Physia Clinic OÜ ("Physia Clinic", "we", "us", or "our") provides a secure, web-based platform that enables physiotherapists to design, deliver, and monitor three-dimensional (3D) exercise programmes for their patients. Delivery channels include modern web browsers, native iOS and Android apps, and immersive extended-reality (XR) / virtual-reality (VR) headsets (Meta Quest 2, 3, and 3S).
This Privacy Policy explains in detail—over approximately twenty-five pages—how we collect, use, disclose, safeguard, and otherwise process personal information when you interact with any Physia Clinic product, website, mobile application, or XR/VR experience (collectively, the “Services”).
We have drafted this Policy to comply with widely recognised data-protection regimes such as:
If any provision of this Policy conflicts with mandatory law in your jurisdiction, the stricter requirement will prevail.
This Policy applies to personal data processed by Physia Clinic in connection with the Services. It does not cover information processed by third parties you may interact with via integrations, nor does it cover data a physiotherapist exports and stores on their own infrastructure (see Section 4.3).
Clinical content (exercise videos, anatomical models, treatment plans) that does not identify an individual is outside the scope of personal data and may be used by Physia Clinic for any lawful purpose.
“Personal Data” means any information relating to an identified or identifiable natural person (“data subject”).
“Controller” means the natural or legal person which, alone or jointly with others, determines the purposes and means of processing personal data.
“Processor” means a natural or legal person which processes personal data on behalf of the controller.
“Patient Data” refers to any personal data concerning a patient entered into the Services by a physiotherapist or clinic, including but not limited to name, contact details, health status, treatment notes, and exercise progress.
Other capitalised terms shall have the meanings set out in Annex B.
Physia Clinic OÜ is a private limited company organised under the laws of Estonia and registered at Harju maakond, Tallinn, Kesklinna linnaosa, Tornimäe tn 5, 10145, Estonia.
We act as Data Controller for personal data we collect for our own legitimate business purposes, such as:
When a physiotherapist or clinic enters Patient Data into the platform, Physia Clinic acts as a Data Processor. The physiotherapist or clinic (collectively, “Professional User”) is the Data Controller responsible for obtaining any required consents and for honouring patient rights requests. We will process Patient Data only in accordance with the Professional User’s documented instructions, as set out in the Data Processing Agreement (DPA).
The platform offers an export feature that permits Professional Users to download Patient Data and store or process it on their own servers or electronic health record (EHR) systems. When a Professional User elects to do so:
The Professional User becomes both Controller and Processor of that exported data.
For clarity, Physia Clinic does not act as a Joint Controller with any Professional User with respect to Patient Data.
Category | Examples | Primary Legal Basis |
---|---|---|
Contact & Account Data | Full name, business email, phone number, clinic address, username, password (hash) | Contract, Legitimate Interests |
Professional Credentials | Degrees, licences, accreditation numbers, areas of specialisation | Legitimate Interests, Legal Obligation (where professional validation required) |
Billing & Financial Data | VAT/Tax ID, card last 4 digits, transaction IDs, invoices, payment status | Contract, Legal Obligation |
Patient Data (User-Entered) | Name, contact info, injury/condition, therapy notes, exercise progress; age or gender if typed into Notes | Contract (between patient & physiotherapist), Vital Interest (health), Consent (where required), Processor acting on Controller’s instructions |
Usage & Device Data | IP address, browser, OS, device identifiers, feature usage, session metadata | Legitimate Interests (service improvement & security) |
Cookies & Online Identifiers | Session ID, analytics ID, advertising ID (if opted-in) | Consent (non-essential), Legitimate Interests (essential) |
Support Communications | Emails, chat logs, voice calls (recordings when notified) | Legitimate Interests |
We do not intentionally solicit or require sensitive data such as race, religion, or biometric identifiers. Nevertheless, certain health-related information contained within Patient Data may be classified as special-category data under GDPR or sensitive personal data under other laws. We process such data solely to provide the healthcare service and under appropriate safeguards (encryption, access controls, least-privilege design).
Patient accounts for minors may be created only by a Professional User who has obtained verifiable parental or guardian consent. Minors cannot create independent accounts. See Section 11 and Section 15 for further details.
You may give us your personal data by filling in forms, corresponding by email or chat, uploading files, or subscribing to a newsletter. Professional Users may input Patient Data to draft exercise programmes.
When you interact with the Services, we automatically log Usage & Device Data through server logs and first-party cookies. For optional cookies, we obtain consent via our banner.
We may receive personal data about you from payment processors (e.g., status of a transaction), identity providers (e.g., SSO profile), or marketing partners (e.g., event attendee lists) in accordance with their privacy policies.
We rely on:
Processing follows the “Notification, Purpose Limitation, and Consent” principles. We obtain consent where required and rely on “Business Improvement” and “Compliance with Law” bases analogous to legitimate interests & legal obligation.
For Pakistani data subjects, we ensure transfers meet Section 22 requirements and appoint a local Grievance Officer. Where processing involves sensitive health data, we rely on explicit consent or the health-services exemption.
Our processing is anchored in “deemed consent” for provision of requested services, or explicit consent where sensitive personal data is involved. We appoint a Grievance Officer for India to handle complaints within 15 days.
We process on the basis of performance of a contract with the data subject or controller, or legitimate interest of the data subject in receiving healthcare services.
We comply with applicable U.S. state privacy regulations, including:
California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA): Provides California residents with rights to access, delete, and opt-out of data sales and sharing. Physia Clinic does not sell data but allows residents to exercise their rights.
Virginia Consumer Data Protection Act (VCDPA): Provides Virginia residents with rights of access, correction, deletion, portability, and opt-out of targeted advertising, profiling, and sale.
Colorado Privacy Act (CPA): Offers similar privacy rights to Colorado residents, including the right to opt-out of targeted advertising, sale, and profiling activities.
Connecticut Data Privacy Act (CTDPA): Grants Connecticut residents similar rights to access, correct, delete, port their data, and opt-out of targeted advertising, sale, and profiling.
Utah Consumer Privacy Act (UCPA): Provides Utah residents with rights to access and delete personal data and opt-out of targeted advertising and sales.
We maintain written assessments demonstrating that our legitimate-interest processing (e.g., security monitoring, product analytics) is necessary, proportionate, and does not unduly impact individuals’ rights. Balancing tests are available upon request.
We may transform personal data into anonymised statistics (e.g., average completion rate of a knee-rehab programme) for research or commercial insight. Such data is irreversibly de-identified.
Consent is gathered through a banner appearing on first visit. EU/UK users see a granular preference centre with “Accept All”, “Reject All”, and “Manage Settings” options.
We honour recognised browser signals by defaulting optional cookies to “off” when GPC or DNT is detected.
Detailed lifetimes and purposes for each cookie are listed in our standalone Cookie Policy, incorporated by reference.
Recipient Type | Purpose | Safeguard |
---|---|---|
Amazon Web Services (AWS UK) | Cloud infrastructure & backups | ISO 27001; SCCs for support staff outside UK/EU |
Stripe | Payment processing | PCI-DSS compliance; data-processing contracts |
SendGrid / AWS SES | Transactional & marketing emails | Data-processing contracts; TLS encryption |
Google LLC | Analytics & Tag Manager | IP anonymisation; consent mode in EU/UK, CCPA, and other relevant jurisdictions |
HubSpot | CRM & user onboarding | SCCs & BCR certification |
We do not sell personal data. Disclosures to authorities are limited to legally valid demands and subject to minimisation and challenge where possible.
Before a patient accesses any programme via web, mobile, or VR, they are presented with a concise notice that summarises:
If the patient joins via a QR code, a pop-up within the mobile app or VR headset redisplays the notice and requests confirmation. The programme will not start until consent is recorded.
Timestamps, IP, device ID, and consent status are logged and stored for eight years. Professional Users may export consent logs in CSV format for audit purposes.
All production databases and object storage (exercise media) are located in AWS’s London (eu-west-2) region.
Where we transfer personal data from the EU/UK to a country without an adequacy decision, we rely on SCCs (and, where required, the UK International Data Transfer Addendum) plus supplementary measures (encryption, strict access controls, data-minimisation).
For enterprise customers requiring in-country data storage, we provide private cloud deployments in:
Pakistani patient data is subject to residency controls and may only be transferred under strict legal mechanisms (e.g., adequacy, explicit consent, binding contract, public interest).
We retain personal data only for as long as necessary, aligned with:
Data Category | Retention Period | Rationale |
---|---|---|
Financial & Billing Records | 8 years from transaction | Tax & audit (UK Finance Act 2020; typical AML compliance) |
Physiotherapist Clinical Notes | 8 years from last patient interaction | Medical record retention best practice (UK NHS; EU physiotherapy guidelines) |
Patient Programme Data | Active + 8 years | Allows treatment continuity and legal defence |
Support Tickets | 2 years | Quality assurance & dispute resolution |
Raw Server Logs | 12 months | Security investigations |
Aggregated Analytics | Indefinite (anonymised) | Product insight (non-personal) |
Upon account termination, Patient Data is flagged as “dormant” and moved to an encrypted archive, inaccessible from the UI. After eight years, automated purge scripts permanently delete the data.
If a subscription ends while a patient’s programme is still active, we automatically notify the patient and offer:
Encrypted backups are rotated every 24 hours and retained for 30 days. At backup expiry, data is overwritten. Residual data might persist in disaster-recovery snapshots for up to 90 days, after which cryptographic erase procedures apply.
When storage media reach end-of-life, AWS follows NIST SP 800-88 “purge or destroy” guidelines. Local drives used for development are wiped using cryptographic shredding.
We maintain a 24/7 on-call rota. Breaches are classified by severity with documented containment and eradication steps. Notifiable breaches trigger regulator notification within statutory timeframes (e.g., 72 hours under GDPR).
We aim to complete annual penetration tests and to have certification (ISO and SOC) in progress (target Q4 2025).
Email contact@physiaclinic.com or use the in-app “Privacy Centre”. If you are a patient, please contact your physiotherapist first; we will assist them in fulfilling your request.
We may require confirmation of identity (e.g., replying from registered email or government ID) to protect your data.
Jurisdiction | Response Deadline |
---|---|
EU / UK GDPR | 1 month (extendable +2 months) |
Singapore PDPA | “Reasonable” – typically within 30 days |
India DPDP | 15 days via Grievance Officer |
Pakistan PDPB 2023 | 30 days |
California CCPA / CPRA | 45 days (extendable +45 days) |
If you are dissatisfied, you may lodge a complaint with your local dataprotection authority. Contact details are provided in Annex A.
We may update this Policy to reflect changes in law, technology, or business operations. Material changes will be notified by email or in-app message at least 30 days before they take effect, except where immediate changes are required by law.
Jurisdiction | Supervisory Authority | Contact Information | Website |
---|---|---|---|
EU | European Data Protection Board (EDPB) | Rue Wiertz 60, B-1047 Brussels, Belgium | edpb.europa.eu |
United Kingdom | Information Commissioner's Office (ICO) | Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, UK | ico.org.uk |
Singapore | Personal Data Protection Commission (PDPC) | 10 Pasir Panjang Road, #03-01 Mapletree Business City, Singapore 117438 | pdpc.gov.sg |
India | Data Protection Board of India (DPBI) | Electronics Niketan, 6, CGO Complex, Lodhi Road, New Delhi - 110003, India | meity.gov.in |
Pakistan | National Commission for Personal Data Protection (NCPDP) | Constitution Avenue, Islamabad, Pakistan | moitt.gov.pk |
South Africa | Information Regulator | JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001, South Africa | justice.gov.za/inforeg |
California, USA | California Privacy Protection Agency (CPPA) | 2101 Arena Blvd, Sacramento, CA 95834, USA | cppa.ca.gov |
Term | Definition |
---|---|
Anonymisation | Irreversible process of transforming personal data so that the individual cannot be identified by any reasonable means. |
De-identification | Process of removing or altering identifying characteristics of data to prevent it from being linked to a specific individual without additional information. |
Data Processing Agreement (DPA) | Contract outlining data processing terms between a controller and processor, establishing respective responsibilities and obligations under applicable laws. |
Standard Contractual Clauses (SCCs) | Model clauses approved by the European Commission that allow data transfers from the EU to countries without adequacy decisions under GDPR. |
Transfer Impact Assessment (TIA) | Assessment required to evaluate risks associated with transferring personal data internationally and determine if additional safeguards are needed. |
Sensitive Personal Data | Personal data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, health data, or data concerning a person's sex life or sexual orientation. |
Processing Activity | Categories of Data | Purpose | Legal Basis | Recipients | Retention Period |
---|---|---|---|---|---|
Account Management | Contact & Account Data | Account creation, billing, communication | Contract | Internal, Stripe | Active + 8 years |
Clinical Management | Patient Data | Delivery and management of exercise programs | Contract, Vital Interests, Consent | AWS, Internal | Active + 8 years |
Marketing & Analytics | Cookies & Online Identifiers | Optimisation and targeted advertising | Consent, Legitimate Interests | Google, Meta | 13 months |
Security Management | Usage & Device Data | Security, fraud prevention | Legitimate Interests | Internal | 12 months |
Sub-Processor | Purpose | Location | Data Protection Measures | Last Audit Date |
---|---|---|---|---|
Amazon Web Services (AWS) | Infrastructure & Storage | UK (London) | ISO 27001, SOC 2, SCCs | March 2025 |
Stripe | Payment Processing | USA, Ireland (EU) | PCI-DSS, SCCs | February 2025 |
Google LLC | Analytics & Tag Management | USA | SCCs, IP anonymisation | April 2025 |
HubSpot | CRM & User Management | USA | SCCs, ISO 27001 | January 2025 |
SendGrid / AWS SES | Email Services | USA, Ireland (EU) | SCCs, TLS encryption | May 2025 |