Physitrack and the GDPR

The General Data Protection Regulation (GDPR) is a European privacy law, applicable throughout the European Union (EU) since 25 May 2018. The GDPR deals with the protection of personal data and regulates the rights of citizens, responsibilities of organisations and powers of regulators when it comes to (the processing of) personal data.

  • You can find more information about the GDPR on (among others) Wikipedia (opens in new window).
  • You can also find several videos on YouTube on how the GDPR may affect your clinic or practice.

The protection of personal data of both healthcare practitioners and patients is incredibly important to Physitrack. On this page, we outline how Physitrack complies with the seven requirements listed in the GDPR. If you have any questions, please contact us at


In obtaining consent for data use, companies cannot use indecipherable terms and conditions filled with legalese. It must be as easy to withdraw consent as to give it.

Physitrack's Terms of Service and Privacy Policy are written in clear English and divided into logical chunks. A healthcare practitioner can delete both his own and patients' accounts at any time.

Breach Notification

In the event of a data breach, data processors have to notify their data controllers and customers of any risk within 72 hours.

Physitrack has a communication infrastructure in place which will let us quickly communicate information in the event of a data breach.

Right to Access

Data subjects have the right to obtain a confirmation from the data controller of how their personal data is being processed by the data controller. On demand, the data controller should provide an electronic copy of personal data to data subjects at no charge.

At any time, practitioners can download their client information as easy to use spreadsheets. Further information on how data is being processed can be found in the Terms of Service and Privacy Policy.

Right to be forgotten

When data is no longer relevant to its original purpose, data subjects can request the data controller to erase their personal data and cease its dissemination.

  • If you are a healthcare practitioner, you can remove any patient at any time, as well as remove your own Physitrack account.
  • If you are a patient, you can request that your healthcare practitioner remove your data from their Physitrack account.

Data Portability

Allow individuals to obtain and re-use their personal data for their own purposes by transferring it across different IT environments.

A practitioner can quickly export all of a patient's data for re-use in other applications.

Privacy by Design

Inclusion of data protection from the onset of the system's design, with the implementation of appropriate technical and infrastructural measures.

Physitrack is tested regularly for various security vulnerabilities, both during development, where static analysis algorithms check code before it is checked into our continuous integration pipeline, and on our production systems, where weekly scans are conducted for (among others) OWASP-10 vulnerabilities.

Data Protection Officer (DPO)

Physitrack's DPO can be reached at

Physitrack is registered with the UK Information Commissioner's Office (ICO) under number ZA396165. Our representative within the EU with respect to our obligations under European data protection law is Physiotools Oy incorporated and registered in Finland with company number 0491074-9 (Kehräsaari B, 5th Floor, 33200 Tampere, Finland). Email:

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Get in touch: Contact Physitrack Contact Physitrack