Privacy Policy

  • General Remarks

 

 

The Privacy Policy is a document prepared to ensure the security of the personal data of the Service Users being processed. In this document, we explain who acts as the data controller, the purpose of personal data processing, to which entities the Administrator may entrust personal data, and what rights Service Users have in this regard.

 

 

  • Definitions 

 

 

  1. Whenever the regulations refer to:
     1. Personal Data Administrator - it should be understood as FIZJO AI sp. z o.o. with its registered office in Lublin (20-213 Lublin), Gospodarcza 26 Street, entered into the Register of Entrepreneurs of the National Court Register, maintained by the District Court in Lublin with its seat in Świdnik, VI Commercial Division of the National Court Register under the KRS number: 0000907841, NIP: 9462707299, REGON: 389254058, hereinafter referred to as: the Administrator.
     2. Newsletter - should be understood as a voluntary and free service in the form of an e-mail message, regarding information about new promotional offers or services of the Administrator published in the Service.
     3. Physiotherapist Account – should be understood as an account created during registration in the Service by the Physiotherapist, enabling in particular the creation and personalization of therapeutic exercises for their Patients, creating training plans, monitoring their progress, and exchanging information with the Patient.
     4. Patient Account – should be understood as an account created during registration in the Service by the Administrator or Physiotherapist, enabling in particular browsing of content contained in the Service, training plans, monitoring of progress, and exchanging information with the Physiotherapist.
     5. Physiotherapist – should be understood as a person with appropriate education and qualifications to restore, develop, and maintain the physical fitness of a Patient, who, through the Service, can create and personalize therapeutic exercises for their Patients, create training plans, monitor Patients' progress, and contact them.
     6. Patient – should be understood as a natural person who is at least 18 years old, has legal capacity, uses the Service through a Patient Account, and has concluded an agreement in a scope not directly related to their business activity in order to use the services of a Physiotherapist.
     7. GDPR - should be understood as the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
     8. Service - should be understood as an internet platform available at fizjoai.pl, run by the Administrator, through which the Physiotherapist can create and personalize therapeutic exercises for their Patients, create training plans, monitor Patients' progress, and contact them.
     9. Agreement - should be understood as an agreement concluded between the Physiotherapist, Patient, and the Administrator, specifying the rules for providing services electronically.
     10. Service Recipient – should be understood as a person who uses the Service belonging to the Administrator.
     11. User – should be understood as a natural person who is at least 18 years old, has legal capacity, and uses the Service through a Patient Account or a Physiotherapist Account.

 

 

  • Physiotherapist Account and Patient Account

 

  1. A Service Recipient wishing to register in the Service as a Physiotherapist must provide the data specified below. The Physiotherapist uses the Service after creating a Physiotherapist Account and its activation by the Administrator.
  2. To create an account, the Physiotherapist provides in the form such data as: First and Last Name, Company Name, address, NIP number or KRS number in the case of entities registered in the National Court Register, e-mail address, contact phone.
  3. After creating the account, the Administrator will process the Physiotherapist's data indicated in point 2 above.
  4. The form completed by the Physiotherapist during Registration in the Service to create an account is implemented using encrypted sessions, which aim to increase the protection of data transmission. 
  5. Data processed by the Administrator is stored and processed with appropriate security measures that meet the requirements of Polish law.
  6. The Physiotherapist is the personal data administrator within the meaning of the Act of 10 May 2018 on the protection of personal data, which is processed as part of the services provided through the Service.
  7. The Physiotherapist bears full responsibility for the existence of a legal basis for processing the personal data of Patients entered in the Service. The Administrator is not responsible for the scope, manner, and legality of personal data collected and processed by the Physiotherapist.
  8. The Physiotherapist, as the personal data administrator, entrusts the Administrator with the processing of personal data in connection with the implementation of services available in the Service. 
  9. A Service Recipient wishing to register in the Service as a Patient should contact the Administrator or Physiotherapist, as they do not have the ability to independently register an account in the Service. The activation of the Patient Account takes place electronically by clicking on the link sent by the Administrator marked with the field "activate account". Clicking on the "activate account" field by the Patient transfers the Patient to the Service, where registration takes place. The Patient uses the Service after account activation.
  10. The Administrator will process the Patient's data indicated by the Physiotherapist. The Administrator will process such Patient data as: First name, last name, e-mail address, contact phone, and other data entered into the Service by the Physiotherapist, such as weight, height, age, past injuries.
  11. The data will be processed by the Administrator to guarantee safe use of the services available in the Service, improve efficiency, and enhance the functionality of the Service.
  12. The Physiotherapist and Patient independently decide on the login and password to the Service. The login must contain at least X characters and the password must contain at least X characters.
  13. When using services provided electronically, the User is exposed to the risk of interference with their data by unauthorized persons, receiving unwanted mail, data phishing, or infection of the User's system with malicious software. It is recommended that the User take appropriate care of the security of their personal data. To this end, it is recommended, among other things:
     1. not to share their password and login to the Service with third parties;
     2. to use the current version of the software;
     3. to check the certificate before logging into the Service.
  14. In case of password loss, use the "Remind password" option. If you still cannot log in, it is recommended to contact the Administrator to regain access to the account.

 

 

  • Voluntary Provision of Data

 

 

  1. Providing the personal data specified in chapter III point 2 of this Privacy Policy by the Physiotherapist is voluntary, but necessary in order to register an account in the Service and conclude an Agreement with the Administrator.
  2. Providing the Patient's personal data specified in chapter III point 10 of this Privacy Policy by the Physiotherapist is voluntary, but necessary in order to register an account in the Service for the Patient and conclude an agreement with the Administrator. The Patient consents to the processing of their personal data by activating the Patient account.
  3. Providing personal data by the User in the form of an email address is voluntary, but necessary in order to receive the Newsletter with current information and offers.

 

 

  • Information on Personal Data Processing

 

 

  1. The Administrator processes the User's personal data only to the extent that enables the proper provision of services related to the concluded Agreement.
  2. The Physiotherapist declares that they are aware that termination of the Agreement with the Administrator and deletion of the account in the Service will result in the termination of the data processing entrustment agreement. Termination of the data processing entrustment agreement will result in the inability to provide services in the field of processing data for which the Administrator is the controller.
  3. The Administrator and Physiotherapist are separate controllers of Patients' personal data.
  4. The Administrator and Physiotherapist process Users' personal data for their own purposes.

 

 

  • Purposes and Bases for Processing Personal Data

 

 

  1. For the purpose of using the Services within the Service, including concluding and performing the Agreement on using the Administrator's services, the Administrator will process the data provided by the Physiotherapist in the form during account registration, such as: first and last name, company, address, NIP number, KRS number in the case of entities registered in the KRS, email address, contact number. The legal basis for such processing is Article 6(1)(b) of the GDPR, which allows the processing of personal data if it is necessary for the performance of a contract.
  2. For the purpose of creating registers required by the GDPR, including a register of Users who have objected in accordance with the GDPR, the Administrator processes the email address and first and last name, if provided by the User. The legal basis for such processing is Article 6(1)(c) of the GDPR, which allows the processing of personal data if the processing is necessary for compliance with a legal obligation to which the Personal Data Administrator is subject.
  3. For the purpose of sending email notifications in the form of a Newsletter, the Administrator processes the email address provided in the form. If the User is interested in receiving the Newsletter, they must provide an email address in the registration form and consent to receiving the Newsletter by checking the appropriate checkbox in the Service. The legal basis for such processing is Article 6(1)(a) of the GDPR, which allows the processing of personal data based on voluntarily given consent.
  4. For the purpose of marketing, including direct marketing, by conducting marketing of own products and services, consisting of communication with the User, including direct communication for the purpose of advertising and promotion of the Administrator's services via the User's email address or telephone number. The legal basis for such processing is Article 6(1)(f) of the GDPR, which allows the processing of personal data if the Personal Data Administrator pursues its legitimate interest (marketing of own services and products).
  5. For the purpose of implementing new or developing functionalities of the Service and Applications, through the analysis of necessary new solutions to be introduced, development of Service services, testing of implemented solutions. The legal basis for such processing is Article 6(1)(f) of the GDPR, which allows the processing of personal data if the Personal Data Administrator pursues its legitimate interest (developing and ensuring the security of the Service and Applications).
  6. For the purpose of using cookies in the Service, the Administrator processes the information referred to in Chapter IX of the Privacy Policy. The legal basis for such processing is Article 6(1)(a) of the GDPR, which allows the processing of personal data based on voluntarily given consent.
  7. For the purpose of conducting a satisfaction survey on the services offered, the Administrator processes the email address provided in the form by the User. The legal basis for such processing is Article 6(1)(f) of the GDPR, which allows the processing of personal data if the Personal Data Administrator pursues its legitimate interest (getting Users' opinions on the services offered and adapting to expectations).
  8. For analytical and statistical purposes regarding the examination of the activity of Service Recipients or Users in the Service, the Administrator processes such data as approximate location, type of operating system, type of web browser, visited subpages, date and time of website visits. The legal basis for such processing is Article 6(1)(f) of the GDPR, which allows the processing of personal data if the Personal Data Administrator pursues its legitimate interest (monitoring Users' activity on the website).
  9. For the purpose of establishing, pursuing, or defending against claims related to the concluded agreement or the processing of the User's personal data. The legal basis for such processing is Article 6(1)(f) of the GDPR, which allows the processing of personal data if the Personal Data Administrator pursues its legitimate interest (pursuit or defense against claims).

 

 

  • Method of Personal Data Protection

 

 

  1. The form filled out by the Physiotherapist during registration to conclude an Agreement with the Administrator, as well as the process of logging into the User's Account in the Service, is implemented using encrypted sessions, which aim to increase the protection of data transmission. Data in the form of a password for accessing the User's Account is encrypted using one-way encryption algorithms, making it impossible to later decrypt it. 
  2. Data processed by the Administrator is stored and processed with appropriate security measures that meet the requirements of Polish law.

 

 

  • Period of Personal Data Processing

 

 

  1. The User's personal data will not be processed for a period longer than required by law or provided for in the Administrator's internal regulations. The User's personal data will be processed for as long as there is a legal basis for their processing, i.e. until:
     1. deletion of the account by the User;
     2. withdrawal of consent by the User or achievement of the processing purpose;
     3. raising an objection by the User or achievement of the processing purpose.
  2. In case of account deletion in the Service or termination of the Agreement, the User's personal data will be processed for no longer than is necessary for the purposes of considering complaints and possible claims related to the use of the Administrator's services - until the limitation period for claims.
  3. In case of using the Service by a Service Recipient who is not logged in or registered, the data will be processed for the duration of using the Service or storing cookies on the Service Recipient's device.

 

 

  • Cookies and Similar Technologies

 

 

  1. The Administrator uses cookie files (so-called cookies), which are short pieces of text information stored on the Service Recipient's device. They can be read by the Administrator's system as well as by other entities whose services the Administrator uses (e.g. Google, Facebook).
  2. The Administrator's Service can place a cookie file in the browser if the browser allows it. The browser allows a website to access only the cookie files placed by that site.
  3. Cookie files and other technologies are used for the following purposes:
     1. adapting the content of the Service to the Service Recipient's preferences and optimizing the use of the Service;
     2. creating statistics that aim to track the Service Recipient's activity and learn how they use the Service. For this purpose, the Administrator uses tools such as Google Analytics.
  4. The Administrator uses the following types of cookie files:
     1. necessary - enabling the proper functioning of the system;
     2. functional - enabling the adaptation of the Service to the User's choices;
     3. analytical - enabling the processing of information about the manner of using the Service, studying statistics, and improving efficiency.
  5. The most common solution used by software for browsing websites (web browser) is the default use of cookies and other technologies on the Service Recipient's device. However, the Service Recipient can change these settings at any time.
  6. It should be noted that disabling or limiting the use of cookie files may cause difficulties in using the Service, e.g. in the form of longer loading time, limitations in using functionalities, etc.
  7. Additional information about cookie files is available, among others, in the "Help" section in your web browser's menu.

 

 

  • Users' Rights Related to the Processing of Personal Data

 

 

  1. The Administrator informs that each User has the right to:
     1. access their personal data;
     2. rectify personal data;
     3. delete personal data;
     4. restrict data processing;
     5. data portability;
     6. object to the processing of personal data;
     7. withdraw consent to the extent that data is processed on this basis;
     8. lodge a complaint with a supervisory authority, i.e., the President of the Office for Personal Data Protection.
  2. The above rights can be exercised by the User through:
     1. sending an e-mail directly to the Administrator at the address: [email protected];
     2. to withdraw consent: clicking on the link in the email message, attached to the message sending the Newsletter;
     3. to lodge a complaint with the supervisory authority: the complaint should be lodged directly with the President of the Office for Personal Data Protection.

 

 

  • Transfer of Personal Data

 

 

  1. The User's personal data may be transferred to entities processing personal data at the request of the Administrator, e.g., IT service providers, marketing agencies, based on agreements concluded with these entities.
  2. The necessity to transfer the User's personal data may result from legal provisions or a decision of the competent authority also to other public or private entities. The Administrator ensures that each case of making personal data available to public or private entities will be carefully analyzed for compliance with applicable law. 
  3. The Administrator provides the Patient in the Service with the possibility to use the AI module, with the help of which the quality and number of exercises performed by the Patient is assessed. The Administrator declares that neither the Administrator nor the AI module records video and audio of the Patient's exercises and thus does not transfer or store this content. 

 

 

  • Transfer of Personal Data to Third Countries

 

 

Entrusting Users' personal data for further processing to external entities takes place within the European Economic Area and, in accordance with Article 45(1) of the GDPR, to entities in third countries or international organizations only if the Commission has determined that the third country, territory, or specified sector or specified sectors in that third country or the international organization in question ensures an adequate level of protection.

 

 

  • Final Provisions

 

 

  1. The Administrator reserves the right to make changes or additions to this Privacy Policy. 
  2. The User will be informed of changes to the Privacy Policy by email to the address provided during account registration.
  3. The current content of the Privacy Policy is published in the Service. 
  4. The Privacy Policy is effective from 2023-02-01.