Privacy Policy

Last updated: 22 May 2026 · Effective immediately

1. Who we are

Physenta (“we”, “us”, “our”) is a digital physiotherapy platform operated from Delhi-NCR, India. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our services, in compliance with the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025.

2. Information we collect

We collect only the information needed to provide healthcare services to you:

Account data

Name, email address, phone number (if provided), password (hashed), profile photo, date of account creation.

Health data

Symptoms, body areas of pain, pain levels, medical conditions, medications, past ailments, exercise completion logs, voice recordings during AI assessments, ratings of physiotherapists.

Session data

Booking history, video consultation recordings (only if you explicitly consent), chat messages with your assigned physiotherapist or doctor.

Technical data

Device type, browser, IP address (for security), pages visited, login times.

Payment data

Processed by Razorpay. We do not store your card details. We retain transaction IDs and amounts for accounting and refunds.

3. Why we collect it (lawful purposes)

We process your personal data only for these purposes:

  • To provide you with personalised physiotherapy and recovery plans.
  • To connect you with verified physiotherapists and doctors.
  • To process payments and issue receipts.
  • To send service-related notifications (booking confirmations, reminders).
  • To respond to your queries and grievances.
  • To comply with legal obligations including audit and tax requirements.
  • To improve our service quality (using aggregated, anonymised data only).

We do not sell your data to third parties. We do not use your health data for advertising.

4. Your consent

By creating an account, you provide explicit consent for us to process your personal data for the purposes described above. Health data is processed under your explicit consent given at sign-up.

You can withdraw your consent at any time by deleting your account or contacting thesrijansharma@gmail.com. Withdrawal will not affect lawful processing carried out before the withdrawal.

5. Who we share your data with

We share limited data only with parties strictly necessary to provide our service:

Your assigned physiotherapist / doctor

They see your symptoms, plan, and chat history — only what is needed for your care.

Razorpay

For processing payments. Subject to Razorpay's own privacy policy.

Daily.co

For video consultations. Subject to Daily.co's privacy policy. We do not record consultations unless you explicitly opt in.

Cloudinary

For storing exercise demonstration videos. Patient identifiers are not attached.

Resend

For sending you transactional emails (password reset, booking confirmation).

Neon / Vercel

Our hosting and database providers. Data is encrypted in transit and at rest.

We do not transfer your data outside India except where strictly required by the third-party services listed above. We do not share with advertisers or data brokers.

6. How long we keep your data

  • Active accounts: as long as your account is active.
  • Health records: 5 years after last activity, per Indian medical record norms.
  • Payment records: 8 years, per Indian tax law.
  • Deleted accounts: personal identifiers removed within 30 days; anonymised statistical data may be retained.
  • Inactive accounts (no login for 24 months): we may contact you before automatic deletion.

7. Your rights under the DPDP Act

As a Data Principal under the DPDP Act, 2023, you have the right to:

  • Access a copy of your personal data — request via your account or email us.
  • Correct inaccurate personal data — edit in your profile or email us.
  • Erase your personal data — use the “Delete my account” button in profile settings.
  • Withdraw consent for processing — see Section 4.
  • Nominate a representative to exercise your rights in case of death or incapacity.
  • Grievance redressal — see Section 11.

We will respond to any request within 30 days. There is no fee for exercising these rights.

8. How we protect your data

  • Passwords are hashed using bcrypt and never stored in plain text.
  • All data in transit is encrypted via HTTPS (TLS 1.3).
  • Database is encrypted at rest by our cloud provider (Neon).
  • Role-based access controls limit who can view what data.
  • Rate limiting and CSRF protection prevent automated abuse.
  • Regular security audits of our codebase.
  • Two-factor authentication available for admin accounts.

9. Data breach notification

In the unlikely event of a personal data breach that may cause harm to you, we will:

  • Notify you within 72 hours via email and in-app alert.
  • Notify the Data Protection Board of India as required.
  • Describe the nature of the breach, data affected, and steps you can take.
  • Take immediate steps to contain and remediate the breach.

10. Children

Our service is intended for users aged 18 years and older. If you are under 18, you may only use our service with verifiable consent from a parent or legal guardian, as required by the DPDP Act for processing children's data.

If we learn we have collected personal data from a child under 18 without parental consent, we will delete it promptly. Parents can contact thesrijansharma@gmail.com to request deletion.

11. Grievance redressal

We take privacy concerns seriously. For any complaint about how we handle your personal data, contact our Grievance Officer:

Grievance Officer

Email: thesrijansharma@gmail.com

Address: Delhi-NCR, India

We will acknowledge your grievance within 24 hours and respond with action taken within 7 working days.

If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India as established under the DPDP Act.

12. Changes to this policy

We may update this policy from time to time. Material changes will be notified via email and a banner on the platform at least 7 days before they take effect. Continued use after the effective date means acceptance.

13. Contact us

For any privacy-related question:

Disclaimer: This Privacy Policy is provided for transparency. For legal advice specific to your situation, consult a qualified data privacy lawyer. This document does not create a contract — your rights under the DPDP Act and other applicable laws apply regardless.