Privacy Policy

Overview

Bigger Than Pain is a personalised recovery platform for people living with persistent pain. To deliver that experience, we collect and process health-related information about you.

Here is the short version:

• Your data is encrypted on your device and in transit between your device and our servers.
• Our servers process your data in readable form to deliver the service — including AI-guided support, personalised movement plans, and recovery tracking.
• We never sell your data, share it with advertisers, or use it for any purpose other than your care.
• You can export or delete all of your data at any time.

The rest of this document explains the details.

Who we are

Bigger Than Pain is operated by BiggerThanPain Limited, based in Ireland. For the purposes of EU data protection law (GDPR), we are the data controller.

If you have questions about how your data is handled, you can reach us at support@biggerthanpain.com.

What we collect

We collect different types of information depending on how you use the platform:

Account information

Your email address, a hashed version of your password (we never store your actual password), and basic profile data. This is needed to create and secure your account.

Onboarding assessment

When you first use Bigger Than Pain, you complete a structured assessment covering your pain history, affected body areas, sleep, stress, movement tolerance, and recovery goals. This generates your personalised Clarity Report and shapes every part of the system.

Chat conversations

Messages you exchange with Biggie, your AI guide. These conversations are stored so that Biggie can learn your context over time and provide more relevant guidance. Conversations include your messages, Biggie's responses, and analytical metadata used to improve the quality of support.

Pain tracking

Pain levels, body locations, triggers, activities, mood, sleep quality, stress levels, weather conditions, and any notes you add. This data powers your pattern insights and feeds into your recovery direction.

Movement and exercise data

Your movement plans, session completions, confidence and tolerance ratings, pain before and after exercise, and progression history. This shapes how your movement plan adapts over time.

Flare-up records

When you log a flare, we store its intensity, duration, triggers, body area, and any regulation or management actions you took. This helps the system adapt during difficult periods.

Recovery tracking

The Functional Recovery Engine computes weekly snapshots of your recovery direction across multiple domains. These snapshots are stored to show you how your recovery is progressing over time.

Video and learning activity

Which educational videos you watch, how far you get, any notes you take, and your progress through learning pathways. This helps the system recommend relevant content.

Payment information

If you subscribe, payment processing is handled entirely by Stripe. We never see or store your card details. We store your Stripe customer ID and subscription status to manage your access.

Wearable data (optional)

If you connect a wearable device (Apple Health, Fitbit, Garmin, Google Fit, Oura, or WHOOP), we receive sleep, activity, heart rate, and recovery metrics from that platform. This connection is entirely optional and can be revoked at any time.

Usage analytics (with your consent)

If you consent, we collect basic usage events — which features you use, page views, and session data. This helps us understand how the platform is being used and where to improve it. No analytics data is collected without your explicit consent, and no data is sent to third-party analytics services.

How we use your data

Everything we collect serves one purpose: to deliver and improve your personalised recovery experience. Specifically:

• Personalisation — Your onboarding data, tracking history, and conversation context are used to tailor Biggie's guidance, your movement plan, and your learning pathway.
• Pattern recognition — Pain tracking and flare data are analysed to surface patterns in your triggers, activities, and recovery trends.
• Recovery tracking — Weekly snapshots measure your progress across body confidence, nervous system regulation, and functional capacity.
• Safety monitoring — The system flags clinical concerns (such as signs of distress or crisis) to ensure support remains safe and responsible.
• Service delivery — Account management, notifications, email communications, and subscription management.

Legal basis (GDPR): We process your health data on the basis of your explicit consent, which you provide when you create an account and complete onboarding. We process account and payment data on the basis of contractual necessity (delivering the service you subscribed to). We process safety monitoring data on the basis of legitimate interest (keeping you safe).

AI and your data

Biggie, your AI guide, is powered by Anthropic's Claude language model. When you chat with Biggie, your messages and relevant context (such as your onboarding summary, recent tracking data, and conversation history) are sent to Anthropic's API for processing.

This means:

• Anthropic receives your messages in readable form in order to generate responses.
• Anthropic does not use API inputs to train their models. This is part of their standard API terms.
• Anthropic may retain API inputs for up to 30 days for trust and safety purposes (abuse detection), after which they are deleted.
• No other AI provider receives your data. Biggie is the only AI-powered feature that processes your personal information.

We also use OpenAI's embedding model to power semantic search of educational content (the Vault). This processes course and video content only — your personal data, messages, and health records are never sent to OpenAI.

Third-party services

We use a small number of third-party services to operate the platform. Here is exactly who they are and what data they receive:

We do not use any third-party advertising or tracking services. We do not embed social media pixels or tracking scripts. There is no Google Analytics, Facebook Pixel, or similar technology on this platform. A full technical Record of Processing Activities is maintained internally and is available on request to regulators or users exercising their data rights.

Encryption and security

We take the security of your data seriously, particularly given the sensitive nature of health information. Here is exactly what we do:

• Encrypted in transit — All data between your device and our servers is encrypted via HTTPS/TLS.
• Encrypted on your device — Sensitive data cached on your device (such as chat history and tracking data) is encrypted using AES-256-GCM before being stored in your browser. The encryption keys never leave your device.
• Passwords — Your password is hashed using bcrypt before storage. We never store or have access to your actual password.
• Authentication — Sessions are managed via short-lived JWT tokens with HTTP-only refresh cookies.

What this means in practice: Your data is protected against interception in transit and against unauthorised access on your device. On our servers, your data is stored in a form that allows us to process it and deliver the service. We do not claim end-to-end encryption — the server needs to read your data to power features like Biggie, pattern analysis, and recovery tracking.

Clinical quality monitoring

To ensure the Platform operates safely and responsibly, the founder and clinical team may review system-generated summaries of AI interactions and inferred recovery patterns. This review is for quality assurance, safety monitoring, and clinical improvement purposes only.

This access is logged and controlled. No data reviewed in this way is shared with any third party. The purpose is to ensure that the AI guide (Biggie) is responding safely and appropriately, and that system-inferred patterns (such as recovery phase assignments) are functioning as intended.

Data retention

We retain your data for as long as you have an active account. Different types of data have different handling:

• Chat conversations — Conversations older than 60 days or exceeding 200 messages are automatically trimmed. The system keeps your most recent 50 messages and generates a summary of earlier exchanges. This prevents unbounded data growth while preserving context.
• Pain tracking, movement, and recovery data — Retained for the life of your account. This history is essential for tracking your recovery progress over time.
• Login codes and password reset tokens — Expire within minutes and are cleaned up automatically.
• Payment data — Stripe retains payment records per their own retention policy (typically three years for compliance purposes). We store only your customer ID and subscription status.

When you close your account, you can choose to suspend it for 90 days (keeping all your data safe in case you return) or permanently delete everything immediately. If you choose suspension, your data is automatically and permanently deleted after 90 days if you do not reactivate. We will email you a reminder 10 days before permanent deletion. See Your rights for details.

Your rights

Under GDPR and Irish data protection law, you have the following rights:

• Access — You can export a complete copy of your data at any time from your account settings. The export includes your profile, conversations, pain tracking, movement history, assessments, recovery snapshots, video activity, and more.
• Correction — You can update your profile information directly in the app. For corrections to other data, contact us.
• Deletion — You can permanently delete your account and all associated data from your account settings. This process requires email verification for security. When confirmed, your Stripe subscription is cancelled, your Stripe customer record is deleted, and all data across our database is permanently removed via cascading deletion.
• Data portability — Your data export is provided in JSON format, which can be used to transfer your data to another service.
• Withdraw consent — You can withdraw consent for optional data processing (such as analytics) at any time through your account settings. Withdrawing consent for core data processing would require closing your account, as the service cannot function without processing your health data.
• Lodge a complaint — You have the right to lodge a complaint with the Irish Data Protection Commission at www.dataprotection.ie.

To exercise any of these rights, email support@biggerthanpain.com or use the tools in your account settings.

Cookies and local storage

Bigger Than Pain is a progressive web app (PWA). We use a small number of browser storage mechanisms to operate:

• HTTP-only cookies — Used for secure session management (refresh tokens). These cannot be read by JavaScript and are essential for keeping you logged in.
• Local storage — Used for UI preferences (dark mode, panel states) and non-sensitive identifiers (such as your active conversation ID). No health data is stored in local storage.
• IndexedDB — Used for encrypted client-side data caching. Sensitive data (chat messages, tracking data) is encrypted with AES-256-GCM before being written here. The encryption keys are non-extractable and never leave your device.

We do not use tracking cookies, advertising cookies, or any third-party cookies.

Children

Bigger Than Pain is not designed for or directed at anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

Changes to this policy

If we make material changes to this policy, we will notify you via email or an in-app notification before the changes take effect. We will not reduce your rights under this policy without your explicit consent.

Contact

If you have any questions about this policy or how your data is handled:

• Email: support@biggerthanpain.com
• Data Protection Commission Ireland: www.dataprotection.ie