PhysioEverywhere

1️⃣ Introduction

PhysioEverywhere is committed to protecting the personal data and privacy of all individuals who use our services, whether in-person or online. We collect and process personal data in accordance with the UK General Data Protection Regulation (GDPR), the Data Protection Act 2018, the Caldicott Principles, and, where applicable, international privacy laws including the EU GDPR and relevant U.S. and Australian data regulations.

2️⃣ Scope

This policy applies to all personal data processed by PhysioEverywhere, including data relating to:

• Patients and service users (UK and internationally)
• Staff and clinicians (employed or contracted)
• Website visitors and users of our online physiotherapy programmes

It also applies to all operations:

• In-person home visits
• Online consultations (video, phone)
• Automated or self-access exercise tools

3️⃣ Legal Basis for Processing

We process personal data under the following lawful bases:

• Consent – for marketing and optional services
• Contract – to deliver our physiotherapy services
• Legitimate Interest – for service improvement and internal quality control
• Legal Obligation – for clinical record-keeping and regulatory compliance
• Vital Interests – in safeguarding scenarios

4️⃣ What Personal Data We Collect

Depending on the services used, we may collect:

• Full name and contact details (email, phone, address)
• Date of birth and gender
• Medical history, health conditions, and treatment notes
• Communication records (emails, chat, and video calls — note: video calls are not routinely recorded; if recording is needed, we will ask for your explicit consent beforehand, and only in exceptional cases such as rehabilitation tracking or safeguarding)
• Device and usage data (via cookies/analytics)
• Location data (for home visit logistics)
• Payment details (for paid services, secured via encrypted platforms)

We will never sell your data to third parties.

5️⃣ Special Category Data

As a healthcare provider, we handle special category data including:

• Physical and mental health records
• Biometric data (e.g. posture images, if used)
• Race/ethnicity (if required for clinical purposes)

This data is treated with the highest level of confidentiality and accessed strictly on a need-to-know basis.

6️⃣ International Users

Our services may be accessed globally. We ensure international data transfers comply with the law through:

• Standard Contractual Clauses (SCCs)
• Adequacy Decisions
• Binding Corporate Rules (where applicable)

7️⃣ Data Sharing

We may share personal data:

• With healthcare professionals (with your consent)
• With third-party software providers we use: Physitrack, Zoom, Mailchimp, Microsoft Teams, Skype
• Where required by law (e.g. safeguarding, fraud)
• With your referrer (e.g. GP or employer, where applicable)

All data processors are contractually bound to maintain confidentiality and meet security standards.

8️⃣ Data Retention

• Clinical records: kept for 8 years from last contact (or longer for legal reasons or if the patient is a minor)
• Website/analytics data: kept for up to 24 months unless needed for legal or security purposes

9️⃣ How You Can Control Your Data

You have the right to:

• Access your personal data
• Correct inaccurate or outdated data
• Request data deletion (where legal retention doesn’t apply)
• Restrict or object to data processing
• Withdraw consent (where processing is based on consent)

If you withdraw consent for optional services such as marketing emails or video recordings for rehab, this will not affect your access to core physiotherapy services.

• Request data portability
• Lodge a complaint with the Information Commissioner’s Office (ICO)

🔐 10. Data Security

We implement industry-standard protections:

• SSL/TLS encrypted communications
• Secure cloud storage (UK/EU)
• Firewalls and access controls
• Role-based access restrictions
• Staff training and background checks
• Anonymisation/pseudonymisation where appropriate

If a data breach affects you, we will notify you and the ICO within 72 hours.

📈 11. Cookies & Website Analytics

See our Cookie Policy for how we use cookies and analytics.

📥 12. How to Make a Data Request

To exercise your rights, email us at [email protected] with the subject line: “Data Request”.

We will verify your identity and respond within 30 calendar days.

⚖️ 13. Caldicott Principles

As a UK healthcare provider, we follow the Caldicott Principles to protect patient confidentiality and ensure ethical use of personal data. These include:

1. Justify the purpose – All uses of personal health data are reviewed and documented.
2. Only use when necessary – We evaluate whether identifiable information is required.
3. Use the minimum data – Only essential data is accessed.
4. Access on a need-to-know basis – Only authorised individuals are granted access.
5. Ensure responsibility – All staff receive confidentiality training and sign data protection agreements.
6. Comply with the law – We fully observe UK GDPR, the DPA 2018, and relevant regulations.
7. The duty to share – Where appropriate, we share data for safety or continuity of care, with consent.

🎓 14. Staff Training, Registration & Governance

At PhysioEverywhere, we uphold the highest standards in both clinical care and data protection. All staff and clinical team members are subject to the following requirements:

• Mandatory Data Protection Training – including GDPR, confidentiality, Caldicott Principles, and safe data handling
• Enhanced DBS Clearance – required for all physiotherapists and visiting staff
• Professional Registration:
  • UK-based physiotherapists are HCPC-registered and CSP members
  • International clinicians are registered with their national professional bodies or hold equivalent qualifications
• Governance Oversight – our Data Protection Officer (DPO) ensures ongoing compliance, conducts regular audits, and updates all internal policies

📬 15. Contact Us

If you have questions or concerns about your data:

• 📧 Email: [email protected]
• 📝 ICO Registration: Registered with ICO – Registration Number pending publication