Last Updated: September 2025
MyPhysioFlow ("we", "us" or "the Service") is committed to protecting your privacy and complying with the Australian Privacy Act 1988 and all other applicable privacy laws. This Privacy Policy explains how we collect, use, store, and disclose personal information when you use our service or website. It also outlines your rights and how you can contact us about your data.
By using MyPhysioFlow, you agree to the collection and use of information in accordance with this Privacy Policy.
When a physiotherapy clinic or provider signs up, we collect information such as the clinic name, contact person's name, email address, and billing details (if subscribing to a paid plan).
MyPhysioFlow connects to third-party practice management systems (e.g., Cliniko, Nookal, Halaxy, etc.) via API, under your direction. We collect only the necessary patient data to track EPC and WorkCover sessions. This typically includes: patient name, unique patient ID, the type of program (EPC or WorkCover), number of sessions authorized and used, dates of patient appointments, and referral or approval expiry dates.
We do not collect or store detailed clinical notes or sensitive medical history from those systems, as our service focuses only on administrative tracking.
We collect analytics about how the MyPhysioFlow dashboard is used (e.g., when you last logged in, features clicked) to improve the Service. This data is generally aggregated and not linked to individual identities, except for basic logging (such as user ID for security/audit logs).
If you contact us for support or feedback, we will collect the information you choose to give us (such as your email, and the content of your communications).
Important: We do not collect any patient information directly from patients. All patient data we handle is obtained via our client clinics and their systems, as needed to provide our service. In terms of Australian Privacy Principles, some of the patient information we handle is health information (sensitive information). We rely on the clinic (as the health service provider) having obtained the patient's consent to share that information with MyPhysioFlow for care management purposes.
We use the collected information for the following purposes:
We process patient session data to display it on your dashboard, determine which patients are "Action Needed", "Pending", "Overdue", etc., and to generate email alerts before deadlines. We use clinic account information to maintain your account, authenticate your login, and provide customer support.
We use your (the clinic user's) email to send you important alerts about patient session quotas or upcoming referral expiries (as part of the service's core functionality). We may also send administrative emails, such as security notices or updates about new features.
We may use and retain certain data as required by law or to ensure we are complying with our legal obligations. For example, we keep logs of data sync operations and access logs to monitor for any unauthorized access and to audit the system's proper functioning.
Aggregated, de-identified data (e.g. average number of expiring EPCs per clinic) may be used internally to analyze usage trends or performance issues. This helps us optimize MyPhysioFlow. These analytics will not identify any individual patient or clinic.
If you are on a paid plan, we use your account and payment information to process subscription payments and manage billing (through our secure payment provider). We do not store full credit card numbers on our servers; any payment details are handled by our payment processor.
Our Commitment: We will not use personal information for any purpose other than providing our service to you, unless we obtain your consent or are required by law. In particular, we do not sell personal data or use patient information for marketing.
MyPhysioFlow understands the sensitive nature of the data we handle and generally will not disclose personal information to third parties except in the limited circumstances described here:
We use trusted third-party providers to host and run MyPhysioFlow: for example, our database and backend are hosted on Supabase (cloud infrastructure) on Australian servers. We may also use an email service (for sending alert emails) and a payment processing service (for handling subscription payments). These providers may process certain personal information only on our behalf and under strict data protection agreements.
As part of providing the service, MyPhysioFlow connects to your chosen practice management system via API. In doing so, we transmit requests that include identifiers (like patient IDs) and receive data from that system. This data interchange is encrypted. We do not send any data to those systems other than the minimal information needed to make the request.
We may disclose information if required by law, court order, or government regulation – for instance, in response to a subpoena or to comply with a notifiable data breach reporting obligation. If an Australian authority lawfully requests access to information, we will comply after verifying the request, and we will inform the affected clients unless legally prohibited from doing so.
Important: We do not disclose patient information to any third party for marketing or non-authorized purposes. Data is shared only as needed to run MyPhysioFlow and as directed by our clinic users.
All personal data is stored on secure servers located in Australia. We do not store your data in other countries. This ensures compliance with Australian data sovereignty preferences and means the data is protected under Australian law.
All data transmission between your browser and our servers is encrypted using SSL/TLS (HTTPS). Our databases encrypt data at rest. In non-technical terms, this means your data is "locked" both when it's sent to us and when it's stored, so that if it were intercepted it would be unreadable.
Each clinic's data in MyPhysioFlow is logically segregated. Users from one clinic cannot access another clinic's information. Within your clinic, you may have multiple physiotherapists or staff using MyPhysioFlow – you can control access by sharing or not sharing the login. We recommend keeping your login credentials secure and using a strong password.
Our team access to personal data is very limited. We do not routinely look at individual patient records unless necessary to resolve a support issue for you. Access to the database and server requires authentication and is restricted to authorized personnel. We also use audit logs to track any access to sensitive data.
Personal information is kept only for as long as necessary to fulfill the purposes of the service or as required by law. If your clinic stops using MyPhysioFlow and cancels the account, we will delete or de-identify your patients' personal information after a defined retention period (generally, we purge data within 30 days of account closure, unless you request immediate deletion).
In the unlikely event of a data breach (such as unauthorized access to our systems) that impacts personal information, we will promptly notify your clinic and any affected individuals, as required by the Notifiable Data Breaches scheme. We will also notify regulators (OAIC) where required.
As a clinic user, you can access and view the patient information in your MyPhysioFlow dashboard at any time. This reflects the data we have about your patients' sessions. If you need a full export of your data, you can contact us at the email below – we can provide your clinic's data in a readable format (e.g., CSV export) on request.
If you notice any information in MyPhysioFlow that is incorrect (for example, a patient's name is misspelled or session count is wrong), the correction should generally be made in the source system (e.g., Cliniko or Nookal) since MyPhysioFlow syncs from there. Once corrected in your practice management system, our next sync will update the dashboard.
We take privacy seriously. If you have a question or concern about how we handle personal information, or if you believe we have breached this Privacy Policy or the Australian Privacy Principles, please contact us and we will do our best to resolve the issue.
Email: ryan@myphysioflow.com.au
Complaints Process: Upon receiving a complaint, our privacy officer will review it and respond within a reasonable timeframe (we typically acknowledge within 5 business days and aim to resolve within 30 days). If you are not satisfied with our response, you have the right to escalate the matter to the Office of the Australian Information Commissioner (OAIC).
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or new features. If we make significant changes, we will notify our users (for example, via email or a notice on the dashboard). The "Last Updated" date at the top will always indicate the latest revision.
MyPhysioFlow is a tool used by physiotherapy clinics and is not directed to minors or individual consumers. Patient information in the system may include details of children (if they are patients of a physio clinic under an EPC or WorkCover plan), but those are entered by the clinic. Any parental consents for treating minors should be handled by the clinic.
For users visiting our marketing site, we use minimal cookies – primarily for authentication (when you log in) and for basic analytics to understand site traffic. We do not use invasive tracking or advertising cookies.
MyPhysioFlow is proudly built for Australian physios, with privacy and compliance in mind. We regularly review our practices to ensure we meet our legal obligations and safeguard the trust you place in us.