
Privacy Policy

1. INTRODUCTION

1.1. Purpose of this Privacy Policy
1.1.1. Protection of personal data: The purpose of this Privacy Policy is to inform you how PhysioDock.com collects, processes, stores, and protects your personal data.
1.1.2. Transparency and control: We want you to understand which data we collect, why we collect it, and how you can exercise your rights.
1.1.3. Privacy as a priority: PhysioDock.com is committed to complying with applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act.

1.2. Who this Policy applies to
This Privacy Policy applies to everyone interacting with PhysioDock.com, including:
1.2.1. Visitors: Individuals who visit and use our website, including forum and blog.
1.2.2. Registered users: Individuals who have created a user account with us.
1.2.3. Course participants: Individuals who participate in courses or webinars through PhysioDock.com.
1.2.4. Members: Individuals with paid memberships, including PhysioDock Plus members.
1.2.5. Customers: Individuals who purchase products or services from our platform.

1.3. What this Policy covers
1.3.1. Processing activities: This Policy covers all processing of personal data that occurs on PhysioDock.com, including:
– Registration of user accounts and subscriptions.
– Purchase of products, courses, and services.
– Use of the AI diagnosis bot and other AI tools.
– Activity in forums and comment sections.
– Cookies and analytics tools.
1.3.2. Controller responsibility: PhysioDock.com is the data controller for your personal data.

1.4. Date of last update
This Privacy Policy was last updated on: [Insert date]
Previous versions of the Policy are available upon request.

1.5. We encourage users to read this Policy carefully
1.5.1. Read carefully: We encourage you to read the entire Privacy Policy to understand how we process your data.
1.5.2. Consent: By using PhysioDock.com, you consent to the processing of personal data in accordance with this Policy.
1.5.3. Questions: If you have questions about this Policy or your privacy rights, contact us at: privacy@physiodock.com.

2. WHAT THIS PRIVACY POLICY COVERS

2.1. Coverage of all services provided by PhysioDock.com
2.1.1. Comprehensive coverage: This Privacy Policy applies to all collection, storage, processing, and sharing of personal data related to the use of services provided by PhysioDock.com. This includes, but is not limited to:
– Creation and administration of user accounts.
– Participation in forum discussions, courses, and webinars.
– Use of PhysioDock Plus membership.
– Use of the AI diagnosis bot and other AI tools.
– Purchase of products and services through the platform.
– Contact with customer service or support.
2.1.2. Third-party services connected to PhysioDock: This Policy also covers how we process data received through third-party providers that assist us with payments, analytics, and marketing, but it does not apply to third-party platforms you may visit via links on our site.

2.2. Use of cookies
2.2.1. Inclusion of cookies: This Privacy Policy covers our use of cookies and similar technologies that collect information about your activity on PhysioDock.com.
2.2.2. Reference to guidelines: For more details on how we use cookies and how you can manage your consent, please read our:
– Cookie Policy (link to our policy).
2.2.3. Purpose of cookies: Our cookies may be used to improve the user experience, analyze traffic, and personalize content and ads.

2.3. Relationship between this Privacy Policy and the Terms of Use
2.3.1. Complementary documents: This Privacy Policy supplements our Terms of Use and describes how we process your personal data.
2.3.2. Priority: If there is a conflict between the Terms of Use and this Privacy Policy regarding personal data, this Privacy Policy shall prevail.
2.3.3. Consent through use: By accepting our Terms of Use, you also consent to the processing of your personal data as described in this Policy.

2. WHAT THIS PRIVACY POLICY COVERS

2.1. Coverage of all services provided by PhysioDock.com
2.1.1. Comprehensive coverage: This Privacy Policy applies to all services offered by PhysioDock.com, including:
– User accounts: Registration, administration, and login.
– Forum: Posting, commenting, and interacting with other users.
– AI services: Use of the AI diagnosis bot and PhysioDock AI.
– Courses and webinars: Participation in courses, events, and professional discussions.
– Membership: Administration of PhysioDock Plus membership.
– Online store: Purchase of products or services.
– Newsletters and marketing: Distribution of information and offers.
2.1.2. Third-party services: The Policy also applies to personal data we receive through third-party services (e.g., payment providers and analytics tools) when you use our services.

2.2. Use of cookies
2.2.1. Inclusion of cookies: This Privacy Policy also covers our use of cookies and similar tracking technologies on PhysioDock.com.
2.2.2. Purpose of cookies: Cookies are used to:
– Improve the functionality of the website.
– Analyze user behavior and optimize the user experience.
– Provide personalized content and advertisements.
2.2.3. Cookie Policy: For more details on how we use cookies and how you can manage your settings, please read our:
– Cookie Policy (link to our policy).

2.3. How this Policy relates to the Terms of Use
2.3.1. Complementary document: This Privacy Policy forms part of and supplements our Terms of Use.
2.3.2. Precedence in case of conflict: If a conflict arises between the Terms of Use and this Privacy Policy concerning the processing of personal data, this Privacy Policy shall take precedence.
2.3.3. Consent through use: By accepting the Terms of Use, you confirm that you have read and agree to the contents of this Privacy Policy.

3. WHAT THIS PRIVACY POLICY DOES NOT COVER

3.1. This Policy does not apply to third-party websites linked from PhysioDock.com
3.1.1. Independent third-party websites: This Privacy Policy does not apply to third-party websites, even if you access them via links from PhysioDock.com. This includes:
– External articles, blogs, or professional resources.
– Third-party forums or social media we reference.
– Online stores or other platforms we collaborate with.
3.1.2. Their own privacy responsibility: Each third-party website has its own privacy policies and guidelines. We encourage you to read their policies carefully before providing personal data.
3.1.3. No responsibility for third parties: PhysioDock.com is not responsible for how third-party websites collect, store, or use your data.

3.2. This Policy does not apply to services provided by advertisers or partners
3.2.1. Third-party advertising: If you click on ads displayed on PhysioDock.com, for example via Google AdSense, this Policy does not apply to information you provide directly to the advertiser.
3.2.2. Partner services: If you purchase products or services from a partner advertised on PhysioDock.com, your personal data will be processed under that partner’s privacy policy.
3.2.3. Third-party payment solutions: If you use a third-party payment solution (e.g., Stripe or PayPal) for purchases via PhysioDock.com, the third-party provider’s privacy policy applies to the payment process.

3.3. Recommendations to the user
3.3.1. Read third-party policies: We recommend that you always review the privacy policies of third-party websites and services you visit via our links.
3.3.2. Be aware of third-party settings: Check your privacy settings on third-party platforms, especially social media.

4. THIRD-PARTY WEBSITES

4.1. PhysioDock may contain links to external websites
4.1.1. External links: PhysioDock.com may contain links to third-party websites, including:
– External professional articles and research reports.
– Advertisements and partner services.
– Course platforms or webinars provided by partners.
4.1.2. For information only: These links are provided to offer useful information or recommendations, but do not necessarily imply endorsement or affiliation between PhysioDock.com and the third-party providers.

4.2. Users should read the privacy policy on third-party websites
4.2.1. Their own privacy responsibility: When you leave PhysioDock.com and visit third-party websites, their privacy policies apply. We encourage you to:
– Read third-party privacy policies before providing personal information.
– Check how third-party websites process and store data.
4.2.2. Social media: If you interact with our profiles on social media platforms (e.g., Facebook, Instagram, or LinkedIn), the platform’s privacy policy applies to your data.

4.3. PhysioDock is not responsible for data processing on external sites
4.3.1. No control over third parties: PhysioDock.com has no control over how third-party websites collect, store, or process your personal data.
4.3.2. No liability for loss or damage: We are not responsible for loss, damage, or privacy breaches arising from your use of third-party websites. This includes:
– Misuse of your personal data by third-party websites.
– Use of cookies or tracking technologies on third-party sites.
– Security breaches at third-party providers.
4.3.3. No joint controllership: PhysioDock.com is not a joint controller with third-party websites unless expressly agreed.

4.4. Recommendations to the user
4.4.1. Check browser settings: Configure your browser to block third-party cookies if you wish to limit data collection on external websites.
4.4.2. Use privacy tools: Use tools such as browser privacy extensions to control third-party tracking.
4.4.3. Be mindful of permissions: If you use third-party accounts (e.g., Google or Facebook) to log into PhysioDock, check which permissions you grant.

5. ADVERTISING AND THIRD-PARTY ADVERTISING PLATFORMS

5.1. Ads may be displayed via third-party providers
5.1.1. Third-party advertising platforms: PhysioDock.com may display ads served by third-party providers, including:
– Google Ads (Google Display Network)
– Meta Ads (Facebook, Instagram)
– Other programmatic advertising platforms
5.1.2. Automatic data collection: These third-party providers may use cookies and similar technologies to collect data about your activity on PhysioDock.com and other websites.
5.1.3. Purpose of advertising: Ads may promote products, courses, webinars, or services relevant to physiotherapy and health.

5.2. Ads may be tailored to the user’s interests (targeted marketing)
5.2.1. Personalized ads: Ads shown on PhysioDock.com may be targeted based on:
– Your browsing behavior on PhysioDock.com (e.g., pages visited or courses viewed).
– Your interests and preferences based on third-party cookies.
– Location data (if you have consented to location services).
5.2.2. Behavioral advertising: Third-party providers may use information about your activity on PhysioDock.com to show you relevant ads on other websites and social media.
5.2.3. No sharing of sensitive data: PhysioDock never shares sensitive health information with advertisers.

5.3. How users can opt out of targeted advertising
5.3.1. Via privacy settings on PhysioDock:
– In our Privacy Settings you can choose to limit the use of cookies for targeted advertising.
– You can withdraw consent for marketing cookies at any time.
5.3.2. Via third-party tools:
– Google Ads: Manage ad settings in Google Ad Settings.
– Meta Ads (Facebook and Instagram): Manage preferences in Meta Ad Preferences.
– Your Online Choices: Use Your Online Choices to control how ads are shown from various advertisers.
5.3.3. Via browser settings:
– You can block or delete cookies in your browser settings.
– Use browser extensions like “Privacy Badger” or “Ghostery” to control tracking.

5.4. Consequences of opting out of targeted advertising
5.4.1. Ads will not disappear: You will still see ads, but they will be general and not tailored to your interests.
5.4.2. Limited user experience: Certain features on PhysioDock.com may be less relevant if you block all cookies.

6. WHAT DATA WE COLLECT AND HOW WE USE IT

6.1. Data collected directly from the user
We collect personal data that you provide when using our services. This includes:

6.1.1. When registering an account:
– Name: Used to identify you as a user and personalize services.
– Email address: Used for login, notifications, and communication.
– Password: Stored in encrypted form and used for secure login.
– Username: Displayed in forums and comment sections.

6.1.2. When purchasing products or services:
– Billing address: Used to issue invoices in accordance with the Norwegian Bookkeeping Act.
– Phone number: Used for delivery updates or support.
– Payment information: Collected via third-party payment solutions (e.g., Stripe or PayPal). PhysioDock.com does not store card details.

6.1.3. When registering for courses:
– Participant details: Name, email, and contact information are recorded for course administration.
– Course log: Participation, progress, and attendance history are stored to provide certificates and statistics.
– Evaluations: If you submit course feedback, it is stored anonymously or linked to your course progress.

6.1.4. When participating in forums:
– Posts and comments: We store all content you publish in the forum.
– Likes and reactions: Interactions with other users’ posts are recorded to encourage active participation.
– Reporting log: If you report inappropriate content, this is recorded together with your user ID.

6.1.5. For PhysioDock Plus membership:
– Subscription details: Start date, membership type, and associated benefits.
– Payment history: Invoices and payment status are stored in accordance with the Norwegian Bookkeeping Act.
– Use of membership benefits: E.g., downloaded courses, discount codes, or access to exclusive articles.

6.2. Data collected automatically
When you use PhysioDock.com, we automatically collect certain information using cookies and similar technologies:

6.2.1. Device information:
– Browser type: To optimize page display.
– IP address: Used for security purposes (e.g., blocking suspicious activity).
– Operating system: To tailor technical support and user experience.

6.2.2. User behavior:
– Pages visited: To analyze which parts of the site are most popular.
– Clicks and navigation: To improve usability.
– Time spent on the site: To understand how users interact with our services.

6.2.3. Location data (if you have consented):
– Used to display relevant content based on your geographic location (e.g., courses near you).
– Collected via browser or device settings.

6.2.4. Log files:
– Error reports: To identify and fix technical issues.
– Technical events: Information about crashes and performance issues.
– Security logs: Events related to unusual login attempts or security breaches.

6.3. Data from third-party sources
In some cases, we receive information from third parties who assist us:

6.3.1. Information from social media:
If you choose to log in via Google, Facebook, or other social media, we receive:
– Name and profile image: To create or update your user account.
– Email address: To link the login to your existing user profile.
We do not collect information about your social media activity beyond what is necessary for login.

6.3.2. Anonymous analytics data from third-party tools:
We use tools such as Google Analytics to analyze how PhysioDock.com is used. This may include:
– Number of visitors and page views
– Average time on page
– Demographic data (in anonymized form)
Analytics data are anonymous and cannot be traced back to you as an individual.

6.3.3. Information from partners:
If you participate in joint campaigns or events with our partners (e.g., a course with a professional association), we may receive:
– Name and contact information: To register you as a participant.
– Course progress: To issue shared course certificates or certifications.

6.4. How we use the collected data
The data we collect are used to:

6.4.1. Service delivery: Create user accounts, process purchases, and manage memberships.
6.4.2. User experience: Personalize content, recommend courses, and improve site navigation.
6.4.3. Security: Prevent fraud, protect against unauthorized access, and safeguard site integrity.
6.4.4. Analytics and development: Understand user behavior and improve our products and services.
6.4.5. Marketing: Show relevant ads (if you have consented) and send newsletters to opted-in users.
6.4.6. Legal obligations: Comply with laws and regulations, including bookkeeping and tax requirements.

6.5. Data storage and security
– Data are stored on secure servers with encrypted databases.
– We limit access to your information to employees and partners who need it to deliver the services.
– Payment data are always handled by PCI-DSS-certified third-party providers.

7. PURPOSES FOR PROCESSING PERSONAL DATA

We process your personal data for specific and legitimate purposes. The main purposes are:

7.1. To create and manage user accounts
7.1.1. Account creation: Username, email, and password are used to register and manage your account.
7.1.2. User settings: We store your preferences and settings, such as language and consents.
7.1.3. Account security: We use IP addresses and login history to protect your account from unauthorized access.
7.1.4. History: Course progress, forum posts, and orders are linked to your account to provide a complete service experience.

7.2. To process purchases and deliver products, courses, and subscriptions
7.2.1. Order processing: We process invoice details, name, and delivery address to fulfill orders for courses, memberships, or products.
7.2.2. Payment administration: Payment information is handled by certified third-party payment providers (e.g., Stripe), while we store payment status and invoices for bookkeeping.
7.2.3. Course administration: Participation, course progress, and certificates are linked to your account.
7.2.4. Membership administration: We process subscription status and payment history for PhysioDock Plus.

7.3. To send newsletters and notifications (consent only)
7.3.1. Newsletters: If you consent, we use your email to send:
– News and updates about PhysioDock.com
– Offers on courses and products
– Exclusive member benefits
7.3.2. Course reminders: We send reminders about upcoming courses, webinars, or events you’ve registered for.
7.3.3. Consent-based communication: You can unsubscribe at any time via the link at the bottom of our emails.

7.4. To provide personalized content and recommendations based on user activity
7.4.1. Personal recommendations: We analyze your behavior to suggest relevant courses and articles.
7.4.2. Targeted advertising: If you have consented to cookies, we may show targeted ads based on your interests.
7.4.3. Tailored forum experience: We show relevant discussions and topics based on your past posts and interactions.
7.4.4. Course suggestions: We may recommend courses based on your completed courses or search history.

7.5. To improve our services through analysis of user behavior
7.5.1. Usage analytics: We collect anonymous data on how users navigate PhysioDock.com to improve the experience.
7.5.2. Technical performance: We analyze error reports and technical logs to ensure the site runs optimally.
7.5.3. User surveys: If you participate in surveys or provide feedback, we use this to further develop our services.
7.5.4. Testing new features: We may run A/B tests to identify solutions that provide the best user experience.

7.6. To protect PhysioDock against fraud, abuse, and illegal activity
7.6.1. Fraud prevention: We use security logs, IP addresses, and login history to detect unusual activity (e.g., repeated failed logins).
7.6.2. Forum moderation: Posts and comments are monitored to detect and remove harassment, hate speech, or illegal content.
7.6.3. Legal action: We may use collected data to assist law enforcement in investigating illegal activity occurring via PhysioDock.com.
7.6.4. Access control: We use multi-factor authentication (2FA) to protect user and admin accounts.

7.7. To comply with legal obligations (e.g., bookkeeping)
7.7.1. Bookkeeping: We store purchase history, invoices, and payment information in accordance with the Norwegian Bookkeeping Act.
7.7.2. Tax and duties: Payment information is stored to meet tax and reporting obligations.
7.7.3. Government access: If we receive a lawful request from authorities (e.g., the police or the Norwegian Data Protection Authority), we may be required to disclose relevant personal data.
7.7.4. Documentation: Consent records (e.g., for newsletters) are stored to demonstrate GDPR compliance.

7.8. Additional information
– We only process personal data necessary for the stated purposes.
– If we intend to use data for a new purpose not described here, we will seek your consent before such processing.
– All purposes rely on legal bases such as consent, contract performance, legal obligations, or legitimate interests.

8. LEGAL BASES FOR PROCESSING

Under the GDPR, we must have a valid legal basis to collect and process personal data. The bases we use are:

8.1. Consent (GDPR Article 6(1)(a))
8.1.1. Purpose: We obtain your consent when processing data for purposes not necessary to fulfill a contract or legal obligation.
8.1.2. When we seek consent:
– Marketing: Before sending newsletters, campaigns, or offers via email or SMS.
– Newsletters: Only users who actively opt in will receive newsletters.
– Cookies: Before storing cookies used for tracking or targeted advertising.
8.1.3. Right to withdraw consent:
– You can withdraw consent at any time via “My Settings” or the unsubscribe link in newsletters.
– Withdrawal does not affect the lawfulness of processing prior to withdrawal.

8.2. Contract performance (GDPR Article 6(1)(b))
8.2.1. Purpose: We process personal data to fulfill our contractual obligations to you.
8.2.2. When we use this basis:
– Subscription: Processing data for PhysioDock Plus membership, including billing and renewals.
– Courses: Registration, course progress, attendance records, and certificates.
– Product purchases: Processing orders, delivery information, and payment history.
8.2.3. Consequences of missing data: If you do not provide necessary information, we cannot create or deliver the services you have ordered.

8.3. Legal obligation (GDPR Article 6(1)(c))
8.3.1. Purpose: We process certain personal data to comply with legal duties under Norwegian law.
8.3.2. When we use this basis:
– Accounting and bookkeeping: We store purchase history, invoices, and payment details in accordance with the Norwegian Bookkeeping Act (stored for at least 5 years).
– Tax and reporting obligations: We may share information with tax authorities if required.
– Government access: Upon request from public authorities (e.g., the Norwegian Data Protection Authority or the Police), we may disclose necessary information.
8.3.3. Retention requirement: We retain data as long as required by applicable laws.

8.4. Legitimate interests (GDPR Article 6(1)(f))
8.4.1. Purpose: We process certain personal data based on our legitimate interests, where processing is necessary to operate, improve, and protect our services.
8.4.2. When we use this basis:
– Service analytics and improvement: User behavior is analyzed to understand service use and enhance the experience (may include anonymized Google Analytics data).
– Developing new services: Data from surveys and feedback are used to develop new features or courses.
– Fraud and abuse prevention: Security logs and monitoring help detect unauthorized logins, unusual activity, and potential threats.
– Forum moderation: We monitor forum content to prevent harassment, spam, or illegal activity.
8.4.3. Balancing test: Where we rely on legitimate interests, we carefully assess whether our interests outweigh the user’s privacy. We take protective measures, such as using anonymized data where possible.

8.5. Combination of legal bases
In some cases, we may process your data under multiple bases simultaneously. For example, we may process your data to fulfill a contract (e.g., a course purchase) while also retaining the data to meet bookkeeping obligations.

8.6. Examples of legal bases in practice
– Sending newsletters: Consent
– Processing course purchases: Contract performance
– Retention of invoices: Legal obligation (Norwegian Bookkeeping Act)
– Analyzing user behavior: Legitimate interests
– Forum moderation: Legitimate interests
– Targeted advertising: Consent (cookies)

8.7. Right to information about legal bases
You have the right to know which legal basis we rely on for your personal data. If you want more information or have objections, contact us at privacy@physiodock.com.

9. PROCESSING CHILDREN’S DATA

9.1. No intentional collection from children under 13
9.1.1. Age limit: PhysioDock.com targets adults and professional users, and we do not knowingly collect personal data from children under 13.
9.1.2. Preventive measures: During registration, users must confirm they are over 13.

9.2. Account deletion upon discovery of unlawful registration
9.2.1. If a child under 13 registers:
– We will immediately deactivate the account.
– All associated personal data will be deleted from our systems.
9.2.2. Notice to parent/guardian: If we discover an unlawful registration, we may notify the child’s parent or guardian if we have sufficient contact information.

9.3. Rights of parents or guardians
9.3.1. Access and deletion: Parents or guardians have the right to:
– Obtain access to the information we hold about their child.
– Require that we delete the information immediately.
9.3.2. How to contact us: Parents or guardians can request deletion via:
– Email: privacy@physiodock.com
– Contact form: PhysioDock.com/contact

9.4. Extra safeguards for courses for children
If PhysioDock offers courses or events for children under 13 in the future, we will:
– Obtain written consent from a parent or guardian.
– Delete information after the course is completed unless otherwise agreed.

9.5. Legal basis for processing children’s data
Processing data about children under 13 only occurs with parental consent in accordance with GDPR Article 8 and the Norwegian Personal Data Act.

10. WHEN AND HOW WE SHARE YOUR DATA

We share personal data with third parties only when necessary to provide our services, comply with legal obligations, or protect our rights. We may share your data in the following situations:

A) With third-party data processors (acting on our behalf)
We use third-party processors to perform services for us. These processors handle data solely according to our instructions and under data processing agreements that protect your privacy.

10.1. Payment providers:
Used to handle payments securely.
Examples: Stripe, Vipps, PayPal.
No card details are stored by PhysioDock; all payment information is handled by the payment providers.

10.2. Email and newsletter providers:
Used to send newsletters, campaigns, and course notifications.
Examples: MailChimp, Brevo (Sendinblue).
We share only your email address and any preferences you selected.

10.3. Analytics tools:
Used to understand user behavior and improve our services.
Examples: Google Analytics, Hotjar.
Data are shared in anonymized or aggregated form where possible.

10.4. Cloud and hosting providers:
Used for secure data storage and service operations.
Examples: AWS (Amazon Web Services), Google Cloud.
Data are stored on secure, encrypted servers.

10.5. Customer support tools:
Used to manage inquiries and complaints.
Examples: Zendesk, Intercom.
Conversations, emails, and chat history are stored in connection with support requests.

B) Where required by law
In some cases, we are required to share personal data with public authorities or other legal entities. This occurs only when mandated by law.

10.6. Sharing with authorities:
– Tax authorities: For reporting revenue and other statutory requirements.
– Norwegian Data Protection Authority (Datatilsynet): Upon request in privacy matters.
– Police: In connection with investigations of criminal acts or fraud.

10.7. During investigations of illegal activity:
We may share data if we have reason to believe it is necessary to:
– Protect our rights, users, or the public.
– Investigate breaches of our Terms of Use.
– Assist in investigations of identity theft, fraud, or abuse.

10.8. Legal proceedings:
If we receive a court order or other legal mandate, we are required to disclose the data specified in that order.

C) In the event of a merger or acquisition
If PhysioDock becomes part of a merger, acquisition, or asset transfer, personal data may be transferred to the new owner.

10.9. Transfer upon change of ownership:
If PhysioDock is sold, merged, or transferred to another entity, your personal data will be transferred as part of the assets.
The new owner is obligated to process your data in accordance with this Privacy Policy.

10.10. Notice of transfer:
If such a transfer occurs, we will inform you by email or a clear notice on our website.
You will have the opportunity to close your account or withdraw consents if you do not want your data transferred to the new owner.

D) We never share your data for commercial exploitation without consent
– We do not sell, rent, or trade your personal data with third parties for marketing purposes.
– We do not share sensitive information—such as health data, course progress, or user profiles—with third-party advertisers.

E) Security when sharing data
We require all third-party processors to:
– Comply with the GDPR and Norwegian privacy legislation.
– Maintain strong security measures, including encryption in transit and at rest.
– Refrain from using your data for their own purposes.

11. THIRD-PARTY PROCESSORS AND DATA PROCESSING AGREEMENTS

11.1. List of key vendors processing data on our behalf
PhysioDock.com uses third-party processors to deliver services, manage data, and improve the user experience. These processors handle personal data exclusively on our behalf and according to our instructions. Key vendors include:

11.1.1. Payment providers:
– Stripe (payment processing) – Handles card payments and billing.
– Vipps (payment processing) – Fast and secure mobile payments.
– PayPal (payment processing) – For international payments.

11.1.2. Email and communications providers:
– MailChimp (newsletters) – Sends emails and campaigns to users who have given consent.
– Brevo (Sendinblue) (email notifications) – Handles email alerts about courses, invoices, and memberships.

11.1.3. Analytics tools:
– Google Analytics (user analytics) – Analyzes traffic and user behavior on the website.
– Hotjar (user behavior) – Maps how users navigate to improve the experience.

11.1.4. Cloud and hosting providers:
– Amazon Web Services (AWS) (processing and storage) – Stores data on secure, encrypted servers.
– Google Cloud Platform (GCP) (cloud services) – Used to run certain services.

11.1.5. Customer support tools:
– Zendesk (customer support) – Manages support requests and chat logs.
– Intercom (live chat) – Used to provide rapid support via chat.

11.1.6. Advertising and marketing platforms:
– Meta Ads (Facebook & Instagram) – Targeted ads for users who have given consent.
– Google Ads – Displays relevant ads based on user interests.

11.2. All processors are bound by Data Processing Agreements (DPAs) ensuring GDPR compliance
11.2.1. GDPR compliance: All third-party processors we use are required to comply with the GDPR under signed DPAs.
11.2.2. Contents of the DPA: Our DPAs specify, among other things:
– Data are processed in accordance with our instructions.
– Data may not be used by the processor for its own purposes.
– Adequate technical and organizational security measures are in place.
– Sub-processors may not be used without our consent.
11.2.3. Security requirements: All processors must:
– Use encryption when transferring and storing personal data.
– Implement firewalls and access controls to protect data.
– Notify PhysioDock.com immediately in the event of a data breach.

11.3. Data are processed only under our instructions and not used for other purposes
11.3.1. Purpose limitation: Processors may not use personal data received from us for their own commercial purposes.
11.3.2. No resale: Our processors are not permitted to sell, rent, or share data with other third parties without our explicit consent.
11.3.3. Return and deletion: Upon termination of a DPA, the processor must either return all data or delete them according to our instructions.
11.3.4. Audit rights: PhysioDock.com reserves the right to conduct audits or request documentation confirming that processors comply with the GDPR and our contractual terms.

11.4. Processing outside the EU/EEA (international transfers)
11.4.1. Transfers to third countries: If a processor transfers personal data outside the EU/EEA (e.g., to the USA), we ensure that:
– The transfer complies with the GDPR, and
– Valid transfer mechanisms are used, such as:
  – Standard Contractual Clauses (SCCs) approved by the European Commission, and/or
  – Frameworks such as the EU–US Data Privacy Framework (where applicable), and
– Transfers are safeguarded with appropriate technical measures, such as end-to-end encryption.

11.5. Examples of our processors’ purposes

Processor | Service | Purpose
Stripe, Vipps, PayPal | Payment solutions | Handle payments and subscriptions
MailChimp, Brevo | Email delivery | Send newsletters and course notifications
Google Analytics, Hotjar | Analytics tools | Improve user experience based on behavior
AWS, Google Cloud | Cloud services | Secure storage of personal data
Zendesk, Intercom | Customer support | Manage inquiries and chat dialogs

11.6. How we keep your data safe with our processors
– Data Processing Agreements (DPAs): All processors sign binding agreements governing how they handle your data.
– Technical security measures: Encryption, multi-factor authentication (2FA), and continuous security monitoring.
– Data minimization: We share only what is necessary for the processor to perform its task.
– Regular audits: We regularly verify that our processors comply with the GDPR and our contractual requirements.

12. RETENTION PERIODS — HOW LONG WE KEEP PERSONAL DATA

We retain personal data for as long as necessary to fulfill the purposes for which they were collected and to comply with legal obligations. When a retention period expires, the data are securely deleted or anonymized. Below are our retention periods for different data types:

12.1. Account information
Retention:
– As long as the user has an active account.
– Up to 2 years after account deletion, unless other legislation requires longer storage.
Purpose:
– Maintain service history if the account is reopened.
– Ensure security and prevent fraud.
Deletion: After 2 years, all associated personal data (including user ID, email, and username) are anonymized.

12.2. Payment history
Retention: 5 years from the end of the financial year to which the transaction relates, pursuant to Section 13 of the Norwegian Bookkeeping Act.
Purpose:
– Comply with legal obligations relating to accounting and tax.
– Document payments in case of complaints or disputes.
Deletion: Payment history is automatically deleted from our active systems after 5 years, but may be retained longer in backups if required by law.

12.3. Course and event history
Retention: Up to 3 years after the course ends.
Purpose:
– Document course participation and progress.
– Issue course certificates or attendance confirmations upon request.
– Improve future courses based on participant feedback.
Deletion: After 3 years, participation data are anonymized so they cannot be traced back to you.

12.4. Marketing consents
Retention:
– Stored until you withdraw consent.
– Upon withdrawal, the data are deleted within 30 days.
Purpose:
– Document valid consent for sending newsletters and marketing.
– Send relevant offers and updates to subscribers.
Deletion: When consent is withdrawn, all marketing communications stop and the consent record is deleted.

12.5. Analytics and log data
Retention:
– Retained for 2 years, then anonymized.
– Aggregated statistics may be kept longer but without any link to individuals.
Purpose:
– Understand user behavior and improve our services.
– Detect errors and ensure technical stability.
Deletion: After 2 years, all identifiers (such as IP addresses, device data, and usage behavior) are anonymized.

12.6. Other data
– Support inquiries: Stored for 2 years after the case is closed, to document prior contact and improve support.
– Reported forum posts: Stored for 1 year after removal of the post, to document guideline breaches.

12.7. Deletion and anonymization
When the retention period expires, we will:
– Delete data (complete removal from our systems), or
– Anonymize data (remove identifiers so they can no longer be linked to an individual). Anonymized data may be used for statistical purposes.
We use security protocols to ensure deletion protects your privacy.

12.8. Examples of retention periods in practice

Data type | Retention | Purpose
Account information | Up to 2 years after deletion | Account recovery & fraud prevention
Payment history | 5 years (Bookkeeping Act) | Accounting & tax
Course/event history | 3 years after course ends | Certificates & documentation
Marketing consents | Until withdrawn | Newsletters & campaigns
Analytics & logs | Anonymized after 2 years | UX improvements & security

12.9. Your rights regarding deletion
You have the right to:
– Request access: See what information we store about you.
– Request deletion: Have data deleted that are no longer necessary.
– Request restriction: Ask us to pause processing while we assess an objection.
To exercise these rights, contact us at privacy@physiodock.com.

13. INFORMATION SECURITY — HOW WE PROTECT YOUR DATA

PhysioDock.com takes information security seriously and has implemented technical and organizational measures to protect your personal data against unauthorized access, loss, misuse, or destruction. Key measures include:

13.1. SSL/TLS encryption for data in transit
13.1.1. SSL/TLS: All data transferred between your browser and our servers are protected with SSL/TLS encryption. This protects:
– Login information (username and password)
– Payment details (via providers such as Stripe and Vipps)
– Personal data during registration and use of our services
13.1.2. HTTPS: The entire PhysioDock.com site uses HTTPS. A padlock in the address bar confirms an encrypted connection.

13.2. Regular security checks and vulnerability testing
13.2.1. Penetration testing: We conduct regular pentests to identify and close security gaps.
13.2.2. Vulnerability scanning: We scan for known vulnerabilities, such as:
– SQL injection
– Cross-site scripting (XSS)
– Brute-force attacks
13.2.3. Security updates: We continuously update software and third-party tools to protect against new threats.

13.3. Access controls — Only authorized personnel can access personal data
13.3.1. Least privilege (PoLP): Only staff and partners who need access to perform their duties are granted access.
13.3.2. Two-factor authentication (2FA): All admins and staff with system access use 2FA.
13.3.3. Access logs: All access to personal data is logged and monitored. Suspicious activity triggers security alerts.
13.3.4. Training: Employees receive regular training in privacy, data security, and GDPR.

13.4. Data backups with regular restoration testing
13.4.1. Automated backups: We take daily backups of critical data.
13.4.2. Encrypted storage: Backups are stored encrypted on secure servers with our cloud providers (e.g., AWS or Google Cloud).
13.4.3. Restore testing: We regularly test restores to ensure rapid recovery in case of data loss or system failure.
13.4.4. Retention: Backups are stored for 90 days; older copies are automatically deleted.

13.5. Measures against unauthorized access, hacking, and data breaches
13.5.1. Firewalls & IDS: Advanced firewalls and intrusion detection systems monitor and block suspicious traffic.
13.5.2. Rate limiting: We limit login attempts to prevent brute-force attacks.
13.5.3. Encryption of sensitive data:
– All passwords are hashed using strong algorithms (e.g., bcrypt).
– Payment data are handled exclusively by PCI-DSS–certified providers.
13.5.4. Secure development practices:
– We use secure coding (e.g., input validation) to prevent vulnerabilities.
– Development and production environments are isolated.

13.6. Incident response plan
13.6.1. Notifications: In the event of a personal data breach, we will:
– Notify affected users without undue delay and within 72 hours where required, in line with GDPR Article 33.
– Inform the Norwegian Data Protection Authority, describing scope, consequences, and measures taken.
13.6.2. Incident handling: A dedicated team immediately takes steps to contain damage and restore normal operations.
13.6.3. Post-incident review: We perform a root-cause analysis and implement measures to prevent recurrence.

13.7. Information Security Officer
Our Information Security Officer (CISO) oversees and improves our security measures. All routines are reviewed annually to ensure compliance with current standards and best practices.

13.8. Examples of our security controls in practice

Security control | Purpose
SSL/TLS encryption | Protects data in transit
Two-factor authentication (2FA) | Prevents unauthorized access
Daily backups | Enables rapid data recovery
Firewalls & IDS | Defends against hacking and intrusions
Password hashing | Protects login credentials
Penetration testing | Finds and closes security gaps

13.9. Your rights as a user
You have the right to information about how your data are secured.
You can request an overview of our security routines by contacting privacy@physiodock.com.

14. DATA BREACH NOTIFICATION

PhysioDock.com follows GDPR-compliant procedures for handling data breaches. We commit to notifying both users and authorities about serious incidents that may affect your personal data.

14.1. User notification in case of a data breach
14.1.1. Prompt notice: If a breach poses a risk to your rights or privacy, we will notify you without undue delay. This applies where the breach could lead to loss of control over your data, identity theft, financial loss, or other significant harm.
14.1.2. How we notify:
– Email to your registered address
– Push notifications or in-account messages if you are logged in
– A notice on our website if direct notification is not possible
14.1.3. What the notice includes:
– What happened: Description of the breach
– What data were affected: Types of personal data leaked or compromised
– Measures taken: How we limited the damage and what you can do to protect yourself

14.2. Reporting to the Norwegian Data Protection Authority (Datatilsynet)
14.2.1. Within 72 hours: For serious breaches that pose a risk to privacy rights, we will report to Datatilsynet without undue delay and no later than 72 hours after becoming aware of the breach.
14.2.2. Report contents:
– Description of the breach (what happened, when, and scope)
– Affected data types (e.g., name, email, payment history)
– Consequences for affected users
– Measures taken to limit damage and prevent future breaches
14.2.3. If reporting exceeds 72 hours: We will state the reason for the delay and provide required information on a rolling basis.

14.3. Measures to limit damage
14.3.1. Immediate response: Upon detecting a breach, we activate our incident plan, including:
– Isolating affected systems to prevent further spread
– Revoking compromised access
– Prompting users to reset passwords if needed
14.3.2. Technical investigation: We perform a thorough technical review to identify the cause and ensure it cannot recur.
14.3.3. Communication: We keep affected users updated with further actions and recommendations.

14.4. Examples of breaches that may trigger notification
– Unauthorized access: A third party gains access to accounts or payment information.
– Data loss: Sensitive data are lost due to system error or hacking.
– Ransomware attack: Data are encrypted by an attacker demanding ransom.
– Misdirection: Personal data is accidentally sent to the wrong recipient.

14.5. User rights in the event of a breach
– Right to information: To know whether your data were affected and what we are doing to protect you.
– Right to guidance: To receive recommendations (e.g., change passwords, enable 2FA).
– Right of access: To request which of your data were affected.

14.6. Lessons learned and improvements
After handling a breach, we conduct an internal review to identify:
– Cause: How the breach occurred.
– Impact: The extent of the damage.
– Improvements: What to do to prevent similar incidents.

14.7. Contact
If you have questions about a data breach or want more information, contact us at:
Email: privacy@physiodock.com
Phone: (to be provided later)

15. YOUR RIGHTS AS A USER

As a user of PhysioDock.com, you have a number of rights regarding the personal data we process about you. These rights are grounded in the General Data Protection Regulation (GDPR). You can exercise your rights by contacting privacy@physiodock.com. We will respond to all requests without undue delay and no later than 30 days, unless otherwise required by law.

A) Right of access (GDPR Article 15)
15.1. What access means: You have the right to know what information we store about you and the purpose of the processing.
15.2. You can request:
– A copy of all personal data we hold about you.
– Information on how the data were collected.
– How long we plan to retain the data.
– With whom we share the data.
15.3. How to request access: Send us a request by email; we will verify your identity before granting access.

B) Right to rectification (GDPR Article 16)
15.4. What rectification means: You have the right to have inaccurate or incomplete information corrected.
15.5. Examples of rectification:
– Change an incorrect email address or phone number.
– Update your address if you have moved.
– Add missing information relevant to your courses or membership.
15.6. How to request rectification: You can update most details yourself in your profile, or contact us for help.

C) Right to erasure (“right to be forgotten”) (GDPR Article 17)
15.7. What erasure means: You can ask us to delete your personal data.
15.8. When you can request erasure:
– When the data are no longer necessary for the purposes collected.
– If you withdraw your consent (e.g., for newsletters).
– If the data are processed unlawfully.
– If you object to processing and we have no overriding legitimate grounds.
15.9. Exceptions: We may be required to retain certain data, for example:
– Payment history: Under the Norwegian Bookkeeping Act (5 years).
– Log data: In connection with security or abuse investigations.
15.10. How to request erasure: Email us; we will delete the data unless there are statutory grounds for continued retention.

D) Right to restriction of processing (GDPR Article 18)
15.11. What restriction means: You can ask us to pause processing of your personal data temporarily.
15.12. When you can request restriction:
– If you contest the accuracy of the data — we restrict processing until verification.
– If processing is unlawful and you prefer restriction over deletion.
– If we no longer need the data but you need it kept to establish, exercise, or defend legal claims.
15.13. Consequence: While restricted, we will store the data but not use it actively.
15.14. How to request restriction: Email us; we’ll confirm when restriction is in effect.

E) Right to data portability (GDPR Article 20)
15.15. What portability means: You can receive your personal data in a structured, commonly used, machine-readable format, and ask us to transfer it directly to another provider.
15.16. When this applies:
– When processing is based on consent or a contract.
– When processing is carried out by automated means.
15.17. Examples:
– Your course progress and participation history.
– Your subscription status and purchase history.
15.18. How to request portability: Email us; we will provide data in a suitable format (e.g., CSV or JSON).

F) Right to withdraw consent (GDPR Article 7)
15.19. What withdrawal means: If we process your data based on consent, you may withdraw it at any time.
15.20. Consequences:
– We stop processing based on that consent.
– You will no longer receive newsletters or marketing if you withdraw consent for this.
15.21. How to withdraw consent:
– Click “Unsubscribe” at the bottom of our emails.
– Change consent settings in your profile.
– Or contact us directly by email.
15.22. Important: Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

G) Right to object (GDPR Article 21)
15.23. What objection means: You may object to processing based on legitimate interests.
15.24. When you can object:
– If we process data for direct marketing.
– If you believe our processing infringes your privacy rights.
15.25. Outcome of objection:
– We stop processing unless we demonstrate compelling legitimate grounds that override your interests.
– For direct marketing, we stop immediately.
15.26. How to object: Send us a written objection specifying which processing you object to.

15.27. How to exercise your rights
– Contact: Send your request to privacy@physiodock.com, stating which right(s) you wish to exercise.
– Identity check: To protect your privacy, we may ask you to verify your identity before processing your request.
– Response time: We respond within 30 days. If your request is particularly complex, we may extend by up to 60 days, and we will inform you of the reason for the delay.

15.28. If you are not satisfied with our handling
– You may complain directly to us at privacy@physiodock.com; we aim to resolve issues amicably.
– You may also complain to the Norwegian Data Protection Authority (Datatilsynet):
– Address: Postboks 458 Sentrum, 0105 Oslo
– Phone: +47 22 39 69 00
– Website: datatilsynet.no

15.29. Summary of user rights

Right | Description | How to exercise
Access | Get an overview of stored data | Submit an access request
Rectification | Correct inaccurate data | Update via profile or contact us
Erasure | Request deletion of data | Email a deletion request
Restriction | Pause processing temporarily | Email a restriction request
Portability | Receive/transfer your data | Request data in a machine-readable format
Withdraw consent | Revoke prior consent | Unsubscribe or change profile settings
Object | Object to processing based on legitimate interests | Send a written objection

16. HOW TO EXERCISE YOUR RIGHTS

We want it to be easy for you to exercise your privacy rights. Below is how to contact us, expected timelines, and applicable exceptions.

16.1. Contact information for privacy-related requests
– Email: privacy@physiodock.com
– Postal address: (To be added when available)
– Contact form: Available at PhysioDock.com/contact
To protect your privacy, we may ask you to verify your identity (e.g., email confirmation or security questions related to your account).

16.2. What to expect when you exercise your rights
– Receipt confirmation: We confirm receipt within 5 business days.
– Response time: We respond without undue delay and no later than 30 days. If the request is complex or we receive many requests, we may extend by up to 60 additional days; you will be notified within 30 days with the reason.
– Cost: Exercising your rights is free. If a request is manifestly unfounded or excessive/repetitive, we may charge a reasonable administrative fee or refuse the request.

16.3. Possible exceptions
In some cases, we must refuse or limit certain rights under the law, including:

16.3.1. Access and erasure:
We may refuse if data are necessary to:
– Meet legal obligations (e.g., bookkeeping data retention for 5 years).
– Establish, exercise, or defend legal claims.

16.3.2. Data portability:
Applies only to data you provided to us and processed based on consent or contract.

16.3.3. Erasure (“right to be forgotten”):
We cannot delete data we must keep by law, such as:
– Payment history: 5-year retention under the Bookkeeping Act.
– Security logs: 2-year retention to prevent fraud.

16.3.4. Restriction:
May be limited where necessary to protect third-party rights or handle ongoing legal claims.

16.4. Complaints about our handling of your rights
– Complain to us: privacy@physiodock.com — we will work to resolve matters promptly.
– Complain to Datatilsynet:
– Address: Postboks 458 Sentrum, 0105 Oslo
– Phone: +47 22 39 69 00
– Website: datatilsynet.no

16.5. Summary — exercising your rights

Right | How to exercise | Response time | Exceptions/limitations
Access | Email request | ≤ 30 days | May be refused due to legal obligations
Rectification | Update profile or contact us | ≤ 30 days | None specific
Erasure | Email request | ≤ 30 days | Legal retention obligations apply
Restriction | Email request | ≤ 30 days | May be limited for legal claims
Portability | Email transfer request | ≤ 30 days | Only for consent/contract-based data
Withdraw consent | Unsubscribe or contact us | Immediate | None
Object | Send written objection | ≤ 30 days | May be overridden by compelling interests (except marketing)

17. COMPLAINTS AND CONTACT WITH THE DATA PROTECTION AUTHORITY

We take your privacy seriously and encourage you to contact us with any questions or concerns about how we process your personal data. If you are not satisfied with our response, you have the right to complain to the Data Protection Authority.

17.1. Right to complain to the Data Protection Authority
If you believe we violate privacy legislation or fail to uphold your GDPR rights, you may complain to Datatilsynet, Norway’s supervisory authority.

17.2. Contact details for Datatilsynet
– Website: datatilsynet.no
– Phone: +47 22 39 69 00
– Postal address: Datatilsynet, Postboks 458 Sentrum, 0105 Oslo
– Email: postkasse@datatilsynet.no (for general inquiries; do not send sensitive data)

17.3. Please contact PhysioDock first
– Email: privacy@physiodock.com
– Contact form: PhysioDock.com/contact
We will:
– Confirm receipt of your complaint within 5 business days.
– Provide a response or solution within 30 days.
If the matter is complex, we will explain any delay and when you can expect a final resolution.

17.4. Complaint process

Step | Description | Deadline
1. Contact PhysioDock | Send complaint to privacy@physiodock.com | Response within 30 days
2. Internal review | We investigate and try to resolve | Within 30 days
3. Complain to Datatilsynet | If unsatisfied, contact the Authority | After our dialogue concludes

17.5. When to contact Datatilsynet
– You believe we process personal data unlawfully.
– We have not fulfilled your rights (e.g., access, deletion, portability).
– We have not responded within a reasonable time.

18. LIMITATIONS ON DELETION OR MODIFICATION OF DATA

While you may request deletion or modification of personal data, certain cases prevent us from complying due to legal obligations, technical constraints, or service functionality.

18.1. Data required under the Bookkeeping Act (Section 13)
18.1.1. Accounting records: We must retain payment history, invoices, and accounting documentation for 5 years from the end of the financial year. This includes:
– Invoices for courses, subscriptions, and purchases.
– Payment confirmations and receipts.
18.1.2. No deletion before the deadline: These data cannot be deleted or anonymized before the statutory period expires, even if you request account deletion.
18.1.3. After 5 years: Data are removed from active systems; backups may retain them for a limited time before permanent removal.

18.2. Usage data used for anonymous statistics
18.2.1. Anonymized data: Usage data collected for service improvement are anonymized and cannot be deleted because they are no longer personal data. Examples:
– Traffic data in Google Analytics (with IP anonymization).
– Aggregated statistics on course completion and participation.
18.2.2. Why they cannot be deleted:
– After anonymization, they are not legally “personal data.”
– They are important for service development.
18.2.3. Your choice: You can object to collection before anonymization by disabling cookies.

18.3. User posts in the forum
18.3.1. Anonymization of posts: If you delete your account, your past forum posts will generally be anonymized, so they can no longer be linked to you.
18.3.2. Why posts aren’t fully deleted:
– Thread integrity: Removing posts can break the flow of professional discussions.
– Community value: Your contributions may help other users.
18.3.3. Exceptions — when posts may be fully deleted:
– Posts that violate our forum rules (e.g., harassment, hate speech, illegal content).
– Posts containing personally identifiable information.
18.3.4. How to request deletion/anonymization of posts: Email forum@physiodock.com; we will assess per our guidelines.

18.4. Summary — limitations on deletion

Data type | Retention requirement | Deletable on request?
Accounting & payment data | 5 years (Bookkeeping Act) | No
Anonymized usage data | No time limit (anonymized) | No (not identifiable)
Forum posts | No fixed period | Yes, only for rule breaches or personal info
Course/participant history | 3 years after course end | Yes, except anonymized statistics

18.5. How to exercise your choices
– Request anonymization of forum posts: forum@physiodock.com
– Disable tracking: Adjust cookie settings via our Cookie Settings page.
– Request access to stored data: privacy@physiodock.com

19. TRANSFERS OF PERSONAL DATA OUTSIDE THE EU/EEA

PhysioDock.com primarily stores personal data within the EU/EEA, but in some cases data may be transferred to third countries. When this occurs, we ensure adequate protection in line with the GDPR.

19.1. When data may be transferred
– Use of international processors (e.g., payments, email delivery, analytics).
– Use of cloud services with servers outside the EU/EEA.
– Collaboration with partners or vendors based outside the EU/EEA.

19.2. Protection for third-country transfers
We only transfer data where adequate protection is ensured through:

A) Adequacy decisions by the European Commission:
Transfers to countries recognized as providing adequate protection (e.g., Switzerland, the UK, Canada (commercial organizations), Japan).

B) Transfers to the USA under the EU–US Data Privacy Framework (DPF):
We transfer only to U.S. companies certified under the DPF, offering protections comparable to the GDPR. Examples include:
– Google LLC (Google Analytics)
– Meta Platforms, Inc. (Facebook/Instagram ads)
– MailChimp (newsletters)

19.3. Standard Contractual Clauses (SCCs)
For transfers to countries without an adequacy decision, we use the EU SCCs, which:
– Specify the personal data types transferred.
– Define required protections during and after transfer.
– Prohibit the recipient from using data for its own purposes.

19.4. Examples of third-country transfers

Service | Purpose | Country | Safeguard
Google Analytics | User analytics | USA | EU–US DPF
MailChimp | Newsletter delivery | USA | SCCs + DPF
AWS (Amazon Web Services) | Cloud services | USA | SCCs + DPF
Meta (Facebook/Instagram Ads) | Targeted advertising | USA | EU–US DPF
Zendesk | Customer support | USA | SCCs + DPF

19.5. Additional safeguards
– Encryption: TLS for all transfers between our systems and third parties.
– Pseudonymization: Where possible, we anonymize or pseudonymize data before transfer.
– Regular audits: We review processors for SCC/GDPR compliance.
– Risk assessments: We assess local laws, vendor security, and potential privacy risks before transfers.

19.6. Your right to information about transfer mechanisms
You may request details of the mechanisms we use, including copies of relevant SCCs (subject to protection of trade secrets). Contact privacy@physiodock.com.

19.7. If a third country cannot ensure adequate protection
We will:
– Halt transfers to that country.
– Notify you if this affects your services.
– Delete already transferred data if necessary.

19.8. Complaints about third-country transfers
– To us: privacy@physiodock.com
– To Datatilsynet: datatilsynet.no | +47 22 39 69 00

19.9. Summary — our transfer approach

Safeguard | When used | Example vendors
Adequacy decision | Country approved by EU Commission | UK, Japan, Switzerland
EU–US DPF | Certified U.S. companies | Google, Meta, MailChimp
SCCs | Countries without adequacy | AWS, Zendesk
Encryption/pseudonymization | All transfers | All processors

20. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy to reflect changes to our services, legal requirements, or internal practices. Please review it periodically to stay informed about how we process your personal data.

20.1. When we may update
– Changes in legislation (e.g., GDPR or Norwegian law).
– New features or services affecting data use.
– Changes in processors or partners.
All updates will comply with applicable privacy laws.

20.2. How we notify you
20.2.1. Notice of material changes: If changes materially affect your rights, we will notify you in advance via:
– Email to your registered address, and/or
– Website notice in your account area or on the homepage of PhysioDock.com.
20.2.2. What we will explain:
– What changed and why.
– How it affects your rights.
– How to contact us with questions or objections.
20.2.3. Timeline: Notice will be given at least 14 days before material changes take effect.

20.3. “Last updated” date
At the top of this Policy, you will always see:
– The Last Updated date, and
– The effective date of the current version.
Prior versions are available in our archive.

20.4. If you do not accept the changes
– You may withdraw consent (where processing is consent-based).
– You may close your account and request deletion of your personal data.
Continuing to use our services after changes take effect constitutes acceptance of the updated terms.

20.5. How to contact us about changes
– Email: privacy@physiodock.com
– Contact form: PhysioDock.com/contact

20.6. Summary — change management

Measure | Description
Policy updates | When laws or our services change
Notice of material changes | Via email and on-site notice
Advance notice period | Minimum 14 days
Visibility of dates | “Last Updated” at the top
Archive | Prior versions available

21. CONTACT INFORMATION FOR PRIVACY QUESTIONS

If you have questions about how we process your personal data or wish to exercise your rights, contact us via the channels below:

21.1. Email for privacy inquiries
– privacy@physiodock.com

21.2. Postal address for written requests
PhysioDock.com
Attn: Privacy Officer
[Postal address to be added when available]

21.3. Data Protection Officer (DPO)
We have appointed a DPO responsible for monitoring compliance with applicable laws and regulations.
– Name: [To be added]
– Email: dpo@physiodock.com

21.4. What you can contact us about
– Access: Request a copy of your personal data.
– Rectification: Ask us to correct inaccurate or incomplete data.
– Erasure: Request deletion where permitted.
– Restriction: Ask us to temporarily pause processing.
– Consent: Withdraw previously given consent.
– Complaints: If you believe we process your data contrary to the rules.

21.5. Response times and handling
– Acknowledgement: We confirm receipt within 5 business days.
– Response: We provide a full response within 30 days, unless the matter is particularly complex.
– Extension: If more time is needed (up to 60 additional days), we will inform you of the reason for the delay.
