Privacy Policy
Physiodemy Ltd
Last updated: 5 May 2026
Version: 1.0 (DRAFT — subject to solicitor review before publication)
IMPORTANT. This Privacy Policy has been drafted to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR). Items in [SQUARE BRACKETS] are operational placeholders for you to confirm. Have a solicitor or qualified data protection adviser review this document before publication. This document is not legal advice.
1. About this Policy
This Privacy Policy explains how Physiodemy Ltd ("Physiodemy", "we", "us", "our") collects, uses, stores, shares and protects your personal data when you visit https://physiodemy.com (the "Site"), create an account, purchase a course, subscribe to our mailing list, or otherwise interact with our services (the "Services").
We are the data controller for the personal data we process about you, unless we expressly state otherwise (for example, where we act as a data processor for an Organisational Account customer in respect of Seat Holder data — see section 11).
This Policy should be read alongside our Terms and Conditions at https://physiodemy.com/terms-and-conditions/ and our Cookie Policy at https://physiodemy.com/cookie-policy/.
2. Who we are and how to contact us
- Legal name: Physiodemy Ltd
- Companies House number: 12360582 (incorporated in England and Wales)
- Registered office: 1 The Avenue, St Marys Island, Chatham, England, United Kingdom, ME4 3AU
- Email for privacy enquiries: [email protected]
- Data Protection point of contact: [Name / "The Director"], contactable at the email above. We are not currently required to appoint a statutory Data Protection Officer (DPO) under Article 37 UK GDPR.
We are registered with the UK Information Commissioner's Office (ICO) under registration number [ICO REGISTRATION NUMBER — register at ico.org.uk if not already done; Physiodemy must register if it processes personal data electronically].
3. The personal data we collect
We collect and process the following categories of personal data:
3.1 Information you provide
- Account data: name, email address, password (hashed), professional title, country.
- Profile data: profile photo (optional), bio, professional registration body and number (optional, where you self-identify as a Healthcare Professional).
- Order data: billing name and address, course(s) purchased, transaction reference, invoice details.
- Payment data: processed by Stripe and/or PayPal; we do not store full payment-card details (see section 6).
- Course-activity data: progress through Course modules, quiz answers and scores, time spent, certificates issued, assignment submissions.
- Communications: any message, query or feedback you send us by email, contact form, or course comments and forums.
- Marketing preferences: your consent or opt-out for our newsletter and other marketing.
3.2 Information collected automatically
- Device & connection data: IP address, browser type and version, device type, operating system, language, time zone.
- Usage data: pages visited, referrer, clickstream, session duration, search terms entered on the Site.
- Cookies and similar technologies: see our Cookie Policy.
- Video viewing data: Vimeo collects analytics about which Course videos you watch and how long for; this is shared with us in aggregated form (see section 6).
3.3 Information we receive from third parties
- Payment confirmation data from Stripe and PayPal (transaction reference, status, last 4 digits of card, country of card issuer — never the full card number).
- Marketing-platform engagement data from our email service provider (open rates, click rates, unsubscribes).
- Anti-fraud signals from payment providers and security tools.
3.4 Special category data
We do not intentionally collect special category data (such as health, racial or ethnic origin, religion, biometric or genetic data). If you choose to share special category data in a course assignment, forum post or support enquiry — for example, by describing a patient case — you do so at your own risk and you must not include identifiable patient data without lawful basis (see Terms section 9.1).
3.5 Children
The Services are intended for adults (18+). We do not knowingly collect data from children. If you believe a child has provided personal data to us, please contact us at [email protected] and we will delete it promptly.
4. How we use your personal data, and our lawful basis
UK GDPR requires us to identify a lawful basis for each processing activity. Our uses, and the corresponding lawful basis under Article 6 UK GDPR, are set out in the table below.
| # | Purpose | Lawful basis |
|---|---|---|
| 1 | Create and administer your Account, authenticate you when you log in | Contract — necessary to perform our contract with you (Terms of Use) |
| 2 | Process Course purchases, take payment, issue invoices and refunds | Contract + Legal obligation (UK tax/accounting law) |
| 3 | Deliver Courses, track your progress, issue certificates | Contract |
| 4 | Provide customer support, respond to queries and complaints | Contract + Legitimate interests (resolving issues, improving service) |
| 5 | Send service / transactional emails (Order Confirmations, password resets, course updates, security notices) | Contract + Legitimate interests |
| 6 | Send marketing emails about new Courses, blog posts and offers | Consent (we ask you to opt in; you can withdraw at any time) — or, where lawful, soft-opt-in under PECR for similar products to Customers, with clear opt-out at every email |
| 7 | Site analytics (Google Analytics) and Course analytics to improve our Services | Consent (via our cookie banner) |
| 8 | Prevent fraud, secure the Site, investigate abuse | Legitimate interests (protecting Physiodemy, our Users and the public) + Legal obligation |
| 9 | Comply with legal, regulatory or court orders; defend legal claims | Legal obligation + Legitimate interests |
| 10 | Manage business transfers (e.g. sale of the business) | Legitimate interests |
You have the right to object to processing based on our legitimate interests — see section 9.
5. Marketing communications
We will only send you marketing emails if you have given us express consent (for example, by ticking an unticked opt-in box at sign-up) or, in limited cases permitted by PECR, if you are an existing customer and the marketing relates to similar Courses.
Every marketing email we send contains a one-click unsubscribe link. You can also unsubscribe at any time by emailing [email protected] or by adjusting your Account preferences.
We do not sell, rent, or trade your personal data to third parties for their own marketing.
6. Who we share your personal data with
We share personal data only with carefully-selected service providers who help us run the Services. Each is bound by a written contract that imposes UK GDPR-compliant obligations, including confidentiality, security and the prohibition on using your data for their own purposes (other than as expressly permitted).
| Recipient | Role | Data shared | Location |
|---|---|---|---|
| Stripe Payments Europe Ltd | Card payment processing | Name, email, billing address, transaction details | Ireland (EEA) / USA |
| PayPal (Europe) S.Ã r.l. et Cie, S.C.A. | Alternative payment processing | Name, email, transaction details | Luxembourg (EEA) / USA |
| Google LLC (Google Analytics) | Site analytics | Pseudonymous IP address, device/usage data | USA (with EU-US Data Privacy Framework safeguards) |
| Vimeo Inc. | Course video hosting and analytics | Aggregated viewing data, IP address | USA (with appropriate safeguards) |
| [Mailchimp / MailerLite / your chosen ESP] | Email marketing platform | Name, email, marketing engagement data | USA / EEA depending on provider |
| [Hosting provider name — e.g. SiteGround, Krystal, Cloudways] | Web hosting and backups | All Site data | [UK / EEA — to confirm with provider] |
| WPLMS plugin / VibeThemes | LMS functionality embedded in WordPress | Course-progress data (within site only; no transmission off-site unless add-ons enabled) | N/A — runs on our hosting |
| HMRC, accountants, auditors | Statutory tax & accounting | Order, invoice and refund records | UK |
| Legal advisers, insurers, regulators | Where required to defend or assert legal rights | As needed | UK |
| Acquirer in a corporate transaction | Due diligence and transfer | As needed | As applicable |
We will also disclose personal data where required to do so by law, court order, or to comply with a regulatory obligation.
7. International transfers
Some of our service providers (notably Stripe, PayPal, Google, Vimeo and email-marketing platforms) are based outside the United Kingdom. When we transfer your personal data outside the UK, we ensure that one of the following safeguards is in place:
- the country has been designated by the UK government as providing an "adequate" level of data protection (e.g. EEA countries; the USA in respect of organisations certified under the UK Extension to the EU-US Data Privacy Framework);
- the transfer is governed by UK International Data Transfer Agreements (IDTA) or the EU Standard Contractual Clauses (SCCs) with the UK Addendum, plus a transfer risk assessment; or
- another lawful safeguard under Article 46 UK GDPR.
You can request a copy of the safeguards in place by emailing [email protected].
8. How long we keep your personal data
We retain personal data only for as long as necessary for the purposes set out above, or as required by law.
| Data | Retention |
|---|---|
| Account data | For the lifetime of your Account, plus 12 months after closure (so we can reinstate if you change your mind), then deleted or anonymised |
| Course-progress and certificate records | 6 years after Course completion (to allow you to evidence CPD to your regulator) |
| Order, invoice and tax records | 6 years after the end of the relevant tax year (HMRC requirement under the Companies Act 2006 and tax legislation) |
| Marketing data | Until you unsubscribe or 24 months of inactivity, whichever is sooner |
| Support correspondence | 24 months after closure of the query |
| Server, security and access logs | 12 months |
| Cookies | See our Cookie Policy for cookie-by-cookie expiry |
After the applicable retention period, we will securely delete or irreversibly anonymise your personal data.
9. Your rights under the UK GDPR
You have the following rights in relation to your personal data. We will respond within one month of receiving a verifiable request (extendable by two further months for complex requests, with notice to you).
- Right to be informed — the purpose of this Policy.
- Right of access — to obtain a copy of the personal data we hold about you (a "Subject Access Request").
- Right to rectification — to have inaccurate or incomplete data corrected.
- Right to erasure ("right to be forgotten") — to have your personal data deleted in certain circumstances. Note that we may need to retain some data to meet legal obligations (e.g. tax records).
- Right to restrict processing — to limit how we use your data while a query is investigated.
- Right to data portability — to receive your data in a structured, machine-readable format and transmit it to another controller.
- Right to object — to processing based on legitimate interests, and (absolute right) to direct marketing.
- Rights in relation to automated decision-making and profiling — we do not currently make decisions about you using solely automated means that produce legal or similarly significant effects.
- Right to withdraw consent — at any time, where processing is based on consent.
To exercise any right, contact us at [email protected]. Exercising your rights is free of charge in most cases. We may need to verify your identity before responding.
If you are not satisfied with our response, you have the right to complain to the UK supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113
Web: https://ico.org.uk/make-a-complaint/
We would, however, appreciate the chance to address your concerns first.
10. Security
We take the security of personal data seriously and apply appropriate technical and organisational measures, including:
- TLS/SSL encryption of all data in transit between your browser and our servers;
- Encrypted storage of databases and backups;
- Hashed passwords (we cannot see your password);
- Access controls limiting Account access to authorised Physiodemy personnel on a need-to-know basis;
- Regular software updates and security patches to WordPress core, themes and plugins (subject to our change-control policy);
- Off-site backups held in a secure environment with the same controls;
- Incident-response plan with notification to the ICO within 72 hours where required by Article 33 UK GDPR.
No system can be guaranteed 100% secure. If we become aware of a personal data breach affecting your rights and freedoms, we will notify you in accordance with our legal obligations.
11. Organisational (B2B) Accounts — controller / processor split
Where Physiodemy supplies Course access to an Organisation (e.g. a club, clinic, university or employer) and the Organisation allocates seats to its named Seat Holders, the Organisation is the data controller of the Seat Holders' personal data and Physiodemy acts as a data processor for usage and progress data we generate on the Organisation's behalf, in addition to acting as data controller in respect of the Account-level data we collect to operate our Services.
A separate Data Processing Addendum is available on request from [email protected].
12. Cookies and similar technologies
We use cookies and similar technologies as described in our Cookie Policy at https://physiodemy.com/cookie-policy/. You can accept, reject or manage non-essential cookies via our consent banner.
13. Third-party links
The Services may contain links to third-party websites and resources. We are not responsible for the privacy practices of those third parties. We encourage you to read the privacy policies of any third-party site you visit.
14. Changes to this Policy
We may update this Policy from time to time. The "Last updated" date at the top reflects the most recent change. Where the change is material, we will give registered Users reasonable notice (by email or prominent on-site notice) before it takes effect. Your continued use of the Services after the effective date constitutes acceptance of the revised Policy.
15. How to contact us
For any question, concern or request relating to your personal data:
Physiodemy Ltd
Registered office: 1 The Avenue, St Marys Island, Chatham, England, United Kingdom, ME4 3AU
Company number: 12360582 (England and Wales)
Email: [email protected]
End of Privacy Policy — version 1.0, last updated 5 May 2026. © Physiodemy Ltd. All rights reserved.