Legal & Policies
GDPR (General Data Protection Regulation) and Physitrack
The GDPR is in place to protect personal information in the ever-increasing digital world that we live in. There are various video summaries available on YouTube to explain how GDPR might affect your practice.
Any company or organisation who handles or processes data about individuals associated with goods or services used within the EU must comply with GDPR.
Here at Physitrack, the protection of our customers' data, including all client data, is paramount. Below, we describe how Physitrack complies with all 7 pillars set out by the GDPR. If you have any questions, please feel free to contact us using the link above.
Consent
In obtaining consent for data use, companies cannot use indecipherable terms and conditions filled with legalese. It must be as easy to withdraw consent as to give it.
Physitrack's Terms of Service and Privacy Policy are written in clear English and divided into logical chunks. A practitioner can remove any client at any time, and remove their own account at any time as well.
Breach Notification
In the event of a data breach, data processors have to notify their controllers and customers of any risk within 72 hours.
Physitrack has a communications infrastructure in place which will let us quickly communicate information in the event of a data breach.
Right to Access
Data Subjects have the right to obtain confirmation from the Data Controller of how their personal data is being processed by the Data Controller. On demand, the Data Controller should provide an electronic copy of personal data to Data Subjects at no charge.
At any time, practitioners can download their client information as easy-to-use spreadsheets. Further, information on how data is being processed is set forth in the Terms of Service and Privacy Policy referenced above.
Right to be forgotten
When data is no longer relevant to its original purpose, Data Subjects can request the Data Controller to erase their personal data and cease its dissemination.
- If you are a healthcare practitioner, you can remove any patient at any time, as well as remove your own Physitrack account.
- If you are a patient, you can request that your healthcare practitioner remove your data from their Physitrack account.
Data Portability
Allow individuals to obtain and reuse their personal data for their own purposes by transferring it across different IT environments.
A practitioner can quickly export all of a client's data for re-use in other applications.
Privacy by Design
Inclusion of data protection from the onset of the system's design, with the implementation of appropriate technical and infrastructural measures.
Physitrack is tested regularly for various security vulnerabilities, both during development, where static analysis algorithms check code before it is checked into our continuous integration pipeline, and on our production systems, where weekly scans are conducted for (among others) OWASP-10 vulnerabilities.
Data Protection Officer (DPO)
Physitrack's DPO is Breht McConville. He can be reached at dpo@physitrack.com.
Physitrack is registered with the UK Information Commissioner's Office (ICO) under number ZA396165.
140 London Wall
London EC2Y 5DN
United Kingdom
We hereby declare that the medical device (Software) specified above meets the provisions of the Council Directive No. 93/42/EEC for Medical Devices and issued under the sole responsibility of Physitrack PLC.
The Software as medical device covered by the present EU declaration is in conformity with the (EU) MDR 2017/745.
All supporting documentation for this EC Declaration of Conformity is retained in the document management system of the manufacturer.
Breht McConville
Chief Compliance Officer
Physitrack PLC
Diversity Statement
At Physitrack, we are all different. And that’s our greatest strength. We draw on the differences in who we are, where we live, what we have experienced, and how we think. In order to build solutions that serve everyone - we believe in including everyone.
Our company and team are committed to creating and managing an environment of inclusion, and one that always strives to be inclusive of people of all genders, colours, cultures and religions.
Physitrack is a diverse company with customers in over 100 countries around the world. Our team of Physitrack collaborators is diverse and spans more than 10 nationalities, with representatives of various cultures, sexual orientations and ethnic backgrounds.
For our exercise library, which we film in England, we cast the most suitable models and athletes for the specialties that we need, and this process is independent of gender, sexual orientation, ethnic background and skin color.
Our online coaches include active and inactive professional athletes, professional dancers, choreographers, war veterans, all with unique onscreen performance skills. With the diversity of these models we want to offer you the clearest exercise performance and on screen guidance you can find.
Data Retention Policy
1. Introduction
1.1 This policy sets out the policies and procedures of Physitrack Limited (the "company") with respect to the retention, archiving and deletion of data, whether in hard copy or digital form, and including personal data.
1.2 The company is subject to a range of statutory obligations in relation to the retention of data. On the one hand, the company is obliged to retain some classes of data for a minimum period. On the other hand, it is a fundamental principle of data protection law that personal data should be only retained for so long as required. Moreover, the retention of some classes of data may represent an unnecessary security risk. For these reasons, the company recognises the importance of formulating clear and specific policies in relation to data retention.
2. Definitions
2.1 In this policy:
(a) "appointed person" means the individual primarily responsible for handling data retention, archiving and deletion by the company, being the data protection officer of the company;
(b) "data controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
(c) "data processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
(d) "data subject" means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
(e) "deletion" means the permanent and irreversible deletion of data from all relevant databases and storage media in the possession or control of the company including, where necessary to ensure the deletion of the data, the destruction of the relevant storage media; and
(f) "personal data" means any information relating to a data subject.
3. Data retention, archiving and deletion
3.1 The company must archive and delete data in its possession and/or control in accordance with schedule 1 (Data retention periods), save as set out in this section 3.
3.2 Notwithstanding the archiving rules set out in this policy, the company may retain non-archived copies of data to the extent that the data is reasonably required in non-archived form for:
(a) the fulfillment of any legal or contractual obligations of the company; and/or
(b) the establishment, exercise or defence of any legal claims.
3.3 The company must not delete data to the extent that:
(a) the company has a legal obligation to retain the data;
(b) the company has a contractual obligation to retain the data (providing that such contractual obligation is not overridden by any legal obligation to delete the data); and/or
(c) the retention of the data is reasonably required for the establishment, exercise or defence of any legal claims (providing that such requirement is not overridden by any legal obligation to delete the data).
4. Default archiving and deletion methods
4.1 Data must be archived by the company specify methods, save to the extent that specific archiving methods are provided for in schedule 1 (Data retention periods).
4.2 Data must be deleted by the company specify methods, save to the extent that specific deletion methods are provided for in schedule 1 (Data retention periods).
5. Reviewing and updating this policy
5.1 The appointed person shall be responsible for reviewing and updating this policy.
5.2 This policy must be reviewed and, if appropriate, updated annually on or around 1 July.
5.3 This policy must also be reviewed and updated on an ad hoc basis if reasonably necessary to ensure:
(a) the compliance of the company with applicable law, codes of conduct or industry best practice;
(b) the security of data stored and processed by the company; or
(c) the protection of the reputation of the company.
5.4 The following matters must be considered as part of each review of this policy:
(a) changes to the legal and regulatory environment;
(b) changes to any codes of conduct to which the company subscribes;
(c) developments in industry best practice;
(d) any new data collected by the company;
(e) any new data processing activities undertaken by the company; and
(f) any security incidents affecting the company.
SCHEDULE 1 (DATA RETENTION PERIODS)
1. Introduction
1.1 This schedule 1 sets out the methods to be used by the company when archiving and deleting data and the periods during which data must be archived and deleted by the company.
1.2 If a data record falls under more than one section of this schedule 1, then the earlier section shall take precedence over the later section, unless the record constitutes a duplicate copy of data that is separately governed by the earlier section.
2. Customer data: retention, archiving and deletion
2.1 In this policy, "customer data" means all customer relationship management records relating to the customers of the company, including customer identity details, customer identity evidence and customer contact details.
2.2 Customer data is stored by the company in the following databases: for each geographical data centre where Physitrack application data is stored, customer data will be stored in SQL-based database management systems, configured in a high-availability pattern.
2.3 Customer data must be archived daily.
2.4 Customer data must be deleted:
(a) not less than 8 years following the archiving of the data; and
(b) not more than 9 years following that event, subject to subsection 3.3 of the main body of this policy.
2.5 Customer data must be deleted by deleting the backups from the storage medium.
Cookie Policy
1. Introduction
1.1 Physitrack uses cookies.
1.2 Insofar as those cookies are not strictly necessary for the provision of our website and platform, we will ask you to consent to our use of cookies when you first visit our website.
2. About cookies
2.1 A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.
2.2 Cookies may be either "persistent" cookies or "session" cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
2.3 Cookies may not contain any information that personally identifies a user, but personal data that we store about you may be linked to the information stored in and obtained from cookies.
3. Cookies that we use
3.1 We use cookies for the following purposes:
(a) authentication and status - we use cookies to identify you when you visit our website and as you navigate our website, and to help us determine if you are logged into our website;
(b) personalisation - we use cookies to store information about your preferences and to personalise our website for you;
(c) security - we use cookies as an element of the security measures used to protect user accounts, including preventing fraudulent use of login credentials, and to protect our website and services generally; and
(d) cookie consent - we use cookies to store your preferences in relation to the use of cookies more generally.
4. Cookies used by our service providers
4.1 Our service providers use cookies and those cookies may be stored on your computer when you visit our website.
4.2 We use Embedly to show instruction and demonstration videos. This service uses cookies for tracking which instruction and/or demonstration videos were viewed. You can view the privacy policy of this service provider at https://embed.ly/legal/privacy. The relevant cookie is: em_cdn_uid.
4.3 We use Vimeo to show instruction and demonstration videos. This service uses cookies for tracking which instruction and/or demonstration videos were viewed. You can view the privacy policy of this service provider at https://vimeo.com/privacy. The relevant cookie is: vuid.
4.4 We use Helpscout to host our support documentation. This service uses cookies for tracking which documentation was viewed. You can view the privacy policy of this service provider at https://www.helpscout.com/company/legal/privacy/. The relevant cookie is: PLAY_SESSION.
5. Managing cookies
5.1 Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can however obtain up-to-date information about blocking and deleting cookies via these links:
(a) https://support.google.com/chrome/answer/95647 (Chrome);
(b) https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences (Firefox);
(c) https://help.opera.com/en/latest/security-and-privacy/ (Opera);
(d) https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies (Internet Explorer);
(e) https://support.apple.com/en-gb/guide/safari/manage-cookies-and-website-data-sfri11471/mac (Safari); and
(f) https://privacy.microsoft.com/en-us/windows-10-microsoft-edge-and-privacy (Edge).
5.2 Blocking all cookies will have a negative impact upon the usability of many web-based applications.
5.3 If you block cookies, you will not be able to use our platform.
6. Our details
6.1 This website is owned and operated by Physitrack Limited.
6.2 We are registered in England and Wales under registration number 8106661, and our registered office is at Bastion House, 6th Floor, 140 London Wall, London EC2Y 5DN, United Kingdom.
6.3 You can contact us by email, using support@physitrack.com.
Privacy Policy
Physitrack respects your privacy and is committed to protecting your personal data. This Privacy Policy will inform you as to how we look after your personal data when users visit our websites or use our platform (regardless of where you visit it from) and tell you about your privacy rights and how the law protects you. Users in this context can be health practitioners or patients of the health practitioners, unless otherwise specified.
This Privacy Policy is provided in a layered format so you can click through to the specific areas set out below. Please also use the Glossary to understand the meaning of some of the terms used in this privacy policy.
1. Important information and who we are
2. The data we collect about you
3. How is your personal data collected?
4. How we use your personal data
5. Disclosures of your personal data
6. International transfers
7. Data security
8. Data retention
9. Your legal rights
10. Glossary
1. Important information and who we are
Purpose of this Privacy Policy
This Privacy Policy aims to give you information on how Physitrack collects and processes your personal data through your use of our platform, including any data you may provide when you sign up to our newsletter.
The categories of data subjects that this Privacy Policy is intended to apply to are:
- Health Practitioners who are trading as individuals, who access our platform through and to whom we provide services directly;
- Representatives of corporate Health Practitioners, such as employees or other staff, who access our platform on behalf of their employer to whom we provide services;
- Patients of a Health Practitioner who access our platform as part of their treatment by a Health Practitioner; and
- Students of educational institutions that are part of Physitrack’s academic discount program and who use Physitrack in the course of their studies at said educational institution.
Collectively referred to as “Users”, “you” or “your” in this Privacy Policy.
It is important that you read this Privacy Policy together with any other Privacy Policy or fair processing policy we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This Privacy Policy supplements other notices and privacy policies and is not intended to override them.
Controller
Physitrack PLC is the controller and responsible for your personal data (collectively referred to as "Physitrack", "we", "us" or "our" in this Privacy Policy).
We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact the DPO using the details set out below.
Contact details
If you have any questions about this Privacy Policy or our privacy practices, please contact our DPO in the following ways:
Name of DPO: Paulina Glicza
Full name of legal entity: Physitrack PLC.
Email address: dpo@physitrack.com
Postal address: Bastion House, 6th Floor, 140 London Wall, London EC2Y 5DN, United Kingdom
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.
Changes to the Privacy Policy and your duty to inform us of changes
We keep our Privacy Policy under regular review. This version was last updated on 31 December 2021.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
Third-party links
Our website or platform may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the Privacy Policy of every website you visit.
2. The data we collect about you
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
Health Practitioners
· Identity Data includes first name and last name.
· Contact Data includes billing address, delivery address, email address and telephone numbers.
· Customer Relationship Data includes your name, the name of your business or employer, your job title or role, your contact details, your classification / categorisation within our customer relationship management system and information contained in or relating to communications between us and you, or between us and your employer.
· Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
· Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access the website or platform.
· Profile Data includes your API token, password, email address, account creation and modification dates, website settings, your interests, preferences, feedback and survey responses.
· Usage Data includes information about how you use our website, products and services.
· Marketing and Communications Data includes your preferences in receiving marketing such as our newsletter.
Patients
· Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access the website or platform.
Students
· Identity Data includes first name, last name, email, student ID.
· Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access the website or platform.
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website or platform feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.
We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences. We may, however, act as Data Processor of some Special Category Personal Data such as information regarding which exercises have been assigned to a specific patient and your adherence to a particular exercise program. Our legal obligations as a Data Processor are instead set out in the contract between us and the relevant Data Controller. With regards to retention and erasure, in accordance with data protection laws, the Data Controller will be given the option to have the Personal Data either returned or deleted upon termination of the contract. If we do not hear from the Data Controller on this point within 30 days of contract termination, we will permanently delete the Personal Data from our database (and from ‘back up’ within another 90 days).
If you fail to provide personal data
Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.
3. How is your personal data collected?
We use different methods to collect data from and about you including through:
Direct interactions. You may give us your Identity, Contact and Financial Data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
· apply for our products or services;
· create an account on our platform;
· subscribe to our service or publications;
· request marketing to be sent to you;
· enter a competition, promotion or survey; or
· give us feedback or contact us.
Automated technologies or interactions. As you interact with both our website and our platform, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. Please see our cookie policy for further details.
Third parties. We will receive personal data about you from various third parties as set out below:
· Contact, Financial and Transaction Data from providers of technical, payment and delivery services Adyen (Netherlands) and Chargebee (United States).
· Identity and Contact Data from publicly available sources such as LinkedIn.
4. How we use your personal data
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
Where we need to perform the contract we are about to enter into or have entered into with you.
Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
Where we need to comply with a legal obligation.
See the Glossary entry on lawful basis to find out more about the types of lawful basis that we will rely on to process your personal data.
In limited circumstances, we will rely on consent as a legal basis for processing your personal data.
Purposes for which we will use your personal data
We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
| Purpose/Activity | Type of data | Lawful basis for processing including basis of legitimate interest |
| --- | --- | --- |
| To register you as a new User and set up an account/profile | (a) Identity; (b) Contact | Performance of a contract with you |
| To provide you with our services, including: (a) Manage payments, fees and charges; (b) Collect and recover money owed to us; (c) operating our platform; (d) providing our services | (a) Identity; (b) Contact; (c) Financial; (d) Transaction; (e) Marketing and Communications; (f) Customer relationship data; (g) Service Data | (a) Performance of a contract with you, and/or (b) Necessary for our legitimate interests (to recover debts due to us) |
| To process your account/profile data for the purposes of publishing such data on our platform and elsewhere through our services | (a) Identity; (b) Contact; (c) Profile; (d) Service Data | Performance of a contract with you |
| To manage our relationship with you which will include: (a) Notifying you about changes to our terms or privacy policy; (b) Asking you to leave a review or take a survey; (c) to communicate with you for example in order to resolve any functionality issues. | (a) Identity; (b) Contact; (c) Profile; (d) Marketing and Communications; (e) Customer relationship data | (a) Performance of a contract with you; (b) Necessary to comply with a legal obligation; (c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services) |
| To enable you to partake in a survey | (a) Identity; (b) Contact; (c) Profile; (d) Usage; (e) Marketing and Communications | (a) Performance of a contract with you; (b) Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business) |
| For security monitoring purposes and to administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | (a) Identity; (b) Contact; (c) Technical | (a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise); (b) Necessary to comply with a legal obligation |
| To use data analytics to improve our website, products/services, marketing, customer relationships and experiences | (a) Technical; (b) Usage | Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) |
| To make suggestions and recommendations to you about goods or services that may be of interest to you, to send you our newsletter where you have opted into receiving it | (a) Identity; (b) Contact; (c) Technical; (d) Usage; (e) Profile; (f) Marketing and Communications | (a) Necessary for our legitimate interests (to develop our products/services and grow our business); and/or (b) Consent |
| To establish or defend legal claims | (a) Identity; (b) Contact; (c) Profile; (d) Usage; (e) Marketing and Communications; (f) Service Data | Necessary for our legitimate interests (the protection and assertion of our legal rights, your legal rights and the legal rights of others). |
| To obtain or maintain insurance coverage, managing risks and/or obtaining professional advice. | (a) Identity; (b) Contact; (c) Profile; (d) Usage; (e) Service Data | Necessary for our legitimate interests (the proper protection of our business against risks). |
Applicable to Health Practitioners only:
Marketing and Promotional offers from us
You may receive our monthly newsletter from us if you have opted in to receive this information from us.
We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. We have established personal data control mechanisms which will be embedded in all marketing communications you receive, and you will be able to unsubscribe from receiving these messages at any time.
We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which services and offers may be relevant for you (we call this marketing).
Cookies
You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please see https://www.physitrack.com/cookie-policy
Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
5. Disclosures of your personal data
We may share your personal data with the parties set out below for the purposes set out in the table:
Service providers acting as processors who provide IT, hosting and system administration services identified at https://support.physitrack.com/subprocessors.
Professional advisers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
HM Revenue & Customs, regulators and other authorities based in the United Kingdom who require reporting of processing activities in certain circumstances.
Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
6. International transfers
International Transfers to external third parties
Many of our external third parties are based outside the UK so their processing of your personal data will involve a transfer of data outside the UK.
How we safeguard personal data when we transfer it internationally
Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
1. We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data; or
2. Where we use certain service providers, we may use specific contracts approved for use in the UK which give personal data the same protection it has in the UK.
For further details of the specific mechanisms we rely on where we transfer your data internationally, please see https://support.physitrack.com/article/721-what-types-of-data-are-stored-by-physitrack.
7. Data security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
8. Data retention
How long will you use my personal data for?
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
Details of retention periods for different aspects of your personal data are available in our Data Retention Policy which you can request from us by contacting us.
In some circumstances you can ask us to delete your data: see [your legal rights] below for further information.
In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
9. EU Representative
Our representative within the EU with respect to our obligations under European data protection law is Physiotools Oy incorporated and registered in Finland with company number 0491074-9 whose address is Kehräsaari B, 5th Floor, 33200 Tampere, Finland. Email: data.protection@physiotools.com
10. Your legal rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data. Please click on the links below to find out more about these rights:
[Request access to your personal data].
[Request correction of your personal data].
[Request erasure of your personal data].
[Object to processing of your personal data].
[Request restriction of processing your personal data].
[Request transfer of your personal data].
[Right to withdraw consent].
If you wish to exercise any of the rights set out above, please contact us by email: dpo@physitrack.com.
No fee usually required
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
11. Glossary
LAWFUL BASIS
Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
Comply with a legal obligation means processing your personal data where it is necessary for compliance with a legal obligation that we are subject to.
THIRD PARTIES
YOUR LEGAL RIGHTS
You have the right to:
Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
· If you want us to establish the data's accuracy.
· Where our use of the data is unlawful but you do not want us to erase it.
· Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
· You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
Physitrack takes your privacy very seriously and treats all your personal data with great care. This document sets out Physitrack’s policy regarding privacy and security. It is recommended that you read this policy carefully. The capitalised words are defined in the Terms of Service.
1. Who is Physitrack?
Physitrack Ltd. is a company with limited liability established and existing under the laws of The United Kingdom, having its registered office at 65 Gresham Street, London EC2V 7NQ, and active on the website of Physitrack.
Physitrack has developed a platform used by healthcare providers to gather information from, and/or provide information to their patients. Physitrack is not a healthcare provider and does not screen Content posted by healthcare providers, nor does it select or screen specific exercise programs that are displayed to patients.
Physitrack as processor on behalf of healthcare providers
In the case of patients, Physitrack will store and process your personal data on behalf of its customers, the healthcare providers. For this processing, your healthcare provider will have access to your personal data and act as the "data controller" within the meaning of the European Privacy Directive (1995/46) and the Data Protection Act 1998 and will be responsible to you for the lawful processing of your personal data. Please refer to your healthcare provider for information on the way the healthcare provider will process your personal data. Whilst Physitrack takes the protection of personal data very seriously, Physitrack is not responsible for your healthcare provider’s compliance with applicable privacy laws.
Physitrack as controller
In certain circumstances Physitrack may also process your personal data for its own purposes, in which case Physitrack will be the “data controller” of your personal data and responsible for the lawful processing of this personal data. Physitrack is the controller for the processing of payments by healthcare providers, the processing of account information and the use of Intercom cookies as set out below (under 3). Physitrack shall only act as a controller with regard to personal data of healthcare providers and shall never act as controller with regard to personal data of a medical nature.
2. What personal data does Physitrack collect and process?
Account
In order to make use of the Service, it is necessary to create a personal Account. For this you are required to enter certain information about yourself. Your name, gender, e-mail address, phone number and country of residence are obligatory. For healthcare providers who register on behalf of an entity, information about that entity (name and contact details) is also required.
The information contained in your Account is not visible to third parties. For patients, only the healthcare provider that has sent you an invitation to use the Service and has been accepted by you can see your Account information.
Use of the Service
By using the Service, the patient or healthcare provider may provide information about their patient’s medical condition, exercise and treatment program and information about the patient’s compliance with the exercise and treatment program and the patient’s experiences while doing the exercises and treatment program. This information is treated on the Service to be private between the patient and the healthcare provider. Physitrack will store and process this information only on behalf of the healthcare provider and will never process medical information for our own purposes except as otherwise stated in this privacy policy. Once a patient grants access to their healthcare provider, the healthcare provider will have access to review their patient’s Account information, assign and modify exercise and treatment programs for the patient and use the information for the provision of health services and to contact the patient.
3. Cookies
When using Physitrack, cookies are saved on your computer. Cookies are small pieces of information (in the form of text) that a server sends to your browser (such as Internet Explorer or Firefox) with the intention that the browser sends this information back to the server the next time a user makes use of the Service. Cookies cannot damage your computer or the files saved on it.
When you use the Service, first party cookies are saved on your computer. First party cookies are made by or for Physitrack and are stored on your computer by Physitrack and only Physitrack has access to these cookies. Such cookies are used by Physitrack, for example, to remember your login information.
In order to collect data on the usage of Physitrack’s website (the marketing website, not the platform used for access to the Service), Physitrack uses Google Analytics. Google Analytics stores a permanent cookie on your computer which is subsequently used to register your use of the website. This data is then analyzed by Google and the results are given to Physitrack. This enables Physitrack to get more insight into the way in which the website is used and, based on this information, to make adjustments to the website or the provided services.
You can configure your browser so that you do not receive any cookies the next time you use the Service. However, it is then possible that you will no longer be able to make full use of Physitrack.
4. For what purposes will Physitrack use personal data about you?
Physitrack may use your personal data for the following purposes:
- To allow the healthcare provider to use the Service, including the management of the home exercise programs for patients, the management of the patients’ compliance with the exercise program and the exchange of exercise program templates with other users of Physitrack.
- To allow the patient to use the Service, including the access to home exercise programs provided by the healthcare provider and monitoring the compliance and providing feedback to the healthcare provider.
- To process payments by healthcare providers.
- To verify your identity, respond to your enquiries and contact you when necessary.
- To communicate with you about the Service and/or other services of Physitrack.
- To configure Physitrack to your wishes and needs.
- For protection purposes and to generate anonymous statistical data.
For a patient, Physitrack will only provide your medical information to a third party if you or your healthcare provider has given its consent for your medical information to be disclosed (for instance, to an insurance company) and, if such information can be aggregated, will use reasonable endeavours to de-identify the information.
Physitrack may in addition to any other rights set out in this privacy policy, provide your personal data to third parties in the following cases:
- To any person that you authorise us to disclose your personal information to.
- To our partners, affiliates, contractors and consultants, who are under an obligation to protect your personal information and who assist us or our related body corporates in provision of the Service or as otherwise set out in this privacy policy.
- To your organisation, if you are acting on behalf of an organisation.
- To government and regulatory authorities, as required or authorised by law.
- To our professional advisors.
- To your healthcare provider.
- If it is obliged or otherwise permitted to do so on account of national or international laws, case law and/or regulations including to government and regulatory authorities.
- If Physitrack considers it necessary to do so in defense of its own rights.
Physitrack may post customer testimonials/comments/reviews on the website, which may contain personal information. Physitrack shall obtain the individual’s consent via email prior to posting the testimonial.
You can contact us at support@physitrack.com if you do not wish to have your personal information used for any particular purpose. However, it is then possible that you may not be able to access or use all or part of the Service or our website. If Physitrack later advises you of an intended use or disclosure and you do not object to that use or disclosure or Physitrack is permitted or required by law to do so, Physitrack may do so.
Customer.io
Physitrack uses third-party analytics services to help understand the usage of the Service by healthcare providers. No patient information is shared through these services.
In particular, we provide a limited amount of the personal data of the healthcare provider (such as your email address and sign-up date) to Peaberry Software, Inc. (“Customer.io”) and utilize Customer.io to collect data for analytics purposes when you visit the Website or use the Service. Customer.io analyzes your use of our Website and/or Service and tracks our relationship so that Physitrack can improve its service to you. We may also use Customer.io as a medium for communications, either through email, or through messages within the Service.
Customer.io is a company that is based in the United States. Physitrack Limited and Customer.io have an EC Data Protection Agreement to protect the privacy of Physitrack's users.
5. How does Physitrack protect your personal data?
Physitrack takes appropriate technical and organizational measures to protect your personal data against loss or any form of unlawful use, but cannot guarantee that data transmission over the Internet will be wholly secure. Physitrack is also unable to warrant the security of any information provided to us over the Internet. Because of the medical nature of some of the personal data provided through the Service, Physitrack uses reasonable endeavours to incorporate a high level of security.
To protect the confidentiality and integrity of your personal data, we:
- Have internal policies to keep your data private and confidential in accordance with this privacy policy.
- Encrypt all communications between Physitrack and our users (HTTP via SSL, email via TLS).
- Use reasonable endeavors to encrypt all appropriate patient health information in our database where practical to do so ("at-rest").
- Limit information access inside our company.
- Use an electronically and physically secured data center.
- Use a firewall which blocks access by attackers and unauthorized users.
- Automatically log off healthcare providers after a certain period of inactivity.
- Require all of our users to choose strong passwords, and choose a new password every 90 days.
- Use a CDN (content distribution network) which filters out possible attackers.
- Use up-to-date development and testing systems.
- Use up-to-date server management technologies.
Physitrack uses cloud web-hosting provided by Amazon Web Servers, Inc (“Amazon”) to store personal information collected (including encrypted medical information) on servers located in Australia, but may also use servers in Ireland to store back-ups of this information. For further information about the privacy practices of Amazon, please visit http://aws.amazon.com/privacy/. Your personal information (including medical information) may from time to time be disclosed overseas to Physitrack, its related bodies corporate and third parties in accordance with this privacy policy. Locations will include United Kingdom and Australia, as amended from time to time.
6. Viewing, changing and deleting your personal data
If you wish to know what personal data Physitrack has collected about you or if you wish to change data that you cannot change yourself in your Account, then you can send your request to support@physitrack.com.
Before Physitrack provides you with access to your personal information, Physitrack may require some proof of identity. To the extent permitted by law, Physitrack will use reasonable endeavours to provide you with your personal information within 4 weeks of your request. In some circumstances where Physitrack corrects or updates a record, Physitrack may still require the retention of the original record. Physitrack will retain your personal data for as long as your Account is active or as needed to provide the Service to you, to resolve disputes, enforce agreements or comply with any legal obligations. If you wish to delete your Account or request that Physitrack no longer uses your personal data, you can contact us at support@physitrack.com.
7. Can this policy be changed?
It is possible for this policy to be amended in the future. Any changes to the policy will be mentioned on the Website, so it is recommended to regularly have a look at the Website. Your continued use of the Service and this Website after any changes to this policy means that you consent to such changes.
8. Australian privacy rights
If you are an Australian resident, you acknowledge and consent that Australian Privacy Principle 8.1 will not apply to an overseas disclosure of your personal information in accordance with this policy including in relation to Customer.io. In addition, if you have any requests or complaints about this policy, you may send these to support@physitrack.com.
Physitrack may respond to your request within 4 weeks. If you are dissatisfied with the outcome, you may make a complaint to the Australian Information Commissioner at the Office of the Australian Information Commissioner via telephone to 1300 363 992 (if calling within Australia) or + 61 2 9284 9749 (if calling outside Australia) or online at www.oaic.gov.au.
9. New Zealand privacy rights
Physitrack acknowledges and complies with the New Zealand Privacy Act 2020 and the 13 principles of The Health Information Privacy Act 2020.
10. Questions?
If you have any questions, please do not hesitate to contact us via support@physitrack.com.
Last modified: October 2021 (added paragraph on New Zealand privacy rights)
This addendum is applicable to Healthcare Practitioners in Canada using Physitrack (through https://ca.physitrack.com)
Physitrack complies with the Canadian PIPEDA and individual Provincial privacy and data protection laws governing healthcare software companies.
Physitrack and all of its employees, contractors and representatives, take all reasonable precautions with the storage and handling of any patient information, and will comply with the obligations of the National and Provincial laws.
Generally speaking, all provider and patient data is stored securely in Canada. Additionally, Physitrack has developed a full scope privacy and security architecture and conducts regular threat risk assessments.
Below is a list of additional safeguards that are deployed to meet individual Provincial privacy laws and regulations, as they may apply.
Alberta: Physitrack adheres to Alberta’s Personal Information Protection Act (PIPA), and limits collection, access and disclosure of personal information following the Provincial laws.
British Columbia: Physitrack complies with the Personal Information Protection Act (“PIPA”). As part of these duties Physitrack shall:
- Only collect, use, access, and retain the information provided to it as identified in the subscription agreement between Physitrack and Customers (the Healthcare Providers).
- Allow a Customer access to its information when asked for it, and never deny access because of a disputed payment for services.
- Report any privacy breach or security incident to Customers within two business days.
- Return or destroy personal information to the Customer when the subscription agreement ends.
- Physitrack agrees that all patient information will be stored on servers located in Canada only.
- Physitrack, as a normal policy, conducts systems and data security audits performed by independent third-party companies, at least once per year.
- Access to Patient Information
Physitrack works to ensure that access to patient information by Physitrack is appropriately limited, and that all such information is protected with best-in-class security measures.
- Rights to personal Information
Physitrack limits access to private patient information only to those individuals with the rights and strict necessity to view it.
At the server and developer level, secure keys and passwords are issued to any individual authorised to access Physitrack's data and application only insofar as the individual is actively involved with development of Physitrack.
Physitrack's sales and support employees and contractors have no access to individual patient outcome data other than PhysiApp access codes, and will strictly use this data for support requests initiated either by the patient or the practitioner.
- Encryption
All data stored which can reasonably be expected to contain sensitive information is encrypted at-rest, and in transit.
- In the Event of Data Breach
In the event of a personal information breach or security incident, Physitrack shall:
i. Immediately research which (sub)systems have been affected by a possible security breach;
ii. If Physitrack suspects that sensitive practitioner data has been compromised, Physitrack will invalidate practitioner passwords, forcing practitioners to choose a new password upon logging in from a unique email link.
iii. Send an email to all (affected) practitioners and subscribers detailing the nature of the data breach, steps which have been taken to mitigate the data breach, and measures which have been taken to prevent a future reoccurrence of this data breach.
iv. Make available a 12-hour response window via email to support@physitrack.com
v. Hire an external, ISO-accredited security research company to audit Physitrack's system to confirm that the measures taken are sufficient.
- System Outage
Physitrack hosts its applications in world-class data centers. Further, Physitrack uses various monitoring systems to monitor application status and performance.
In the event of a scheduled, non-emergency outage of more than 20 minutes during business hours, this will be announced either via email or inside the Physitrack application.
In the event of unscheduled outage, a Physitrack systems developer will be alerted to resolve the outage as soon as reasonably possible.
Manitoba: Physitrack complies with the Manitoba Personal Health Information Act (PHIA) as promulgated by the Provincial government.
New Brunswick: Physitrack complies with the Personal Health Information Privacy and Access Act. As such Physitrack abides by the rules governed by the Province, as outlined by the Provincial Government.
Newfoundland and Labrador: Canadian PIPEDA laws as outlined above apply here.
Nova Scotia: Physitrack abides by the Personal Information International Disclosure Act (PIIDA), and as such stores all patient related data inside of Canada. Physitrack abides by the PIIDA laws as outlined by the provincial Government.
Ontario: Physitrack is a cloud-based Software as a Service (SaaS) provider that abides by the safety and access standards set forth by the Information and Privacy Commissioner of Ontario. All data is stored and accessed in Canada, and Physitrack deploys best practices as outlined by the Commissioner.
Further, Physitrack and all of its employees, contractors and representatives will take all reasonable precautions with the storage and handling of any patient information of Ontario residents, and will comply with the obligations of the Provincial laws.
Prince Edward Island: Canadian PIPEDA laws as outlined above apply here.
Quebec: Physitrack abides by the Act Respecting the Protection of Personal Information in the Private Sector and as such stores all patient related data inside of Canada, limits the access to such personal data, and secures all data employing the industry best practices. Physitrack acknowledges adherence to the Provincial law.
Saskatchewan: Canadian PIPEDA laws as outlined above apply here.
Northwest Territories, Nunavut, and Yukon: Canadian PIPEDA laws as outlined above apply here.
This policy was last updated on 6 April 2020
Terms of Service
1 - Introduction
1. These Terms of Service apply to the use of Physitrack’s Service (as defined below). By using the Service, you agree to the Terms of Service and enter into an agreement with Physitrack (hereinafter “Agreement”). If you do not wish to agree to the Terms of Service, you cannot use the Service.
2. Physitrack PLC is a company established and existing under the laws of The United Kingdom, having its registered office at Bastion House, 6th Floor, 140 London Wall, London, EC2Y 5DN and active on the website of Physitrack (hereinafter “Website”). It is registered for VAT under VAT number GB 183 6396 73.
3. We advise you to read these Terms of Service carefully so that you are aware of your rights and responsibilities when using Physitrack’s Service. Questions about the Terms of Service should be sent to support@physitrack.com.
2 - General
1. These Terms of Service apply, to the exclusion of your terms and conditions, to all agreements between you and Physitrack and every use made of the Service via your Account.
2. Physitrack reserves the right to amend or supplement these Terms of Service at any time by posting an updated set of terms and conditions to the Website. The amended or supplemented Terms of Service will be brought to your attention by email to the address registered with your Account and by notice on the Website before the date on which such updated terms and conditions are due to come into effect. If you continue to use the Service after that date, you irrevocably accept the amended or supplemented Terms of Service. If you do not agree to the amended or supplemented Terms of Service, your only option is to terminate the Agreement in accordance with article 9.
3. Any additions to and/or deviations from these Terms of Service whether on a temporary or permanent basis are only valid when confirmed in writing by Physitrack acting by an authorized officer such as a director or senior manager.
3 - Service and availability
1. Physitrack has developed a platform, called Physitrack, which enables healthcare providers to manage home exercise programs for their patients, including management of the patients’ compliance with the exercise program and the exchange of exercise program templates with other clients of Physitrack (hereinafter “Platform”). The Platform is made accessible by Physitrack through the Website (hereinafter “Service”). To obtain access to the Service, you must have a registered account (hereinafter “Account”).
2. Subject to your full and continued compliance with all obligations pursuant to these Terms of Service, Physitrack grants you a limited, personal, revocable, non-exclusive, non-sub-licensable and non-transferable right to use the Service, including the Platform for the above purposes (but not further or otherwise).
3. Physitrack will make reasonable efforts to provide the Service with due care. You accept that the Service, including the Platform, only contains the functionalities and other characteristics as described in the current documentation as set out at the moment of your use (“as is” and “as available”). Each and every use of the Service is at your own risk and responsibility. Physitrack does not warrant that the provision of the Service will be uninterrupted or error-free and Physitrack does not accept responsibility for any part of the service provision infrastructure (including without limitation the internet) which is outside its reasonable control.
4. Physitrack is at all times entitled, without in any way becoming liable to you:
- to make procedural and technical alterations and/or improvements to the Platform and/or the Service; and
- to temporarily discontinue or limit the Service or your Account if, in its view, this is necessary, for example for purposes of preventive, corrective or adaptive maintenance. Physitrack will notify you of the temporary unavailability or restricted use of the Service insofar and as soon as reasonably possible.
4 - Account
1. To use the Service, you must create an Account by following the registration process on the Website.
2. Upon registration of the Account you will set your user name and unique password (together “identifiers”) in order to obtain access to the Account. You are responsible for keeping the identifiers secret. As soon as you know or have reason to suspect that the identifiers are no longer secret, or that the Account is being abused, you must notify Physitrack immediately and take all necessary steps to prevent unauthorized access including changing relevant identifiers and taking other security measures as recommended by your infrastructure provider.
3. You are not permitted to:
- provide information during registration that is not accurate, complete and up-to-date;
- create more than one Account;
- create an Account for another natural person or legal entity;
- share an Account or in any other way provide access to the Account to another natural person or legal entity; or
- create an Account if you are younger than 18 years of age.
4. In the case of a patient, you may download from the Service your exercise programs and account details strictly for your personal, non-commercial use only, provided you keep intact all copyright and other proprietary notices.
5. In the case of the healthcare provider, you may download from the Service your patient’s exercise program and compliance history strictly for the purpose of maintaining your patient’s records and must not sell, redistribute or use for any other purpose. You may not use any means for the export and/or download of your patient’s exercise program and compliance history, other than the means expressly provided for such purpose by Physitrack.
6. Physitrack offers students following a Health Sciences degree (e.g. Physiotherapy, Exercise Physiology, Occupational Therapy, Chiropractic, among others) complimentary access to Physitrack for the duration of their Bachelor's degree + 1 year. The maximum number of years of complimentary access is 5 years. At the time of subscribing to Physitrack, students are required to select their affiliated University or College and enter their unique student ID number and expected year of graduation. When the complimentary subscription expires, students can either change to a paid subscription or cancel their subscription.
Physitrack reserves the right to cancel complimentary student subscriptions where those subscriptions were obtained using incorrect or false information.
5 - Your obligations
1. In using the Service, you are not permitted to perform any acts as listed below:
- make content (including all information, data or material such as exercise programs (hereinafter “Content”)) available which, at the discretion of Physitrack, is discriminatory or is otherwise deemed hurtful, offensive or inappropriate;
- deal with personal data, other than in compliance with applicable law;
- make Content available which contains viruses, Trojan horses, worms, bots or other software which can cause any interference, loss or damage to the Platform or any data or make it unusable or inaccessible or delete it, or which can appropriate it or which is intended to circumvent technical protection measures of the Service, the Platform and/or the computer systems of Physitrack;
- make Content available which is directed at individuals (including patients) younger than 18 years of age, unless there is prior consent of the parents or guardians of such individuals;
- make or transmit any unwanted or unsolicited material or Content (spam);
- make Content available which could prejudice the interests and reputation of Physitrack.
2. Physitrack reserves the right, without prior notice, to abridge, alter, refuse and/or remove any Content in its absolute discretion and liability.
3. In the case of the healthcare provider, you may not create home exercise programs for more patients than agreed upon for your Account. The applicable limitation on the number of patients will be mentioned on the Website prior to the conclusion of the Agreement.
4. Breaches of this article 5 may lead to suspension or termination of the right to use the Service and Physitrack shall in any case be able to claim full damages for any breach of this article 5.
6 - Privacy
1. If you are a patient, by using the Service, both you and your healthcare provider may provide Physitrack with contact information and medical information about you. If you are a healthcare provider, by using the Service, both you and your patients may provide Physitrack with contact and other information about you. Physitrack solely uses this data for administrative and research purposes related to providing a stable and reliable Service to patients and healthcare providers and will observe the Data Protection Act and Australian privacy laws in relation to the provision of this information and any relevant rules and, where applicable, codes of practice relating to medical records as required by law. Our Privacy Policy set out on the Website shall apply to you and your use of the Service. You consent to the use, disclosure and keeping of your information in accordance with our Privacy Policy.
2. If you are a healthcare provider, you accept and agree that you are responsible for compliance with all applicable privacy legislation as the healthcare provider to the patient and no acts or omissions by Physitrack shall relieve you of your obligations. Under the Data Protection Act, Physitrack acts as a data processor only pursuant to the Data Protection Act and you remain the data controller in respect of all data processed using the Service. Physitrack shall only process personal data insofar as is necessary for the performance of the agreement with the healthcare provider and her instructions in writing, unless Physitrack is required by law to process personal data outside this scope or if the patient has given his consent for such processing to Physitrack. In respect of the Processing of Personal Data as referred to in this provision, Physitrack and the healthcare provider may conclude a Processor Agreement. In certain circumstances Physitrack may also process your personal data for its own purposes as specified in the Privacy Policy set out on this Website. Pursuant to the above-mentioned privacy legislation, you may have access obligations towards your patients, such as an obligation to provide information, and to allow inspection, correction, retention and removal of patient personal data. You are fully and exclusively responsible for ensuring compliance with these obligations; including taking regular back-ups of patient information in a form required by relevant legislation, rules and code of practice that apply to you as a healthcare provider. Physitrack shall provide its reasonable assistance to the healthcare provider to comply with requests of patients regarding their personal data. Insofar as consent of the patient is necessary, you will be responsible for obtaining such consent.
3. Physitrack shall use its best efforts to keep the personal data received from the healthcare provider strictly confidential and to implement appropriate technical and organisational measures to protect personal data against any form of unlawful and/or unauthorised personal data processing. Physitrack shall provide its reasonable assistance to the healthcare provider, in order for the health care provider to comply with its obligations regarding the evaluation of the effectiveness of security measures, the security of personal data, and notifications of a data breach.
7 - Payment
1. If you are a patient, there are no fees payable to Physitrack for using the Service, other than any fee applicable to downloading any applications from any app store.
2. If you are a healthcare provider, you shall pay to Physitrack the agreed fees, as mentioned on the Website (“Healthcare Provider Fees”).
3. All Healthcare Provider Fees are in the currency as shown on the subscription page and exclusive of all taxes, levies, or duties imposed by taxing authorities including without limitation taxes (such as VAT).
4. Physitrack is entitled to change its Healthcare Provider Fees at any time by email notice to you. The changed fees will become applicable to you from commencement of your next subscription period (month or year).
5. All Healthcare Provider Fees are due in advance for the entire subscription period (month or year) and shall be payable in advance by credit or debit card or direct debit. Physitrack shall charge the amounts due through your preferred method as indicated on the Website during your registration, and reserves the right to automatically charge the next and any subsequent period’s Healthcare Provider Fees without notice to you unless written cancellation of your Account is received from you not less than 10 days prior to the end of the current subscription period. In any event, payments must be made 6 days before the end of the subscription period.
6. In the case of a healthcare provider, if you fail to provide full and timely payments, you will immediately be in default without any advance demand or notice of default being required. From the time of default:
- Physitrack may immediately terminate or suspend your access to, and use of, the Service, in whole or in part, including access to the Platform by your patients;
- you owe Physitrack interest equal to the maximum rate permitted by law from (and including) the due date of payment up to the date of payment in full with interest; and
- Physitrack may decide to refer the debt for collection, in which case all costs incurred by Physitrack in connection with the late payments will be charged to you. These costs are estimated to come to at least 10% of the amount of the invoice with a minimum of £100, excluding VAT.
7. Complaints regarding (parts of) the Service or the invoice do not suspend your payment obligation.
8. To the maximum extent permitted by law, the Service is provided on a non-refundable basis. There will be no refunds or credits for partial months of Service, refunds for months of Service unused with an activated Account or for unauthorized use of an Account. None of the foregoing restricts your rights under any Statutory Warranties.
8 - Intellectual Property Rights
1. The intellectual property rights - including but not limited to copyrights, database rights and trade name rights (hereinafter “IP rights”) - in relation to the Service, including the Platform are held by Physitrack or its licensors. Nothing in the Terms of Service is intended to entail any transfer of IP rights to you.
2. You retain all IP rights on the Content you provide through the Service. By making available or uploading Content to the Service you automatically grant Physitrack a cost-free, worldwide, irrevocable, sub-licensable and transferrable right to use this Content insofar as is related to the provision of the Service.
3. Save to the extent that it is allowed by mandatory law, you may not reproduce or decompile the Platform or apply reverse engineering to it. Furthermore, removal and/or circumvention of security measures or technical limitations (to use) of the Service and/or the Platform is not allowed.
9 - Term and Termination
1. You agree that your use of the Service is for a definite period of time, either a month or a year (initial period). After the initial period has lapsed, your right to access to use the Service will automatically be renewed for the same period of time (month or year), subject to these Terms and Conditions.
2. You can terminate your Account and access to the Service at any time within your Account settings. If you are a healthcare provider and there are exercise programs that extend beyond the current subscription period, you must manually edit the programs of these patients to end within the current subscription period before you can terminate your Account and access to use the Service. Notwithstanding the foregoing, if you are a patient, your access to the Platform will cease upon your healthcare provider’s access to the Service ceasing.
3. If you are a healthcare provider and you terminate 10 days or more before the end of the current subscription period, your cancellation will take effect at the end of the current subscription term and you will not be charged for the following subscription period. If you terminate less than 10 days before the end of the current subscription period, your cancellation will take effect at the end of the next subscription term and fees will continue to be due and payable for the next subscription term.
4. Physitrack has the right to immediately discontinue or to (temporarily) suspend its Service or to terminate the Agreement, notwithstanding Physitrack’s other rights and remedies, including its right to claim damages:
- if you breach your obligations under the Agreement and/or the Terms of Service; or
- in the event you go bankrupt or are granted a suspension of payments, as well as in the event your business is closed down or liquidated.
5. In the event the Account is terminated, you will not receive any refunds as a result of termination.
6. Upon termination of the Agreement, if you are a healthcare provider, Physitrack shall keep all Content available to you for a period of 30 days after the end of the Agreement. You will be able to use the Service during this month insofar as is necessary for the exporting of your Content. You may not add any Content. After this period, Physitrack shall make your Account inaccessible to you. Physitrack will not be obliged to provide any Content or other information to you or convert or export such information. This clause is not applicable where your access to the Service is terminated as a result of a breach of your obligations under these Terms of Service.
7. After termination of a healthcare provider, for whatever reason, the patients shall not be able to access any exercise programs assigned by that healthcare provider. Physitrack shall still have the right to use the Content you provided during the Agreement as set out in article 8 insofar as you shared the Content with other clients of Physitrack.
10 - Liability
1. To the fullest extent permitted by law, Physitrack’s liability under any guarantee, condition or warranty (including, without limitation, any guarantee, condition or warranty of merchantability, acceptable quality, fitness for purpose or fitness for disclosed result), or any other right or remedy, under any legislation or implied into these Terms of Service by any legislation (Statutory Warranties) is hereby excluded. Where Physitrack is liable under any Statutory Warranties, and any legislation avoids or prohibits provisions in a contract excluding or modifying the application of, or exercise of, or liability under, such Statutory Warranties, Physitrack’s liability for any breach of such Statutory Warranties shall be limited, at Physitrack’s option, to one or more of the following:
- if the breach relates to goods: the replacement of the goods or the supply of equivalent goods; the repair of such goods; the cost of replacing the goods or of acquiring equivalent goods; or the cost of having the goods repaired; and
- if the breach relates to services: the supplying of the services again or the cost of having the services supplied again.
You acknowledge and agree that reliance by Physitrack on this limitation of liability is fair and reasonable in all the circumstances.
2. To the maximum extent permitted by law, Physitrack shall not be liable for any loss (including direct and indirect loss and damage), howsoever caused (including through our negligence), suffered or incurred by you arising from or in connection with:
- your access to, or use of, the Service, any Content (including Physitrack materials, user posted content and exercise programs) or any linked site;
- any decision or action taken by you in reliance on any Content (including Physitrack materials and user posted content);
- any error or defect in the Service; or
- any contravention by any other user of any applicable laws.
3. Notwithstanding this article 10, if Physitrack is liable for damage to you whether in contract, tort or on any legal theory whatsoever, Physitrack shall be liable solely for direct damage suffered by you up to an amount not exceeding that of your payments to Physitrack for 125% of last 12 months Service preceding the event that caused the damage or £5000 whichever shall be higher.
4. Direct damage shall solely mean:
- Direct damage to physical property
- Direct cost of obtaining any replacement service for the Services or spent in ensuring that Physitrack’s performance conforms to these Terms of Service, in each case, during the period
  - Up to the date of any termination of the Agreement by you; or
  - Up to the date of the earliest expiry date of any period during which the Services were being provided to you whichever shall first occur.
- Wasted costs and expenses incurred by you in ascertaining the cause and scope of any damage falling within these Terms of Service
5. Your right to claim damages against Physitrack whether in contract, tort or on any legal theory whatsoever is dependent upon your informing Physitrack promptly as soon as you become aware of any facts or matters giving rise to such claim and in any event within three weeks of becoming aware of such facts and matters.
6. Nothing in this clause shall operate to exclude or limit the liability of either party:
- for death or personal injury caused by that party’s negligence;
- for fraud or fraudulent misrepresentation; or
- for any other loss or damage which may not be validly excluded or limited by law.
11 - Information on the Service
1. We do not warrant or represent the accuracy, completeness or suitability for your intended use of any information (including, without limitation, any Content) on the Service. You are responsible for the use of any such information and you should make your own enquiries to check if the information is accurate, complete and suitable for your intended use.
2. All exercises available on the Service are demonstrations only. You acknowledge that healthcare providers are responsible to ensure that any exercises and exercise programs created for a patient are appropriate for that patient.
3. Physitrack does not endorse or recommend any information on the Platform or made available through the Service. All information contained on the Platform and through the Service is for personal use only and may not be sold, redistributed or used for any commercial purpose.
4. If you are a patient, there is always the possibility of physical injury and/or death when participating in any exercise or exercise program. If you feel discomfort or pain, you should immediately stop the activity causing such discomfort or pain and contact your healthcare provider or an ambulance in the case of a medical emergency. By using the Service, you represent that you have fully informed your healthcare provider of your medical history and existing condition and have received their consent to participate (and continue to participate) in the programs and exercises available to you on the Service.
5. The Service may from time to time contain links to internet sites maintained by third parties. Such links shall be provided for your convenience and are not under Physitrack’s control. Physitrack is not responsible for the contents (including the accuracy, completeness or suitability for your intended use) of any linked site or any link contained in a linked site. Physitrack does not endorse any information on linked sites or any associated organisation, product or services.
6. At the healthcare provider’s request and with the consent of the patient, we will transfer a patient’s records to the patient’s new healthcare provider using the Service. Once a transfer occurs no further access to the patient’s records will be available to the transferring healthcare provider. It is the responsibility of the transferring healthcare provider to ensure that it maintains its records relating to the patient in accordance with law.
12 - Warranties and indemnifications
1. Physitrack does not guarantee:
- that the Service shall be available to you at all times and without interruptions, faults or disturbances;
- that the Service shall be effective or the use of the Service shall lead to certain results; or
- that the information provided through the Service shall be accurate, up to date and complete.
2. Physitrack is not responsible for (and expressly disclaims all liability to you):
- the purchase and/or the proper operation of your infrastructure;
- loss, damage, inaccuracy and/or incompleteness of any Content;
- transmission errors, malfunctions or non-availability of any computer, data or telecom facilities, including the internet;
- any unauthorized use or attempted use of the Service;
- making backup copies of any Content; or
- the management, including checking the settings, the use of the Service and the manner in which the results of the Service are used.
3. Physitrack may provide application programming interfaces to allow integration of the Service with other services and platforms. Physitrack is not responsible for (and expressly disclaims all liability to you) for such other services and platforms which the Service integrates with or which integrate with the Service.
4. You guarantee that you will not use the Service and/or the Platform in a way that:
- infringes the rights of Physitrack or third parties, including but not limited to IP Rights or rights in relation to the protection of privacy;
- is contrary to any current legislation or regulations; or
- is contrary to any provision in these Terms of Service.
5. You agree to indemnify Physitrack against all costs, claims, damages and expenses which Physitrack incurs as a result of
- any claim by any third party based on any infringement or alleged infringement of such party’s IP-rights;
- any claim by any third party based on breach of privacy or wrongful use or disclosure of personal data or breach of any law relating to data or records including but not limited to your obligations in respect of the privacy of your patients as set out in article 6 above; and
- any claim by any third party in respect of any personal injury or damage to physical property suffered by them, to the extent that the same arises out of any wrongful or negligent act or omission by you in the course of your use of the Platform or receiving the Service or making use of the Service to provide services to others.
13 - Miscellaneous
1. Physitrack may assign or subcontract rights and obligations arising from these Terms of Service or the Agreement to third parties and will notify you of this. You are not permitted to assign or purport to assign to third parties any right derived from the Account without Physitrack’s prior written consent which Physitrack may grant or refuse in its sole discretion.
2. If Physitrack waives, in whole or part, any rights available to us under these Terms of Service on any occasion, this does not mean that those rights will automatically be waived on any other occasion.
3. If any provision of these Terms of Service is held to be invalid, unenforceable or illegal for any reason, it is to be read down to give it as much effect as possible, or if it is not capable of having any effect at all, it is to be severed from this Agreement, in which case, the remainder of these Terms of Service shall nevertheless continue in full force.
4. These Terms of Service and the use of the Service are governed by the laws of England and Wales.
5. To the extent that national or international rules of law do not prescribe otherwise as mandatory, any disputes that arise or are related to agreements concluded subject to these Terms of Service, or arise therefrom, will solely be submitted to the courts of England and Wales which will have exclusive jurisdiction with respect to any matters raised under these Terms of Service.
Last reviewed in November 2020.