No security control is perfect. We will notify you of a security
incident affecting your Personal Information as required by
applicable law and our BAAs.
11. Your Rights and Choices
Subject to applicable law, you have the following rights:
• Access, correction, deletion, portability.
• Withdraw consent at any time (including research participation).
• Opt out of "sale" or "sharing" — EQPT does not sell or share
Personal Information for cross-context behavioral advertising,
so this is honored by default.
• Opt out of marketing.
• Restrict or object to certain processing.
• Non-discrimination for exercising rights.
• Authorized agent and appeal.
To exercise any of these rights, visit https://www.eqpt.ai/support
or email contact@eqpt.ai. We will verify your identity and respond
within the time required by applicable law (generally 45 days under
CCPA/CPRA, one month under GDPR/UK GDPR).
If you are a patient of a Covered Entity that uses EQPT, you also
have rights under HIPAA (access, amendment, accounting of
disclosures, restriction). HIPAA rights are exercised through your
Covered Entity, and EQPT supports such requests as required by the
Business Associate Agreement.
12. State and Country-Specific Privacy Disclosures
12.1 California (CCPA / CPRA).
12.2 Washington (My Health My Data Act) and Nevada (SB 370).
12.3 Other U.S. states (Colorado, Connecticut, Virginia, Utah,
Texas).
12.4 European Economic Area, United Kingdom, and Switzerland.
(Full content in the publishable document — see prior drafting.)
13. Automated Decision-Making and AI
EQPT's on-device Core ML models produce automated outputs —
movement-phase labels, form scores, head-position labels, rep
counts. These outputs are presented to your therapist as
information, not as decisions. Your therapist remains responsible
for prescribing and adjusting your therapy. EQPT does not use these
outputs to make decisions that produce legal or similarly significant
effects about you without human review.
14. Children and Minors
The EQPT Services are intended only for adults aged 18 or older.
We do not knowingly collect Personal Information from minors. If
we learn that we have collected Personal Information from a minor,
we will delete it.
15. Third-Party Services and Links
The Services may contain links to third-party websites, products,
or services that EQPT does not operate. This Policy does not apply
to those third parties.
The EQPT App relies on the following Apple-operated services: the
Apple App Store, Apple Push Notification Service, Apple Passkey
services, Apple Core ML, the Apple Vision framework (used only as a
host for our custom Core ML model — no face APIs invoked), and Face
ID / Touch ID for local biometric unlock. Apple's privacy practices
are governed by Apple's Privacy Policy at
https://www.apple.com/legal/privacy/.
16. Changes to This Policy
We may update this Policy from time to time. When we do, we will
update the "Last Updated" date at the top. If the changes are
material, we will notify you in advance by email or by an in-App
notice and, where required, obtain your consent.
17. Contact Us
EQPT HOLDINGS LLC
8 THE GREEN STE B
DOVER, DE 19901
United States
Email: contact@eqpt.ai
Support: https://www.eqpt.ai/support