
Data Processing Agreement

1.1 This Data Processing Agreement is made between Physitrack PLC, a company incorporated in England and Wales, with company number 08106661, registered address 140 Aldersgate Street, London, EC1A 4HY (“Physitrack”), and the customer (“You”) identified in the Main Agreement.

1.2 Definitions 

“Data Protection Legislation” shall mean all applicable data protection and privacy legislation in force from time to time including without limitation the UK GDPR (the retained EU law version of the General Data Protection Regulation ((EU) 2016/679)); the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018); and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended; and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications).

“EU P-to-C Transfer Clauses” means the EU SCCs sections I, II, III and IV (as applicable) to the extent they reference Module Four (Processor-to-Controller).

“Restricted Transfer” means a transfer of personal data under this DPA from the European Economic Area, Switzerland, or United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of applicable laws of the foregoing territories, to the extent such transfers are subject to such applicable laws.

“Standard Contractual Clauses” means (i) where the EU GDPR applies, the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 available at:

https://eurlex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en 

(“EU SCCs”) and (ii) where the UK GDPR applies, the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the Information Commissioner under s.119A(1) of the Data Protection Act 2018 (“UK Addendum”). 

 

1.3 Both You and Physitrack will comply with the applicable requirements of Data Protection Legislation generally. 

 

1.4 You shall retain control of the Customer Personal Data and undertake to Physitrack that You have the legal right to disclose Customer Personal Data to Physitrack and that You have provided the Data Subjects with all appropriate notices and obtained any necessary authorisations. You shall ensure that all individuals who provide written instructions are authorised to do so. 

 

1.5 Without prejudice to the generality of paragraph 1.3 above, Physitrack shall, in relation to Customer Data: 

1.5.1. Process Your Personal Data only on Your written instructions. The scope, nature, purpose and duration of the processing and Your Personal Data categories and Data Subject types are described in the below table “Data Processing Details”;

1.5.2. keep Your Personal Data confidential and ensure its personnel are subject to a duty of confidentiality; 

1.5.3. comply with Your reasonable instructions with respect to processing Your Personal Data; 

1.5.4. not transfer Your Personal Data outside of the UK or EEA unless, in accordance with the Data Protection Legislation, Physitrack ensures that:

  1. the transfer is to a country approved as providing an adequate level of protection for Your Personal Data; or  
  2. there are appropriate safeguards in place for the transfer of Your Personal Data; or  
  3. one of the derogations for specific situations applies to the transfer.   

1.5.5. Physitrack ensures to assist You at Your own cost in responding to any data subject access request and to ensure compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, privacy impact assessments and consultations with supervisory authorities or regulators;

1.5.6. Physitrack ensures to notify You without undue delay and in any event within 48 hours of becoming aware of a Personal Data Breach or communication which relates to Your or Physitrack's compliance with the Data Protection Legislation; and 

1.5.7. maintain complete and accurate records and information to demonstrate compliance with this Clause and allow for audits by You or Your designated auditor; and

1.5.8. inform You if, in its opinion, an instruction infringes Data Protection Legislation. 

 

1.6 Physitrack shall ensure that they have in place appropriate technical or organisational measures, to protect against unauthorised or unlawful processing of Your Personal Data and against accidental loss or destruction of, or damage to, Your Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures. 

 

1.7 Insofar as the provision of the services leads to a Restricted Transfer of Your Personal Data, You and Physitrack hereby enter into the EU P-to-C Transfer Clauses and the UK Addendum (where applicable) on the basis that the exporter is Physitrack and the importer is You, and on the basis that:

(a) The EU P-to-C Transfer Clauses will be completed as follows: 

  1. in Clause 7, the optional docking clause will apply;
  2. in Clause 11, the additional redress mechanism will not apply; 
  3. in Clause 14, the EEA processor will be combining personal data received from the third country-controller with personal data collected by the processor in the EEA; 
  4. Clauses 17 and 18 shall be governed by the jurisdiction of Ireland and disputes shall be resolved before the courts of the jurisdiction of Ireland;   
  5. for the purposes of Annex I to the EU P-to-C Transfer Clauses: (a) the categories of data transferred are Company Data (as defined above); and (b) the categories of data subject, subject matter, nature and purpose and duration and frequency of the transfer and retention are described in the below table “Data Processing Details”;  
  6. for the purpose of Annex II the security measures are specified at https://www.physitrack.com/information-security which are hereby incorporated by reference.

(b) The UK Addendum will apply as follows: 

  1. The EU P-to-C Transfer Clauses (as amended as specified by Part 2 of the UK Addendum) are completed as set out above in Section 1.6 (a); and 
  2. Tables 1 to 3 of the UK Addendum shall be deemed completed with the information set out above in Section 1.6 (a) (as applicable) and table 4 in Part 1 shall be deemed completed by selecting "data exporter".

1.8 Physitrack shall retain personal data in accordance with the terms of its Retention Policy which can be accessed via https://www.physitrack.com/data-retention-policy. 

1.9 You undertake to inform Physitrack of any changes to the email address You have provided during the provision of Services. 

 

1.10 You acknowledge and consent generally to the appointment by Physitrack of third parties as sub-processors of Your Personal Data being processed under these Terms of Service. A current list of sub-processors can be found below in the table “Third Party Vendors (Subprocessors) that process data on behalf of Physitrack”. 

 

1.11 Physitrack confirms that a) it shall impose on all sub-processors the same data protection obligations as set out in this clause and that b) it shall remain liable for the actions of its subprocessors. 

 

1.12 Physitrack shall give You notice of the appointment of any new sub-processors and provide You with full details of the processing to be undertaken by the sub-processor, thereby giving You the opportunity to object to such appointment. If Physitrack so notifies You of any changes to sub-processors and You object to such changes, You will be entitled to terminate this Service (without liability for either party, and such termination will be deemed to be a no-fault termination) if You have reasonable grounds for objecting to such changes by reason of the changes causing or being likely to cause You to be in breach of the Data Protection Legislation.

 

1.13 The total aggregate liability of whatever nature, whether in contract, tort or otherwise, of Physitrack for any losses whatsoever and howsoever caused arising from or in any way connected with this Data Processing Agreement shall be subject to the “Limitation of Liability” clause set out in the Terms of Service. Notwithstanding the foregoing, nothing in this clause will seek to limit either party’s liability which cannot be legally limited, including (but not limited to) liability for death or personal injury caused by negligence, fraud or fraudulent misrepresentation.

 

1.14 You agree to indemnify, keep indemnified and defend at its own expense Physitrack against all costs, claims, damages or expenses incurred by Physitrack or for which Physitrack may become liable due to any failure by You or Your employees, subcontractors or agents to comply with any of its obligations under these Terms of Service and/or the Data Protection Legislation, in particular any failure by You to comply with the provisions of Clause 1.4 above. 

Data Processing Details 

| Item | Details |
| --- | --- |
| Subject matter, Nature and Purpose of processing | The provision of the Services to the Customer |
| Duration | The duration of the Agreement. |
| Categories of Personal Data | Name, gender, year of birth, telephone number (optional for patients), email address (optional for patients), government ID number (only for Swedish Customers), access code & exercise program, outcome measures, adherence data and messages feedback, IP address and timestamp of various user actions, Video call log, Video call audio, Diagnosis code, Custom exercise videos and images, App preferences (e.g. preferred language), IP address and timestamp of various user actions |
| Categories of Data Subjects | Customer's Patients who are End Users of the Platform |
| Data Processor | Physitrack PLC |
| Data Controller | You |

Third-party vendors (sub-processors) that process data on behalf of Physitrack 

| Sub-Processor | Legal address | Location | Processing Activity |
| --- | --- | --- | --- |
| Active Campaign | 1 N Dearborn St, 5th Floor, Chicago, IL 60602, USA | EU | Organisation and contact details (name, email, phone number, usage metadata) for email campaigns |
| ADA | Köpenicker Str. 126, 10179 Berlin, Germany | EU | Name, surname, email, IP address, support-related account metadata |
| AWS (PaaS) | 38 Avenue John F. Kennedy, L-1855, Luxembourg | Customer location | Full user and patient data including personal identifiers, health data, messages, logs, and backups |
| Chargebee | 909 Rose Avenue, Suite 950, North Bethesda, MD 20852, USA | EU | Practitioner billing details including name, email, and payment method (no patient data) |
| Cloudflare | 101 Townsend St, San Francisco, CA 94107, USA | USA | IP addresses, TLS data and geolocation metadata for web traffic protection |
| Coconut.co | 14 Rue Robert Stümper, L-2557, Luxembourg | USA/EU | Patient video files for transcoding; automatically deleted after 24 hours |
| Datadog | 620 8th Ave, 45th Floor, New York, NY 10018, USA | USA/EU | Performance monitoring & Error reporting |
| Fullstory | 1745 Peachtree St NW, Suite G, Atlanta, GA 30309, USA | EU | Website/app usage events, session replays, practitioner name and email (no patient data) |
| Gong.io | 40 Tuval Street, 39th Floor, Ramat Gan 52522, Israel | USA/EU | Communication analytics and transcription services; phone-call recording and analysis infrastructure |
| Google Workspace | Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA | USA | Email and contact metadata for invoicing and internal communications |
| Grafana Cloud | Grafana Labs, 461 5th Avenue, 17th Floor, New York, NY 10017, USA | EU | Infrastructure metrics, server health logs, telemetry data |
| Helpscout | 131 Tremont St, Boston, MA 02111, USA | USA | Name, email, IP address from customer support queries and help centre usage |
| HubSpot | One Sir John Rogerson's Quay, Dublin 2, Ireland | USA/EU | Organisation and contact details (name, email, phone number, usage metadata) for email campaigns |
| Sentry | 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA | USA/EU | User ID, session trace, error stack data and performance metrics |
| Twilio | 101 Spear Street, Suite 500, San Francisco, CA 94105, USA | USA | Phone number and message content used for sending access links or alerts |
| Webflow | 398 11th Street, 2nd Floor, San Francisco, CA 94103, USA | USA | Survey responses, interaction metadata, optional email (no patient data) |
| Zapier | 548 Market St, #62411, San Francisco, CA 94104-5401, USA | USA | Contact metadata, automation triggers, CRM data (no patient or health data) |
| Zoom | 55 Almaden Blvd, San Jose, CA 95113, USA | USA/EU | Meeting audio/video, participant details, chat transcripts if recording enabled |