Privacy Policy

Version 1.1 | Last Updated: April 14, 2026

GDPR & HIPAA Compliant: This application is designed to comply with the General Data Protection Regulation (GDPR) and Health Insurance Portability and Accountability Act (HIPAA).

1. Data Controller

PhysiologicPRISM
Email: security@physiologicprism.com

2. What Data We Collect

2.1 Personal Information

User Account Data: Name, email address, institute affiliation, password (hashed)
Patient Health Information (PHI): Patient names, age, contact information, medical history, assessment records, treatment plans
Usage Data: Login/logout times, actions performed, IP addresses (for security)

2.2 Technical Data

Cookies: Session cookies (required for authentication), CSRF tokens (required for security), analytics cookies (optional, for website improvement)
Logs: Audit trail logs of all user actions for security and compliance
Analytics Data: Page views, clicks, navigation paths, session recordings (on public pages only), device information, browser type, geographic location (country-level)

3. Legal Basis for Processing (GDPR)

We process your personal data based on:

Consent: You provide explicit consent during registration
Contractual Necessity: Required to provide physiotherapy services
Legal Obligation: Required for healthcare compliance (HIPAA, medical record keeping)
Legitimate Interest: Fraud prevention, security monitoring, system improvement

4. How We Use Your Data

Service Delivery: Provide physiotherapy assessment and treatment planning tools
Security: Monitor for unauthorized access, prevent fraud, maintain audit logs
Communication: Send account-related notifications (approval status, security alerts)
Compliance: Meet legal obligations for healthcare data retention and audit trails
Analytics & Improvement: Analyze website usage patterns, understand user behavior, improve user experience (public pages only; no PHI collected)

5. Data Sharing

We do NOT sell your personal data. We share data only in these circumstances:

Within Your Institute: Your institute administrators can view your activity logs
Service Providers: Microsoft Azure (cloud infrastructure and database hosting), OpenAI (only if AI features enabled and you consent)
Legal Requirements: When required by law or to protect legal rights

5.1 Third-Party Services

Microsoft Azure: Cloud infrastructure and database hosting (BAA signed for HIPAA compliance)
OpenAI API: AI-powered suggestions (only if enabled; BAA required; data is anonymized)
Google Analytics: Website analytics and visitor tracking (public pages only; no PHI collected). See Google's Privacy Policy
PostHog: Product analytics, session replay, and user behavior tracking (public pages only; no PHI collected). See PostHog's Privacy Policy

Note on Analytics: Google Analytics and PostHog are only used on public marketing pages (homepage, blog, pricing). Once you log in to the application, these analytics tools are disabled and do not track your activity or patient data.

6. Your Rights Under GDPR

As a data subject, you have the following rights:

6.1 Right to Access

Request a copy of all personal data we hold about you.

6.2 Right to Rectification

Correct inaccurate or incomplete personal data.

6.3 Right to Erasure ("Right to be Forgotten")

Request deletion of your personal data (subject to legal retention requirements).

6.4 Right to Data Portability

Receive your data in a structured, machine-readable format (JSON).

6.5 Right to Withdraw Consent

You can withdraw consent for data processing at any time by deleting your account.

6.6 Right to Object

Object to processing based on legitimate interests (contact us at privacy@your-domain.com).

6.7 Right to Lodge a Complaint

You can file a complaint with your local data protection authority if you believe we violated GDPR.

7. Data Retention

User Accounts: Retained while account is active; deleted 30 days after account deletion request
Patient Records: Retained for 7 years after last treatment (legal requirement for medical records)
Audit Logs: Retained for 6 years (compliance requirement)
Session Data: Deleted after 8 hours of inactivity

8. Data Security

We implement industry-standard security measures:

Encryption: All data encrypted in transit (TLS/HTTPS) and at rest (Azure encryption)
Access Control: Role-based permissions, admin approval required for new users
Authentication: Secure password hashing (Werkzeug), session timeouts
Monitoring: Comprehensive audit logging, failed login tracking, IP blocking
CSRF Protection: All forms protected against cross-site request forgery
Security Headers: Content Security Policy, X-Frame-Options, HSTS

9. Cookies Policy

We use the following cookies:

Cookie Name	Purpose	Expiry	Type
session	User authentication	8 hours	Strictly Necessary
csrf_token	Security (prevent CSRF attacks)	1 hour	Strictly Necessary
cookie_consent	Remember your cookie preferences	1 year	Functional
_ga, _ga_*	Google Analytics - Track website usage and visitor behavior	2 years	Analytics (Optional)
ph_*	PostHog Analytics - Track user interactions and session recordings	1 year	Analytics (Optional)

Note: Session and CSRF cookies are strictly necessary for the service to function. Analytics cookies (Google Analytics and PostHog) are used on public pages only to improve user experience and are not used to track authenticated users or patient data.

10. International Data Transfers

Your data is stored in Microsoft Azure data centers. If you access the service from outside your region, your data may be transferred internationally. Microsoft Azure has appropriate safeguards in place (Standard Contractual Clauses).

11. Children's Privacy

This service is not intended for individuals under 18 years of age. We do not knowingly collect data from children.

12. Data Breach Notification

In the event of a data breach involving personal data, we will:

Notify affected users within 72 hours
Notify relevant data protection authorities as required by law
Provide details of the breach, affected data, and remediation steps

13. Contact Us

For any privacy-related questions or to exercise your GDPR rights, contact:

Data Protection Officer
Email: security@physiologicprism.com
Response time: Within 30 days (as required by GDPR)

14. Changes to This Policy

We may update this Privacy Policy from time to time. You will be notified of significant changes via email or upon login. Continued use of the service after changes constitutes acceptance of the updated policy.