1. Introduction & Scope
This Privacy Policy describes how Physiologio (“we”, “us”, “our”), the operator of physiologio.com and the Physiologio platform, processes personal data in accordance with Regulation (EU) 2016/679 (“GDPR”) and applicable national data protection law in Cyprus and the European Union.
This Policy applies to:
- Website visitors browsing physiologio.com.
- Platform subscribers and their staff — clinic owners, administrators, physiotherapists, and receptionists who hold an account on the Physiologio platform.
- Patient records managed through the platform — processed on behalf of the clinic as data processor (see Section 2).
This Policy does not govern how individual clinics (as independent data controllers) process patient data under their own legal obligations. Clinics are responsible for maintaining their own privacy notices for patients.
2. Data Controller & Data Processor
The GDPR distinguishes between a data controller (who determines the purposes and means of processing) and a data processor (who processes data on the controller’s instructions). Physiologio acts in both capacities, depending on the context:
Physiologio as Data Controller
We are the data controller for:
- Personal data of website visitors (analytics, contact form submissions).
- Personal data of clinic subscribers and their staff members who hold a Physiologio account (name, email, role, profile image, login activity).
- Billing and subscription records of client clinics.
As controller, our details are:
Physiologio, Cyprus.
Data protection contact: support@physiologio.com
Physiologio as Data Processor
When a physiotherapy clinic uses our platform to manage patient records (names, contact details, health information, appointment history, identification numbers, profile images), the clinic is the data controller and Physiologio processes that data solely on the clinic’s instructions as a data processor under a Data Processing Agreement (DPA) incorporated into our Terms & Conditions.
If you are a patient of a clinic that uses Physiologio, please contact your clinic directly for information about how your data is handled. We will support clinics in fulfilling any data subject rights requests that relate to data we process on their behalf.
3. Personal Data We Collect
A. Platform Account Holders (Clinic Staff)
When a clinic subscribes and staff members are invited or registered, we collect:
- Full name and email address
- Password (stored as a cryptographic hash — never in plain text)
- Profile photograph (optional, uploaded by the user)
- Role within the platform (Admin, Receptionist, Physiotherapist)
- Login timestamps, session activity, and IP address (for security purposes)
- Billing contact name and payment method summary (last 4 digits, card type — full card data is handled exclusively by our payment processors)
B. Website Visitors
- IP address and approximate geolocation (country/city level)
- Browser type, device type, and operating system
- Pages visited, time on page, and referral source
- Contact form submissions (name, email address, and message content)
- Google Analytics 4 data — only where you have given cookie consent (see our Cookie Policy)
C. Patient Records (Processed as Data Processor)
When clinic staff enter or manage patient data through the platform, we process the following categories of data on behalf of the clinic:
- Full name, email address, and mobile number
- National identification number or passport number (where collected by the clinic for invoicing or identity verification)
- Health information (special category data under GDPR Article 9): diagnosis notes, treatment records, clinical observations, and medical history entered by physiotherapists
- Profile photograph (optional, uploaded by clinic staff)
- Appointment history, scheduling data, attendance records
- Notes and clinical comments added by treating physiotherapists
- Payment history and insurance/healthcare fund information (where entered by clinic staff)
4. Legal Bases for Processing
Platform Account Holders & Staff
- Article 6(1)(b) — Contract performance: processing is necessary to provide you with access to the Physiologio platform under our service agreement.
- Article 6(1)(f) — Legitimate interests: security monitoring, fraud prevention, service improvement, and maintaining audit logs.
- Article 6(1)(c) — Legal obligation: where processing is required by applicable law (e.g. tax and billing records).
Website Visitors
- Article 6(1)(f) — Legitimate interests: website security and abuse prevention.
- Article 6(1)(a) — Consent: analytics cookies (Google Analytics 4) — only collected when you have given explicit consent via our cookie banner.
- Article 6(1)(b) — Pre-contractual steps: processing contact form submissions to respond to your enquiry.
Patient Records (as Data Processor)
We rely on the lawful basis determined by the clinic as data controller. Common lawful bases used by clinics include:
- Art. 6(1)(b): performance of a contract for healthcare services with the patient.
- Art. 6(1)(c): compliance with legal obligations (medical record retention requirements under Cyprus/EU law).
- Art. 9(2)(h): processing of health data for the purposes of preventive or occupational medicine, the assessment of the working capacity of an employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services, by or under the responsibility of a professional subject to the obligation of professional secrecy.
- Art. 9(2)(a): explicit consent of the data subject (where applicable and where the clinic has obtained it directly).
5. Purposes of Processing
For Platform Users
- Account creation, authentication, and access management
- Providing and maintaining the Physiologio platform features
- Billing, invoicing, and subscription management
- Customer support and technical assistance
- Platform security monitoring and fraud prevention
- Service notifications, updates, and product communications
For Website Visitors
- Analytics and website performance measurement (with consent)
- Responding to contact and sales enquiries
- Website security and DDoS prevention
For Patient Records (as Processor)
- Storing and retrieving patient profiles on behalf of the clinic
- Scheduling and appointment management as instructed by clinic staff
- Sending appointment reminder notifications via SMS and email on the clinic’s behalf
- Generating anonymised or aggregate appointment statistics and reports for clinic administrators
- Supporting the clinic in fulfilling data subject rights requests
6. Data Sharing & Recipients
We do not sell personal data. We do not share personal data with third parties for their own marketing purposes. We engage the following third-party processors under written Data Processing Agreements:
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Amazon Web Services EMEA SARL (AWS) | Platform server infrastructure, hosting & cloud storage | All platform data, profile images | Ireland (EEA) |
| Vercel Inc. | Marketing website hosting (physiologio.com) | Web request logs (IP address, page visited) | USA (SCCs applied — see Section 7) |
| Email service provider (to be confirmed) | Transactional emails (notifications, reminders) | Name, email address | EU (EEA) |
| SMS provider (to be confirmed) | SMS appointment reminders | Name, mobile number | EU (EEA) |
| Stripe Technology Europe, Ltd (Ireland) | Payment processing | Billing name, payment card data (handled exclusively by Stripe; Physiologio does not store full card numbers) | Ireland (EEA) |
| Google LLC | Website analytics (Google Analytics 4) | Anonymised usage data, IP address (truncated), device & browser info — only with your cookie consent | USA (SCCs applied — see Section 7) |
We may also disclose personal data when required by law, court order, or competent authority (e.g. a data protection supervisory authority), and only to the extent strictly necessary.
7. International Data Transfers
The Physiologio platform is hosted on Amazon Web Services (AWS) in Ireland (eu-west-1), within the EEA. All platform data — including patient records and account data — remains within the EEA at all times. Transfers outside the EEA are limited to the following:
- Vercel Inc. (website hosting): Vercel is incorporated in the United States and hosts the physiologio.com marketing website. Web request logs (IP address, pages visited) may be processed on Vercel’s infrastructure. Data is transferred under Standard Contractual Clauses (SCCs) adopted by the European Commission (Commission Implementing Decision (EU) 2021/914). Vercel operates under a signed Data Processing Agreement.
- Google Analytics 4: Google LLC is incorporated in the United States. Analytics data is transferred under Standard Contractual Clauses (SCCs — Commission Implementing Decision (EU) 2021/914). We have enabled GA4 in Consent Mode v2 and have a signed Data Processing Amendment with Google. You can prevent GA4 data collection by declining analytics cookies in our cookie banner or by using the Google Analytics Opt-out Add-on.
If any additional providers outside the EEA are engaged in the future, this section will be updated prior to the transfer commencing, and appropriate safeguards (SCCs or adequacy decision) will be in place.
8. Data Retention
| Data Category | Retention Period | Rationale |
|---|---|---|
| Platform account data (staff) | Duration of subscription + 90 days after termination | Contract performance; post-termination grace period for data export |
| Billing & payment records | 7 years from transaction date | Cyprus tax law & VAT obligations (Article 32, Cyprus Tax Collection Law) |
| Website contact form submissions | 12 months | Legitimate interest in responding to and following up enquiries |
| Analytics data (Google Analytics 4) | 14 months | Reduced from GA4 default (26 months) as a privacy-conscious setting |
| Security & access logs | 90 days | Security monitoring and incident response |
| Patient records (as data processor) | Up to 10 years from date of last treatment, or as instructed by the clinic (data controller) | Reflects applicable medical record retention standards under Cyprus and EU healthcare regulation. The clinic, as controller, determines the precise period. |
Upon expiry of the applicable retention period, personal data is securely deleted or irreversibly anonymised, such that it can no longer be attributed to any identified or identifiable individual.
9. Minor Patients
The Physiologio platform allows clinic staff to create patient records for individuals under 18 years of age. In all such cases:
- Minors do not have direct access to the platform. There is no patient-facing login; all data entry and appointment management is performed exclusively by authorised clinic staff.
- Appointments for minors are managed in consultation with their parents or legal guardians.
- The clinic, as data controller, is responsible for obtaining and documenting appropriate parental or guardian consent before processing a minor’s personal and health data.
- We process minor patient data exclusively in accordance with the clinic’s instructions and do not use it for any purpose beyond delivering the contracted service.
We do not knowingly collect personal data directly from children through the physiologio.com website. If you believe a child has submitted data to us directly, please contact us at support@physiologio.com and we will take immediate steps to delete the information.
10. Your Rights Under GDPR
If you are located in the EU/EEA, you have the following rights under the GDPR. These rights apply to data for which Physiologio is the data controller (see Section 2). For patient data, please contact your clinic directly.
- Right of access (Article 15): You may request confirmation of whether we process your personal data and obtain a copy of it, along with information about how it is used.
- Right to rectification (Article 16): You may request that inaccurate or incomplete personal data is corrected.
- Right to erasure (Article 17): You may request deletion of your personal data in certain circumstances (e.g. it is no longer necessary for the purpose for which it was collected). Note that some data may be retained for legal obligations (e.g. billing records — see Section 8).
- Right to restriction of processing (Article 18): You may request that we restrict processing of your data in specific circumstances (e.g. while contesting the accuracy of data).
- Right to data portability (Article 20): You may request your personal data in a structured, commonly used, machine-readable format (e.g. JSON or CSV) where processing is based on consent or contract and carried out by automated means.
- Right to object (Article 21): You may object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests or rights.
- Rights related to automated decision-making (Article 22): Physiologio does not make decisions based solely on automated processing that produce legal or similarly significant effects on individuals.
- Right to withdraw consent (Article 7(3)): Where processing is based on your consent (e.g. analytics cookies), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
To exercise any of the above rights, please contact us at support@physiologio.com. We will respond within 30 days as required by GDPR Article 12. In complex or numerous cases, we may extend this period by a further two months, with notification.
11. Supervisory Authorities
If you believe we have processed your personal data unlawfully, you have the right to lodge a complaint with a competent data protection supervisory authority. You may do so in the EU/EEA country where you reside, work, or where the alleged infringement took place:
- Cyprus: Office of the Commissioner for Personal Data Protection (Γραφείο Επιτρόπου Προστασίας Δεδομένων Προσωπικού Χαρακτήρα)
Website: www.dataprotection.gov.cy
Tel: +357 22 818 456 | Email: commissioner@dataprotection.gov.cy - Greece: Hellenic Data Protection Authority (Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα — ΑΠΔΠΧ)
Website: www.dpa.gr
Tel: +30 210 6475 600 | Email: contact@dpa.gr
We encourage you to contact us first at support@physiologio.com so that we can attempt to resolve the matter directly.
12. Security Measures
We implement appropriate technical and organisational security measures to protect personal data against unauthorised access, alteration, disclosure, or destruction, in accordance with GDPR Article 32. These measures include, but are not limited to:
- Encryption of all data in transit using TLS 1.2 or higher
- Encryption of data at rest using industry-standard algorithms
- Cryptographic hashing of all user passwords (no plain-text passwords are stored)
- Role-based access control (RBAC) within the platform, ensuring each staff member can only access data relevant to their role
- Strict internal access controls for Physiologio engineering and operations staff — access to production data is granted on a need-to-know basis and is logged
- Audit logs for account actions and administrative operations
- Regular security assessments and dependency updates
- Platform data hosted on AWS Ireland (eu-west-1), within the EEA, under a formal Data Processing Agreement
While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We will notify you and the competent supervisory authority of any data breach that poses a risk to your rights and freedoms, within 72 hours of becoming aware of it, in accordance with GDPR Article 33.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our data processing practices, applicable law, or our services. When we do, we will update the “Last updated” date at the top of this page.
For material changes — those that significantly affect how we process your personal data — we will notify active subscribers by email or via an in-platform notification at least 14 days before the change takes effect. Continued use of the platform after that date constitutes acceptance of the updated Policy.
We recommend reviewing this page periodically. Previous versions of this Policy are available upon request.
14. Contact Us
For all data protection enquiries, subject access requests, or other privacy-related questions, please contact us:
- Email: support@physiologio.com
- Data Protection Officer: Not yet appointed — contact the above email address