Privacy Policy

Last Updated: January 13, 2025

GDPR & HIPAA Compliant: This application is designed to comply with the General Data Protection Regulation (GDPR) and Health Insurance Portability and Accountability Act (HIPAA).

1. Data Controller

PhysiologicPRISM
Email: security@physiologicprism.com

2. What Data We Collect

2.1 Personal Information

User Account Data: Name, email address, institute affiliation, password (hashed)
Patient Health Information (PHI): Patient names, age, contact information, medical history, assessment records, treatment plans
Usage Data: Login/logout times, actions performed, IP addresses (for security)

2.2 Technical Data

Cookies: Session cookies (required for authentication), CSRF tokens (required for security)
Logs: Audit trail logs of all user actions for security and compliance

3. Legal Basis for Processing (GDPR)

We process your personal data based on:

Consent: You provide explicit consent during registration
Contractual Necessity: Required to provide physiotherapy services
Legal Obligation: Required for healthcare compliance (HIPAA, medical record keeping)
Legitimate Interest: Fraud prevention, security monitoring, system improvement

4. How We Use Your Data

Service Delivery: Provide physiotherapy assessment and treatment planning tools
Security: Monitor for unauthorized access, prevent fraud, maintain audit logs
Communication: Send account-related notifications (approval status, security alerts)
Compliance: Meet legal obligations for healthcare data retention and audit trails

5. Data Sharing

We do NOT sell your personal data. We share data only in these circumstances:

Within Your Institute: Your institute administrators can view your activity logs
Service Providers: Google Cloud Platform (Firestore hosting), OpenAI (only if AI features enabled and you consent)
Legal Requirements: When required by law or to protect legal rights

5.1 Third-Party Services

Google Cloud Firestore: Database hosting (BAA signed for HIPAA compliance)
OpenAI API: AI-powered suggestions (only if enabled; BAA required; data is anonymized)

6. Your Rights Under GDPR

As a data subject, you have the following rights:

6.1 Right to Access

Request a copy of all personal data we hold about you.

6.2 Right to Rectification

Correct inaccurate or incomplete personal data.

6.3 Right to Erasure ("Right to be Forgotten")

Request deletion of your personal data (subject to legal retention requirements).

6.4 Right to Data Portability

Receive your data in a structured, machine-readable format (JSON).

6.5 Right to Withdraw Consent

You can withdraw consent for data processing at any time by deleting your account.

6.6 Right to Object

Object to processing based on legitimate interests (contact us at privacy@your-domain.com).

6.7 Right to Lodge a Complaint

You can file a complaint with your local data protection authority if you believe we violated GDPR.

7. Data Retention

User Accounts: Retained while account is active; deleted 30 days after account deletion request
Patient Records: Retained for 7 years after last treatment (legal requirement for medical records)
Audit Logs: Retained for 6 years (compliance requirement)
Session Data: Deleted after 8 hours of inactivity

8. Data Security

We implement industry-standard security measures:

Encryption: All data encrypted in transit (TLS/HTTPS) and at rest (Firestore encryption)
Access Control: Role-based permissions, admin approval required for new users
Authentication: Secure password hashing (Werkzeug), session timeouts
Monitoring: Comprehensive audit logging, failed login tracking, IP blocking
CSRF Protection: All forms protected against cross-site request forgery
Security Headers: Content Security Policy, X-Frame-Options, HSTS

9. Cookies Policy

We use the following cookies:

Cookie Name	Purpose	Expiry	Type
session	User authentication	8 hours	Strictly Necessary
csrf_token	Security (prevent CSRF attacks)	1 hour	Strictly Necessary
cookie_consent	Remember your cookie preferences	1 year	Functional

Note: All cookies are strictly necessary for the service to function. Disabling cookies will prevent login.

10. International Data Transfers

Your data is stored in Google Cloud Platform data centers located in Asia South 1 (Mumbai). If you access the service from outside India, your data may be transferred internationally. Google Cloud has appropriate safeguards in place (Standard Contractual Clauses).

11. Children's Privacy

This service is not intended for individuals under 18 years of age. We do not knowingly collect data from children.

12. Data Breach Notification

In the event of a data breach involving personal data, we will:

Notify affected users within 72 hours
Notify relevant data protection authorities as required by law
Provide details of the breach, affected data, and remediation steps

13. Contact Us

For any privacy-related questions or to exercise your GDPR rights, contact:

Data Protection Officer
Email: security@physiologicprism.com
Response time: Within 30 days (as required by GDPR)

14. Changes to This Policy

We may update this Privacy Policy from time to time. You will be notified of significant changes via email or upon login. Continued use of the service after changes constitutes acceptance of the updated policy.