Privacy Policy

We are the Data Fiduciary responsible for handling your information.

• Data Fiduciary: Athleto Recovery
• Registered address: Athleto Recovery Lounge, 4th Cross, 2nd Main, Thunga Block, Sri Sai Sakthi Layout, Bettadasanapura, Electronic City, Bangalore 560100, India
• Email: hello@athletorecovery.com
• Phone/WhatsApp: +91 94965 74252
• Grievance Officer (India): Dr. Anshid Rahman k, grievance@athletorecovery.com, +91 94965 74252

Under the IT Act SPDI Rules we publish a Grievance Officer and resolve grievances within one month.

We collect the following categories, depending on how you use our services:

Account and booking data: name, email, phone, city, appointment preferences, booking history, and communications.

Health and consultation data: information you share in intake forms or during sessions, including symptoms, injury history, goals, exercise history, clinician notes, and any posture or workstation images you upload for ergonomics assessments. We do not record sessions unless you give explicit consent. Telemedicine consent rules apply.

Device and usage data: IP address, device and browser details, pages viewed, and cookies or similar identifiers to keep the site secure and improve performance.

Payment data: card details are collected and processed by our payment gateway. We receive limited metadata like payment status, amount, and masked identifiers. Gateways must follow PCI DSS. We do not store full card numbers or CVV.

We process personal data for these purposes:

• Account creation and booking management
• Delivering online physiotherapy and ergonomics consultations, including reviewing your submissions and creating tailored plans
• Sending confirmations, reminders, invoices, and support communications
• Site security, analytics, and service improvement
• Legal compliance and grievance handling

Legal bases under India’s DPDPA include your consent, along with other permitted grounds in the Act. You can withdraw consent at any time, and we will cease processing within a reasonable time unless retention is required by law or to complete services already purchased.

• Patient consent is required for any teleconsultation. If you initiate the consult, consent is treated as implied for that session. If we or a caregiver initiate, explicit consent is needed and recorded in our notes.
• We maintain confidentiality and keep records similar to in-person care.
• We do not record consultations without your express consent.

Our services are for adults. If we become aware that we have collected data from a person under 18 without verifiable parental or guardian consent, we will delete it. The DPDPA defines a child as under 18 and restricts tracking, behavioral monitoring, and targeted ads to children.

We use cookies that are essential for login and bookings, and functional analytics to understand usage and improve performance. You can control cookies in your browser settings, though blocking some cookies may impact features.

Online payments are handled by third-party processors that are responsible for card security under PCI DSS. We receive transaction confirmations and related metadata, not full card numbers.

We share data only with:

• Clinicians and support staff who deliver your care
• Service providers for hosting, video consultations, messaging, analytics, customer support, and payments
• Authorities or advisors where required by law or to protect rights and safety

When using a payment gateway or video platform, your data may be processed by those providers under their own privacy policies.

Your data may be processed outside India by our service providers. Under the DPDPA, cross-border transfers are generally allowed except to countries that the Central Government may restrict. We use contractual and technical safeguards where appropriate.

We retain personal and health records for as long as needed to provide services, meet legal or regulatory requirements, resolve disputes, and maintain proper clinical records. When retention is no longer required, we delete or de-identify data in line with our policies.

We apply administrative, technical, and physical controls such as encryption in transit, restricted access on a need-to-know basis, logging and monitoring, and periodic reviews. Reasonable security practices and a published Grievance Officer are mandated under India’s IT SPDI Rules.

Subject to law, you may:

• Request access to information about your personal data
• Request correction, completion, updating, or erasure
• Use the grievance redressal process
• Nominate another individual to exercise your rights in case of death or incapacity

To exercise these rights, email hello@athletorecovery.com or write to our Grievance Officer. The DPDPA requires grievance handling before approaching the Data Protection Board of India.

If a personal data breach occurs, we will notify the Data Protection Board of India and affected users as required under the DPDPA framework.

Our site may link to third-party sites or use embedded tools for video, scheduling, analytics, or payments. Their privacy practices apply when you use those services, so review their privacy policies.

If the Government of India classifies us as a Significant Data Fiduciary, additional measures will apply such as appointing a Data Protection Officer in India, conducting DPIAs, and independent audits.

We may update this Policy from time to time. We will post the updated version here with a new effective date and notify you when material changes are made.

• Email: hello@athletorecovery.com
• Grievance Officer (India): Dr. Anshid Rahman k, grievance@athletorecovery.com, +91 94965 74252, Athleto Recovery Lounge, 4th Cross, 2nd Main, Thunga Block, Sri Sai Sakthi Layout, Bettadasanapura, Electronic City, Bangalore 560100, India

We aim to resolve grievances promptly and within the statutory period.