1. Our Commitment to GDPR
Physiologio is committed to handling personal data with respect, transparency, and legal compliance. We design our platform with data protection in mind from the outset (“privacy by design and by default” — GDPR Article 25), and we take our obligations under Regulation (EU) 2016/679 (“GDPR”) and applicable Cyprus and EU national data protection law seriously.
This page provides a focused summary of our data protection approach, your rights, and how to exercise them. For full details of what data we collect and how we use it, please read our Privacy Policy.
Physiologio operates in a dual capacity:
- As a data controller for website visitors and platform account holders (clinic staff).
- As a data processor for patient records entered into the platform by subscribing clinics (who are the data controllers for their patients’ data).
2. Data Protection Principles
We adhere to all seven data protection principles set out in GDPR Article 5:
- Lawfulness, fairness, and transparency: We process data on a valid legal basis and are transparent about how and why we process it.
- Purpose limitation: Data is collected for specified, explicit, and legitimate purposes and is not processed in ways incompatible with those purposes.
- Data minimisation: We only collect data that is adequate, relevant, and necessary for the purposes for which it is processed.
- Accuracy: We take reasonable steps to ensure data is kept accurate and up to date. Users can update their own account details at any time.
- Storage limitation: Personal data is kept in a form that permits identification no longer than necessary (see retention periods in our Privacy Policy — Section 8).
- Integrity and confidentiality: We apply appropriate technical and organisational security measures to protect data against unauthorised access, disclosure, loss, or destruction.
- Accountability: We maintain records of processing activities, enter into DPAs with sub-processors, and can demonstrate compliance upon request.
3. Your Rights as a Data Subject
If you are an individual whose personal data is processed by Physiologio as a data controller (i.e. you are a website visitor, or a clinic staff member with an account), the following rights apply to you under the GDPR:
Right of Access
Article 15Request a copy of the personal data we hold about you, along with information about how and why we process it, who we share it with, and how long we keep it.
Right to Rectification
Article 16Request correction of inaccurate or incomplete personal data. Platform users can update most account details directly within their profile settings.
Right to Erasure
Article 17Request deletion of your personal data where it is no longer necessary, where consent is withdrawn, or where processing is unlawful. Note: some data may be retained for legal obligations.
Right to Restriction
Article 18Request that we restrict processing of your data in certain circumstances — for example, while the accuracy of the data is being verified.
Right to Data Portability
Article 20Receive your personal data in a structured, commonly used, machine-readable format (e.g. JSON or CSV) where processing is based on consent or contract.
Right to Object
Article 21Object to processing based on legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
Rights Re: Automated Decisions
Article 22Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Physiologio does not use such automated decision-making.
Right to Withdraw Consent
Article 7(3)Withdraw consent at any time where processing is based on your consent (e.g. analytics cookies). Withdrawal does not affect lawfulness of prior processing.
4. How to Exercise Your Rights
To exercise any of your GDPR rights regarding data controlled by Physiologio, please contact us by:
- Email (preferred): support@physiologio.com
Please include “Data Subject Request” in the subject line and specify which right(s) you wish to exercise.
Identity Verification
To protect your personal data, we may ask you to verify your identity before processing your request. This is to ensure we do not disclose or modify data to or at the direction of an unauthorised person. We will request only the minimum information necessary for verification and will not use it for any other purpose.
What to Include in Your Request
- Your full name and the email address associated with your account
- The specific right(s) you are exercising
- Any additional context that helps us locate and process your data
Requests are free of charge. However, if requests are manifestly unfounded, excessive, or repetitive, we may charge a reasonable administrative fee or refuse to act on the request, in accordance with GDPR Article 12(5).
5. Response Timelines
| Scenario | Response Deadline |
|---|---|
| Standard request (most cases) | Within 30 calendar days of receiving the request |
| Complex or numerous requests (e.g. multiple rights exercised simultaneously, large data volume) | Up to 3 months from receipt, with notification within 30 days of the extension and reasons |
| Breach notification to supervisory authority | Within 72 hours of becoming aware of a breach that poses a risk to data subjects (GDPR Article 33) |
| Breach notification to affected individuals (where high risk) | Without undue delay (GDPR Article 34) |
We will acknowledge receipt of your request promptly and keep you informed of progress.
6. Supervisory Authorities
If you are not satisfied with how we have handled your personal data or responded to a request, you have the right to lodge a complaint with a data protection supervisory authority. You may contact the authority in the EU/EEA country where you reside, work, or where the alleged infringement occurred.
Cyprus
Office of the Commissioner for Personal Data Protection
Γραφείο Επιτρόπου Προστασίας Δεδομένων Προσωπικού Χαρακτήρα
- www.dataprotection.gov.cy
- commissioner@dataprotection.gov.cy
- +357 22 818 456
- 1 Iasonos Street, 1082 Nicosia, Cyprus
Greece
Hellenic Data Protection Authority
Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα (ΑΠΔΠΧ)
- www.dpa.gr
- contact@dpa.gr
- +30 210 6475 600
- 1–3 Kifissias Avenue, 115 23 Athens, Greece
We always encourage you to contact us at support@physiologio.com first so that we have the opportunity to address your concern directly and efficiently.
7. Security & Technical Measures
We apply technical and organisational security measures appropriate to the risk involved in processing personal data, particularly given that the platform processes special category health data. Key measures include:
Encryption in Transit
All data transmitted to and from the platform is encrypted using TLS 1.2 or higher (HTTPS enforced on all endpoints).
Encryption at Rest
Stored data — including patient records and profile images — is encrypted at the storage level using industry-standard algorithms.
Password Security
User passwords are stored as cryptographic hashes (bcrypt or equivalent). Plain-text passwords are never stored or logged.
Role-Based Access Control
Each staff member sees only the data relevant to their role (Admin, Receptionist, Physiotherapist). Access is restricted by design.
Audit Logging
All account actions and administrative operations are logged for accountability and incident investigation purposes.
EU-Based Infrastructure
Platform data is stored on servers located within the EEA, operated by vetted providers under formal Data Processing Agreements.
Internal Access Controls
Access to production data by Physiologio staff is granted on a strict need-to-know basis and is subject to logging and review.
Breach Response
We have an incident response procedure that includes notifying the supervisory authority within 72 hours of a qualifying breach.
Security is an ongoing commitment. We conduct regular security reviews and update our practices in line with evolving threats and industry standards. If you discover a potential security vulnerability, please report it responsibly to support@physiologio.com.
8. Data Processing Agreements
GDPR Article 28 requires that any data processor used by a data controller is bound by a written Data Processing Agreement (DPA) that sets out the subject matter, duration, nature, purpose, and type of processing, as well as the obligations and rights of the controller.
Clinics Using Physiologio
By accepting our Terms & Conditions, subscribing clinics enter into a DPA with Physiologio (see Terms, Section 7). This DPA governs how Physiologio processes patient data on the clinic’s behalf as a data processor.
If your clinic requires a separately signed DPA document for your own compliance records or for regulatory purposes, please contact us at support@physiologio.com and we will arrange this.
Physiologio’s Sub-Processors
Physiologio, in turn, has DPAs in place with all third-party sub-processors that handle personal data on our behalf — including Amazon Web Services EMEA SARL (platform hosting, Ireland), Vercel Inc. (website hosting), Stripe Technology Europe Ltd (payments, Ireland), and our email and SMS notification providers. A current list of sub-processors is available in our Privacy Policy — Section 6. We notify subscribing clinics of any changes to this list with at least 14 days’ notice.
Records of Processing Activities
We maintain internal Records of Processing Activities (ROPA) as required by GDPR Article 30, documenting the purposes, categories, recipients, and retention periods for all personal data we process, both as controller and as processor.
9. Health Data & Article 9 GDPR
Health data is classified as special category data under GDPR Article 9 and carries heightened protection obligations. The processing of health data is generally prohibited unless a specific exception in Article 9(2) applies.
Physiologio handles health data exclusively as a data processor, acting on the documented instructions of the clinic (data controller). The clinic bears the primary legal responsibility for ensuring:
- A valid Article 9(2) exception applies to all health data they process — typically Article 9(2)(h) (healthcare provision) or Article 9(2)(a) (explicit consent).
- Patients have been informed of how their health data is used, including the use of Physiologio as a processing tool.
- Health data is only recorded by qualified or appropriately supervised healthcare professionals subject to professional confidentiality obligations.
- The national health law applicable in Cyprus and/or Greece (as relevant to the clinic) is complied with — including any specific requirements for medical record processing that go beyond GDPR.
10. Contact Us
For any GDPR-related enquiry, data subject access request, or compliance question:
- Email: support@physiologio.com
- DPO: Not yet appointed — contact the above email address
Other legal documents
For the full picture of how we handle your data, please also read: