Privacy Policy
Last updated:
1. Introduction & Identity of the Data Controller
ARRISE – Academy for Research & Orthopaedic Rehabilitation, Innovation and Sports Medicine Excellence ("ARRISE", "we", "us", or "our") is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, share, and safeguard information about you when you use our website, platform, or services.
Controller: ARRISE
Address: Dorpsstraat 11, 2950 Kapellen, Belgium
Email: privacy@arrise.be
Phone: +32 484 54 59 04
VAT / Company number: BE 1234.567.890
RIZIV/INAMI recognition: Yes – recognised physiotherapy practice
2. Legal Framework
We process personal data in accordance with:
- Regulation (EU) 2016/679 (GDPR)
- The Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data
- The Belgian Act of 22 August 2002 on patients' rights
- Any applicable sector-specific legislation governing healthcare data in Belgium
3. Personal Data We Collect
3.1 Data you provide directly
- Contact details (name, email address, phone number)
- Account credentials (email, hashed password)
- Appointment requests and scheduling information
- Health and medical information provided for the purpose of treatment (special category data under Article 9 GDPR)
- Session and rehabilitation reports
- Academy course enrolments and progress
- Shop orders, billing address, and payment reference (we do not store full card numbers)
- Messages sent via the contact form
3.2 Data collected automatically
- IP address and approximate geographic location
- Browser type, operating system, and device identifiers
- Pages visited, referring URLs, and session duration
- Cookies and similar tracking technologies (see Section 9)
4. Purposes & Legal Bases for Processing
| Purpose | Legal basis (GDPR) |
|---|---|
| Providing physiotherapy and rehabilitation treatment | Art. 6(1)(b) – contract; Art. 9(2)(h) – healthcare |
| Managing patient appointments and scheduling | Art. 6(1)(b) – contract |
| Processing academy enrolments and delivering training | Art. 6(1)(b) – contract |
| Processing shop orders and payments | Art. 6(1)(b) – contract |
| Responding to contact form enquiries | Art. 6(1)(b) – pre-contractual / Art. 6(1)(f) – legitimate interest |
| Sending service-related emails (confirmations, reminders) | Art. 6(1)(b) – contract |
| Marketing & newsletters (with opt-in) | Art. 6(1)(a) – consent |
| Security, fraud prevention, and abuse detection | Art. 6(1)(f) – legitimate interest |
| Compliance with legal and regulatory obligations | Art. 6(1)(c) – legal obligation |
| Anonymous research & clinical quality improvement | Art. 6(1)(f) – legitimate interest (data anonymised) |
5. Special Category Data – Health Information
As a healthcare provider, we necessarily process health and medical data about patients. Such data constitutes a "special category" under Article 9 GDPR and receives the highest level of protection. We process this data exclusively for the purpose of providing care, under the supervision of qualified healthcare professionals, and only to the extent necessary for diagnosis, treatment, rehabilitation, and follow-up. Access is restricted to the healthcare professionals directly involved in your care and is protected by strict confidentiality obligations.
6. Who We Share Your Data With
We do not sell your personal data. We may share data with:
- Crossuite – appointment & practice management platform (data processor, Belgium)
- Payment processors – for secure transaction handling
- Email delivery providers – for transactional and marketing emails
- Cloud hosting providers – for website and data storage
- Referring physicians or medical colleagues – only with your explicit consent or where legally required
- Health insurers / RIZIV/INAMI – for reimbursement procedures, as required by law
- Legal authorities – when required by a court order or applicable law
All processors are bound by data processing agreements ensuring GDPR-compliant handling of your data.
7. Retention Periods
| Category | Retention period |
|---|---|
| Patient medical records | 30 years after last treatment (Belgian healthcare law) |
| Appointment & session data | 10 years |
| Invoicing & financial records | 7 years (Belgian accounting law) |
| Contact form messages | 3 years |
| Marketing consent & email lists | Until withdrawn, then deleted within 30 days |
| Website analytics (anonymised) | 13 months |
| Account data (inactive accounts) | Deleted after 3 years of inactivity |
8. Your Rights Under the GDPR
You have the following rights regarding your personal data. To exercise any of these rights, contact us at privacy@arrise.be. We will respond within 30 days.
Right of access
Request a copy of all personal data we hold about you (Article 15 GDPR).
Right to rectification
Ask us to correct inaccurate or incomplete data (Article 16 GDPR).
Right to erasure
Request deletion of your data where there is no longer a lawful basis for processing (Article 17 GDPR). Note: medical record retention obligations may limit this right.
Right to restriction
Ask us to restrict processing of your data in certain circumstances (Article 18 GDPR).
Right to portability
Receive your data in a structured, machine-readable format (Article 20 GDPR).
Right to object
Object to processing based on legitimate interests or for direct marketing (Article 21 GDPR).
Right to withdraw consent
Where processing is based on consent, you may withdraw it at any time without affecting prior processing.
Right to lodge a complaint
You may file a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit) at dataprotectionauthority.be.
9. Cookies & Tracking
We use cookies and similar technologies. The types we use include:
- Strictly necessary cookies – session management, CSRF protection, authentication. Cannot be disabled.
- Preference cookies – language selection and dark/light mode. No consent required.
- Analytics cookies – anonymised traffic statistics. Require your consent.
- Marketing cookies – only set if you opt in to marketing communications.
You can manage or withdraw cookie consent at any time via your browser settings or by contacting us.
10. Data Security
We implement appropriate technical and organisational measures to protect your data against unauthorised access, disclosure, alteration, or destruction. These include TLS encryption in transit, bcrypt-hashed passwords, role-based access controls, regular security reviews, and data minimisation practices. In the event of a data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay.
11. International Data Transfers
We primarily store and process data within the European Economic Area (EEA). Where any service provider transfers data outside the EEA, we ensure appropriate safeguards are in place (Standard Contractual Clauses or adequacy decisions under Chapter V GDPR).
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email (for registered users) or through a prominent notice on our website. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of our services after changes take effect constitutes acceptance of the revised policy.
13. Contact & Complaints
For any questions about this Privacy Policy or to exercise your rights, contact our privacy team:
Email: privacy@arrise.be
Address: ARRISE, Dorpsstraat 11, 2950 Kapellen, Belgium
Phone: +32 484 54 59 04
If you are not satisfied with our response, you may lodge a complaint with the Belgian Data Protection Authority (GBA/APD), Rue de la Presse 35, 1000 Brussels.