What types of data does Physitrack process?
Physitrack is a platform designed from the ground up around privacy and security of both your own and your patient's data. All policies and engineering standards follow this principle. Further, Physitrack is not in the business of sharing data with third parties. Our revenue comes from subscriptions and enterprise features, plain and simple.
- Physitrack runs its applications and databases on Amazon Web Services (AWS). AWS operates perhaps the most secure data centers in the world.
- Data is stored in a database that is hosted in the same data center ("availability zone") as the server on which you use Physitrack. For example, if you use us.physitrack.com, both the application and the database are in the US, and if you use nl.physitrack.com, both the application and the database are in the EU.
- The database is encrypted "at rest" (AES-256) as well as "in flight" (when being transferred between your browser/device and our application).
- Physitrack makes two types of database backups: a real-time backup and a backup that is made every 24 hours. These backups are stored in a different data center from the online database to avoid data loss in case of a catastrophe.
- Backups are encrypted.
Note that Physitrack does not store any credit card information on its systems. Payments are processed by Stripe, our payment processor.
Data processing details
| Subject matter, nature and purpose of processing | The provision of the services to the customer |
| Duration | The duration of the agreement |
| Categories of personal data | Name, gender, year of birth, telephone number (optional for patients), email address (optional for patients), government ID number (only for Swedish customers), NHS ID (only for UK customers), access code & exercise program, outcome measures, adherence data and messages feedback, IP address and timestamp of various user actions, video call log, video call audio, diagnosis code, custom exercise videos and images, app preferences (e.g. preferred language) |
| Categories of data subjects | Customer’s patients who are end users of the platform |
| Data exporter | Physitrack PLC |
| Data importer | You |
Third-party vendors (subprocessors) that process data on behalf of Physitrack
| Subprocessor | Controls in place | Description | Data Type |
| ActiveCampaign EU |
GDPR-compliant, Data Processing Agreement in place | We use ActiveCampaign within our Physitrack platform to streamline our email communications and customer management, both for new and existing customers. Our goal is to optimise the experience of ourexisting Physitrack subscribers and to provide a smooth onboarding process for new customers and users. ActiveCampaign will not process any identifiable patient data. | Organisation name, first name, last name, address, contact name, contact email address, contact phone number, usage numbers from CRM |
| ADA EU |
GDPR-compliant, Data Processing Agreement in place | We use ADA as our AI-powered support agent which automates routine inquiries, offers 24/7 support, and provides personalized assistance. | Name, surname, email, IP address, account details including settings and subscription details |
| Amazon Web Services Instances used based on Customer location |
GDPR-compliant, Data Processing Agreement with Standard Contractual Clauses in place | Cloud Service provider. Different AWS regions based on data residency requirements. | First & last name, gender, year of birth, mobile phone, email, IP address, timestamp of various user actions, access code & exercise program, outcome measure results (if assigned), messages feedback (if enabled), video call log (if enabled), video call audio (if enabled), adherence details (if enabled), diagnosis code (if enabled), custom exercise videos and images (if added), app preferences (e.g. preferred language) |
| Cloudflare USA |
GDPR-compliant, Data Processing Agreement with Standard Contractual Clauses in place | We use Cloudflare for DNS and content distribution. | IP Addresses & timestamps |
| Chargebee EU |
GDPR-compliant, Data Processing Agreement in place | We use Chargebee to help manage our subscription process and invoicing. | Practitioner's billing information such as name, email and payment method. No Patient data is sent to Chargebee. |
| Coconut.co USA / EU |
GDPR-compliant, Data Processing Agreement in place | We use Coconut to transcode all videos into web/mobile viewable formats. Coconut automatically deletes all uploaded content after 24 hours. | Video featuring a patient |
| Data Dog USA / EU |
GDPR-compliant, Data Processing Agreement with Standard Contractual Clauses in place | We use Data Dog to monitor and improve the performance of our application and infrastructure. | IP Addresses & timestamps |
| FullStory EU (Germany) |
GDPR-compliant, Data Processing Agreement in place | We use FullStory as an analytics tool to help us understand how Practitioners interact with our products to improve our services. | Practitioners’ website and apps interactions, including events onsite, clicks and scrolls. Name, email address. No Patient data is sent to FullStory. |
| Google Workspace USA |
GDPR-compliant, Data Processing Agreement & Standard Contractual Clauses in place | We use Google Workspace to host our emails. | Customer contact details and invoicing information may be sent over the email. |
| Help Scout USA |
GDPR-compliant, Data Processing Agreement & Standard Contractual Clauses in place | We use Helpscout to process customer support emails and display our online knowledge base. | Name, email, IP address |
| Twilio USA |
GDPR-compliant, Data Processing Agreement with Standard Contractual Clauses in place | We use Twilio to send access codes via SMS to clients and send various notifications via SMS to practitioners. | Mobile phone number and information shared between Practitioner and Patient |
| Webflow USA |
GDPR-compliant, Data Processing Agreement with Standard Contractual Clauses in place | We use Webflow to improve our marketing website design and development capabilities. | Full name, email, and a choice from a survey (list of bullet points). No Patient data is sent to Webflow. |
| Zapier USA |
GDPR-compliant, Data Processing Agreement with Standard Contractual Clauses in place | We use Zapier to improve workflow automations across various applications. This will help us integrate data smoothly and enhance operational efficiency for our services. Zapier will not process any identifiable patient data. | Organisation name, first name, last name, address, contact name, contact email address, contact phone number, usage numbers from CRM, account details including settings and subscription details. No Patient data is sent to Zapier. |
| Zoom Video Communications Inc. USA / EU |
GDPR-compliant, Data Processing Agreement with Standard Contractual Clauses in place | We use Zoom for telehealth to enhance our service capabilities, ensuring efficient, reliable, and high-quality communication. | Meeting recordings and Meeting transcriptions |
Note: healthcare practitioners may choose to automatically share adherence details and exercise program information from Physitrack to their patient management system. This is done at the discretion and under the control of the clinic or healthcare practitioner.