Privacy Policy
Last updated: 17th July 2025
  1. Introduction & Purpose

    Physia Clinic OÜ ("Physia Clinic", "we", "us", or "our") provides a secure, web-based platform that enables physiotherapists to design, deliver, and monitor three-dimensional (3D) exercise programmes for their patients. Delivery channels include modern web browsers, native iOS and Android apps, and immersive extended-reality (XR) / virtual-reality (VR) headsets (Meta Quest 2, 3, and 3S).

    This Privacy Policy explains in detail—over approximately twenty-five pages—how we collect, use, disclose, safeguard, and otherwise process personal information when you interact with any Physia Clinic product, website, mobile application, or XR/VR experience (collectively, the “Services”).

    We have drafted this Policy to comply with widely recognised data-protection regimes such as:

    • Pakistan PDPB 2023
    • EU & UK GDPR
    • Singapore PDPA
    • Thailand PDPA
    • India DPDP 2023
    • Philippines Data Privacy Act 2012
    • United Arab Emirates & Saudi Arabia PDPLs
    • U.S. State Privacy Laws (California Consumer Privacy Act [CCPA], California Privacy Rights Act [CPRA], Virginia Consumer Data Protection Act [VCDPA], Colorado Privacy Act [CPA], Connecticut Data Privacy Act [CTDPA], Utah Consumer Privacy Act [UCPA])
    • South Africa POPIA
    • Other applicable local laws and regulations.

    If any provision of this Policy conflicts with mandatory law in your jurisdiction, the stricter requirement will prevail.

  2. Scope of This Policy

    This Policy applies to personal data processed by Physia Clinic in connection with the Services. It does not cover information processed by third parties you may interact with via integrations, nor does it cover data a physiotherapist exports and stores on their own infrastructure (see Section 4.3).

    Clinical content (exercise videos, anatomical models, treatment plans) that does not identify an individual is outside the scope of personal data and may be used by Physia Clinic for any lawful purpose.

  3. Definitions

    “Personal Data” means any information relating to an identified or identifiable natural person (“data subject”).

    “Controller” means the natural or legal person which, alone or jointly with others, determines the purposes and means of processing personal data.

    “Processor” means a natural or legal person which processes personal data on behalf of the controller.

    “Patient Data” refers to any personal data concerning a patient entered into the Services by a physiotherapist or clinic, including but not limited to name, contact details, health status, treatment notes, and exercise progress.

    Other capitalised terms shall have the meanings set out in Annex B.

  4. Who We Are and Our Role

    Physia Clinic OÜ is a private limited company organised under the laws of Estonia and registered at Harju maakond, Tallinn, Kesklinna linnaosa, Tornimäe tn 5, 10145, Estonia.

    1. Data Controller Activities

      We act as Data Controller for personal data we collect for our own legitimate business purposes, such as:

      • Creation and administration of physiotherapist or clinic accounts.
      • Billing, payment, and taxation records.
      • Customer support communications.
      • Platform analytics, feature development, and marketing (with consent where required).
    2. Data Processor Activities

      When a physiotherapist or clinic enters Patient Data into the platform, Physia Clinic acts as a Data Processor. The physiotherapist or clinic (collectively, “Professional User”) is the Data Controller responsible for obtaining any required consents and for honouring patient rights requests. We will process Patient Data only in accordance with the Professional User’s documented instructions, as set out in the Data Processing Agreement (DPA).

    3. Optional Self-Hosting / On-Premises Storage

      The platform offers an export feature that permits Professional Users to download Patient Data and store or process it on their own servers or electronic health record (EHR) systems. When a Professional User elects to do so:

      • The Professional User becomes both Controller and Processor of that exported data.
      • Physia Clinic bears no responsibility for security, compliance, or retention once data leaves our controlled environment.
      • The Professional User must satisfy any additional safeguards required by law (e.g., execution of Standard Contractual Clauses if data is moved internationally, local encryption, or data-hosting obligations).

    4. No Joint-Controller Status

      For clarity, Physia Clinic does not act as a Joint Controller with any Professional User with respect to Patient Data.

  5. Information We Collect

    1. Categories of Personal Data

      Category | Examples | Primary Legal Basis
      ---------|----------|--------------------
      Contact & Account Data | Full name, business email, phone number, clinic address, username, password (hash) | Contract, Legitimate Interests
      Professional Credentials | Degrees, licences, accreditation numbers, areas of specialisation | Legitimate Interests, Legal Obligation (where professional validation is required)
      Billing & Financial Data | VAT/Tax ID, card last 4 digits, transaction IDs, invoices, payment status | Contract, Legal Obligation
      Patient Data (User-Entered) | Name, contact info, injury/condition, therapy notes, exercise progress; age or gender if typed into Notes | Contract (between patient & physiotherapist), Vital Interest (health), Consent (where required), Processor acting on Controller’s instructions
      Usage & Device Data | IP address, browser, OS, device identifiers, feature usage, session metadata | Legitimate Interests (service improvement & security)
      Cookies & Online Identifiers | Session ID, analytics ID, advertising ID (if opted in) | Consent (non-essential), Legitimate Interests (essential)
      Support Communications | Emails, chat logs, voice calls (recordings when notified) | Legitimate Interests

    2. Sources of Data

      • Data you provide directly through registration forms, profile updates, or customer-support channels.
      • Data Professional Users upload about patients.
      • Data collected automatically via cookies and similar technologies.
      • Data from third-party services you connect (e.g., single-sign-on identity providers, payment gateways).

    3. Sensitive Data

      We do not intentionally solicit or require sensitive data such as race, religion, or biometric identifiers. Nevertheless, certain health-related information contained within Patient Data may be classified as special-category data under GDPR or sensitive personal data under other laws. We process such data solely to provide the healthcare service and under appropriate safeguards (encryption, access controls, least-privilege design).

    4. Children’s Data

      Patient accounts for minors may be created only by a Professional User who has obtained verifiable parental or guardian consent. Minors cannot create independent accounts. See Section 11 and Section 15 for further details.

  6. How We Collect Data

    1. Direct Interactions

      You may give us your personal data by filling in forms, corresponding by email or chat, uploading files, or subscribing to a newsletter. Professional Users may input Patient Data to draft exercise programmes.

    2. Automated Technologies

      When you interact with the Services, we automatically log Usage & Device Data through server logs and first-party cookies. For optional cookies, we obtain consent via our banner.

    3. Third-Party Sources

      We may receive personal data about you from payment processors (e.g., status of a transaction), identity providers (e.g., SSO profile), or marketing partners (e.g., event attendee lists) in accordance with their privacy policies.

  7. Legal Bases for Processing

    1. EU / UK GDPR

      We rely on:

      • Performance of Contract – to deliver the Services you requested.
      • Legitimate Interests – to secure the platform, prevent fraud, and improve functionality, provided these interests are not overridden by your rights.
      • Consent – for non-essential cookies and direct marketing.
      • Legal Obligation – for tax, accounting, and regulatory compliance.

    2. PDPA (Singapore & Thailand)

      Processing follows the “Notification, Purpose Limitation, and Consent” principles. We obtain consent where required and rely on “Business Improvement” and “Compliance with Law” bases analogous to legitimate interests & legal obligation.

    3. PDPB 2023 (Pakistan)

      For Pakistani data subjects, we ensure transfers meet Section 22 requirements and appoint a local Grievance Officer. Where processing involves sensitive health data, we rely on explicit consent or the health-services exemption.

    4. DPDP (India)

      Our processing is anchored in “deemed consent” for provision of requested services, or explicit consent where sensitive personal data is involved. We appoint a Grievance Officer for India to handle complaints within 15 days.

    5. POPIA (South Africa)

      We process on the basis of performance of a contract with the data subject or controller, or legitimate interest of the data subject in receiving healthcare services.

    6. U.S. State Privacy Laws

      We comply with applicable U.S. state privacy regulations, including:

      • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA): Provides California residents with rights to access, delete, and opt-out of data sales and sharing. Physia Clinic does not sell data but allows residents to exercise their rights.

      • Virginia Consumer Data Protection Act (VCDPA): Provides Virginia residents with rights of access, correction, deletion, portability, and opt-out of targeted advertising, profiling, and sale.

      • Colorado Privacy Act (CPA): Offers similar privacy rights to Colorado residents, including the right to opt-out of targeted advertising, sale, and profiling activities.

      • Connecticut Data Privacy Act (CTDPA): Grants Connecticut residents similar rights to access, correct, delete, port their data, and opt-out of targeted advertising, sale, and profiling.

      • Utah Consumer Privacy Act (UCPA): Provides Utah residents with rights to access and delete personal data and opt-out of targeted advertising and sales.

    7. Legitimate Interests Assessment Summary

      We maintain written assessments demonstrating that our legitimate-interest processing (e.g., security monitoring, product analytics) is necessary, proportionate, and does not unduly impact individuals’ rights. Balancing tests are available upon request.

  8. How We Use Personal Data

    1. Provision of Services

      • Account creation and authentication
      • Hosting exercise libraries and 3D assets
      • Syncing progress across web, mobile, and XR/VR devices
    2. XR / VR & Meta Quest Processing

      • Rendering 3D models locally on the headset; limited telemetry (e.g., device model, framerate, error codes) sent to our servers.
      • Optional in-headset voice recording (disabled by default) for feedback capture; recordings never leave the device without explicit user action.

    3. Communications

      • Transactional emails (welcome, password reset, invoices)
      • Product updates and onboarding tips
      • Newsletters or webinars (opt-in only)

    4. Analytics & Product Development

      • Aggregated usage statistics to prioritise new features.
      • A/B testing to improve user-interface accessibility.

    5. Marketing

      • Displaying Physia Clinic ads on third-party sites via Google Ads (cookie-based, consent required in EU/UK).
      • Aggregating de-identified usage insights for case studies.

    6. Payments & Invoicing

      • Processing subscription fees via Stripe.
      • Preventing fraudulent transactions and chargebacks.
    7. Security, Fraud & Misuse Prevention

      • IP reputation checks, rate limiting, and CAPTCHA challenges.
    8. Compliance with Laws

      • Responding to lawful requests from supervisory authorities.
      • Retaining financial records for statutory periods.
    9. De-identified & Aggregated Data

      We may transform personal data into anonymised statistics (e.g., average completion rate of a knee-rehab programme) for research or commercial insight. Such data is irreversibly de-identified.

  9. Cookies & Similar Technologies

    1. Essential Cookies

      • _physia_session – Maintains the secure login session (expires 24 h after last activity).
      • csrf_token – Prevents cross-site request forgery (expiry: session).

    2. Optional Cookies & Consent Mechanism

      • _ga (Google Analytics) – Visitor analytics (expiry: 13 months; disabled until consent).
      • _fbp (Meta Pixel) – Advertising remarketing (expiry: 90 days; disabled until consent).

      Consent is gathered through a banner appearing on first visit. EU/UK users see a granular preference centre with “Accept All”, “Reject All”, and “Manage Settings” options.

    3. Global Privacy Control / Do-Not-Track

      We honour recognised browser signals by defaulting optional cookies to “off” when GPC or DNT is detected.

    4. Cookie Lifetimes

      Detailed lifetimes and purposes for each cookie are listed in our standalone Cookie Policy, incorporated by reference.

  10. Sharing & Disclosure of Personal Data

    Recipient | Type / Purpose | Safeguard
    ----------|----------------|----------
    Amazon Web Services (AWS UK) | Cloud infrastructure & backups | ISO 27001; SCCs for support staff outside UK/EU
    Stripe | Payment processing | PCI-DSS compliance; data-processing contracts
    SendGrid / AWS SES | Transactional & marketing emails | Data-processing contracts; TLS encryption
    Google LLC | Analytics & Tag Manager | IP anonymisation; consent mode in EU/UK, CCPA, and other relevant jurisdictions
    HubSpot | CRM & user onboarding | SCCs & BCR certification

    We do not sell personal data. Disclosures to authorities are limited to legally valid demands and subject to minimisation and challenge where possible.

  11. XR / VR Patient Consent Flow

    1. On-Screen Consent Notice

      Before a patient accesses any programme via web, mobile, or VR, they are presented with a concise notice that summarises:

      • Identity of the Data Controller (their physiotherapist or clinic).
      • Types of data collected (e.g., name, contact info, exercise telemetry).
      • Purpose of processing (delivery and monitoring of rehabilitation programme).
      • A link to this Privacy Policy and to the Professional User’s privacy notice.
      • Buttons to “Agree & Continue” or “Decline”.

    2. QR Code & App Pop-Up

      If the patient joins via a QR code, a pop-up within the mobile app or VR headset redisplays the notice and requests confirmation. The programme will not start until consent is recorded.

    3. Record of Consents

      Timestamps, IP, device ID, and consent status are logged and stored for eight years. Professional Users may export consent logs in CSV format for audit purposes.

  12. International Data Transfers & Localisation

    1. Primary Hosting in the United Kingdom

      All production databases and object storage (exercise media) are located in AWS’s London (eu-west-2) region.

    2. Standard Contractual Clauses (SCCs)

      Where we transfer personal data from the EU/UK to a country without an adequacy decision, we rely on SCCs (and, where required, the UK International Data Transfer Addendum) plus supplementary measures (encryption, strict access controls, data minimisation).

    3. Country-Specific Measures

      • Singapore & Thailand: Data is processed in the UK under contractual clauses guaranteeing PDPA-equivalent protection; optional in-region caching is available.
      • Pakistan: Pakistani data-protection regulation requires “equivalent protection” for any cross-border transfer, together with the data subject’s explicit consent and SCCs or BCRs in place. We process this data on the legal basis of contractual obligation, together with consent where needed.
      • India: Until DPIIT releases localisation rules, cross-border transfers follow DPDP provisions. We will adapt if India mandates whitelists or localisation.
      • UAE & Saudi Arabia: If future regulations mandate local hosting, we will offer region-locked storage zones.
      • United States: Compliance with state privacy laws; additional data localisation is available upon request.

    4. Data Residency & Segmentation

      For enterprise customers requiring in-country data storage, we provide private cloud deployments in:

      • London, UK (EU/UK zone)
      • Mumbai, India (APAC South)
      • Karachi, Pakistan (PK zone)
      • United States (US zone)

    5. Pakistan-Specific Transfer Logic

      Pakistani patient data is subject to residency controls and may only be transferred under strict legal mechanisms (e.g., adequacy, explicit consent, binding contract, public interest).

  13. Data Retention & Deletion

    1. General Retention Principles

      We retain personal data only for as long as necessary, aligned with:

      • Statutory obligations (e.g., tax, AML laws)
      • Contractual obligations (supporting active subscriptions)
      • Legitimate business needs (defending legal claims)

    2. Eight-Year Retention Schedule

      Data Category | Retention Period | Rationale
      --------------|------------------|----------
      Financial & Billing Records | 8 years from transaction | Tax & audit (UK Finance Act 2020; typical AML compliance)
      Physiotherapist Clinical Notes | 8 years from last patient interaction | Medical record retention best practice (UK NHS; EU physiotherapy guidelines)
      Patient Programme Data | Active + 8 years | Allows treatment continuity and legal defence
      Support Tickets | 2 years | Quality assurance & dispute resolution
      Raw Server Logs | 12 months | Security investigations
      Aggregated Analytics | Indefinite (anonymised) | Product insight (non-personal)

    3. Soft Delete & Archiving

      Upon account termination, Patient Data is flagged as “dormant” and moved to an encrypted archive, inaccessible from the UI. After eight years, automated purge scripts permanently delete the data.

    4. Patient Programme Continuity Options

      If a subscription ends while a patient’s programme is still active, we automatically notify the patient and offer:

      • Option A – Immediate Deletion: All data erased within 30 days.
      • Option B – Temporary Continuation: Limited read-only access for up to 90 days to complete the programme, after which data is deleted unless the patient transfers to another professional.

    5. Backups & Residual Data

      Encrypted backups are rotated every 24 hours and retained for 30 days. At backup expiry, data is overwritten. Residual data might persist in disaster-recovery snapshots for up to 90 days, after which cryptographic erase procedures apply.

    6. Secure Disposal

      When storage media reach end-of-life, AWS follows NIST SP 800-88 “purge or destroy” guidelines. Local drives used for development are wiped using cryptographic shredding.

  14. Security Measures

    1. Technical Measures

      • Encryption – TLS 1.3 for data in transit; AES-256 for data at rest.
      • Zero-Trust Networking – Services communicate via mutual TLS, with no implicit trust for internal traffic.
      • Multi-Factor Authentication (MFA) – Mandatory for all staff accounts.
      • Rate Limiting & WAF – Mitigates DDoS and injection attacks.

    2. Organisational Measures

      • Staff background checks and signed confidentiality agreements.
      • Role-based access control (“least privilege”).
      • Quarterly security-awareness training.

    3. Incident Response & Notification

      We maintain a 24/7 on-call rota. Breaches are classified by severity with documented containment and eradication steps. Notifiable breaches trigger regulator notification within statutory timeframes (e.g., 72 hours under GDPR).

    4. Independent Assessments

      We aim to complete annual penetration tests and to have certification (ISO and SOC) in progress (target Q4 2025).

  15. Data Subject Rights

    1. How to Exercise Rights

      Email contact@physiaclinic.com or use the in-app “Privacy Centre”. If you are a patient, please contact your physiotherapist first; we will assist them in fulfilling your request.

    2. Identity Verification

      We may require confirmation of identity (e.g., replying from registered email or government ID) to protect your data.

    3. Region-Specific Timelines

      Jurisdiction | Response Deadline
      -------------|------------------
      EU / UK GDPR | 1 month (extendable +2 months)
      Singapore PDPA | “Reasonable” – typically within 30 days
      India DPDP | 15 days via Grievance Officer
      Pakistan PDPB 2023 | 30 days
      California CCPA / CPRA | 45 days (extendable +45 days)

    4. Appeals & Supervisory Authorities

      If you are dissatisfied, you may lodge a complaint with your local data-protection authority. Contact details are provided in Annex A.

  16. Automated Decision-Making & Profiling

    Physia Clinic does not engage in automated decision-making that produces legal or similarly significant effects. We may use basic algorithms to recommend exercise progressions, but decisions always require human approval.

  17. Third-Party Links & Integrations

    Our blog, knowledge base, or marketplace may link to external resources. Clicking those links may allow third parties to collect data. We are not responsible for their content or privacy practices. Please review their policies.

  18. Changes to This Policy

    We may update this Policy to reflect changes in law, technology, or business operations. Material changes will be notified by email or in-app message at least 30 days before they take effect, except where immediate changes are required by law.

  19. Contact & Data Protection Officer Information

    Data Protection Officer (Pakistan / India / EU / UK)
    Email: contact@physiaclinic.com
    Postal Address: Physia Clinic OÜ, Harju maakond, Tallinn, Kesklinna linnaosa, Tornimäe tn 5, 10145, Estonia
    Attn: Privacy Officer

  20. Annexes


    Annex A – Key Jurisdictional Addenda

    Jurisdiction | Supervisory Authority | Contact Information | Website
    -------------|-----------------------|---------------------|--------
    EU | European Data Protection Board (EDPB) | Rue Wiertz 60, B-1047 Brussels, Belgium | edpb.europa.eu
    United Kingdom | Information Commissioner's Office (ICO) | Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, UK | ico.org.uk
    Singapore | Personal Data Protection Commission (PDPC) | 10 Pasir Panjang Road, #03-01 Mapletree Business City, Singapore 117438 | pdpc.gov.sg
    India | Data Protection Board of India (DPBI) | Electronics Niketan, 6, CGO Complex, Lodhi Road, New Delhi - 110003, India | meity.gov.in
    Pakistan | National Commission for Personal Data Protection (NCPDP) | Constitution Avenue, Islamabad, Pakistan | moitt.gov.pk
    South Africa | Information Regulator | JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001, South Africa | justice.gov.za/inforeg
    California, USA | California Privacy Protection Agency (CPPA) | 2101 Arena Blvd, Sacramento, CA 95834, USA | cppa.ca.gov

    Annex B – Glossary of Terms

    Term | Definition
    -----|-----------
    Anonymisation | Irreversible process of transforming personal data so that the individual cannot be identified by any reasonable means.
    De-identification | Process of removing or altering identifying characteristics of data to prevent it from being linked to a specific individual without additional information.
    Data Processing Agreement (DPA) | Contract outlining data processing terms between a controller and processor, establishing respective responsibilities and obligations under applicable laws.
    Standard Contractual Clauses (SCCs) | Model clauses approved by the European Commission that allow data transfers from the EU to countries without adequacy decisions under GDPR.
    Transfer Impact Assessment (TIA) | Assessment required to evaluate risks associated with transferring personal data internationally and determine if additional safeguards are needed.
    Sensitive Personal Data | Personal data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, health data, or data concerning a person’s sex life or sexual orientation.

    Annex C – Record of Processing Activities (RoPA)

    Processing Activity | Categories of Data | Purpose | Legal Basis | Recipients | Retention Period
    --------------------|--------------------|---------|-------------|------------|-----------------
    Account Management | Contact & Account Data | Account creation, billing, communication | Contract | Internal, Stripe | Active + 8 years
    Clinical Management | Patient Data | Delivery and management of exercise programmes | Contract, Vital Interests, Consent | AWS, Internal | Active + 8 years
    Marketing & Analytics | Cookies & Online Identifiers | Optimisation and targeted advertising | Consent, Legitimate Interests | Google, Meta | 13 months
    Security Management | Usage & Device Data | Security, fraud prevention | Legitimate Interests | Internal | 12 months

    Annex D – Data Storage Locations & Sub-Processors

    Sub-Processor | Purpose | Location | Data Protection Measures | Last Audit Date
    --------------|---------|----------|--------------------------|----------------
    Amazon Web Services (AWS) | Infrastructure & Storage | UK (London) | ISO 27001, SOC 2, SCCs | March 2025
    Stripe | Payment Processing | USA, Ireland (EU) | PCI-DSS, SCCs | February 2025
    Google LLC | Analytics & Tag Management | USA | SCCs, IP anonymisation | April 2025
    HubSpot | CRM & User Management | USA | SCCs, ISO 27001 | January 2025
    SendGrid / AWS SES | Email Services | USA, Ireland (EU) | SCCs, TLS encryption | May 2025