Privacy Policy
Last updated: March 2026
1. Who We Are
After.surgery is an independent website providing surgical recovery information, product recommendations, and a personal Recovery Planner. After.surgery is the data controller in respect of personal data collected through this website and its associated services.
If you have any questions about this Privacy Policy or our data practices, please contact us at hello@after.surgery.
2. What Information We Collect
2.1 Information You Provide Voluntarily
We may collect personal information that you provide directly, such as:
- Your name and email address when you create an account or contact us;
- A password (stored in hashed form; we never see your plain-text password);
- Information you enter into the Recovery Planner, including surgery details, daily check-ins, journal entries, photos, and videos you choose to upload;
- Any information you include in a message or enquiry submitted through the website;
- Preferences or settings you choose while using the site.
2.2 Information Collected Automatically
When you visit after.surgery, certain technical data may be collected automatically, including:
- Your IP address and approximate geographic location;
- Browser type, version, and operating system;
- Pages visited, time spent on pages, and navigation behaviour;
- Referring website or search terms used to find the site;
- Cookie identifiers (see Section 6).
This information is typically collected in aggregate and anonymised form for analytics purposes.
2.3 Account and Recovery Data
If you create an account, we store the following in order to provide the Recovery Planner service:
- Your email address and account credentials;
- Your subscription plan tier (free or paid);
- Surgery details you enter, including type, date, and healthcare provider;
- Recovery journal entries, check-in responses, symptom logs, and progress notes;
- Photos and videos you upload to your journal (paid plans only);
- Journal sharing tokens if you choose to share your recovery with a carer or clinician.
Your recovery data belongs to you. We use it solely to power your personal Recovery Planner and do not use it for advertising, profiling, or any commercial purpose beyond delivering the service.
2.4 Payment Data
If you subscribe to a paid plan, payment is processed securely by Stripe, a certified PCI-DSS Level 1 payment processor. We do not receive or store your full card number, CVV, or other sensitive payment details. Stripe may share limited transaction metadata with us, including the amount, currency, and subscription status. Stripe's own privacy policy governs their handling of your payment information.
3. How We Use Your Information
We use the information we collect for the following purposes:
- To provide, operate, and improve the website and Recovery Planner;
- To create and manage your account and subscription;
- To process payments and send billing-related communications via Stripe and Resend;
- To respond to your enquiries or support requests;
- To send transactional emails (account confirmation, password reset, billing receipts);
- To send updates or newsletters you have opted into (you may unsubscribe at any time);
- To understand how visitors use our site and to improve user experience;
- To comply with our legal obligations;
- To detect, prevent, and address technical issues or misuse of the website.
We do not use your recovery health data for any purpose other than operating your Recovery Planner. We do not sell it, share it with advertisers, or use it to build marketing profiles.
4. Legal Basis for Processing
We rely on the following lawful bases for processing your personal data:
- Contract, to perform our obligations under your subscription agreement, including providing access to the Recovery Planner and processing payments;
- Consent, where you have given clear consent, for example by subscribing to a newsletter or uploading health-related content to your journal;
- Legitimate interests, for analytics, website improvement, fraud prevention, and security, where our interests are not overridden by your rights;
- Legal obligation, where we are required to process data to comply with the law.
5. Sub-Processors and Third-Party Services
We use a small number of trusted third-party services to operate after.surgery. Each is bound by appropriate data processing agreements and security standards:
- Supabase — our database and authentication provider, used to store account information and recovery data. Data is hosted on servers located within the European Union or equivalent jurisdictions.
- Stripe — our payment processor. Stripe handles all card data and is certified to PCI-DSS Level 1. See Stripe's Privacy Policy.
- Resend — our transactional email provider, used to send account and billing emails.
- Amazon Associates — when you click an affiliate link, Amazon may set its own cookies. See Section 7 for more detail.
We do not use advertising networks, behavioural tracking platforms, or data brokers.
6. Cookies
After.surgery uses cookies and similar tracking technologies to enhance your experience. Cookies are small text files placed on your device by your browser.
We use the following types of cookies:
- Essential cookies, necessary for the website to function correctly, including authentication tokens that keep you signed in to your account;
- Analytics cookies, used in aggregate, anonymised form to understand how visitors interact with the site;
- Third-party cookies, set by external services such as Amazon when you click affiliate links.
You can control and delete cookies through your browser settings. Disabling essential cookies will prevent you from staying signed in to your account. By continuing to use this site, you consent to our use of cookies as described above.
7. Affiliate Links and Commercial Relationships
After.surgery participates in the Amazon Associates Programme and may participate in other affiliate schemes. When you click an affiliate link and visit a third-party site such as Amazon, that site's own privacy policy will apply. We have no control over and accept no responsibility for third-party data practices.
We do not sell, rent, or trade your personal data to any third party for marketing purposes. We have no advertising relationships, paid placements, or sponsorship arrangements with any product manufacturer or healthcare provider. Our only commercial arrangement of this kind is the Amazon Associates Programme.
8. Data Retention
We retain personal data only for as long as is necessary for the purposes set out in this Privacy Policy, or as required by law:
- Account data is retained for the duration of your account and for a reasonable period afterwards to handle disputes or comply with legal obligations. You may request deletion at any time.
- Recovery journal data is retained for the duration of your account. If you delete your account, your journal data is permanently deleted.
- Billing records may be retained for up to seven years in accordance with financial regulations.
- Analytics data is typically retained in anonymised form and may be kept indefinitely for trend analysis.
9. Data Security
We take reasonable technical and organisational measures to protect your personal data from unauthorised access, loss, destruction, or alteration. These include encrypted connections (HTTPS), hashed passwords, and access controls on our database. However, no method of transmission over the internet is completely secure, and we cannot guarantee absolute security.
If you believe that your personal data has been compromised, please contact us immediately at hello@after.surgery.
10. Your Rights
Under applicable data protection law, you may have the following rights in relation to your personal data:
- Right of access: you may request a copy of the personal data we hold about you;
- Right to rectification: you may ask us to correct inaccurate or incomplete data;
- Right to erasure: you may ask us to delete your personal data in certain circumstances;
- Right to restriction: you may ask us to restrict processing of your data in certain circumstances;
- Right to data portability: you may request your account and recovery data in a structured, machine-readable format;
- Right to object: you may object to processing based on legitimate interests or for direct marketing;
- Rights related to automated decision-making: we do not currently use automated decision-making or profiling that produces legal or similarly significant effects.
To exercise any of these rights, please contact us at hello@after.surgery. We will respond within a reasonable timeframe as required by applicable law. You also have the right to lodge a complaint with the relevant data protection authority in your jurisdiction.
11. Children's Privacy
After.surgery is not directed at children under the age of 18. We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data without parental consent, please contact us so that we can take appropriate action.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The "Last updated" date at the top of this page will be revised accordingly. We encourage you to review this policy periodically. Continued use of the website after any changes constitutes acceptance of the revised policy.
13. Contact Us
If you have any questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact us at hello@after.surgery. We take privacy enquiries seriously and aim to respond promptly.