GDPR: What types of data are collected by Physitrack?

Physitrack is a platform designed from the ground up around the privacy and security of both your own and your clients' data. All policies and engineering standards follow this principle. Physitrack is not in the business of sharing data with third parties: our revenue comes from subscriptions and enterprise features, plain and simple.

  • Physitrack runs its applications and databases on Amazon Web Services (AWS), whose data centers are among the most rigorously secured in the industry.
  • Data is stored in a database hosted in the same AWS region as the application server you use. For example, if you use us.physitrack.com, both the application and the database are in the US; if you use nl.physitrack.com, both are in the EU.
  • Data is encrypted at rest (AES-256) and in transit (while it travels between your browser or device and our application).
  • Physitrack makes two types of database backup: a continuous (real-time) backup and a full backup every 24 hours. Backups are stored in a different data center from the online database so that data survives the loss of a site.
  • Backups are encrypted.

The tables below enumerate what data we store and which third parties, if any, process each field.

Note that Physitrack does not store any credit card information on its systems. Payments are processed by Adyen, our payment processor.

Practitioner data

All fields are stored on AWS; the last column lists any other third party that processes the field ("-" means none besides AWS).

Field name | Description | 3rd-party processors (besides AWS)
First & last name | | Adyen, Chargebee, Customer.io, Chartmogul, Helpscout, Twilio, Dolby.io (initials only)
Email address | | Adyen, Chargebee, Customer.io, Mailchimp
Owner | Which PT Direct account owns this practitioner | Adyen, Chargebee, Customer.io, Chartmogul
Practice name | | Adyen, Chargebee, Customer.io, Chartmogul
Address | | Adyen, Chargebee
Country | | Adyen, Chargebee, Customer.io, Chartmogul
State | | Customer.io, Chargebee
Skype ID | | -
Mobile phone | | Twilio
Timezone | | Customer.io, Chartmogul
VAT ID | | Chargebee
Agreed to terms of service? | | -
Subscription status | | Customer.io, Chargebee, Chartmogul
App preferences | E.g. weight units, notification preferences | -
Password | Stored hashed | -
Affiliation | Practice management system or organization | Customer.io, Chargebee, Chartmogul
API integration | Patient management system (PMS) and the API key for the Physitrack connection to the PMS | Customer.io (only the name of the PMS, not the key)
Attempted logins | Timestamp and IP address of unsuccessful login attempts | -
Custom templates | Custom templates created by this practitioner | -
Messages | Messages sent to and received from clients | -
Video call log | Timestamp and duration of video calls (not their contents) | -
Sign in count | | Customer.io
Last sign in date & IP | IP address and timestamp of user actions; used for performance and security metrics | Customer.io (timestamp only), Data Dog
Current sign in date & IP | IP address and timestamp of user actions; used for performance and security metrics | Data Dog
Creation date | | Customer.io, Chargebee, Chartmogul
Date record was last updated | | -
Search settings | Recent search settings | -
Custom exercise videos and images | | Coconut, Algolia, Customer.io (count only)

Client data

All fields are stored on AWS; the last column lists any other third party that processes the field ("-" means none besides AWS).

Field name | Description | 3rd-party processors (besides AWS)
First & last name | | -
Gender | | -
Year of birth | | -
Government ID number | Only applicable on our Swedish server, and only if the practitioner enters it for their patients | -
Mobile phone | | Twilio
Email | | Mailchimp
IP address and timestamp of user actions | IP address and timestamp of various user actions (across web and API); used for performance and security metrics | Data Dog, Sqreen
Access code & exercise program | Access code and exercise program with its content (exercises and/or educational content and/or outcome measures) | Google Firebase, Fabric.io, Twilio
Outcome measures | Answers to outcome measures | -
Messages | Messages sent by and to the client, including exercise feedback | -
Video call log | Timestamp and duration of video calls made | Dolby.io
Video call audio | If enabled by the practitioner, an mp3 audio recording of video calls made | Amazon Web Services
Adherence details | Completion of sets, reps, hold, pain level, etc. | -
Diagnosis code | Optionally, a practitioner may choose to store diagnosis codes on Physitrack | -
Custom exercise videos and images | The practitioner is prevented from entering the client's first and last name in the exercise title or description | Coconut, Algolia
App preferences | E.g. preferred language | -

Access code & client-identifiable information
An access code alone does not open an exercise program: the client must also enter their year of birth. Only a limited number of incorrect attempts per hour are accepted before PhysiApp locks further attempts, which limits how quickly the year could be guessed by someone who knows an access code.
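The lockout described above is the control that makes a low-entropy second factor (a year of birth has roughly a hundred plausible values) workable. The following Python, added here as an illustration and not Physitrack's own code, shows the shape of such a per-access-code hourly lockout; the one-hour window, the five-attempt budget, the in-memory store and the sample access code are all assumptions.

```python
"""Per-access-code lockout for the year-of-birth check.

Illustrative example added by the editor; it is not Physitrack's code.
The one-hour window, the five-attempt budget, the in-memory store and the
sample access code are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # assumed lockout window
MAX_FAILURES = 5              # assumed number of wrong guesses allowed per window

# Constructed sample data: access code -> (year of birth, exercise programme id)
PROGRAMMES = {"ABC123": (1975, "knee-rehab-01")}


@dataclass
class AccessGate:
    # access code -> timestamps of failed guesses inside the current window
    failures: dict = field(default_factory=dict)

    def _recent_failures(self, code, now):
        cutoff = now - WINDOW
        kept = [t for t in self.failures.get(code, []) if t > cutoff]
        self.failures[code] = kept
        return kept

    def verify(self, code, year, now):
        """Return ("ok", programme), ("denied", None) or ("locked", retry_after)."""
        recent = self._recent_failures(code, now)
        if len(recent) >= MAX_FAILURES:
            # Locked: refuse even a correct year until the oldest failure ages out.
            return ("locked", recent[0] + WINDOW - now)
        entry = PROGRAMMES.get(code)
        if entry is not None and entry[0] == year:
            return ("ok", entry[1])
        # Count failures for unknown codes as well, so the lock state cannot be
        # used as an oracle for which access codes exist.
        recent.append(now)
        return ("denied", None)


def demo():
    """Five wrong years lock the code; a correct year is refused while locked
    and accepted once the oldest failure has aged out of the window."""
    gate = AccessGate()
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    results = []
    for i, year in enumerate([1970, 1971, 1972, 1973, 1974]):
        results.append(gate.verify("ABC123", year, t0 + timedelta(minutes=i))[0])
    results.append(gate.verify("ABC123", 1975, t0 + timedelta(minutes=10))[0])
    results.append(gate.verify("ABC123", 1975, t0 + timedelta(minutes=61))[0])
    return results


def unknown_code_locks():
    """An access code that does not exist is rate-limited exactly like a real one."""
    gate = AccessGate()
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    for _ in range(MAX_FAILURES):
        gate.verify("NOSUCH", 1980, t0)
    return gate.verify("NOSUCH", 1980, t0)[0] == "locked"


if __name__ == "__main__":
    print(demo())                # ['denied', 'denied', 'denied', 'denied', 'denied', 'locked', 'ok']
    print(unknown_code_locks())  # True
```

With a budget of five wrong guesses per hour, enumerating a hundred candidate years takes on the order of twenty hours per access code, so the access code itself has to be the unguessable secret; the year of birth only raises the cost of using a code that has leaked. The trade-off of keying the lock on the access code is that anyone who knows a code can burn its budget and lock the legitimate client out for up to an hour.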

Third-party vendors (subprocessors) that process data on behalf of Physitrack

Each entry gives the subprocessor, where it is located, the controls in place, and what it does for us.

Adyen (Netherlands)
  Controls: GDPR-compliant; data processing agreement in place.
  Purpose: We use Adyen to process our payments. No client data is processed by Adyen.

Algolia (France & USA)
  Controls: GDPR-compliant; Data Processing Agreement with Standard Contractual Clauses in place.
  Purpose: We use Algolia to power our search of exercises. No practitioner or client data that could let Algolia identify practitioners or clients is processed by Algolia.

Amazon Web Services (Luxembourg & USA)
  Controls: GDPR-compliant; Data Processing Agreement with Standard Contractual Clauses in place.
  Purpose: Physitrack owns and controls logical access to the infrastructure maintained by AWS, while AWS maintains the physical security of the servers, network and data centers. To meet data residency requirements, Physitrack is segregated across different AWS regions.

Coconut.co (France)
  Controls: GDPR-compliant; based in the EEA; Data Processing Agreement in place.
  Purpose: We use Coconut to transcode all videos into web/mobile viewable formats. No patient information is sent to Coconut, but videos sent to Coconut for encoding may feature a client. Coconut automatically deletes all uploaded content after 24 hours.

Cloudflare (USA)
  Controls: GDPR-compliant; Data Processing Agreement with Standard Contractual Clauses in place.
  Purpose: We use Cloudflare for DNS and content distribution. Cloudflare supports DNS over TLS and DNS over HTTPS, does not link DNS queries to your IP address (personal data), and limits DNS record retention to 24 hours.

Chargebee (Netherlands, India, USA)
  Controls: GDPR-compliant; data processing agreement and Standard Contractual Clauses in place.
  Purpose: We use Chargebee to help manage our subscription process and invoicing. Information sent to Chargebee includes the practitioner's billing information, such as name, email and payment method. No client data is sent to Chargebee.

Chartmogul (Germany)
  Controls: GDPR-compliant; data processing agreement in place; data is processed in the EU.
  Purpose: We use Chartmogul to analyse revenue and subscription metrics so we can better understand how to evolve our platform and product offering.

HelpHero (New Zealand)
  Controls: GDPR-compliant; guarantees that all information sent to its US sub-processors is appropriately protected; Data Processing Agreement in place.
  Purpose: We use HelpHero to show onboarding tours to practitioners in the demo version of Physitrack and to practitioners who have not yet added any clients. No practitioner or client data is processed by HelpHero.

Helpscout (USA)
  Controls: GDPR-compliant; Data Processing Agreement and Standard Contractual Clauses in place.
  Purpose: We use Helpscout to process customer support emails and to display our online knowledge base (such as the one you are looking at). On the web version of Physitrack, when a practitioner sends a message to Helpscout, Helpscout processes the practitioner's IP address, name and email. Both practitioners and clients can send a support email to support@physitrack.com or support@physiapp.com, which is displayed to a qualified Physitrack staff member. Access to Helpscout is tightly controlled and requires two-factor authentication.

Mailchimp (USA)
  Controls: GDPR-compliant; Data Processing Agreement and Standard Contractual Clauses in place.
  Purpose: We use Mailchimp's "Mandrill" service to send transactional emails such as passwords and access codes. The recipient email and subject line are stored by Mailchimp; the message body is only stored temporarily (at most 1 hour) for debugging and troubleshooting. Access to Mailchimp is strictly limited.

Google Firebase (USA)
  Controls: GDPR-compliant; Data Processing Agreement and Standard Contractual Clauses in place.
  Purpose: We use Google Firebase to detect whether a client or practitioner is online and to generate single sign-on links for patients. No data that would allow a third party to identify the parties is processed by Google Firebase.

Google Workspace (USA)
  Controls: GDPR-compliant; Data Processing Agreement and Standard Contractual Clauses in place.
  Purpose: We use Google Workspace to host our email. All @physitrack.com emails are processed by Google Workspace on behalf of Physitrack.

Customer.io (USA)
  Controls: GDPR-compliant; data processing agreement in place.
  Purpose: We use Customer.io to send onboarding emails and newsletters to practitioners. The information sent to Customer.io is limited to what is required to identify the correct recipients of our various onboarding emails, and includes activity information such as name, email, number of patients, number of assigned exercise programs and subscription information. No client data is processed by Customer.io.

Data Dog (Ireland & USA)
  Controls: GDPR-compliant; data processing agreement with Standard Contractual Clauses in place.
  Purpose: We use Data Dog to monitor and improve the performance of our application and infrastructure. No names or emails are sent to Data Dog (this data is scrubbed before it is sent), and all data is destroyed after 30 days.

Pipedrive (Estonia)
  Controls: GDPR-compliant; Data Processing Agreement in place.
  Purpose: We use Pipedrive to track our sales and enterprise support efforts. No patient data is sent to Pipedrive; only strictly sales- and billing-related customer data (e.g. account type, registration date, number of licenses in use) is processed by Pipedrive on our behalf.

Sentry (USA)
  Controls: GDPR-compliant; Data Processing Agreement and Standard Contractual Clauses in place.
  Purpose: We use Sentry to track errors in our application. No practitioner- or client-identifiable data is processed by Sentry, as this data is scrubbed before it is sent.

Sqreen (USA & France)
  Controls: GDPR-compliant; data processing agreement in place.
  Purpose: We use Sqreen to detect security vulnerabilities and attacks. No practitioner- or client-identifiable data is processed by Sqreen, as this data is aliased before it is sent.

Transifex (Greece & USA)
  Controls: GDPR-compliant.
  Purpose: We use Transifex to dynamically translate our marketing site. Transifex places cookies to remember which language you are viewing the Physitrack marketing site in. No practitioner or client data is sent to Transifex.

Twilio (USA)
  Controls: GDPR-compliant; data processing agreement with Standard Contractual Clauses in place.
  Purpose: We use Twilio to send access codes via SMS to clients and various notifications via SMS to practitioners.

Typeform (Spain)
  Controls: GDPR-compliant; Data Processing Agreement in place.
  Purpose: We use Typeform to collect troubleshooting information from practitioners and their clients. No information is sent to Typeform automatically.

Dolby.io (USA)
  Controls: Data Processing Agreement with Standard Contractual Clauses in place.
  Purpose: We use Dolby.io to help power our video calling functionality. Video streams are encrypted with AES-128 or stronger. Only the practitioner's initials are processed by Dolby.io, together with the practitioner's and patient's IP addresses.

Prograils (Poznan, Poland)
  Controls: Strict confidentiality clauses in place; ISO 27001 certified.
  Purpose: Prograils is Physitrack's application developer and from time to time needs to access production databases to deploy new features, performance improvements and bug fixes. Prograils does not download, process or store patient or practitioner information on its own systems.

Chaos Gears (Warsaw, Poland)
  Controls: Strict confidentiality clauses in place; ISO 27001 certified.
  Purpose: Chaos Gears designs and manages Physitrack's AWS infrastructure and from time to time needs to access production servers and databases for performance and security enhancements. Chaos Gears does not download, process or store patient or practitioner information on its own systems.
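The Data Dog, Sentry and Sqreen entries above rely on names and emails being scrubbed, or identifiers aliased, before an event leaves for the vendor. As an added example that is not Physitrack's code, the following Python shows what such a pre-send filter looks like: identifying fields are dropped, stable identifiers are replaced by a keyed pseudonym, and email addresses inside free text are masked. The field names, the sample event and the aliasing secret are assumptions.

```python
"""Scrubbing and aliasing personal data before events leave for a monitoring vendor.

Illustrative example added by the editor; it is not Physitrack's code. The
field names, the sample event and the aliasing secret are assumptions.
"""
import hashlib
import hmac
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
DROP_KEYS = {"first_name", "last_name", "email", "password", "access_code"}  # assumed field names
ALIAS_KEYS = {"practitioner_id", "client_id"}                                # assumed field names
ALIAS_SECRET = b"server-side-secret-never-sent-to-vendors"                   # assumed secret


def alias(value):
    """Stable pseudonym: the same input always gives the same token, so the
    vendor can still correlate events, but cannot reverse it without the
    secret, which stays on our side."""
    return hmac.new(ALIAS_SECRET, str(value).encode(), hashlib.sha256).hexdigest()[:16]


def scrub(value):
    """Return a copy of value with identifying fields removed, ids aliased and
    e-mail addresses in free text masked. Recurses into dicts and lists."""
    if isinstance(value, dict):
        out = {}
        for k, v in value.items():
            if k in DROP_KEYS:
                continue
            if k in ALIAS_KEYS:
                out[k] = alias(v)
            else:
                out[k] = scrub(v)
        return out
    if isinstance(value, list):
        return [scrub(v) for v in value]
    if isinstance(value, str):
        return EMAIL_RE.sub("[email]", value)
    return value


# Constructed sample event, as an application might build one before sending
# an error report or performance trace to a vendor.
SAMPLE_EVENT = {
    "level": "error",
    "message": "Reminder to anna@example.org failed: SMTP timeout",
    "practitioner_id": 42,
    "email": "anna@example.org",
    "first_name": "Anna",
    "request": {"path": "/clients/17", "client_id": 17, "duration_ms": 812},
    "tags": ["region:eu", "contact:anna@example.org"],
}


def demo():
    """Scrub the constructed sample event."""
    return scrub(SAMPLE_EVENT)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Two caveats a reviewer would raise. First, aliasing is pseudonymisation, and under the GDPR pseudonymised data is still personal data, which is why the entries above still list a data processing agreement even for vendors that receive only aliased values; the secret must stay out of the vendor's reach and should be rotatable. Second, a filter like this only masks what its rules name: the numeric id left in "/clients/17" shows that identifiers embedded in URLs, stack traces or query strings need their own rules, and the allow-list of fields should be reviewed whenever the event schema changes.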


Note: healthcare practitioners may choose to automatically share adherence details and exercise program information from Physitrack with their patient management system. This is done at the discretion and under the control of the clinic or healthcare practitioner.
