en
Physiotherapy to improve everyday life!

Privacy notice

Last updated 16 April 2026

Data Controller

Company / Business name: ArkiFysio
Business ID: 3610902-4
Address: Viipurinkatu 12 L 113, 00510 HELSINKI
Phone: +358 41 325 5642
Email: veeti@arkifysio.fi

Contact person: Veeti Anttila
Phone: +358 41 325 5642
Email: veeti@arkifysio.fi

Purpose of Processing Personal Data

Personal data is processed for the following purposes:

  • Provision of physiotherapy and wellness services
  • Planning, implementation and follow-up of treatment
  • Management of the customer relationship
  • Appointment booking and communication
  • Invoicing and accounting
  • Fulfilment of statutory obligations

Legal Basis for Processing

The processing of personal data is based on:

  • Customer relationship (contract)
  • Provision of healthcare services
  • Statutory obligations
  • The customer’s consent (where necessary)

Health data is a special category of personal data and is processed only within the limits permitted by law.

Personal Data Processed

The following data may be processed in the register where necessary:

  • Name
  • Personal identity code (only for physiotherapy services)
  • Contact details (phone, email, address)
  • Health data (medical history, diagnoses, treatment information)
  • Appointment information
  • Billing information

Retention Period of Data

Personal data is stored only for as long as necessary:

  • Patient records are retained in accordance with statutory retention periods
  • Other data is retained for as long as the customer relationship is valid and thereafter for the period required by the Accounting Act

Regular Sources of Data

Data is primarily obtained from:

  • The customer
  • Other healthcare professionals, where necessary and with the customer’s consent

Disclosure of Data

Data may be disclosed to:

  • Authorities in cases required by law
  • Kela or insurance companies with the customer’s consent
  • Other healthcare providers with the customer’s consent

Transfer of data outside the EU/EEA

As a rule, data is not transferred outside the EU/EEA.
If any transfers are made, an adequate level of data protection is ensured in accordance with legislation.

Register protection

Personal data is appropriately protected as follows:

  • Electronic systems are protected with usernames and passwords. Patient records require also identification with ID-card
  • Access to data is restricted only to those who, based on their work duties, have the right to process the data
  • Paper materials are stored in locked premises

Rights of the data subject

The data subject has the right to:

  • Inspect their own data
  • Request the rectification of inaccurate data
  • Request restriction of processing
  • Object to processing
  • Lodge a complaint with a supervisory authority

Data requests must be made in writing to the controller.

Automated decision-making

No automated decision-making or profiling is used in the register.

Updating the privacy notice

The privacy notice may be updated when necessary.
Latest update: 16 April 2026