Privacy Policy

Physitrack Limited is a UK company, which is why our Privacy Policy is in English.
If you wish to view the Privacy Policy in a different language, we suggest you view it through Google Translate. Please note that it is always the English text that prevails.

Physitrack takes your privacy very seriously and treats all your personal data with great care. This document sets out Physitrack’s policy regarding privacy and security. It is recommended that you read this policy carefully. The capitalized words are defined in the Terms of Service.

1. Who is Physitrack?

Physitrack Ltd. is a company with limited liability established and existing under the laws of The United Kingdom, having its registered office at 6th Floor 125 Wood Street, London, United Kingdom, EC2V 7AN.

Physitrack has developed a platform used by healthcare providers to gather information from, and/or provide information to their patients. Physitrack is not a health care provider and does not screen Content posted by healthcare providers, nor does it select or screen specific exercise programs that are displayed to patients.  

2. The Applicable Law

Physitrack Limited by incorporation as a company in the UK is subject to the Data Protection Act 2018, Regulation (EU) 679/2016 (GDPR) and the Privacy in Communication Regulations 2011 when controlling or processing data in the course of its business.

Physitrack is registered with the UK Data Supervisory Authority in accordance with The Data Protection (Charges & Information) Regulations 2018 with a registered number ZA396165.

However, where you live and where your health provider incorporates impacts the data protection and privacy laws which may apply to the control or processing of your data.

3. Physitrack as data processor

Physitrack will store and process personal data on behalf of its customers, the healthcare providers. For this processing, the healthcare provider will act as the "data controller" within the meaning of the Data Protection Act 2018 and Regulation (EU) 679/2016 (GDPR).

Physitrack also at times acts as a Data Processor when responsible for the lawful processing of personal data. The lawful grounds on which we process personal data can vary depending on the terms of our business, but in general we rely on a variety of lawful bases to process, including contract, consent and legitimate expectation. Please refer to your healthcare provider, the Data Controller for your personal data, about the way they might process your personal data and the terms of their privacy policies.

4. Physitrack as data controller  

In certain circumstances Physitrack may also process your personal data for its own purposes, in which case Physitrack will be the “data controller” of your personal data and responsible for the lawful processing of this personal data. You may object to your data being processed; however, this may prevent our services being provided to you. Please reach out to the contact details below should you want us to stop processing your data.

Physitrack is the data controller for the processing of payments by healthcare providers, the processing of account information, the use of Customer.io data as set out below and the provision of aggregated information to authorised parties (with your consent).  

5. What personal data does Physitrack collect and process?  

In order to make use of the Service, it is necessary to create a personal Account. For this you are required to enter certain information about yourself. Your name, sex, e-mail address, phone number and country of residence are obligatory. For healthcare providers who register on behalf of an entity, information about that entity (e.g. company or trading name and contact details) is also required.

The information contained in your account is not visible to third parties. For patients, only the healthcare provider that has sent them an invitation to use the Service and/or healthcare providers that their healthcare provider is sharing their patients with, can see their Account information.

A detailed list of data that is processed by Physitrack can be found here.

6. Terms of Service  

By using the Service, the healthcare provider provides information about the exercise program of the patients and the patients provide information about their compliance with the exercise program and their experiences while doing the exercises. This information is private between the patient and the healthcare provider and is subject to medical privilege.

Physitrack stores this information on behalf of the healthcare provider. Physitrack will only process the patient information for its own purposes with the consent of the patient. After the patient has given consent, Physitrack will anonymise the patient information and share it with authorised third parties.

If the patient is a minor, the parents or legal guardians of the patient will be asked to give their consent for the processing described above.  

7. Cookies  

When using Physitrack, cookies are saved on your computer. Cookies are small pieces of information (in the form of text) that a server sends to your browser (such as Internet Explorer or Firefox) with the intention that the browser sends this information back to the server the next time a user makes use of the Service. Cookies cannot damage your computer or the files saved on it.

When you use the Service, first party cookies are saved on your computer. First party cookies are made by or for Physitrack and are stored on your computer by Physitrack and only Physitrack has access to these cookies. Such cookies are used by Physitrack, for example, to remember your login information.

In order to collect data on the usage of Physitrack’s website (the marketing website, not the platform used for access to the Service), Physitrack uses Google Analytics. Google Analytics stores a permanent cookie on your computer which is subsequently used to register your use of the website. This data is then analyzed by Google and the results are given to Physitrack. This enables Physitrack to improve its services to customers and site visitors.

You can configure your browser so that you do not receive any cookies the next time you use the Service. However, it is then possible that you will no longer be able to make full use of the Physitrack website or the portal login services offered online.

8. The Purposes for which Physitrack processes personal data  

Physitrack may use your personal data for the following purposes:  

- To allow the healthcare provider to use the Service, including the management of the home exercise programs for patients, the management of the patients’ compliance with the exercise program and the exchange of exercise program templates with other users of Physitrack.  

- To allow the patient to use the Service, including the access to home exercise programs provided by the healthcare provider and monitoring the compliance and providing feedback to the healthcare provider.  

- To process payments by healthcare providers.  

- To communicate with you about the Service and/or other services of Physitrack.

- To configure Physitrack for your use.

- For protection purposes and to generate anonymous statistical data.  

9. Data Sharing

Physitrack will only release medical information to third parties where the healthcare provider has given consent for the specific third party involved (for instance, an insurance company) to receive such information and if such information is anonymized to protect patient privacy.

Physitrack will only provide your personal data to third parties other than as set out in this Privacy Policy in the following cases:  

- if it is obliged to do so based on the Agreement with the healthcare provider;

- if it is obliged to do so on account of national or international laws, case law and/or regulations;  

- if Physitrack considers it necessary to do so in defense of its own rights; or  

- if you have given permission to do so.  

Physitrack may post customer testimonials/comments/reviews on the Website, which may contain personal data of healthcare providers. Physitrack shall obtain the healthcare provider’s consent via email prior to posting the testimonial.

10. International Data Transfers

As Physitrack uses localized servers to store your personal data, this minimizes data transfers to countries which may not provide adequate protections in law for your personal data. For a full list of countries approved by the European Commission as ‘adequate’ please click here https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en

11. Behavioural data processing

Physitrack uses third-party analytics services to help understand the usage of the Service by healthcare providers. No patient information is shared through these services.  

In particular, we provide a limited amount of the personal data of the healthcare provider (such as your email address and sign-up date) to Peaberry Software, Inc. (“Customer.io”) and utilize Customer.io to collect data for analytics purposes when you visit the Website or use the Service. Customer.io analyzes your use of our Website and/or Service and tracks our relationship so that Physitrack can improve its service to you. We may also use Customer.io as a medium for communications, either through email, or through messages within the Service.

Customer.io is a company that is based in the United States. Physitrack Limited and Customer.io have an EC Data Protection Agreement to protect the privacy of Physitrack's users.

Physitrack also uses sub-processors, as listed on https://support.physitrack.com/article/721-what-types-of-data-are-stored-by-physitrack to process your data. When personal data is processed by sub-processors, Physitrack has data processing agreements in place with these sub-processors.

12. Data Retention

All data processed by Physitrack will be kept for periods in accordance with the Data Retention Policy. Where a health provider terminates the Physitrack service, stored personal data will be deleted or retained in accordance with the terms of the Data Retention Policy.

13. Data Security

Physitrack takes appropriate technical and organizational measures to protect your (personal) data against loss or any form of unlawful use. Because of the medical nature of some of the personal data, Physitrack has incorporated a very high level of security.  

To protect the confidentiality and integrity of your personal data, we:  

- Have internal policies that keep your data private and confidential.  

- Encrypt all communications between Physitrack and our users (HTTP via SSL, email via TLS).

- Encrypt all patient health information in our database ("at-rest").  

- Limit information access inside our company to the absolute minimum necessary.  

- Use an electronically and physically secured data center.  

- Use a firewall which blocks access by attackers and unauthorized users.  

- Automatically logoff healthcare providers after a certain period of inactivity.  

- Require all of our users to choose strong passwords.

- Use a world-class CDN (content distribution network) which filters out possible attackers.

- Use state-of-the-art development and testing systems.

- Use best-in-class server management technologies.  

14. Your right to access or delete your personal data  

If you wish to access your personal data that Physitrack may have stored or if you wish to ask for a copy of that data, or change data that you cannot change yourself in your Account, then you can send your request to support@physitrack.com. Physitrack will provide you with the personal data within 4 weeks. If Physitrack is for any reason unable to satisfy your request it will inform you as soon as reasonably possible.  

Physitrack will retain your personal data for as long as your Account is active or as needed to provide the Service to you, to resolve disputes, enforce agreements or comply with any legal obligations in accordance with the Data Retention Policy. If you wish to delete your Account or request that Physitrack no longer uses your personal data, you can contact us at support@physitrack.com. Physitrack's handling of retention and deletion requests is subject to law, defence of legal claims or statutory obligations irrespective of the Retention Policy.

15. The Applicable Supervisory Authority

Should you have a complaint about the way in which your data is controlled or processed, you should first contact your healthcare provider. If you feel that this does not resolve your concerns about the way in which your data is controlled or processed, then you have the right to complain to the national supervisory authority of your country.

While Physitrack applies UK law due to incorporation, the full list of European supervisory bodies can be found here https://edpb.europa.eu/about-edpb/board/members_en

For Canadian residents the Personal Information Protection and Electronic Documents Act (PIPEDA) applies and the national Supervisory authority can be located here https://www.priv.gc.ca/en/

For Australian residents a number of privacy laws apply depending upon the federal state where you may reside. For more on privacy and the authority for privacy rights in Australia please click here https://www.oaic.gov.au/

16. Policy Date

This policy is subject to annual review or where the data protection and/or privacy law changes, and therefore this policy will be amended in the future. Any policy amendments will be posted to the Physitrack website. This policy was last updated on 22 July 2019.

17. Contact Details  

If you have any questions, please do not hesitate to contact our data protection officer via support@physitrack.com or at 6th Floor 125 Wood Street, London, United Kingdom, EC2V 7AN.

Physitrack takes your privacy very seriously and treats all your personal data with great care. This document sets out Physitrack’s policy regarding privacy and security. It is recommended that you read this policy carefully. The capitalised words are defined in the Terms of Service.

1. Who is Physitrack? 

Physitrack Ltd. is a company with limited liability established and existing under the laws of The United Kingdom, having its registered office at 65 Gresham Street, London EC2V 7NQ, and active on the website of Physitrack. 

Physitrack has developed a platform used by healthcare providers to gather information from, and/or provide information to their patients. Physitrack is not a healthcare provider and does not screen Content posted by healthcare providers, nor does it select or screen specific exercise programs that are displayed to patients. 

Physitrack as processor on behalf of healthcare providers 

In the case of patients, Physitrack will store and process your personal data on behalf of its customers, the healthcare providers. For this processing, your healthcare provider will have access to your personal data and act as the "data controller" within the meaning of the European Privacy Directive (1995/46) and the Data Protection Act 1998 and will be responsible to you for the lawful processing of your personal data. Please refer to your healthcare provider for information on the way the healthcare provider will process your personal data. Whilst Physitrack takes the protection of personal data very seriously, Physitrack is not responsible for your healthcare provider’s compliance with applicable privacy laws. 

Physitrack as controller 

In certain circumstances Physitrack may also process your personal data for its own purposes, in which case Physitrack will be the “data controller” of your personal data and responsible for the lawful processing of this personal data. Physitrack is the controller for the processing of payments by healthcare providers, the processing of account information and the use of Intercom cookies as set out below (under 3). Physitrack shall only act as a controller with regard to personal data of healthcare providers and shall never act as controller with regard to personal data of a medical nature. 

2. What personal data does Physitrack collect and process? 

Account

In order to make use of the Service, it is necessary to create a personal Account. For this you are required to enter certain information about yourself. Your name, gender, e-mail address, phone number and country of residence are obligatory. For healthcare providers who register on behalf of an entity, information about that entity (name and contact details) is also required.

The information contained in your Account is not visible to third parties. For patients, only the healthcare provider that has sent you an invitation to use the Service and has been accepted by you can see your Account information. 

Use of the Service 

By using the Service, the patient or healthcare provider may provide information about their patient’s medical condition, exercise and treatment program and information about the patient’s compliance with the exercise and treatment program and the patient’s experiences while doing the exercises and treatment program. This information is treated on the Service to be private between the patient and the healthcare provider. Physitrack will store and process this information only on behalf of the healthcare provider and will never process medical information for our own purposes except as otherwise stated in this privacy policy. Once a patient grants access to their healthcare provider, the healthcare provider will have access to review their patient’s Account information, assign and modify exercise and treatment programs for the patient and use the information for the provision of health services and to contact the patient.

3. Cookies  

When using Physitrack, cookies are saved on your computer. Cookies are small pieces of information (in the form of text) that a server sends to your browser (such as Internet Explorer or Firefox) with the intention that the browser sends this information back to the server the next time a user makes use of the Service. Cookies cannot damage your computer or the files saved on it. 

When you use the Service, first party cookies are saved on your computer. First party cookies are made by or for Physitrack and are stored on your computer by Physitrack and only Physitrack has access to these cookies. Such cookies are used by Physitrack, for example, to remember your login information. 

In order to collect data on the usage of Physitrack’s website (the marketing website, not the platform used for access to the Service), Physitrack uses Google Analytics. Google Analytics stores a permanent cookie on your computer which is subsequently used to register your use of the website. This data is then analyzed by Google and the results are given to Physitrack. This enables Physitrack to get more insight into the way in which the website is used and, based on this information, to make adjustments to the website or the provided services.

You can configure your browser so that you do not receive any cookies the next time you use the Service. However, it is then possible that you will no longer be able to make full use of Physitrack. 

4. For what purposes will Physitrack use personal data about you? 

Physitrack may use your personal data for the following purposes: 

- To allow the healthcare provider to use the Service, including the management of the home exercise programs for patients, the management of the patients’ compliance with the exercise program and the exchange of exercise program templates with other users of Physitrack. 

- To allow the patient to use the Service, including the access to home exercise programs provided by the healthcare provider and monitoring the compliance and providing feedback to the healthcare provider.

- To process payments by healthcare providers.

- To verify your identity, respond to your enquiries and contact you when necessary. 

- To communicate with you about the Service and/or other services of Physitrack.

- To configure Physitrack to your wishes and needs. 

- For protection purposes and to generate anonymous statistical data.

For a patient, Physitrack will only provide your medical information to a third party if you or your healthcare provider has given its consent for your medical information to be disclosed (for instance, to an insurance company) and, if such information can be aggregated, will use reasonable endeavours to de-identify the information. 

Physitrack may in addition to any other rights set out in this privacy policy, provide your personal data to third parties in the following cases:  

- To any person that you authorise us to disclose your personal information to. 

- To our partners, affiliates, contractors and consultants, who are under an obligation to protect your personal information and who assist us or our related bodies corporate in provision of the Service or as otherwise set out in this privacy policy.

- To your organisation, if you are acting on behalf of an organisation. 

- To government and regulatory authorities, as required or authorised by law. 

- To our professional advisors. 

- To your healthcare provider. 

- If it is obliged or otherwise permitted to do so on account of national or international laws, case law and/or regulations including to government and regulatory authorities. 

- If Physitrack considers it necessary to do so in defense of its own rights. 

Physitrack may post customer testimonials/comments/reviews on the website, which may contain personal information. Physitrack shall obtain the individual’s consent via email prior to posting the testimonial.

You can contact us at support@physitrack.com if you do not wish to have your personal information used for any particular purpose. However, it is then possible that you may not be able to access or use all or part of the Service or our website. If Physitrack later advises you of an intended use or disclosure and you do not object to that use or disclosure or Physitrack is permitted or required by law to do so, Physitrack may do so. 

Customer.io   

Physitrack uses third-party analytics services to help understand the usage of the Service by healthcare providers. No patient information is shared through these services.  

In particular, we provide a limited amount of the personal data of the healthcare provider (such as your email address and sign-up date) to Peaberry Software, Inc. (“Customer.io”) and utilize Customer.io to collect data for analytics purposes when you visit the Website or use the Service. Customer.io analyzes your use of our Website and/or Service and tracks our relationship so that Physitrack can improve its service to you. We may also use Customer.io as a medium for communications, either through email, or through messages within the Service.

Customer.io is a company that is based in the United States. Physitrack Limited and Customer.io have an EC Data Protection Agreement to protect the privacy of Physitrack's users.

5. How does Physitrack protect your personal data? 

Physitrack takes appropriate technical and organizational measures to protect your personal data against loss or any form of unlawful use, but cannot guarantee that data transmission over the Internet will be wholly secure. Physitrack is also unable to warrant the security of any information provided to us over the Internet. Because of the medical nature of some of the personal data provided through the Service, Physitrack uses reasonable endeavours to incorporate a high level of security.

To protect the confidentiality and integrity of your personal data, we: 

- Have internal policies to keep your data private and confidential in accordance with this privacy policy. 

- Encrypt all communications between Physitrack and our users (HTTP via SSL, email via TLS).

- Use reasonable endeavors to encrypt all appropriate patient health information in our database where practical to do so ("at-rest"). 

- Limit information access inside our company. 

- Use an electronically and physically secured data center. 

- Use a firewall which blocks access by attackers and unauthorized users. 

- Automatically logoff healthcare providers after a certain period of inactivity. 

- Require all of our users to choose strong passwords, and choose a new password every 90 days. 

- Use a CDN (content distribution network) which filters out possible attackers.

- Use up-to-date development and testing systems. 

- Use up-to-date server management technologies. 

Physitrack uses cloud web-hosting provided by Amazon Web Services, Inc. (“Amazon”) to store personal information collected (including encrypted medical information) on servers located in Australia, but may also use servers in Ireland to store back-ups of this information. For further information about the privacy practices of Amazon, please visit http://aws.amazon.com/privacy/. Your personal information (including medical information) may from time to time be disclosed overseas to Physitrack, its related bodies corporate and third parties in accordance with this privacy policy. Locations will include the United Kingdom and Australia, as amended from time to time.

6. Viewing, changing and deleting your personal data 

If you wish to know what personal data Physitrack has collected about you or if you wish to change data that you cannot change yourself in your Account, then you can send your request to support@physitrack.com. Before Physitrack provides you with access to your personal information, Physitrack may require some proof of identity. To the extent permitted by law, Physitrack will use reasonable endeavours to provide you with your personal information within 4 weeks of your request. In some circumstances where Physitrack corrects or updates a record, Physitrack may still require the retention of the original record. Physitrack will retain your personal data for as long as your Account is active or as needed to provide the Service to you, to resolve disputes, enforce agreements or comply with any legal obligations. If you wish to delete your Account or request that Physitrack no longer uses your personal data, you can contact us at support@physitrack.com.

7. Can this policy be changed? 

It is possible for this policy to be amended in the future. Any changes to the policy will be mentioned on the Website, so it is recommended to regularly have a look at the Website. Your continued use of the Service and this Website after any changes to this policy means that you consent to such changes. 

8. Australian privacy rights  

If you are an Australian resident, you acknowledge and consent that Australian Privacy Principle 8.1 will not apply to an overseas disclosure of your personal information in accordance with this policy, including in relation to Intercom and Full Contact. In addition, if you have any requests or complaints about this policy, you may send these to support@physitrack.com. Physitrack may respond to your request within 4 weeks. If you are dissatisfied with the outcome, you may make a complaint to the Australian Information Commissioner at the Office of the Australian Information Commissioner via telephone to 1300 363 992 (if calling within Australia) or +61 2 9284 9749 (if calling outside Australia) or online at www.oaic.gov.au.

9. Questions? 

If you have any questions, please do not hesitate to contact us via support@physitrack.com.

Last modified: April 2017 (switched from Intercom.io to Customer.io)

This addendum is applicable to Healthcare Practitioners using Physitrack from Canada.

Physitrack, and all of its employees, contractors and representatives, will take all reasonable precautions with the storage and handling of any patient information, and will comply with the obligations of the British Columbia Personal Information Protection Act (“PIPA”). As part of these duties Physitrack shall:

  1. Only collect, use, access, and retain the information provided to it as identified in the subscription agreement between Physitrack and Customers (the Healthcare Providers).
  2. Allow a Customer access to its information when asked for it, and never deny access because of a disputed payment for services.
  3. Report any privacy breach or security incident to Customers within two business days.
  4. Return or destroy personal information to the Customer when the subscription agreement ends.
  5. Physitrack agrees that all patient information will be stored on servers located in Canada only.
  6. Physitrack, as a normal policy, conducts systems and data security audits performed by independent third-party companies, at least once per year.
  7. Access to Patient Information - Physitrack works to ensure that Access to patient information by Physitrack is appropriately limited, and that all such information is protected with best-in-class security measures. 
  8. Rights to personal Information -
    Physitrack limits access to private patient information only to those individuals with the rights and strict necessity to view it.
    At the server and developer level, secure keys and passwords are issued to any individual authorised to access Physitrack's data and application only insofar as the individual is actively involved with development of Physitrack.
    Physitrack's sales and support employees and contractors have no access to individual patient outcome data other than PhysiApp access codes, and will strictly use this data for support requests initiated either by the patient or the practitioner.
  9. Encryption - All data stored which can reasonably be expected to contain sensitive information is encrypted at-rest, and in transit.
  10. In the Event of Data Breach - in the event of a personal information breach or security incident, Physitrack shall:
    1) Immediately research which (sub)systems have been affected by a possible security breach;
    2) If Physitrack suspects that sensitive practitioner data has been compromised, Physitrack will invalidate practitioner passwords, forcing practitioners to choose a new password upon logging in from a unique email link.
    3) Send an email to all (affected) practitioners and subscribers detailing the nature of the data breach, steps which have been taken to mitigate the data breach, and measures which have been taken to prevent a future reoccurrence of this data breach.
    4) Make available a 12-hour response window via email to support@physitrack.com
    5) Hire an external, ISO-accredited security research company to audit Physitrack's system to confirm that the measures taken are sufficient.

  11. System Outage - Physitrack hosts its applications in world-class data centers. Further, Physitrack uses various monitoring systems to monitor application status and performance.
    In the event of a scheduled, non-emergency outage of more than 20 minutes during business hours, this will be announced either via email or inside the Physitrack application.
    In the event of an unscheduled outage, a Physitrack systems developer will be notified and will investigate the matter as soon as is reasonably possible.

Last updated 27 May 2016