What types of data does Physitrack process?
Physitrack is a platform designed from the ground up around privacy and security of both your own and your clients' data. All policies and engineering standards follow this principle. Further, Physitrack is not in the business of sharing data with third parties. Our revenue comes from subscriptions and enterprise features, plain and simple.
- Physitrack runs its applications and databases on Amazon Web Services (AWS). AWS operates perhaps the most secure data centers in the world.
- Data is stored in a database that is hosted in the same data center ("availability zone") as the server on which you use Physitrack. For example, if you use us.physitrack.com, both the application and the database are in the US, and if you use nl.physitrack.com, both the application and the database are in the EU.
- The database is encrypted "at rest" (AES-256) as well as "in flight" (when being transferred between your browser/device and our application).
- Physitrack makes two types of database backups: a real-time backup and a backup that is made every 24 hours. These backups are stored in a different data center from the online database to avoid data loss in case of a catastrophe.
- Backups are encrypted.
Note that Physitrack does not store any credit card information on our systems.
Payments are processed by Adyen, our payment processor.
Data processing details
| Subject matter, nature and purpose of processing | The provision of the services to the customer |
| Duration | The duration of the agreement |
| Categories of personal data | Name, gender, year of birth, telephone number (optional for patients), email address (optional for patients), government ID number (only for Swedish customers), access code & exercise program, outcome measures, adherence data and messages feedback, IP address and timestamp of various user actions, video call log, video call audio, diagnosis code, custom exercise videos and images, app preferences (e.g. preferred language) |
| Categories of data subjects | Customer’s patients who are end users of the platform |
| Data exporter | Physitrack PLC |
| Data importer | You |
Third-party vendors (subprocessors) that process data on behalf of Physitrack
| Subprocessor | Controls in place | Description | Data type |
| Amazon Web Services Instances used based on Customer location |
GDPR-compliant, Data Processing Agreement with Standard Contractual Clauses in place | Cloud Service provider. Different AWS regions based on data residency requirements. | First & last name Gender Year of birth Mobile phone IP address Timestamp of various user actions Access code & exercise program Outcome measure results (if assigned) Messages feedback (if enabled) Video call log (if enabled) Video call audio (if enabled) Adherence details (if enabled) Diagnosis code (if enabled) Custom exercise videos and images (if added) App preferences (e.g. preferred language) |
| Chargebee EU |
GDPR-compliant, data processing agreement in place | We use Chargebee to help manage our subscription process and invoicing. | Practitioner's billing information such as name, email and payment method. No patient data is sent to Chargebee. |
| Cloudflare USA |
GDPR-compliant, Data Processing Agreement with Standard Contractual Clauses in place | We use Cloudflare for DNS and content distribution. | IP addresses & timestamps |
| Coconut.co USA / EU |
GDPR-compliant, based in EEA. Data Processing Agreement in place. | We use Coconut to transcode all videos into web/mobile viewable formats. Coconut automatically deletes all uploaded content after 24 hours. | Video featuring a patient |
| Customer.io USA |
GDPR-compliant, data processing agreement in place | We use Customer.io to send onboarding emails and newsletters to practitioners. | Name, Email |
| Data Dog USA / EU |
GDPR-compliant, data processing agreement in place with Standard Contractual Clauses | We use Data Dog to monitor and improve performance of our application and infrastructure. | IP Addresses & timestamps |
| Dolby.io USA |
Data Processing Agreement with Standard Contractual Clauses in place. | We use Dolby.io to help power our video calling functionality. | IP addresses |
| Google Workspace USA |
GDPR-compliant, Data Processing Agreement & Standard Contractual Clauses in place | We use Google Workspace to host our email. | Customer contact details and invoicing information may be sent over the email |
| Helpscout USA |
GDPR-compliant, Data Processing Agreement & Standard Contractual Clauses in place | We use Helpscout to process customer support emails and display our online knowledge base (such as the page you are looking at). | Name, Email, IP address |
| Mailchimp USA |
GDPR-compliant, Data Processing Agreement & Standard Contractual Clauses in place | We use Mailchimp's "Mandrill App" service to send transactional emails such as passwords and access codes. | Name, Email |
| Pipedrive Estonia |
GDPR-compliant, Data Processing Agreement in place | We use Pipedrive to track our sales and enterprise support efforts. | Billing-related customer data |
| Sqreen USA (until the end of April 2023) |
GDPR-compliant, data processing agreement in place | We use Sqreen to detect security vulnerabilities and attacks. | IP Addresses & timestamps |
| Twilio USA |
GDPR-compliant, data processing agreement with Standard Contractual Clauses in place | We use Twilio to send access codes via SMS to patients and send various notifications via SMS to practitioners. | Mobile phone number and information shared between Practitioner and Patient |
Note: healthcare practitioners may choose to automatically share adherence details and exercise program information from Physitrack to their patient management system. This is done at the discretion and under the control of the clinic or healthcare practitioner.