Health data and cloud software: what clinic owners must verify (GDPR-ready mindset)
Posture assessments generate identifiable health-related data. If you move from paper to a cloud platform, your obligations as a clinic do not disappear—they become more visible. This guide supports owners and DPOs in physiotherapy organisations when reviewing tools like PosturalCheck alongside qualified legal advice.
At a glance
- Clarify who is data controller for patient files versus what the vendor processes as processor.
- Map retention, access roles, and export/deletion before go-live—not after the first incident.
- Use vendor documentation (privacy policy, security overview, DPA) as audit evidence, not marketing claims.
Controller, processor, and what your contract must say
In typical EU-style frameworks, the clinic that decides why and how patient data is processed acts as controller. The SaaS vendor usually processes data on your instructions as processor, which should be documented in a Data Processing Agreement (DPA). When evaluating PosturalCheck, confirm how subprocessors, storage region, and support staff access are described, so that your record of processing activities stays accurate.
Transparency to patients: purposes tied to real workflows
Your privacy notice should reflect concrete activities: capturing posture images, generating PDF reports, sharing materials with the patient, and internal quality review. If you enable optional features (e.g. sharing links), describe them plainly. Generic “we care about privacy” pages do not replace purpose limitation and retention rules aligned to your specialty.
Operational security: accounts, roles, and least privilege
Operational risk is reduced when every staff member has the minimum permissions needed—view-only versus full analysis rights, separate admin accounts, and offboarding checklists when someone leaves. Ask how audit trails work for sensitive actions. PosturalCheck is built around organisation and role concepts; your policy should define who may generate, export, or delete analyses.
Vendor questions that actually surface gaps
Request clear answers on encryption in transit, backup strategy, incident notification timelines, and data export. Test your own procedures: can you produce a patient export within the timeframe your policy promises? Combine technical due diligence with staff training so the tool’s security features are actually used.
Common questions
- Is this article legal advice?
- No. It is operational guidance for clinic governance. Always confirm requirements with counsel qualified in your jurisdiction.