Privacy Policy

Last updated: April 2026

1. About this policy

This Privacy Policy explains how BookPhysio.in ("BookPhysio", "we", "us") collects, uses, shares and protects your personal information when you use our website, mobile web experience and related services (together, the "Platform").

BookPhysio acts as a Data Fiduciary under the Digital Personal Data Protection Act, 2023 (the "DPDP Act") with respect to the personal data of patients who book sessions on the Platform. For data submitted by providers during onboarding, we act both as a Data Fiduciary (for your account details) and as a processor of information you publish on your public profile.

If you do not agree with this policy, please do not use the Platform. By creating an account or making a booking, you confirm that you have read and accepted the terms below.

2. Information we collect

We try to collect only what is needed to deliver a booking and support you after the session. The main categories are listed below.

Account details

Name, mobile number, optional email, age band and gender, and your login history.

Booking details

Reason for visit, visit type (clinic or home), selected provider, session date, address for home visits, and booking notes you write.

Payment details

Razorpay transaction identifiers, amount, GST details on invoices, and refund status. We do not store your full card number or UPI PIN.

Provider profile data

For physiotherapists: IAP or State Council registration number, qualifications, clinic address, consultation fees and service areas.

Device and usage data

IP address, browser type, device identifiers, referring URL, pages viewed, and basic error logs, used for safety and debugging.

Support communications

Messages and attachments you send to our support team, and our replies.

3. How we use your information

  • Create and secure your account, including mobile OTP verification through MSG91.
  • Confirm and manage your bookings, send appointment reminders and status updates by SMS or email.
  • Process payments and refunds through Razorpay, and generate GST-compliant invoices.
  • Verify that listed physiotherapists hold valid IAP or State Council registration.
  • Respond to your support requests, investigate issues and improve the Platform.
  • Detect fraud, abuse and security incidents, and comply with our legal obligations in India.

We do not use your personal or health information for targeted advertising, and we do not sell it to third parties.

4. How we share information

We share the minimum amount of information needed to deliver the service. The main recipients are:

  • Your selected physiotherapist, who receives your name, contact number, booking notes and address (for home visits) so the session can take place.
  • Payment processors (Razorpay and its partner banks) to handle payments, refunds and chargebacks.
  • Messaging providers (MSG91 for SMS and OTP, Resend or a similar provider for email) strictly to deliver transactional messages.
  • Cloud and infrastructure providers (such as Supabase and Vercel) that host our database, authentication and application.
  • Professional advisors, such as auditors and lawyers, where required for running the business.
  • Regulators, law-enforcement authorities and courts, where we are legally required to disclose information.

5. How long we keep data

We keep your personal information only for as long as we need it to provide the service and to meet our legal obligations.

  • Account and booking records are retained while your account is active and for up to eight years after closure, in line with Indian tax and accounting rules.
  • Payment and invoice records are retained for the period required by the Income Tax Act, 1961 and the CGST Act, 2017.
  • Server logs and debug data are typically kept for up to ninety days.

6. Security measures

We use TLS encryption for data in transit, row-level access controls on our database, signed session cookies, rate limiting on sensitive endpoints and strict secret management. Payment card details are handled entirely by Razorpay and never touch our servers. No online service can guarantee perfect security, but we take reasonable steps to protect your information and will notify affected users in line with Indian law if a serious breach occurs.

7. Your rights

Subject to the DPDP Act and applicable law, you have the right to:

  • Access a summary of the personal data we hold about you and how it is being processed.
  • Correct information that is inaccurate, incomplete or out of date.
  • Ask us to erase your account and related personal data, where we are not legally required to keep it.
  • Withdraw any consent you have given us, at any time, without affecting processing that took place before withdrawal.
  • Nominate another individual to exercise these rights on your behalf in case of death or incapacity.
  • Raise a grievance with our Grievance Officer, and, if unresolved, with the Data Protection Board of India once it is operational.

To exercise any of these rights, write to us at privacy@bookphysio.in from the mobile number or email linked to your account. We aim to respond within thirty days.

8. Cookies and tracking

We use a small number of first-party cookies to keep you signed in, remember your language preference and protect the site from abuse. We do not use third-party advertising cookies or behavioural tracking. You can block or clear cookies in your browser settings, but some parts of the site, such as login, may stop working correctly if you do so.

9. Children and minors

The Platform is intended for adults aged eighteen and above. Parents or legal guardians may book sessions on behalf of a minor in their care. In those cases, the consent given and the information provided must relate to the guardian's own account, and the guardian remains responsible for the minor's care decisions.

10. Updates to this policy

We may update this policy from time to time to reflect changes in the Platform, the law, or our practices. When we make a material change, we will update the date at the top of this page and, where appropriate, notify you by email or through the site. Continued use of the Platform after an update means you accept the revised policy.

11. Grievance Officer

In line with the DPDP Act, 2023 and the Information Technology (Intermediary Guidelines) Rules, 2021, you can reach our Grievance Officer for any privacy or content-related concern.

Email: grievance@bookphysio.in

Response time: within fifteen working days of a valid complaint.