Privacy Policy
Last updated: 2 June 2026
1. About this policy
This Privacy Policy explains how BookPhysio.in ("BookPhysio.in", "we", "us") collects, uses, shares and protects your personal information when you use our website, mobile web experience and related services (together, the "Platform").
BookPhysio.in acts as a Data Fiduciary under the Digital Personal Data Protection Act, 2023 (the "DPDP Act") with respect to the personal data of patients who book sessions on the Platform. For data submitted by providers during onboarding, we act both as a Data Fiduciary (for your account details) and as a processor of information you publish on your public profile.
If you do not agree with this policy, please do not use the Platform. By creating an account or making a booking, you confirm that you have read and accepted the terms below.
2. Information we collect
We try to collect only what is needed to deliver a booking and support you after the session. The main categories are listed below.
Account details
Name, email address (used to sign in), mobile number, age band and gender, and your login history.
Booking details
Reason for visit, visit type (clinic or home), selected provider, session date, address for home visits, and booking notes you write.
Payment details
The session fee agreed for your booking and any details needed for your invoice. Payments are currently made directly to your physiotherapist at the time of the session, so we do not collect or store your card, UPI or net-banking details.
Provider profile data
For physiotherapists: IAP or State Council registration number, qualifications, clinic address, consultation fees and service areas.
Device and usage data
IP address, browser type, device identifiers, referring URL, pages viewed, and basic error logs, used for safety and debugging.
Support communications
Messages and attachments you send to our support team, and our replies.
Marketing and attribution data
When you sign up, we record how you found us: the referral source, marketing campaign, and the page you first landed on. We use this to understand which channels bring patients to the platform. We keep this data for up to 3 years and then anonymise it so it can no longer be linked to you personally.
Push notification data
When you enable browser push notifications, we store your push subscription details, including a browser and device identifier (user_agent), so we can deliver notifications to you. We delete this data as soon as you disable notifications or delete your account.
3. How we use your information
- Create and secure your account, including verifying your email address with a one-time code when you sign in.
- Confirm and manage your bookings, and send appointment reminders and status updates by email.
- Verify that listed physiotherapists hold valid IAP or State Council registration.
- Respond to your support requests, investigate issues and improve the Platform.
- Detect fraud, abuse and security incidents, and comply with our legal obligations in India.
We do not use your personal or health information for targeted advertising, and we do not sell it to third parties.
5. Where your data is stored
Your primary data is stored in India (AWS Mumbai, ap-south-1). Some of our third-party processors operate outside India; where data is transferred to them, it is governed by contractual safeguards and applicable data-transfer provisions of the DPDP Act, 2023.
6. Our processors
We engage the following data processors to operate the Platform. Some are located outside India; by using the Platform you acknowledge that your data may be transferred to them.
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database and authentication | India (Mumbai) |
| Vercel | Application hosting and analytics | United States |
| Resend | Transactional email | United States |
| Upstash | Rate limiting | United States / EU |
7. How long we keep data
We keep your personal information only for as long as we need it to provide the service and to meet our legal obligations.
- Account and booking records are retained while your account is active and for up to eight years after closure, in line with Indian tax and accounting rules.
- Payment and invoice records are retained for the period required by the Income Tax Act, 1961 and the CGST Act, 2017.
- Server logs and debug data are typically kept for up to ninety days.
- Marketing and attribution data (referral source, campaign, landing page) is kept for up to 3 years from the date of sign-up, after which it is anonymised and can no longer be linked to your account.
8. Security measures
We use TLS encryption for data in transit, row-level access controls on our database, signed session cookies, rate limiting on sensitive endpoints and strict secret management. No online service can guarantee perfect security, but we take reasonable steps to protect your information and will notify affected users in line with Indian law if a serious breach occurs.
9. Your rights
Subject to the DPDP Act and applicable law, you have the right to:
- Access a summary of the personal data we hold about you and how it is being processed.
- Correct information that is inaccurate, incomplete or out of date.
- Ask us to erase your account and related personal data, where we are not legally required to keep it.
- Withdraw any consent you have given us, at any time, without affecting processing that took place before withdrawal.
- Nominate another individual to exercise these rights on your behalf in case of death or incapacity.
- Raise a grievance with our Grievance Officer, and, if unresolved, with the Data Protection Board of India once it is operational.
To exercise any of these rights, write to us at privacy@bookphysio.in from the email address linked to your account. We aim to respond within thirty days.
11. Children and minors
The Platform is intended for adults aged eighteen and above. Parents or legal guardians may book sessions on behalf of a minor in their care. In those cases, the consent given and the information provided must relate to the guardian's own account, and the guardian remains responsible for the minor's care decisions.
12. Updates to this policy
We may update this policy from time to time to reflect changes in the Platform, the law, or our practices. When we make a material change, we will update the date at the top of this page and, where appropriate, notify you by email or through the site. Continued use of the Platform after an update means you accept the revised policy.
13. Grievance Officer
In line with the DPDP Act, 2023 and the Information Technology (Intermediary Guidelines) Rules, 2021, you can reach our Grievance Officer for any privacy or content-related concern by writing to grievance@bookphysio.in.
We acknowledge grievances within 48 hours and aim to resolve them within 30 days of receipt.
If your complaint remains unresolved, you may escalate it to the Data Protection Board of India.
