Privacy Policy

Information notice pursuant to Articles 13–14 of EU Regulation 2016/679 (GDPR). Last revision: May 2026.

1. Data Controller

The Data Controller is Ri-Hub S.r.l. S.T.P., with registered office in Italy. To exercise the rights granted by the GDPR and for any enquiry, please write to privacy@ri-hub.it.

Legal identification: Ri-Hub S.r.l. S.T.P. — Registered office: Corso Assarotti 19/1, 16043 Chiavari (GE), Italy — VAT/Tax ID (P.IVA/C.F.): 02992670998 — REA GE-525421 — Share capital: €10,000 fully paid up — PEC: ri-hub@pec.it

2. Processing of health data (Article 9 GDPR)

Ri-Hub is an online physiotherapy platform: when you use the service we collect and process data concerning health (special category under Article 9 GDPR), in particular: answers to medical history questionnaires, pain levels, descriptions of symptoms, therapeutic objectives and treatment plans. Video consultations are delivered in real time and are not recorded or retained in any audio or video form.

Legal basis. The processing of health data is based on two cumulative grounds: the data subject's explicit consent (Art. 9(2)(a) GDPR) collected upon signing the healthcare informed consent, and the performance of a healthcare contract (Art. 9(2)(h) GDPR) to which the data subject is a party. The processing also complies with the Guidelines of the Italian Data Protection Authority on telemedicine and with the indications of the European Data Protection Board (EDPB). Without the provision of such data, the requested healthcare service cannot be delivered.

Prohibition of dissemination and secondary use. Health data are processed exclusively for the purposes of care, diagnosis and management of the rehabilitation pathway of the individual patient. Ri-Hub DOES NOT disseminate, transfer, sell or disclose health data to third parties other than the expressly authorised entities listed in § 5 (the assigned physiotherapist and the technology providers appointed as Data Processors). Health data are never used for advertising, profiling or marketing purposes under any circumstances.

Storage on systems compliant with European law. Health data are stored on cloud infrastructure located within the European Economic Area (EEA) with GDPR-compliant providers, with encryption both in transit (TLS 1.3) and at rest. No health data are transferred outside the EU/EEA. Any non-EU technology processors (e.g. Stripe for payments) process only administrative and accounting data — never health data — on the basis of Standard Contractual Clauses approved by the European Commission (Art. 46 GDPR).

Professional secrecy. The physiotherapists who access health data are registered with the professional Register and bound by professional secrecy pursuant to Art. 622 of the Italian Criminal Code, Art. 200 of the Italian Code of Criminal Procedure and the professional Code of Conduct. Access to health data is restricted to the assigned patient only (data minimisation principle, Art. 5(1)(c) GDPR) and tracked in immutable audit logs.

Pseudonymisation and minimisation. Where technically feasible, health data are pseudonymised or encrypted at the application level. Aggregate statistics for internal use or for partner clinics/companies are provided exclusively in anonymous and aggregate form, with no possibility of re-identifying the individual patient.

3. Categories of personal data processed

Identification data: first name, surname, tax code, date of birth, address, contact details.
Identity documents (image).
Authentication credentials: email, hashed password, Google token if accessed via OAuth.
Health data: medical history, pain, symptoms, treatment plans, results of assessment questionnaires. Video sessions are not recorded.
Payment data: handled by the Stripe provider (we do not store card details).
Technical data: IP address, access logs, device identifiers (if Capacitor is installed).
Aggregate and anonymous usage data (only if you have accepted analytics cookies).

4. Purposes of processing

Provision of the online physiotherapy service (basis: contract / explicit consent under Art. 9).
Administrative and accounting management (basis: legal obligation).
App security, fraud prevention and diagnostics (basis: legitimate interest).
Service communications and notifications relating to appointments (basis: contract).
Marketing and newsletter only if you have given separate consent at registration (basis: consent, revocable at any time).
Aggregate analytics only if you have accepted analytics cookies (basis: consent, revocable from the cookie banner).

5. Recipients and external processors

All the entities listed below are appointed as Data Processors pursuant to Art. 28 GDPR through a specific contractual instrument. No party outside this list has access to your data. Health data are accessible exclusively to the assigned physiotherapist; all other providers process strictly technical/administrative data.

Partner physiotherapists: access the health data of the assigned patient only in order to deliver the service. Registered with the professional Register and bound by professional secrecy under Art. 622 of the Italian Criminal Code. No physiotherapist may view data of patients not assigned to them.
EU cloud hosting (data centres located within the European Economic Area): application infrastructure and database. No non-EU transfer for health data. TLS encryption in transit + at-rest encryption on volumes.
Stripe (Ireland + USA): payment processing. Processes administrative data only (amount, email, billing details). Never health data. Any non-EU transfer is based on Standard Contractual Clauses under Art. 46 GDPR.
Google LLC: only if you sign in with your Google account (OAuth limited to email + profile) or if the physiotherapist has enabled synchronisation of their own Google Calendar (scope calendar.events, read/write limited to events created by Ri-Hub). Never patient health data. Non-EU transfer based on Standard Contractual Clauses.
PostHog (EU cloud, eu.i.posthog.com): anonymous aggregate analytics, only after explicit consent through the cookie banner. IP not tracked; session replay disabled. Never health data.
Brevo (Sendinblue): sending of transactional emails and newsletters. EU servers. Processes only email + name.
Twilio Video (Ireland + USA): delivery of real-time video consultations via channels encrypted in transit (SRTP/DTLS). Twilio's SFU servers relay the audio/video streams between physiotherapist and patient; video consultations are NOT recorded or retained. Non-EU transfer based on Standard Contractual Clauses under Art. 46 GDPR.
Apple Inc. (USA): only if you sign in with your Apple ID via "Sign in with Apple". Processes only the Apple identifier + email (optional anonymous relay). Never health data. Non-EU transfer based on SCC.
Firebase Cloud Messaging (Google LLC, USA): for push notifications on the Android and iOS app. Processes only an opaque device token. Never health data in the payload. Non-EU transfer based on SCC.
MinIO (self-hosted object storage, EU region): retention of signed informed-consent documents (PDF + ID card front/back). Internal Ri-Hub servers, access restricted to authorised technical staff only and to the assigned physiotherapist. Volume-level at-rest encryption.
Ri-Hub internal CRM (self-hosted EU server, domain crm.ri-hub.it): patient-record management system accessible only to Ri-Hub clinical/administrative staff bound by professional secrecy and confidentiality agreements. Receives automatic event sync: registration, scheduled anamnesis, signed consent, session purchases, completed sessions.
Calendly (USA): only if the physiotherapist has connected their Calendly account to synchronise availability outside Ri-Hub. Processes only slot metadata (dates/times), no clinical data. Non-EU transfer based on SCC.
Google Analytics 4 (Google LLC, USA): aggregate usage metrics only after explicit consent through the cookie banner. IP anonymised, ad personalisation disabled by default. Never health data. SCC.

6. Google API Services User Data — specific disclosure

This section is provided to comply with the Google API Services User Data Policy and the Google APIs Terms of Service.

Important — who is concerned. The Google API integration is an opt-in feature available exclusively to physiotherapists partnering with Ri-Hub, who can choose to synchronise the appointments managed through the app onto their own Google Calendar. Patients do NOT use any Google API in the context of the service: patient authentication happens via email/password or "Sign in with Apple". If you are a patient, this section does not apply to your use of the service.

6.1 Google data accessed by Ri-Hub ("Data Accessed")

When a physiotherapist runs the Google OAuth flow inside Ri-Hub, the app requests only the minimum scopes strictly necessary for the feature being enabled. No other scope is ever requested.

Physiotherapist's Google identity: scope https://www.googleapis.com/auth/userinfo.email. Ri-Hub receives from Google only the verified email address, used to associate the integration with the physiotherapist's existing Ri-Hub account.
Google Calendar sync: scope https://www.googleapis.com/auth/calendar.events. Ri-Hub reads and writes only the events created and managed by the app itself. We do NOT request the full calendar scope nor calendar.readonly: the rest of the physiotherapist's calendar remains completely invisible to Ri-Hub.

Ri-Hub NEVER accesses: Gmail content, Drive/Docs, Photos, Contacts, search history, location, YouTube or any other Google service.

6.2 How Ri-Hub uses Google data ("Data Usage")

Google email: solely to associate the Calendar integration with the correct physiotherapist account in Ri-Hub. No other use. Never used for profiling nor for training AI/ML models.
Google Calendar events: to write on the physiotherapist's calendar the appointments confirmed with patients through Ri-Hub (each event is created as "Ri-Hub: Session with [Patient]"); to read back only the events previously created by Ri-Hub, in order to detect cancellations or edits made directly by the physiotherapist on Google Calendar and keep the app's availability in sync. Each Ri-Hub event carries a proprietary metadata marker that uniquely identifies it.

6.3 Sharing of Google data with third parties ("Data Sharing")

Ri-Hub does NOT transfer, sell or share data obtained through Google APIs with any third party, with two narrow exceptions strictly necessary to deliver the service:

Cloud hosting in the European Economic Area (EU data center) where the Ri-Hub backend runs: Google data received transits and resides there as part of normal service delivery. The hosting provider is appointed as Data Processor under Art. 28 GDPR.
Returning the data back to the physiotherapist themselves inside the Ri-Hub interface (e.g. showing the physio the sync status of a Calendar event they just managed).

Google data is never used for advertising, profiling, marketing, AI/ML model training, nor for any purpose other than the OAuth functionality described above. Google data is never transferred outside the EEA in the context of Ri-Hub's use.

6.4 Storage and protection ("Data Storage & Protection")

In transit: all calls to Google APIs use HTTPS/TLS 1.3.
At rest: Google access tokens and refresh tokens are encrypted at the application layer before being persisted to the database, on top of the volume-level at-rest encryption.
Access control: Google tokens and derived data are accessible only to the Ri-Hub backend running on EU infrastructure. No employee accesses tokens in cleartext: any operational access requires a documented exception logged in the audit trail.
Localisation: Google data received is stored exclusively within the European Economic Area.
Audit log: every meaningful token use (refresh, Calendar API call) is logged for security purposes.

6.5 Retention and deletion ("Data Retention & Deletion")

OAuth tokens (access + refresh): kept while the integration is active. Deleted immediately when the user disconnects the integration from the app, or when Google revokes them.
Physiotherapist's Google email: kept while the Calendar integration is active (see § 8 of this policy for general account retention criteria).
Google Calendar events created by Ri-Hub: the event on the physiotherapist's calendar remains until they delete it; the internal reference in Ri-Hub is removed when the appointment is cancelled in the app or when the integration is disconnected.

How to revoke / delete Google data from Ri-Hub:

Inside the Ri-Hub app: Settings → Integrations / Google Calendar → "Disconnect" — this removes the access/refresh tokens, stops writing to Calendar, and clears sync metadata.
From Google: https://myaccount.google.com/permissions → revoke access for "Ri-Hub". Ri-Hub detects the revocation on the next call and clears the tokens.
Full deletion of the Ri-Hub account: email privacy@ri-hub.it or use the in-app Delete account function. Removal of associated Google data happens together with account deletion.

Limited Use disclosure. Ri-Hub's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

7. Your rights (Articles 15–22 GDPR)

You have the right to: access your data, rectify them, obtain their erasure ("right to be forgotten"), restrict processing, receive them in a portable format, object to processing, and withdraw at any time the consents you have given (including analytics cookies and marketing) without prejudice to the lawfulness of processing based on consent before its withdrawal.

You may also lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it).

To exercise your rights, write to privacy@ri-hub.it. Deletion of the account in the app entails the removal of personal data within 30 days; for tax and contractual obligations, certain records (e.g. invoicing, appointments) are retained in pseudonymised form for the period required by law.

8. Retention period

Account and health data: for the entire duration of the contractual relationship and up to 10 years after its termination, solely for the purpose of mandatory retention of the medical record and tax documentation.
Authentication tokens: refresh token renewed at each access, maximum validity of 365 days of inactivity.
Anonymous analytics data (PostHog): 12 months.
Technical security logs: 6 months.

9. Security measures

We adopt technical and organisational measures appropriate to the risk pursuant to Art. 32 GDPR:

Encryption in transit: TLS 1.3 mandatory on all connections between app/site and backend; no communication in clear.
Encryption at rest: the volumes on which health data reside are encrypted at the disk level; OAuth tokens and the most sensitive data are further encrypted at the application level.
Authentication: refresh tokens with SHA-256 hashing and automatic rotation; passwords are never stored in clear (hashed with standard PBKDF2/argon2 algorithms).
Access control (RBAC): distinct patient / physiotherapist / administrator roles with least-privilege access; the physiotherapist sees only the data of patients assigned to them.
Audit log: immutable logging of access to health data, retained for 6 months for security purposes.
Backups: encrypted and versioned backups, stored in an EU region and tested periodically.
EU localisation: health data reside exclusively on cloud infrastructure within the European Economic Area; no non-EU transfer of health data.
Provider security standards: the hosting and cloud providers used operate with ISO 27001 / SOC 2 certifications and are GDPR-compliant.
Training and procedures: staff are trained on privacy + security; data breach management plan with notification to the Italian Data Protection Authority within 72 hours (Art. 33 GDPR) and to the data subject in case of high risk (Art. 34).

10. Minors

The service is not intended for users under 14 years of age. For users between 14 and 18 years of age, processing requires the consent of the holder of parental responsibility (Italian Legislative Decree 101/2018, Art. 2-quinquies). If you are a parent and suspect that a child under 14 has created an account, contact privacy@ri-hub.it to request immediate deletion.

For detailed information on the use of cookies (necessary, analytics, etc.) please see our Cookie Policy. You can change your preferences at any time via the cookie banner on the home page.

12. Changes

This notice may be updated. The current version is published at ri-hub.it/en/privacy and is mirrored in the app at app.ri-hub.it/privacy to ensure access also in Capacitor offline mode. Last revision: May 2026.