Privacy Policy
1. Who We Are
PhysioKer is a physiotherapy marketplace platform connecting patients with registered physiotherapists in Kerala. "We", "us", or "our" refers to PhysioKer. "You" refers to any patient, physiotherapist, or clinic using this platform.
2. What Data We Collect
Patients: Full name, phone number, district, locality, health complaint description, preferred visit time, and session ratings you submit voluntarily.
Physiotherapists: Full name, phone number, district, locality, professional registration ID (KAPC/IAP/NCAHP), KUHS roll number (for fresh graduates), specialisation, years of experience, clinic name, and subscription status.
Clinics: Clinic name, registration number, contact person, phone, district, locality, physiotherapist count, services offered, and subscription status.
Technical data: Device fingerprint hash (for fraud prevention only — not linked to identity), session logs, and audit events.
What we do NOT collect: GPS coordinates, precise location data, payment card details (handled by Razorpay directly), or any biometric data.
Browser storage: This app uses your browser's localStorage and sessionStorage to remember your session state, improve performance, and (for physiotherapists and clinics) store earnings and revenue data locally for cross-device sync. A one-way hashed device fingerprint is stored for fraud prevention. You can clear this data at any time by clearing your browser data or signing out.
3. Why We Collect It (Purpose)
We collect only what is necessary to:
- Match patients with physiotherapists in their district
- Verify physiotherapist professional credentials before allowing patient-facing profiles
- Process subscription payments for physiotherapist and clinic plans
- Detect and prevent fraudulent account creation
- Comply with applicable law
4. How We Protect Your Data
All data is transmitted over TLS 1.3. Our database provider (Supabase) applies AES-256 encryption at the infrastructure level — your data is encrypted at rest on Supabase-managed servers. Database access is further protected by Row-Level Security (RLS) policies — physiotherapists can only access data for their own assigned patients, not any other patient's data. Patient PINs are stored as one-way SHA-256 hashes and are never recoverable.
Clinical notes (SOAP format) are stored in a restricted table and are accessible only to the physiotherapist who created them. Patients cannot access clinical notes.
5. Who We Share Data With
We share the minimum necessary data with:
- Supabase (database hosting — data is stored on Supabase-secured infrastructure; Supabase is SOC 2 Type II certified)
- Razorpay (payment processing — they receive only what is required to process your subscription, never your health data)
- SMS / OTP provider (when OTP verification is enabled — they receive only your phone number for the duration of the verification. The specific provider will be named here when this feature is active.)
- Assigned physiotherapist — when you submit a request, your name, district, locality, and health complaint are shared with the physio who accepts your case
We never sell your data. We never share your data with advertisers.
6. Location Data
PhysioKer does not store GPS coordinates or real-time location data on our servers. Matching is based on the district you select at registration. After a physiotherapist accepts your case, you may choose to share your live location directly with them via Google Maps (a temporary link that expires — this never touches PhysioKer servers).
7. Your Rights Under DPDP Act 2023
As a data principal under India's DPDP Act, you have the right to:
- Access — request a copy of all personal data we hold about you
- Correction — request correction of inaccurate personal data
- Erasure (Right to Delete) — request deletion of your account and all associated personal data. To exercise this right, contact us at the address below. We will complete deletion within 30 days.
- Grievance redressal — lodge a complaint if you believe your data has been mishandled
8. Data Retention
We retain your data for as long as your account is active. If you delete your account, we delete your personal data within 30 days, except where retention is required by law (e.g. transaction records for GST compliance, which are retained for 7 years per Indian tax law).
9. Children
PhysioKer is not intended for use by persons under the age of 18. If a parent or guardian is booking on behalf of a minor for paediatric physiotherapy, the adult's account is used and the adult is the data principal.
10. Changes to This Policy
We may update this policy as the platform evolves. Material changes will be communicated via email to registered users at least 7 days before taking effect.
11. Contact / Grievance Officer
For data requests, deletion requests, or complaints: