Legal

GDPR & Data Protection

Our commitment to data protection, your rights under the GDPR, and how to exercise them.

Last updated: 20 April 2026

1. Our Commitment to GDPR

Physiologio is committed to handling personal data with respect, transparency, and legal compliance. We design our platform with data protection in mind from the outset (“privacy by design and by default” — GDPR Article 25), and we take our obligations under Regulation (EU) 2016/679 (“GDPR”) and applicable Cyprus and EU national data protection law seriously.

This page provides a focused summary of our data protection approach, your rights, and how to exercise them. For full details of what data we collect and how we use it, please read our Privacy Policy.

Physiologio operates in a dual capacity:

  • As a data controller for website visitors and platform account holders (clinic staff).
  • As a data processor for patient records entered into the platform by subscribing clinics (who are the data controllers for their patients’ data).

2. Data Protection Principles

We adhere to all seven data protection principles set out in GDPR Article 5:

  • Lawfulness, fairness, and transparency: We process data on a valid legal basis and are transparent about how and why we process it.
  • Purpose limitation: Data is collected for specified, explicit, and legitimate purposes and is not processed in ways incompatible with those purposes.
  • Data minimisation: We only collect data that is adequate, relevant, and necessary for the purposes for which it is processed.
  • Accuracy: We take reasonable steps to ensure data is kept accurate and up to date. Users can update their own account details at any time.
  • Storage limitation: Personal data is kept in a form that permits identification no longer than necessary (see retention periods in our Privacy Policy — Section 8).
  • Integrity and confidentiality: We apply appropriate technical and organisational security measures to protect data against unauthorised access, disclosure, loss, or destruction.
  • Accountability: We maintain records of processing activities, enter into DPAs with sub-processors, and can demonstrate compliance upon request.

3. Your Rights as a Data Subject

If you are an individual whose personal data is processed by Physiologio as a data controller (i.e. you are a website visitor, or a clinic staff member with an account), the following rights apply to you under the GDPR:

Right of Access

Article 15

Request a copy of the personal data we hold about you, along with information about how and why we process it, who we share it with, and how long we keep it.

Right to Rectification

Article 16

Request correction of inaccurate or incomplete personal data. Platform users can update most account details directly within their profile settings.

Right to Erasure

Article 17

Request deletion of your personal data where it is no longer necessary, where consent is withdrawn, or where processing is unlawful. Note: some data may be retained for legal obligations.

Right to Restriction

Article 18

Request that we restrict processing of your data in certain circumstances — for example, while the accuracy of the data is being verified.

Right to Data Portability

Article 20

Receive your personal data in a structured, commonly used, machine-readable format (e.g. JSON or CSV) where processing is based on consent or contract.

Right to Object

Article 21

Object to processing based on legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.

Rights Re: Automated Decisions

Article 22

Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Physiologio does not use such automated decision-making.

Right to Withdraw Consent

Article 7(3)

Withdraw consent at any time where processing is based on your consent (e.g. analytics cookies). Withdrawal does not affect lawfulness of prior processing.

If you are a patient: If you are a patient of a clinic that uses Physiologio, the clinic (not Physiologio) is the data controller for your health records. Please direct any data subject rights requests to your clinic directly. We will assist clinics in fulfilling such requests upon their instruction.

4. How to Exercise Your Rights

To exercise any of your GDPR rights regarding data controlled by Physiologio, please contact us by:

  • Email (preferred): support@physiologio.com
    Please include “Data Subject Request” in the subject line and specify which right(s) you wish to exercise.

Identity Verification

To protect your personal data, we may ask you to verify your identity before processing your request. This is to ensure we do not disclose or modify data to or at the direction of an unauthorised person. We will request only the minimum information necessary for verification and will not use it for any other purpose.

What to Include in Your Request

  • Your full name and the email address associated with your account
  • The specific right(s) you are exercising
  • Any additional context that helps us locate and process your data

Requests are free of charge. However, if requests are manifestly unfounded, excessive, or repetitive, we may charge a reasonable administrative fee or refuse to act on the request, in accordance with GDPR Article 12(5).

5. Response Timelines

ScenarioResponse Deadline
Standard request (most cases)Within 30 calendar days of receiving the request
Complex or numerous requests (e.g. multiple rights exercised simultaneously, large data volume)Up to 3 months from receipt, with notification within 30 days of the extension and reasons
Breach notification to supervisory authorityWithin 72 hours of becoming aware of a breach that poses a risk to data subjects (GDPR Article 33)
Breach notification to affected individuals (where high risk)Without undue delay (GDPR Article 34)

We will acknowledge receipt of your request promptly and keep you informed of progress.

6. Supervisory Authorities

If you are not satisfied with how we have handled your personal data or responded to a request, you have the right to lodge a complaint with a data protection supervisory authority. You may contact the authority in the EU/EEA country where you reside, work, or where the alleged infringement occurred.

Cyprus

Office of the Commissioner for Personal Data Protection

Γραφείο Επιτρόπου Προστασίας Δεδομένων Προσωπικού Χαρακτήρα

Greece

Hellenic Data Protection Authority

Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα (ΑΠΔΠΧ)

  • www.dpa.gr
  • contact@dpa.gr
  • +30 210 6475 600
  • 1–3 Kifissias Avenue, 115 23 Athens, Greece

We always encourage you to contact us at support@physiologio.com first so that we have the opportunity to address your concern directly and efficiently.

7. Security & Technical Measures

We apply technical and organisational security measures appropriate to the risk involved in processing personal data, particularly given that the platform processes special category health data. Key measures include:

Encryption in Transit

All data transmitted to and from the platform is encrypted using TLS 1.2 or higher (HTTPS enforced on all endpoints).

Encryption at Rest

Stored data — including patient records and profile images — is encrypted at the storage level using industry-standard algorithms.

Password Security

User passwords are stored as cryptographic hashes (bcrypt or equivalent). Plain-text passwords are never stored or logged.

Role-Based Access Control

Each staff member sees only the data relevant to their role (Admin, Receptionist, Physiotherapist). Access is restricted by design.

Audit Logging

All account actions and administrative operations are logged for accountability and incident investigation purposes.

EU-Based Infrastructure

Platform data is stored on servers located within the EEA, operated by vetted providers under formal Data Processing Agreements.

Internal Access Controls

Access to production data by Physiologio staff is granted on a strict need-to-know basis and is subject to logging and review.

Breach Response

We have an incident response procedure that includes notifying the supervisory authority within 72 hours of a qualifying breach.

Security is an ongoing commitment. We conduct regular security reviews and update our practices in line with evolving threats and industry standards. If you discover a potential security vulnerability, please report it responsibly to support@physiologio.com.

8. Data Processing Agreements

GDPR Article 28 requires that any data processor used by a data controller is bound by a written Data Processing Agreement (DPA) that sets out the subject matter, duration, nature, purpose, and type of processing, as well as the obligations and rights of the controller.

Clinics Using Physiologio

By accepting our Terms & Conditions, subscribing clinics enter into a DPA with Physiologio (see Terms, Section 7). This DPA governs how Physiologio processes patient data on the clinic’s behalf as a data processor.

If your clinic requires a separately signed DPA document for your own compliance records or for regulatory purposes, please contact us at support@physiologio.com and we will arrange this.

Physiologio’s Sub-Processors

Physiologio, in turn, has DPAs in place with all third-party sub-processors that handle personal data on our behalf — including Amazon Web Services EMEA SARL (platform hosting, Ireland), Vercel Inc. (website hosting), Stripe Technology Europe Ltd (payments, Ireland), and our email and SMS notification providers. A current list of sub-processors is available in our Privacy Policy — Section 6. We notify subscribing clinics of any changes to this list with at least 14 days’ notice.

Records of Processing Activities

We maintain internal Records of Processing Activities (ROPA) as required by GDPR Article 30, documenting the purposes, categories, recipients, and retention periods for all personal data we process, both as controller and as processor.

9. Health Data & Article 9 GDPR

Health data is classified as special category data under GDPR Article 9 and carries heightened protection obligations. The processing of health data is generally prohibited unless a specific exception in Article 9(2) applies.

Physiologio handles health data exclusively as a data processor, acting on the documented instructions of the clinic (data controller). The clinic bears the primary legal responsibility for ensuring:

  • A valid Article 9(2) exception applies to all health data they process — typically Article 9(2)(h) (healthcare provision) or Article 9(2)(a) (explicit consent).
  • Patients have been informed of how their health data is used, including the use of Physiologio as a processing tool.
  • Health data is only recorded by qualified or appropriately supervised healthcare professionals subject to professional confidentiality obligations.
  • The national health law applicable in Cyprus and/or Greece (as relevant to the clinic) is complied with — including any specific requirements for medical record processing that go beyond GDPR.
Legal review recommended: The processing of health data under Article 9 GDPR is an area where national law (Cyprus, Greece) can impose additional requirements. Clinics should seek advice from a qualified legal professional or their professional body to confirm their Article 9 basis and any additional national law obligations before processing patient health records on this platform.

10. Contact Us

For any GDPR-related enquiry, data subject access request, or compliance question:

Other legal documents

For the full picture of how we handle your data, please also read: