Privacy Policy

Last Updated: January 1, 2025

1. Introduction

Welcome to BestPhysio ("we," "our," "us"). We are committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, mobile application, and services (collectively, the "Platform").

BestPhysio operates as a multi-country physiotherapy directory and practice management platform. We provide:

  • For Patients: A free service to discover and book appointments with verified physiotherapists
  • For Providers: Subscription-based practice management tools and online presence

Important: We do NOT process, collect, or handle any payments between patients and physiotherapists. All financial transactions occur directly between you and your chosen healthcare provider.

This Privacy Policy is designed to comply with applicable data protection laws including:

  • Digital Personal Data Protection Act, 2023 (India)
  • General Data Protection Regulation (GDPR) (EU/UK)
  • Health Insurance Portability and Accountability Act (HIPAA) (USA, where applicable)
  • Privacy Act 1988 (Australia)

2. Information We Collect

2.1 Information You Provide Directly

For All Users (Patients & Providers):

  • Account Registration: Name, email address, password (encrypted), phone number (optional), country
  • Profile Information: Profile photo, display name, user preferences
  • Google OAuth Data: If you sign in with Google, we receive your name, email, and profile photo from Google

For Patients:

  • Booking Information: Appointment requests, preferred date/time, symptoms or reason for visit (optional)
  • Favorites & Preferences: Saved/bookmarked physiotherapists and clinics
  • Reviews & Ratings: Your feedback, ratings, and comments about providers (publicly displayed)
  • Communication: Messages sent through our booking system

For Providers (Physiotherapists/Clinics):

  • Professional Registration: License number, registration authority, educational qualifications
  • Practice Details: Clinic name, complete address, business hours, specialties, services offered, pricing
  • Team Members: Staff information (name, role, permissions) for multi-user accounts
  • Tax Information: GST number, business registration details for invoicing purposes
  • Subscription Data: Plan selected, billing preferences, subscription status
  • Media: Clinic photos, gallery images, promotional materials

Patient Medical Records (Provider-Managed Only):

Important: Medical records are created and managed by physiotherapist providers, not by BestPhysio directly.

When providers use our practice management tools, the following patient data may be stored:

  • Patient demographics (name, email, phone, date of birth, gender, address)
  • ABHA (Ayushman Bharat Health Account) number (India only, optional)
  • Medical history, allergies, current medications
  • Treatment plans, progress notes, prescriptions
  • Appointment history and clinical notes
  • Uploaded medical documents (X-rays, MRI scans, lab reports, prescriptions)

Data Ownership: Patient medical records are owned by the treating physiotherapist/clinic. BestPhysio acts as a secure data processor and storage provider.

2.2 Information Collected Automatically

  • Device Data: IP address, browser type, operating system, device identifiers
  • Location Data: Country and city-level location (via IP geolocation) to route you to the appropriate country-specific directory
  • Usage Analytics: Pages viewed, features used, time spent, search queries, click patterns
  • Cookies & Tracking: Session cookies, authentication tokens, preference cookies
  • Firebase Analytics Data: App performance metrics, user engagement statistics, error logs

3. How We Use Your Information

3.1 For Patients:

  • Facilitate appointment requests and confirmations with physiotherapists
  • Show you relevant physiotherapists based on your location, search criteria, and preferences
  • Send appointment confirmations, reminders, and updates (with your consent)
  • Remember your favorite providers, search preferences, and booking history
  • Display your submitted reviews and ratings to help other patients
  • Maintain your profile, login credentials, and preferences
  • Respond to your inquiries and resolve issues

3.2 For Providers:

  • Enable patient record management, appointment scheduling, billing, and clinical documentation
  • Display your profile, clinic information, and reviews to potential patients
  • Validate your professional credentials and license status
  • Process your subscription, send invoices, and manage your account tier
  • Provide insights into your profile views, appointment bookings, and patient engagement
  • Send booking notifications, subscription reminders, and platform updates

3.3 For All Users:

  • Maintain, improve, and secure our services
  • Comply with applicable laws, regulations, and legal processes
  • Detect and prevent fraudulent accounts, fake reviews, and security threats
  • Analyze aggregated, anonymized data to improve our platform

5. How We Share Your Information

5.1 With Physiotherapists/Providers:

When you book an appointment, we share your name, contact information, and appointment details with the selected physiotherapist to facilitate your visit. Patient medical records are only accessible to the provider you've visited.

5.2 With Service Providers (Third Parties):

We share data with trusted third-party service providers:

  • Firebase (Google Cloud): Authentication, database hosting, file storage, analytics
  • Vercel: Web hosting and content delivery
  • Email/SMS Providers: Appointment confirmations and notifications
  • Payment Processors: ONLY for provider subscription payments (not patient-provider payments)

We Do NOT:

  • Sell your personal data to third parties
  • Share your medical records without your consent
  • Use your health information for advertising purposes
  • Share patient payment information (we don't collect it)

6. Data Security

We implement industry-standard security measures to protect your personal information:

Technical Safeguards:

  • Encryption: Data in transit is encrypted using TLS/SSL; data at rest is encrypted in Firebase/cloud storage
  • Authentication: Passwords are hashed using bcrypt; multi-factor authentication available
  • Access Controls: Role-based access control (RBAC) ensures staff members only access necessary data
  • Firebase Security Rules: Strict database rules prevent unauthorized access
  • Regular Audits: Security assessments and penetration testing

Medical Record Security:

  • FHIR Compliance: Medical data stored in Fast Healthcare Interoperability Resources (FHIR) standard format
  • HIPAA Alignment: Technical safeguards aligned with HIPAA requirements (for US operations)
  • Access Logging: All access to patient medical records is logged for audit purposes

Important: No system is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. Please use strong passwords and keep your login credentials confidential.

7. Data Retention

Patient Accounts:

  • Active Accounts: Retained as long as your account is active
  • Deleted Accounts: Most personal data deleted within 90 days of account deletion
  • Appointment History: Retained for 7 years for legal compliance
  • Reviews: Remain public even after account deletion (anonymized to "Former User" if requested)

Provider Accounts:

  • Active Subscriptions: Retained as long as subscription is active
  • Cancelled Subscriptions: Account data retained for 7 years for tax/audit purposes

CRITICAL NOTE: Patient Medical Records

Patient medical records CANNOT BE DELETED due to medical record-keeping regulations. They are retained permanently for legal compliance and medical continuity of care, even if provider subscription ends. Records can only be archived/deactivated.

8. Your Rights and Choices

Depending on your location, you have the following rights regarding your personal data:

8.1 Access & Portability:

  • Request a copy of your personal data in machine-readable format (JSON/CSV)
  • Request copies of your medical records from your physiotherapist

8.2 Correction & Update:

  • Update your profile information anytime via account settings
  • Request correction of inaccurate information

8.3 Deletion & Erasure:

  • Request account deletion (subject to retention requirements)
  • Medical records and certain legal documents cannot be deleted per regulatory requirements

8.4 Marketing Opt-Out:

  • Unsubscribe from promotional emails via link in emails or account settings
  • Disable analytics via browser settings

To Exercise Your Rights:

Email us at: privacy@physiofinder.com

Response Time: Within 30 days (or as required by local law)

9. Cookies and Tracking Technologies

We use cookies and similar technologies to improve your experience:

Essential Cookies (Cannot be disabled):

  • Authentication: Keep you logged in
  • Security: Prevent CSRF attacks and fraud
  • Session Management: Remember your session state

Performance Cookies (Can opt-out):

  • Analytics: Google Analytics/Firebase Analytics for usage statistics
  • Error Tracking: Monitor bugs and crashes

Functional Cookies (Can opt-out):

  • Preferences: Remember your country, language, favorites
  • Search History: Improve search suggestions

Managing Cookies: Most browsers allow you to control cookies via settings. Note that disabling essential cookies may affect platform functionality.

12. Children's Privacy

BestPhysio is not intended for children under 18 years of age (or the age of medical consent in your jurisdiction).

  • You must be 18+ to create an account
  • If a minor requires physiotherapy, a parent/guardian must book on their behalf
  • We do not knowingly collect data from children

If we discover we've collected data from a child without parental consent, we will delete it immediately.

14. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, services, or legal requirements.

Notification: Material changes will be notified via email and/or prominent notice on our Platform at least 30 days before changes take effect.

Your Continued Use: Using the Platform after changes take effect constitutes acceptance of the updated policy.

15. Contact Us

Data Protection Officer:

BestPhysio Data Protection Team

Email: privacy@physiofinder.com

Response Time: Within 5 business days for inquiries, 30 days for formal requests

General Inquiries:

Email: support@physiofinder.com

Website: www.physiofinder.com/about

16. Country-Specific Provisions

India (DPDP Act 2023):

  • BestPhysio registered as Data Fiduciary
  • Integration with ABDM consent framework for health records
  • Patient medical data from Indian clinics stored in India
  • Rights: Access, correction, erasure (subject to legal retention), data portability, grievance redressal

European Union/UK (GDPR):

  • BestPhysio acts as Data Controller for platform data
  • Acts as Data Processor for provider-managed medical records
  • Legal Basis: Contract, consent, legitimate interests, legal obligation
  • Rights: Access, rectification, erasure, restriction, portability, objection
  • DPO Contact: dpo@physiofinder.com

United States:

  • HIPAA Alignment: Business Associate Agreements in place for health data processing
  • State Privacy Laws: Compliance with CCPA (California), VCDPA (Virginia), and other state laws where applicable

Australia:

  • Privacy Act 1988: Compliance with Australian Privacy Principles (APPs)
  • Notifiable Data Breaches: Mandatory breach notification to OAIC and affected individuals
  • Cross-Border Disclosure: Transfers comply with APP 8

By using BestPhysio, you acknowledge that you have read, understood, and agree to this Privacy Policy.

Last Updated: January 1, 2025 | Version: 1.0