Privacy Policy
PhysioFlow helps physiotherapy clinics manage patient files, attendance, billing, and appointments. This policy explains what data we process and why, in line with India’s Digital Personal Data Protection Act, 2023 (DPDP).
Who is responsible
Under DPDP, the clinic is the data fiduciary (the equivalent of a controller) for its patients’ personal and health data, and each patient is the data principal. PhysioFlow acts as a data processor and processes that data only on the clinic’s instructions.
What we collect & why
- Clinic & staff: name, email, mobile, GSTIN — to run the account.
- Patients: name, age or date of birth, sex, contact details, weight and height, and treatment and billing records, used to deliver care and to meet medical-record and billing obligations.
- The clinic obtains the patient’s consent and records it in the system when the patient file is created.
Retention
Medical and financial records are retained for the period required by law (the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002 require at least 3 years; longer where other rules apply). An erasure request redacts personal data that is not legally required, but does not destroy records that are still within their legal retention window.
Your rights
Patients may request access to, correction of, or erasure of their data (subject to the retention rules above) by contacting the clinic. Grievances may be raised with the clinic’s grievance officer: [name / email — to be filled by the clinic]. If a grievance is not resolved by the clinic, the patient may complain to the Data Protection Board of India as provided under DPDP.
Sharing & security
Data is stored on managed infrastructure (Supabase) and processed by service providers such as Razorpay (payments). Each clinic’s data is isolated by row-level security policies enforced in the database, so a clinic’s users can read and modify only that clinic’s records. Data is encrypted in transit (TLS/HTTPS) and at rest. We do not sell personal data.
Questions? Contact your clinic. See also our Terms of Service.