Privacy Policy
How we collect, use, and protect your data
Last updated: 2026-03-20
1. Introduction
IJFysio respects your privacy and is committed to protecting your personal data. This privacy policy explains how we collect, use, share, and protect your personal information when you visit our website or use our services. This policy has been prepared in accordance with the General Data Protection Regulation (GDPR) and its Dutch implementation.
2. Data Controller
The data controller responsible for processing your personal data is:
IJFysio B.V.
Amsterdam IJburg Diemerparklaan 35, 1087 GN Amsterdam, Nederland
KvK: [TODO]
For questions about this privacy policy or your data, you can reach us using the contact details shown below.
info@ij-fysio.nl
+31201234567
3. What Data We Collect
We collect different types of information depending on how you interact with our website:
3.1 Website Visitors
When you visit our website, we collect minimal technical data:
- IP address (only in anonymised form; see section 3.4 regarding analytics)
- Browser type and version
- Pages visited and referring URL
- Date and time of visit
This data is used to improve website functionality and detect security issues. We do not use this data to identify individual visitors.
3.2 Contact Forms
When you fill out the contact form, we collect:
- Name
- Email address
- Phone number (optional)
- Message/question
This information is used to respond to your inquiry and contact you.
3.3 Appointment Booking
When you book an appointment online via Cal.eu (European instance), we collect:
- Name
- Email address
- Phone number
- Preferred date and time
- Reason for appointment (optional)
This data is used to schedule your appointment and send you reminders.
Cal.eu acts as our data processor for this data; the European instance keeps it within the EU.
3.4 Cookies and Local Storage
Our website uses very few cookies and storage mechanisms:
Strictly Necessary
The following storage is essential for the website to function and is exempt from consent under the Dutch Telecommunications Act (Telecommunicatiewet):
- Cookie consent preferences (ijfysio_cookie_preferences) — stored in your browser's local storage to remember your consent choice
- Cloudflare Turnstile cookies — set only on the platform signup form for bot protection (strictly necessary security measure)
These are exempt from consent requirements because they are strictly necessary for the website to function or to provide a service you explicitly requested.
Third-Party Services (Consent Required)
The following services are only loaded after you give your consent via our cookie banner:
- Google Reviews widget (Elfsight) — displays patient reviews from Google. Loads scripts from Elfsight and Google servers.
- Google Maps — interactive map in the footer showing our practice location. Loads content from Google servers.
- Google Fonts — loaded indirectly by the above services. Google receives your IP address when these fonts are loaded.
These services are blocked by default and only activated when you click "Accept All" or enable "Third-party Services" in the cookie settings. You can withdraw your consent at any time via the Cookie Preferences button in the footer.
We do not use Google Analytics or any other analytics cookies. Our planned analytics solution (Plausible Analytics) is cookie-free and GDPR-compliant by design.
4. Legal Basis for Processing
We process your data based on the following legal grounds under GDPR:
Consent (Art. 6(1)(a) GDPR)
For loading third-party services (Google Reviews widget, Google Maps) that may transfer data to external providers. You can withdraw consent at any time via the Cookie Preferences button.
Performance of a Contract (Art. 6(1)(b) GDPR)
For processing appointment bookings, which is necessary to deliver the services you request.
Legal Obligation (Art. 6(1)(c) GDPR)
For tax administration and compliance with accounting requirements.
Legitimate Interest (Art. 6(1)(f) GDPR)
For improving our website, fraud prevention, bot protection (Cloudflare Turnstile), and network security.
5. How We Use Your Data
We use your personal data for the following purposes:
- Responding to your questions and requests
- Scheduling and managing appointments
- Improving our website and services
- Complying with legal obligations
- Protecting against fraud and automated abuse (bot protection)
- Displaying patient reviews (only with your consent)
- Showing our practice location on an interactive map (only with your consent)
6. Sharing Data with Third Parties
We only share your data with third parties when necessary for our service delivery. We never sell your personal data to third parties.
Cal.eu (Appointment Scheduling)
Purpose: For managing online appointment bookings
Location: European Union (Cal.eu instance)
Safeguards: Data Processing Agreement, GDPR compliant, data stored within EU
We use Cal.eu (European instance) to ensure all booking data remains within the EU for GDPR compliance.
Elfsight (Google Reviews Widget)
Purpose: For displaying verified Google Reviews on our homepage. Only loaded after you give consent.
Location: European Union / United States
Safeguards: Loaded only after explicit consent via the cookie banner.
When loaded, Elfsight proxies Google reviewer photos and loads scripts from its CDN (Cloudflare), connecting to multiple external domains including elfsightcdn.com, service-reviews-ultimate.elfsight.com, and Google Fonts servers. A Cloudflare cookie (_cfuvid) may be set by Elfsight's servers.
Google Maps (Interactive Map)
Purpose: For displaying an interactive map of our practice location in the website footer. Only loaded after you give consent.
Location: United States (Google LLC)
Safeguards: Loaded only after explicit consent via the cookie banner. Embedded as a cross-origin iframe, so the Google content cannot read or modify the rest of our page.
When loaded, Google receives your IP address and may set cookies within the Google Maps iframe. Google Fonts are also loaded, which transfers your IP address to Google servers.
Cloudflare Turnstile (Bot Protection)
Purpose: For protecting platform signup forms against automated abuse and bot attacks
Location: Global (Cloudflare Inc.)
Safeguards: Strictly necessary security measure, exempt from consent. Processes browser fingerprint and IP address for bot detection only. Does not track users across websites.
GoHighLevel (Communication)
Purpose: For sending emails, WhatsApp messages, and feedback requests (such as satisfaction surveys and review requests)
Location: United States
Vercel (Website Hosting)
Purpose: For hosting our website
Location: Netherlands/EU data centres
Safeguards: Data Processing Agreement
Resend (Email Service)
Purpose: For sending appointment confirmations and contact form responses
Location: United States
Safeguards: Data Processing Agreement and EU-US Data Privacy Framework
Supabase (Database & File Storage)
Purpose: For securely storing practice data and the staff profile images displayed on the website; also used as infrastructure for our admin portal.
Location: Frankfurt, Germany (EU)
Safeguards: Data Processing Agreement, SOC 2 Type II certified, encryption at rest and in transit, GDPR compliant
All data stored in EU data centres. Clinical client records are covered under a separate client privacy policy (WGBO compliance).
Upstash (Performance Cache & Rate Limiting)
Purpose: For improving admin portal performance and for distributed rate limiting to protect against brute-force attacks
Location: Frankfurt, Germany (EU)
Safeguards: Data Processing Agreement, SOC 2 Type II certified, AES-256 encryption at rest, TLS 1.3 encryption in transit, automatic data expiry (5-minute cache TTL, 15-minute rate limit TTL)
Upstash Redis is used for admin portal infrastructure only. All cached data is encrypted and expires automatically.
7. Data Retention Periods
We do not retain your data longer than necessary for the purposes for which it was collected:
- Contact form submissions: 2 years after last contact
- Appointment data: 2 years after last appointment
- Analytics data: aggregated only, no individual visitor records retained (Plausible Analytics — planned)
- Consent preferences: stored in your browser until you clear them or revoke consent
Note: Clinical client records are not covered by this website privacy policy. For information about client data, see our separate client privacy policy in accordance with the Dutch Medical Treatment Contracts Act (WGBO).
8. Your Rights
Under GDPR, you have the following rights regarding your personal data:
Right of Access (Art. 15 GDPR)
You have the right to know whether we process personal data about you and to receive a copy of that data.
Right to Rectification (Art. 16 GDPR)
You have the right to have inaccurate or incomplete data corrected.
Right to Erasure / 'Right to be Forgotten' (Art. 17 GDPR)
You have the right to have your data deleted in certain circumstances, such as when the data is no longer needed or when you withdraw your consent.
Right to Restriction of Processing (Art. 18 GDPR)
You have the right to restrict the processing of your data in certain situations.
Right to Data Portability (Art. 20 GDPR)
You have the right to receive your data in a structured, commonly used, and machine-readable format and to transfer it to another data controller.
Right to Object (Art. 21 GDPR)
You have the right to object to the processing of your data based on legitimate interest or for direct marketing purposes.
Right to Withdraw Consent (Art. 7(3) GDPR)
If we process your data based on consent, you have the right to withdraw that consent at any time. You can do this via the Cookie Preferences button in the footer of our website or by contacting us directly.
To exercise any of these rights, contact us using the details in the Contact section below. We will respond to your request within one month, as required by Art. 12(3) GDPR; for complex or numerous requests this period may be extended by two further months, in which case we will inform you within the first month.
You also have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl) if you believe we are not processing your data correctly.
9. Security Measures
We take the security of your data seriously and have implemented the following measures:
- HTTPS encryption for all website traffic
- Secure hosting infrastructure with EU data centres
- Field-level encryption for sensitive data (AES-256-GCM)
- Limited access to personal data (authorised personnel only)
- Regular security updates and patches
- Strong password and multi-factor authentication requirements for administrative access
- Automated backups with encryption
- Bot protection on forms (Cloudflare Turnstile)
- Rate limiting to prevent brute-force attacks
In the unlikely event of a data breach, we will notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours of becoming aware of it where the breach is likely to result in a risk to your rights and freedoms (Art. 33 GDPR), and we will inform affected individuals without undue delay where the breach is likely to result in a high risk to them (Art. 34 GDPR).
10. Links to External Websites
Our website may contain links to external websites (such as social media platforms). We are not responsible for the privacy policy or content of these external sites. We recommend reading the privacy policies of these sites before sharing personal information.
11. Children
Our website and online services are intended for persons aged 18 and older. Under the Dutch GDPR Implementation Act (UAVG), children under 16 require the consent of a parent or guardian, and we do not knowingly collect personal data from children under 16 without such consent. If you believe we have inadvertently collected data from a child, please contact us.
12. Changes to This Privacy Policy
We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. The date of the last update is shown at the top of this page. Significant changes will be communicated via a notice on our website.
We recommend checking this policy regularly to stay informed about how we protect your data.
13. Contact
For questions about this privacy policy or to exercise your rights, you can contact us:
Email: info@ij-fysio.nl
Phone: +31201234567
Mail: Amsterdam IJburg Diemerparklaan 35, 1087 GN Amsterdam, Nederland
We strive to respond to all privacy-related questions within one month.