PF
PhysioFlow

Privacy Policy

Last updated: 17 March 2026

1. Introduction

PhysioFlow ("we", "us", "our") is committed to protecting your privacy and handling your personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy explains how we collect, use, store, and protect your information when you use our practice management platform.

2. Data Controller

PhysioFlow acts as a data processor on behalf of physiotherapy and veterinary practices ("Organisations") that use our platform. Each Organisation is the data controller for the patient and client data they enter into PhysioFlow. For data we collect directly (e.g. account registration), PhysioFlow is the data controller.

3. What Data We Collect

We collect the following categories of personal data:

  • Account data: name, email address, password (hashed), and organisation details when you register.
  • Client/patient data: names, contact details, addresses, dates of birth, and other demographic information entered by your Organisation.
  • Special category (health) data: clinical notes, diagnoses, treatment plans, appointment records, and medical reports entered by practitioners within your Organisation.
  • Financial data: invoice records and payment method references (we do not store full card numbers).
  • Technical data: IP addresses, browser type, and session information for security and service operation.

4. Lawful Basis for Processing

We process personal data under the following lawful bases:

  • Contract: processing necessary to provide the PhysioFlow service to you and your Organisation.
  • Legitimate interests: security monitoring, fraud prevention, and service improvement.
  • Explicit consent: for processing special category (health) data, as required under Article 9 of UK GDPR. Consent is obtained at registration and may be withdrawn at any time.
  • Legal obligation: where we are required to retain records by law (e.g. financial records for HMRC).

5. How We Protect Your Data

  • All sensitive personal and health data is encrypted at rest using AES-256 encryption.
  • Sessions are encrypted and transmitted over HTTPS only.
  • Passwords are hashed using bcrypt with a high work factor.
  • Two-factor authentication is available for all accounts.
  • All data is scoped to your Organisation — no other Organisation can access your data.
  • Access is controlled through role-based permissions within each Organisation.

6. Data Retention

We retain data in accordance with the following guidelines:

  • Clinical records: retained for a minimum of 8 years from the date of last treatment, in line with Chartered Society of Physiotherapy (CSP) guidance. For children, records are retained until their 25th birthday or 8 years after last treatment, whichever is longer.
  • Financial records: retained for 6 years as required by HMRC.
  • Account data: retained for the duration of your account and deleted or anonymised within 90 days of account closure.

7. Your Rights

Under UK GDPR, you have the right to:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: request correction of inaccurate data.
  • Erasure: request deletion of your data, subject to legal retention requirements.
  • Data portability: receive your data in a structured, machine-readable format.
  • Withdraw consent: withdraw consent for data processing at any time.
  • Object: object to processing based on legitimate interests.
  • Complain: lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

8. Data Sharing

We do not sell your data. We only share personal data with third parties where necessary to provide the service:

  • Hosting providers: our infrastructure provider processes data on our behalf under a Data Processing Agreement.
  • Payment processing: Stripe processes payment data under their own privacy policy and our Data Processing Agreement.

All third-party processors are vetted for UK GDPR compliance and bound by Data Processing Agreements.

9. Cookies

We use essential cookies only — for session management and CSRF protection. We do not use tracking cookies, analytics cookies, or advertising cookies.

10. Data Breach Notification

In the event of a personal data breach, we will notify the ICO within 72 hours where the breach is likely to result in a risk to individuals' rights and freedoms. We will also notify affected individuals without undue delay where the breach is likely to result in a high risk.

11. Contact

For any questions about this privacy policy or to exercise your data rights, please contact us at: privacy@physioflow.com