Privacy Policy

Last updated: January 24, 2025


1. Introduction

At AssessPro, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our physiotherapy assessment and patient management platform. We are committed to protecting the privacy and security of all personal and health information entrusted to us.

This policy applies to all users of AssessPro, including healthcare professionals, clinic administrators, and patients whose information is processed through our platform.

2. Information We Collect

2.1 Personal Information

We collect personal information that you provide directly to us, including:

  • Name, email address, phone number, and professional credentials
  • Clinic or practice information
  • Billing and payment information
  • Profile information and preferences

2.2 Patient Health Information (PHI)

Healthcare professionals using our platform may input patient health information, including:

  • Patient demographics and contact information
  • Medical history and assessment data
  • Treatment plans and progress notes
  • Clinical test results and measurements
  • Images, videos, and other clinical documentation

2.3 Technical Information

We automatically collect certain technical information, including:

  • IP address, browser type, and device information
  • Usage patterns and feature interactions
  • Log files and system performance data
  • Cookies and similar tracking technologies

3. How We Use Your Information

3.1 Service Provision

We use your information to:

  • Provide and maintain the AssessPro platform
  • Process assessments and generate reports
  • Enable communication between healthcare providers and patients
  • Backup and restore your data

3.2 Account Management

We use your information to:

  • Create and manage user accounts
  • Authenticate users and prevent unauthorized access
  • Process billing and subscription management
  • Provide customer support and technical assistance

3.3 Improvement and Analytics

We may use aggregated, de-identified data to:

  • Improve our services and develop new features
  • Analyze usage patterns and system performance
  • Conduct research to advance physiotherapy practices
  • Generate industry insights and benchmarks

4. Data Security

4.1 Security Measures

We implement comprehensive security measures to protect your information:

  • End-to-end encryption for data transmission and storage
  • Multi-factor authentication and access controls
  • Regular security audits and penetration testing
  • SOC 2 Type II compliance and certification
  • Employee background checks and security training

4.2 Data Centers

Our data is hosted in secure EU-based data centers (Neon PostgreSQL and AWS S3 EU regions) with encryption at rest and in transit. All infrastructure providers maintain industry-leading security certifications including ISO 27001 and SOC 2 compliance standards.

4.3 Incident Response

In the unlikely event of a security incident, we have established procedures to quickly identify, contain, and remediate any issues. We will notify affected users and relevant authorities as required by applicable laws and regulations.

5. Legal Basis for Processing Health Data

5.1 Healthcare Professionals (Data Controllers)

Healthcare professionals using AssessPro are data controllers for patient data. They process patient health information based on legal obligations (medical record-keeping requirements) and legitimate interests (providing healthcare services). AssessPro acts as a data processor on their behalf.

5.2 Role-Based Access Controls

We implement role-based access controls ensuring that healthcare professionals can only access patient information relevant to their professional responsibilities and with appropriate authorization.

6. GDPR Compliance

6.1 Your Rights Under GDPR

As a user in the European Union, you have the following rights:

  • Right to Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate personal data
  • Right to Erasure: Request deletion of your personal data
  • Right to Data Portability: Receive your data in a portable format
  • Right to Restrict Processing: Limit how we use your data
  • Right to Object: Object to processing of your personal data

To exercise these rights, please contact our Data Protection Officer at dpo@assesspro.com.

6.2 EU-Only Data Storage

All data is stored exclusively in EU-based data centers (AWS EU regions and Neon EU database). We do not transfer personal data outside the European Economic Area (EEA). All service providers we use are GDPR-compliant and have executed Data Processing Agreements with us.

6.3 Data Protection Officer

We have appointed a Data Protection Officer to oversee compliance with data protection laws. You can contact our DPO at dpo@assesspro.com for any privacy-related inquiries.

7. Data Retention

We retain data according to the following periods:

  • Patient Health Data: 10 years after last assessment (in accordance with medical record retention requirements)
  • User Account Data: For the lifetime of your account plus 3 years for audit purposes
  • Audit Logs: Minimum 3 years for security and compliance
  • Team Messages: As configured by team settings (1 day to forever)
  • Payment Records: 7 years for tax compliance

When data is no longer needed, it is securely deleted or anonymized. You can request early deletion, subject to legal and regulatory requirements.

Note: You can export your data at any time from your account settings before requesting deletion.

8. Third-Party Service Providers

We use the following GDPR-compliant service providers. All have executed Data Processing Agreements (DPAs) with us:

Neon (Database Hosting)

Purpose: PostgreSQL database hosting in EU region

AWS S3 (File Storage)

Purpose: Secure file storage in EU region (Frankfurt/Ireland)

Vercel (Application Hosting)

Purpose: Web application hosting in EU region

Stripe (Payment Processing)

Purpose: Secure payment and subscription management (EU entity)

Sentry (Error Monitoring)

Purpose: Application performance and error tracking

9. Your Rights and Choices

9.1 Access and Control

You have the right to:

  • Access and review your personal information
  • Correct inaccurate or incomplete information
  • Request deletion of your data (subject to legal requirements)
  • Export your data in a portable format
  • Opt out of marketing communications

9.2 Cookie Preferences

You can manage your cookie preferences through your browser settings or our cookie preference center. Note that disabling certain cookies may affect the functionality of our platform.

10. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by posting the updated policy on our website and, where appropriate, by email. Your continued use of our services after such modifications constitutes acceptance of the updated Privacy Policy.

11. Contact Us

If you have any questions about this Privacy Policy or our privacy practices, please contact us:

General Privacy Inquiries

Email: privacy@assesspro.com
Phone: +1 (555) 123-4567

Data Protection Officer

Email: dpo@assesspro.com
For GDPR-related inquiries

Mailing Address:
AssessPro Privacy Team
123 Healthcare Ave, Medical District
New York, NY 10001, United States