Privacy Policy

Last updated: 2026-02-08

1) Who we are

Data Controller: Physio Vibe, Str. Universitatii, Nr. 48, Bl. 48B, Sc. A, Mezanin, Ap. 1, Suceava, 720228, RO, Reg. no. J2025028219005, VAT 51659775. Contact: Contact page, +40 791 411 811. If applicable, Data Protection Officer: +40 791 411 811.

2) What we collect

  • Booking requests: name, phone, preferred contact channel (call/WhatsApp/SMS), preferred time window, optional service/variant, note; consent to be contacted.
  • Operational meta: IP (masked or city-level), user agent hash, timestamps, status (new/contacted/scheduled).
  • Attribution: first-party session ID (pv_sid), UTM/gclid/referrer and landing URL/time; only minimal data for performance/analytics with consent where required.
  • Reviews: if you submit a review directly, we store your initials and text; Google reviews are displayed with attribution to Google.

3) Why we use it (lawful bases)

  • Contract / pre-contract: to process your booking request and schedule an appointment.
  • Legitimate interests: Site security, anti-spam, basic lead management, service quality metrics (minimized, privacy-preserving).
  • Consent: marketing/analytics cookies, WhatsApp/SMS confirmations (where required by local law), optional review publication.

4) Cookies, analytics & consent

We use Google Tag Manager and Google Analytics 4 with Consent Mode v2. Without consent, only limited, cookieless pings may be sent. We also use a first-party session cookie (pv_sid) to link a booking request to its landing source (UTMs/gclid/referrer) for basic reporting.

  • Consent tool: On first visit you will see a consent banner. You can change your choices anytime.
  • Turnstile/anti-spam: We may use Cloudflare Turnstile to block bots, which performs a lightweight challenge.

5) Sharing & transfers

We may share limited data with processors strictly for our operations (hosting, security, messaging providers for WhatsApp/SMS, analytics). Google services may process data outside the EU under Standard Contractual Clauses. We require contracts and appropriate safeguards from our providers.

6) Retention

  • Booking requests: typically 90 days if not converted into appointments; if converted, we keep administrative records for 5 years as required by law/accounting.
  • Attribution records (pv_sid): 90 days for non-conversions; aligned with booking records if converted.
  • Server logs/anti-spam: 30-90 days unless needed for security investigations.

7) Your rights

Under GDPR, you may request access, rectification, deletion, restriction, portability, or objection. You may withdraw consent at any time (does not affect prior processing). To exercise your rights, use our contact page. You can also lodge a complaint with the Romanian DPA (ANSPDCP).

8) Security

We implement technical and organizational measures (encryption in transit, access controls, least-privilege, anti-spam/rate limits). No method is 100% secure, but we strive to protect your data.

9) Changes

We may update this policy from time to time. The latest version is always published here.

Book now