Physiotools Privacy Policy

I. Preliminary information

At Physiotools we respect your privacy and the protection of your personal data. The privacy of our Users and the security of their data are a top priority for us. We are deeply committed to implementing robust measures that uphold the confidentiality, integrity, and accessibility of all information processed. In this policy, "Users" refers to both health practitioners and their patients unless noted otherwise. This privacy policy describes how and why we might collect, store, use, and/or process your information when you use our services, such as when you:

  • Visit our website at https://www.physiotools.com or any website of ours that links to this privacy policy.
  • Download and use our mobile application and gateway/software, collectively known as ‘the Platforms’, or any other application of ours that links to this privacy notice.
  • Engage with us in other related ways, including sales, marketing or events.

Updates to the Privacy Policy

We continually review and update our Privacy Policy to ensure it remains relevant. This policy may change and any modifications will be reflected on this page. It's your responsibility to review this page periodically, as any changes will apply to you.

Our Privacy Policy is structured in a layered format, allowing you to navigate to specific sections listed below. We prioritise the accuracy of the personal data we hold. Please keep us informed of any changes to your personal data throughout our collaboration.

Purpose of this Privacy Policy

This Privacy Policy aims to give you information on how Physiotools collects, processes, and secures your personal data through your use of our services, including any data you may provide when you sign up for our newsletter.

The categories of data subjects that this Privacy Policy is intended to apply to are:

  • Health Practitioners who provide health care services as a business (either individually or as a legal entity), who access our Services and to whom we provide Services directly;
  • Representatives of corporate Health Practitioners, such as employees or other staff, who access our Services on behalf of their employer to whom we provide services;
  • Patients of a Health Practitioner who access our services as part of their treatment by a Health Practitioner; and
  • Students of educational institutions that are part of the Physiotools academic discount program and who use Physiotools during their studies at their educational institution.
  • Companies that provide services as a business and provide their customers with access to our Services.

Data subjects are collectively referred to as “Users,” “you,” or “your” in this Privacy Policy.  

It is important that you read this Privacy Policy and any other Privacy Policy or fair processing policy we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This Privacy Policy supplements other notices and privacy policies and is not intended to override them.

II. Who is the Controller of your personal data?

Physiotools OY is the controller and responsible for your personal data (collectively referred to as "Physiotools", "we", "us" or "our" in this Privacy Policy) when we determine the purposes and means of the processing of your personal data, for example if you are visiting our website or if you are a healthcare practitioner providing us with your details; in the latter case we will process contact details and financial information for invoicing purposes.

We may also function as a processor entity when we process your personal data on behalf of the controller. We may act as both a controller and processor of your personal data as described below.

Physiotools Oy with company number 0491074-9 whose address is Kehräsaari B, 5th Floor, 33200 Tampere, Finland (collectively referred to as “Physiotools”, “we”, “us” or “our”).  Physiotools is committed to protecting and respecting your privacy so you can navigate and use the Platforms safely. We will process all personal and other data you provide to us in accordance with the European Union’s General Data Protection Regulation (EU) 2016/679 (‘GDPR’).

We have appointed a data protection officer responsible for overseeing questions concerning this privacy policy.

Contact details

If you have any questions about this privacy policy or our privacy practices, don't hesitate to get in touch with our data protection officer via any of the following ways:

Name of the DPO: Michał Lewandowski

Full name of legal entity: Physiotools OY

Email address: data.protection@physiotools.com

Third-party links

The Platforms may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

III. Types of personal data

Physiotools may collect and process the following types of personally identifiable information provided by you through your use of the Platforms: 

  • Identity Data: Name (first and surname), title, job title.
  • Contact Data: home or work address, email address, telephone number.
  • Technical Data: IP address and other technology you use to access the Platforms.
  • Transaction Data: includes details about payments to and from you and other details of services you have purchased from us.  
  • Usage Data: information about how you use the Platforms.  
  • Marketing and Communications Data: your preferences in receiving marketing from us.

IV. The data we collect about you as the processor

We act as a processor to Health Practitioners and we collect data from their patient users on their behalf. Therefore, our use and disclosure of information, including personal data, is limited by our agreements with them. This Privacy Policy does not reflect the privacy practices of the Health Practitioners, and we are not responsible for Health Practitioners’ privacy policies or practices. We do not review, comment upon, or monitor Health Practitioners’ privacy policies or their compliance with their respective privacy policies, nor do we review Health Practitioners’ instructions with respect to our processing of information to determine whether such instructions are in compliance or conflict with the terms of the Health Practitioners’ published privacy policy.

We may act as processor of Patients’ personal data not listed in section 3 above, including Special Category Personal Data such as information we receive from you and your Health Practitioner. Examples of this are which exercises have been assigned to you and your adherence to a particular exercise program. Our legal responsibilities as a processor are defined in the contract between us and the relevant data controller. Additionally, privacy obligations are mutually agreed upon between you and your Health Practitioner. With regard to retention and erasure, in accordance with data protection laws, the controller will be given the option to have the personal data either returned or deleted upon termination of the contract. If we do not hear from the controller on this point within 30 days of contract termination, we will permanently delete the personal data from our database in accordance with the Data Retention Policy (and from ‘back up’ within another 90 days) but may retain your data for longer periods when required under law or when otherwise agreed in our contract with the data controller.

V. What information is collected and how is it processed?

We collect, transmit and process data you provide, for example from: 

  • completed contact us or trial request forms on our website 
  • completed e-newsletter request forms 
  • emails to us and other direct interactions with us
  • details of any problems you report via our website regarding our service or site 
  • details you give when entering a competition or promotion run by us 
  • automated technologies or interactions.  

If you complete a contact us or trial request form or send us an email, the data you provide will be stored on the website temporarily. Information from these forms forwarded to us through email is in plain text.

We will enter this data in our customer relation management system and/or helpdesk tools in order to be able to process your request for fulfilling contractual obligations, such as technical support or to pursue our legitimate interest. 

If you subscribe to our e-newsletter, the information you provide when completing the form will be forwarded to MailChimp which is our provider of email marketing services and is considered a third-party data processor by us.  

We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences. We may, however, act as Data Processor of some Special Category Personal Data, such as information regarding which exercises have been assigned to a specific patient and adherence to a particular exercise program.

VI. Site visitation tracking and cookies

As you interact with our Platforms, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies.

VII. How do we use Personal Information and what are the Legal Grounds

Below we have listed the description of processing activities that we may perform on your Personal Information. We have also identified what our legitimate interests are where appropriate.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Do not hesitate to get in touch with us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

| Purpose/Activity | Type of data | Lawful basis for processing including basis of legitimate interest |
| --- | --- | --- |
| To register you as a new user | (a) Identity (b) Contact | Performance of a contract with you |
| To process and deliver your order including: (a) Manage payments, fees and charges (b) Collect and recover money owed to us | (a) Identity (b) Contact (c) Transaction | (a) Performance of a contract with you (b) Necessary for our legitimate interests (to recover debts due to us) |
| To manage our relationship with you which will include: (a) Notifying you about changes to our terms or privacy policy | (a) Identity (b) Contact | (a) Performance of a contract with you (b) Necessary to comply with a legal obligation (c) Necessary for our legitimate interests (to keep our records updated and to study how users use our products/services) |
| To administer and protect our business and the Physiotools Products (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | (a) Identity (b) Contact (c) Technical | (a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) (b) Necessary to comply with a legal obligation |
| To enable you to receive our newsletter | (a) Identity (b) Contact (c) Marketing and Communications | Consent Necessary for our legitimate interests (for marketing our business). |
| To use data analytics to improve the Physiotools Products, and our relationships with users and their experience | (a) Technical (b) Usage | Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) |

Marketing

You may have opted in to receive our e-newsletter. If you want to avoid receiving this, you can opt out of receiving such communications.

We do not pass on, sell, rent or lease any personal information provided by you to any third party for marketing purposes.

Resellers

In some instances, Physiotools may transfer your data to a local Physiotools reseller to administer services in lieu of Physiotools. 

VIII. Storage and security of your personal data

The data that we collect from you through this website may be transferred to, stored and processed at a destination outside the European Union/EEA. By submitting your personal data you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Statement. Further information about the measures we take to safeguard the transfer of your data to a country outside the European Union/EEA is available on request.  

If you subscribe to our e-newsletter, the information you provide in the form will remain within MailChimp’s database for as long as we continue to use MailChimp’s services for e-marketing or until you specifically request removal from the list. You can do this by unsubscribing using the unsubscribe link contained in all e-newsletters that we send you, or by requesting removal via email. When requesting removal via email, please send your email to us using the email account that is subscribed to the mailing list. 

IX. Disclosure of information

Physiotools may disclose your information without notice to third parties such as: 

  • If we buy or sell any business or assets, in which case we may disclose your personal data to the seller or buyer of such business or assets. 
  • If we are under a duty to disclose or share your personal data to comply with any legal obligation. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction. 
  • Other companies within our Group, such as Physitrack PLC based in the United Kingdom.
  • Authorised Physiotools resellers.
  • Such third-party service providers.  

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

X. Security and data retention

The transfer of information via the Internet is not completely secure. Although we do our best to protect your personal data, we cannot guarantee the security of your data transmitted to and from our website; any transmission is at your own risk. Once we have received your information, we use strict procedures, security features and a secure server environment to prevent unauthorised access and protect your personal data against unlawful processing, destruction, alteration, loss and disclosure. We will retain your information for a reasonable period. 

XI. Accuracy of information

You are responsible for informing us when your personal details have changed. Please note that notification of any change must be in writing to data.protection@physiotools.com. It is then our responsibility to update our records accordingly. 

XII. Access to Information and your rights 

You have certain rights in respect of your personal data, including the rights of access, objection to processing, restriction of processing, portability and correction, and the right to request the erasure or transfer of your personal data.

You also have the right to object to your personal data being used for certain purposes, including to send you marketing, such as our newsletter.  

We will comply with any requests to exercise your rights in accordance with applicable law. Please be aware, however, that there are a number of limitations to these rights, and there may be circumstances where we are not able to comply with your request. To make any requests regarding your personal data, or if you have any questions or concerns regarding your personal data, you should contact us by emailing data.protection@physiotools.com.

You have the right to make a complaint to the Office of the Data Protection Ombudsman at any time. We would appreciate the opportunity to deal with your concerns before you approach them, so do not hesitate to contact us in the first instance.

XIII. Third-party data processors

The following third parties process data on our behalf:

| Subprocessor | Description | Data type |
| --- | --- | --- |
| Evertech EU (Finland) | Cloud Service Provider | Identity Data (including name, title, job title), Contact Data (home or work address, email address, telephone number), Technical Data (IP address), Transaction Data (details about payments to and from you and other details of services you have purchased from us), Usage Data (information about how you use the Platforms), and Marketing and Communications Data (your preferences in receiving marketing from us) |
| Microsoft Corp EU | Mailing services and CRM | Name, email address |
| Microsoft Azure EU USA for US-based Clients | Cloud Service Provider for mobile application | Identity Data (including name, title, job title), Contact Data (home or work address, email address, telephone number), Technical Data (IP address), Transaction Data (details about payments to and from you and other details of services you have purchased from us), Usage Data (information about how you use the Platforms), and Marketing and Communications Data (your preferences in receiving marketing from us) |
| Armor defence USA | Cloud Service Provider for US customers | Identity Data (including name, title, job title), Contact Data (home or work address, email address, telephone number), Technical Data (IP address), Transaction Data (details about payments to and from you and other details of services you have purchased from us), Usage Data (information about how you use the Platforms), and Marketing and Communications Data (your preferences in receiving marketing from us) |
| Helpscout USA | We use Helpscout to process customer support emails and display our online knowledge base | Name, email, IP address |
| Pipedrive EU (Estonia) | We use Pipedrive to track our sales and enterprise support efforts. | Billing-related customer data |
| Mailchimp USA | We use rocket science for marketing automation | Name, Email address |
| Goodlife Technology Oy EU (Finland) | We use Goodlife Technology Oy to provide marketing and sales services | First Name, Last Name, Address, Telephone Number, Email Address, Employer, Job Title, Specialist Area |
| Physitrack PLC eu-north-1 (Stockholm) USA: us-east-1 (Virginia) | Parent Company. Storing encrypted backups only | Encrypted backups of production data |
| Chargebee EU | We use Chargebee to help manage our subscription process and invoicing. | Practitioner's billing information such as name, email and payment method. No Patient data is sent to Chargebee. |
| Zapier USA | We will be using Zapier to improve workflow automations across various applications. This will help us integrate data smoothly and enhance operational efficiency for our services. Zapier will not process any identifiable patient data. | Organisation name, first name, last name, address, contact name, contact email address, contact phone number, usage numbers from CRM, account details including settings and subscription details. No Patient data is sent to Zapier. |
| ActiveCampaign EU | We will use ActiveCampaign within our Physitrack platform to streamline our email communications and customer management, both for new and existing customers. Our goal is to optimise the experience of our existing Physitrack subscribers and to provide a smooth onboarding process for new customers and users. ActiveCampaign will not process any identifiable patient data. | Organisation name, first name, last name, address, contact name, contact email address, contact phone number, usage numbers from CRM. |
| Webflow USA | We use Webflow to improve our marketing website design and development capabilities. | Full name, email, and a choice from a survey (list of bullet points). No Patient data is sent to Webflow. |
| ADA EU | We use ADA as our AI-powered support agent which automates routine inquiries, offers 24/7 support, and provides personalized assistance. | Name, surname, email, IP address, account details including settings and subscription details. |

For further information on the policies of our third-party data processors, please refer to their websites. 

XIV. Contact us

For the purposes of this Statement, the data controller is Physiotools Oy, Kehräsaari B, 5th Floor, 33200 Tampere, Finland. 

If you have any questions or comments about this Statement or if you wish to change any data about yourself, please email data.protection@physiotools.com.  

XV. Changes to this Statement

Physiotools will occasionally update this Statement. We encourage you to review this Statement from time to time. 

This Statement was last updated in February 2024.