Privacy Policy

Last updated: May 2026

This policy is reviewed annually. Next scheduled review: May 2027.

This Privacy Policy describes how Movement First International ("we", "us", or "our") collects, uses, and protects information when you use the SpinalRisk Online Tool ("the Tool") at spinalrisk.com and related services.

1. Information We Collect

When you use the SpinalRisk Tool, you provide the following information voluntarily:

• Full name
• Email address
• Sex
• Age
• Responses to clinical screening questions covering fracture, cancer, infection, neurological, and inflammatory risk factors

We do not collect date of birth, Medicare numbers, health insurance details, or any other government-issued identifiers.

Your clinical screening responses constitute health information and are treated as sensitive personal information under applicable privacy law. We collect this information solely for the purpose of generating your personalised SpinalRisk triage summary, with your explicit consent, as described in Section 2 below.

2. How We Use Your Information and Our Legal Basis

Your information is used for the following purposes:

• To generate your personalised SpinalRisk triage summary (legal basis: your explicit consent to the processing of health information for this specific purpose, provided at the point of assessment)
• To subscribe you to the Movement First International newsletter, where you have opted in to receive it (legal basis: consent)
• To send occasional updates about SpinalRisk and Movement First International services (legal basis: consent)

We do not use your health screening responses for advertising, profiling, or sale to third parties.

For users in the European Economic Area (EEA) and UK, we rely on your explicit consent under Article 9(2)(a) of the GDPR for the processing of health information. For all other processing of personal data described in this policy, we rely on your consent (Article 6(1)(a)), or our legitimate interests in operating and improving the Tool (Article 6(1)(f)) where processing of non-health personal data is involved and those interests are not overridden by your privacy interests.

3. Automated Processing and Your Triage Result

The SpinalRisk triage summary is generated automatically. When you complete the assessment, a rule-based algorithm applies fixed clinical screening criteria to your responses and assigns your result to one of several triage outcome categories. This process does not involve machine learning, artificial intelligence, or any system that learns from or modifies its behaviour based on user data.

The triage result is intended to help you decide whether to seek further assessment. It is not a diagnosis, and it does not constitute clinical advice. You should consult a qualified health professional before making any health decisions.

You have the right to request a human review of your triage result at any time by contacting us at admin@movementfirst.org. We will respond within 30 days.

For EEA/UK users: under Article 22 of the GDPR, you have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. The SpinalRisk triage output is a screening guide, not a legally binding determination. However, if you wish to contest your result or request human review, please contact us using the details in Section 12.

4. Data Processing and Storage

Your individual clinical screening responses are not stored in a way that identifies you. When you complete an assessment, the tool records anonymised, aggregated data — your age range (not your exact age), sex, the assessment outcome category, and which risk factors were indicated — to a secure analytics system hosted by Google. This anonymised data contains no name, email address, or other information that could identify you, and is used solely to understand how the tool is used and to improve its clinical accuracy over time.

Your name and email address are handled separately and only for newsletter subscription purposes, as described in Section 5 below. They are never linked to your clinical screening responses.

The anonymised, aggregated analytics data described above cannot be linked to any individual and therefore does not constitute personal data under applicable privacy law. It is retained indefinitely for tool improvement purposes. Because it does not identify you, it is not subject to deletion on an individual basis.

5. Data Retention

Your email subscription data is retained by Kit for as long as you remain subscribed to the Movement First International newsletter. You may unsubscribe at any time using the link provided in every email, at which point your data will be removed in accordance with Kit's data retention policies (available at kit.com/privacy).

Your individual, identifiable clinical screening responses are not stored by us at any point.

6. Your Rights

Depending on your jurisdiction, you may have the following rights in relation to the personal information we hold about you:

• Right to access your personal information
• Right to correct inaccurate personal information
• Right to request deletion of your personal information
• Right to data portability (receive your data in a structured, machine-readable format)
• Right to restrict or object to processing based on our legitimate interests
• Right to withdraw consent for email communications at any time
• Right to request human review of any automated processing that significantly affects you (see Section 3)
• Right to lodge a complaint with a supervisory authority

To exercise any of these rights, contact us using the email address in Section 12 below.

For users in Australia, you may also lodge a complaint with the Office of the Australian Information Commissioner (OAIC): oaic.gov.au.

For users in the EEA, you may lodge a complaint with the data protection authority in your country of residence. A list of EEA data protection authorities is available at edpb.europa.eu. For users in the UK, the relevant authority is the Information Commissioner's Office (ICO): ico.org.uk.

7. Cookies and Analytics

The SpinalRisk website uses cookies for basic site functionality only. We do not use third-party advertising tracking or audience measurement technology on this site.

We collect anonymised assessment analytics through a custom analytics system built on Google Apps Script, which records the aggregated, non-identifying data described in Section 4 to a secure Google-hosted spreadsheet. This analytics system does not use cookies and does not identify you.

You can control cookie settings through your browser preferences.

8. Children's Privacy

The SpinalRisk Tool is not intended for use by individuals under the age of 18 without parental or guardian supervision. We do not knowingly collect personal information, including health screening responses, from children under 18 without verifiable parental consent.

If you are a parent or guardian and believe your child has submitted health information through this Tool without your consent, please contact us at admin@movementfirst.org and we will take steps to remove that information promptly.

9. International Users and Cross-Border Data Transfers

The SpinalRisk Tool is accessible globally. If you are located outside Australia, your email subscription data may be transferred to and processed in the United States (via Kit) and Australia (by Movement First International).

Movement First International has accepted Data Processing Agreements with both Kit (ConvertKit) and Google that require them to handle personal information consistently with applicable privacy law, including the Australian Privacy Principles.

For cross-border transfer purposes under applicable law:

• Kit complies with the EU–U.S. Data Privacy Framework, the Swiss–U.S. Data Privacy Framework, and the UK Extension to the EU–U.S. DPF, providing a recognised mechanism for the transfer of EEA, Swiss, and UK personal data to the United States.
• Google LLC is certified under the EU–U.S. Data Privacy Framework and the UK Extension to the EU–U.S. DPF, providing an equivalent recognised transfer mechanism.

For Australian users: by providing your consent to use the Tool and subscribe to the newsletter, you acknowledge that your email data will be transferred to the United States and handled by Kit and Google subject to the protections described above.

For EEA and UK users: your rights under the GDPR and UK GDPR are respected regardless of where your data is processed. If you have questions about international transfer safeguards, contact us at admin@movementfirst.org.

10. Third-Party Services

We use the following third-party services:

• Kit (formerly ConvertKit) — email subscription management. Kit is certified under the EU–U.S. Data Privacy Framework. Privacy policy: kit.com/privacy.
• HostGator — website hosting.
• Sucuri — website security.
• Google Apps Script and Google Sheets — anonymised assessment analytics. Data is stored on Google servers located in the United States. Google is certified under the EU–U.S. Data Privacy Framework. Privacy policy: policies.google.com/privacy.

We are not responsible for the privacy practices of these third-party services beyond the contractual obligations we have put in place. We encourage you to review their respective privacy policies.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. Continued use of the Tool after changes constitutes acceptance of the updated policy. This policy is reviewed at least annually; the next scheduled review is May 2027.

12. Contact and Complaints

For privacy-related enquiries, contact:

Movement First International
Email: admin@movementfirst.org
Website: movementfirst.org

Complaints process: Privacy complaints should be submitted to admin@movementfirst.org with the subject line "Privacy Complaint". We will acknowledge your complaint within 5 business days and provide a substantive response within 30 days. If you are not satisfied with our response, you may escalate your complaint to the relevant supervisory authority for your jurisdiction (see Section 6 for contact details).