PRIVACY POLICY 

Wood Physiotherapy Pte. Ltd. |  www.woodphysiotherapy.com

Effective Date: 1 May 2023   |   Version 1.0

 

Your Privacy Matters to Us.

At Wood Physiotherapy Pte. Ltd., we are committed to protecting your personal data in accordance with Singapore's Personal Data Protection Act 2012 (PDPA). This Privacy Policy explains how we collect, use, disclose, and protect your personal data — including sensitive health information — when you interact with our clinic, our website (www.woodphysiotherapy.com), or our services.

Please read this policy carefully. By using our services or website, you acknowledge that you have read and understood its terms.

  1   Who We Are and Scope of This Policy 

Wood Physiotherapy Pte. Ltd. ('we', 'us', 'our', or 'the Clinic') is a specialist physiotherapy and pain management centre registered in Singapore. We operate both a physical clinic at 360 Orchard Road and a website at www.woodphysiotherapy.com.

This Privacy Policy applies to:

       All patients who visit, register with, or receive treatment at the Clinic;

       Visitors to our website who submit enquiries, book appointments, or interact with any web form;

       Individuals whose personal data is provided to us by a referring doctor, insurer, employer, or legal representative;

       Any person whose personal data we collect in the course of providing physiotherapy, rehabilitation, or pain management services.

This policy does not apply to third-party websites, platforms, or services that may be linked from our website. We are not responsible for the privacy practices of those third parties.

  2   Types of Personal Data We Collect 

We collect only the personal data that is necessary for the purposes described in this policy. The categories of personal data we may collect include:

2.1  Identification and Contact Information

       Full name (as per NRIC or passport)

       NRIC, FIN, or passport number (where applicable)

       Date of birth and gender

       Nationality and marital status

       Residential or mailing address

       Mobile number, home or office telephone number

       Email address

       Occupation and employer details

2.2  Medical and Health Information (Sensitive Personal Data)

Sensitive Data Notice: Health and medical information is classified as sensitive personal data under the PDPA. We collect and use such data only with your explicit consent and subject to strict confidentiality safeguards.

       Medical history, existing conditions, current medications, and results from medical examinations and tests, including but not limited to nerve velocity tests, stress tests, positron emission tomography (PET) scans, blood tests, and bone density tests. For oncology and related cases, this includes specialised diagnostic data such as DNA tests, biopsies, Pap smears, endoscopies, and other cancer-related investigations.

       Allergies and known drug or substance reactions

       Surgical history and previous physiotherapy treatment

       Pain levels, symptoms, and clinical assessment findings

       Diagnostic imaging reports (X-ray, MRI, CT scan, ultrasound)

       Treatment notes, progress notes, and session records

       Discharge summaries and clinical outcome data

       Workers' compensation, motor vehicle accident, or insurance claim details

2.3  Appointment and Billing Information

       Appointment dates, times, and session history

       Treatment packages purchased and session balances

       Payment method and billing records

       Insurance policy numbers, insurer details, and claim references

       MediSave and Integrated Shield Plan information (where applicable)

2.4  Emergency Contact Information

       Emergency contact name, relationship, and telephone number

2.5  Website and Online Activity Data

       IP address and device type

       Browser type and operating system

       Pages visited, time spent on pages, and referring URL

       Form submissions (booking requests, enquiries, newsletter sign-ups)

       Cookie and tracking data (see Section 11)

2.6  Communications Data

       Emails, WhatsApp messages, or other correspondence sent to us

       Feedback, complaints, and survey responses

       Marketing consent preferences and opt-out records

  3   How We Collect Your Personal Data 

We collect personal data through the following means:

       Patient Registration: When you complete our Physical / In-Clinic Patient Registration Form at the clinic.

       Online Booking Form: When you submit a booking request via the Book Appointment page on our website.

       Online Enquiry Form: When you submit an enquiry or contact us via the Contact Us page on our website.

       Referrals: When a doctor, specialist, employer, or insurer refers you to us and provides your personal data to facilitate the referral.

       Telephone / WhatsApp: When you call or message us to make an appointment, enquire about our services, or follow up on your treatment.

       In-Clinic Assessments: During clinical assessments, consultations, and treatment sessions, where our physiotherapists record clinical findings, treatment plans, and progress notes.

       Insurance & Legal: When your insurer, employer, Workers' Compensation Board, or legal representative provides us with your details in connection with a claim or legal proceeding.

       Website Cookies: Automatically via cookies and tracking technologies when you visit our website (see Section 11).

       Third Parties: From healthcare providers, hospitals, or other allied health professionals involved in your care who share relevant information with your consent.

  4   Purposes for Which We Use Your Personal Data 

We collect, use, and disclose your personal data only for the purposes for which it was collected or for directly related purposes, as described below:

4.1  Provision of Healthcare Services

       Scheduling, confirming, and managing your physiotherapy appointments

       Conducting clinical assessments, diagnoses, and developing individualised treatment plans

       Delivering physiotherapy, rehabilitation, and pain management services

       Monitoring your clinical progress and adjusting treatment plans accordingly

       Communicating relevant health updates, home exercise instructions, or follow-up care advice

4.2  Administrative and Business Operations

       Maintaining accurate and up-to-date patient records

       Processing payments, issuing receipts and invoices, and managing billing

       Administering treatment packages, tracking session balances, and managing package validity

       Communicating with you regarding appointments, cancellations, rescheduling, and clinic updates

       Responding to your enquiries, feedback, or complaints

4.3  Insurance and Legal Purposes

       Facilitating insurance claims, direct billing arrangements, and MediSave / Integrated Shield Plan processing (if applicable)

       Preparing, issuing, and submitting medical-legal reports, insurance reports, or clinical summaries as authorised by you (see Section 5)

       Communicating with your insurer, insurance agent, employer, or legal representative as authorised

       Complying with legal obligations, court orders, regulatory requirements, or government directives

       Cooperating with investigations by regulatory or law enforcement authorities where required by law

4.4  Marketing and Promotional Communications (Opt-In)

Consent Required: We can only send you appointment reminders and will only send you marketing or promotional messages if you have provided us with your explicit consent. Your consent may be withdrawn at any time by contacting us at [email protected] or by clicking 'unsubscribe' in any marketing email. We also comply strictly with Singapore's Do Not Call (DNC) Registry.

       Sending information about our services, promotions, health tips, and clinic updates via SMS, email, or WhatsApp

       Sending appointment reminders, health-related notifications, and wellness tips

       Conducting patient satisfaction surveys or feedback collection

4.5  Website, Analytics, and Improvement

       Improving the functionality, content, and user experience of our website

       Monitoring website performance, traffic patterns, and booking system usage

       Analysing service usage trends to improve clinical and operational quality

       Preventing fraud, unauthorised access, and other security threats

  5   Disclosure and Sharing of Personal Data 

We do not sell, rent, or trade your personal data. We may share your personal data with the following categories of recipients, and only to the extent necessary for the stated purpose:

       Internal Healthcare Team: Physiotherapists, clinical staff, and administrative personnel of Wood Physiotherapy who are involved in your care or the management of your records. Access is limited on a need-to-know basis.

       Insurers & TPAs: Your health insurer, motor vehicle insurer, travel insurer, or third-party administrator (TPA) for the purpose of processing your insurance claim, facilitating direct billing, or responding to claim queries — subject to your written authorisation.

       Employers & Solicitors: Your employer, HR department, Workers' Compensation Board, or legal representative, where you have provided written authorisation or where required by applicable law (e.g. WICA claims).

       Referring Physicians: Doctors, specialists, surgeons, or allied health professionals who referred you to us or who are jointly involved in your care, for the purpose of coordinating your treatment.

       IT & Platform Providers: Trusted third-party service providers who support our operations, including appointment management systems, billing software, payment processors, website hosting, and data storage. These providers are bound by confidentiality obligations and may not use your data for any other purpose.

       Marketing Platforms: Email, SMS, or messaging service providers used to deliver marketing communications — only where you have provided explicit consent and are not registered on the DNC Registry.

       Government & Regulators: The Ministry of Health (MOH), Allied Health Professions Council (AHPC), Personal Data Protection Commission (PDPC), courts, or other regulatory or law enforcement authorities, where required by law or a valid legal order.

       Overseas Transfers: Some of our IT service providers may be located or operate servers outside Singapore. Where personal data is transferred overseas, we ensure such recipients provide a standard of data protection comparable to the PDPA. We will not transfer your data internationally without taking reasonable steps to protect it.

Insurance Reports: Where your insurer or a legal representative requests a clinical report, medical-legal opinion, or records relating to your treatment, we will only release such information where you have signed our Third-Party Disclosure & Insurance Report Authorisation (contained in the Patient Registration Form). This authorisation can be revoked at any time in writing.

  6   Consent 

6.1  How We Obtain Consent

We obtain your consent for the collection, use, and disclosure of your personal data in the following ways:

       By signing or acknowledging our Patient Registration Form at the clinic, which includes a data protection consent clause;

       By ticking the PDPA consent checkbox on our online Booking Form or Enquiry Form before submitting the form;

       By verbally providing consent during your consultation for specific clinical or sensitive procedures (e.g. dry needling);

       By signing the Third-Party Disclosure & Insurance Report Authorisation where you authorise release of records to an insurer or legal representative.

6.2  Deemed Consent

In certain circumstances, your consent may be implied from the context of your interaction with us. For example, by booking an appointment and attending the clinic, you are deemed to have consented to the collection of information necessary to provide you with physiotherapy services.

6.3  Withdrawal of Consent

You may withdraw your consent for any purpose at any time by contacting us in writing using the details in Section 13. Please note that withdrawal of consent may affect our ability to continue providing certain services to you. We will advise you of the likely consequences before you finalise your withdrawal.

 

Withdrawal of consent does not affect the lawfulness of any collection, use, or disclosure of your personal data that occurred before the withdrawal.

  7   Retention and Disposal of Personal Data 

We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable Singapore law or professional guidelines — whichever is the longer period:

       Medical & Clinical Records: Minimum 6 years from the date of last treatment, or as stipulated by the MOH or AHPC, whichever is longer. Records of minors are retained until the patient turns 21, or for 6 years from last treatment — whichever is later.

       Billing and Payment Records: Minimum 5 years from the date of the financial transaction, in accordance with applicable accounting and tax requirements.

       Insurance & Legal Records: For the duration of any active insurance claim or legal proceeding, plus a further 6 years from its conclusion.

       Marketing Data: Until you withdraw consent or request deletion, subject to any applicable retention requirements.

       Website & Analytics Data: Up to 24 months from the date of collection, unless retained longer for legal or security purposes.

 

When personal data is no longer needed and the applicable retention period has expired, we will securely destroy, delete, or anonymise the data using industry-standard methods to prevent unauthorised recovery.

  8   Your Rights Under the PDPA 

As a data subject under Singapore's PDPA, you have the following rights in relation to your personal data held by us:

       Right of Access: You may request access to the personal data we hold about you, including information about the purposes for which it is being used and the persons or organisations to whom it has been disclosed.

       Right to Correction: If you believe that personal data we hold about you is inaccurate, incomplete, or misleading, you may request that we correct it. We will correct or update the data as soon as practicable unless we have reasonable grounds for not doing so.

       Right to Withdrawal of Consent: You may withdraw consent for our use of your personal data at any time (see Section 6.3). We will inform you of the likely consequences before acting on your withdrawal.

       Right to Data Portability: Where applicable under the PDPA, you may request that your personal data be transmitted to another organisation in a commonly used machine-readable format.

       Right to Request Deletion: Where your personal data is no longer required for the purpose it was collected and there is no legal obligation on us to retain it, you may request deletion. We will review and respond to your request in accordance with the PDPA.

 

To exercise any of the above rights, please submit a written request to our Data Protection Officer using the contact details in Section 13. We will acknowledge your request within 3 business days and respond substantively within 30 days of receipt.

 

Please note that some requests may be subject to exceptions under the PDPA (for example, we may be required to retain certain records by law, or disclosure may affect another individual's privacy).

  9   Security Measures 

We take the security of your personal data seriously and implement reasonable and appropriate technical, physical, and administrative safeguards to protect it from unauthorised access, collection, use, disclosure, alteration, or destruction.

9.1  Technical Measures

       Encryption of data in transit and at rest where applicable

       Secure access controls and password protection for systems holding patient data

       Firewall and network security for our website and IT infrastructure

       Regular software updates and security patches

       Use of reputable, security-certified third-party service providers

9.2  Physical Measures

       Secure, locked storage of physical patient records

       Restricted access to areas where patient data is stored or processed

       CCTV monitoring at clinic premises

9.3  Administrative Measures

       Staff training on data protection obligations and PDPA compliance

       Access to patient records limited to authorised personnel on a need-to-know basis

       Confidentiality obligations imposed on all staff and service providers

       Incident response procedures for potential data breaches

 

Notwithstanding the above, no method of transmission over the internet or method of electronic storage is completely secure. While we strive to use commercially reasonable means to protect your personal data, we cannot guarantee absolute security.

  10   Data Breach Notification 

In the event of a data breach that is likely to result in significant harm to affected individuals, we will:

       Conduct an internal assessment to determine the nature and extent of the breach as soon as we become aware of it;

       Notify the Personal Data Protection Commission (PDPC) within 3 calendar days of assessing that the breach is notifiable, as required under the PDPA;

       Notify affected individuals in a timely manner where the breach is likely to result in significant harm to them, providing sufficient information for them to take protective steps;

       Take immediate remedial action to contain the breach and prevent further unauthorised access or disclosure;

       Maintain a record of data breaches, including those that are not notifiable, in accordance with our internal data governance procedures.

 

If you believe that your personal data held by us has been compromised, please contact us immediately using the details in Section 13.

  11   Cookies and Online Tracking 

Our website (www.woodphysiotherapy.com) uses cookies and similar tracking technologies to improve user experience, monitor website performance, and support online booking functionality:

       Essential Cookies: Required for the website to function properly, including maintaining session state, enabling online booking, and supporting form submissions. These cookies cannot be disabled without affecting core website functionality.

       Analytics Cookies (e.g. Google Analytics): Used to collect anonymised data about how visitors use our website, including pages visited, time spent, and navigation paths. This helps us improve our website content and user experience.

       Functional Cookies: Remember your preferences (such as language or region settings) to provide a more personalised experience on return visits.

       Marketing Cookies: Used to deliver relevant information about our services to you if you have consented to marketing communications. These cookies track your interactions with our content. Disabled by default unless you opt in.

 

11.1  Cookie Consent

When you first visit our website, you will be presented with a cookie consent banner. By clicking 'Accept All', you consent to the use of all categories of cookies. You may also select 'Manage Preferences' to customise your cookie settings.

11.2  Disabling Cookies

You may disable cookies at any time through your browser settings. Please note that disabling essential cookies may affect the functionality of our website, including the ability to complete online bookings. Most browsers allow you to manage cookies via the 'Settings' or 'Privacy' menu.

11.3  Third-Party Tracking

Our website may include links to or integrations with third-party services (such as Google Maps or social media plugins). These third parties may set their own cookies when you interact with their content. We are not responsible for the privacy practices of third-party services.

  12   Marketing Communications and DNC Compliance 

We respect your right to control how we communicate with you for marketing purposes. We are committed to complying with both the PDPA and the Personal Data Protection (Do Not Call Registry) Regulations.

12.1  Opt-In Marketing

We will only send you promotional or marketing messages (including via SMS, phone call, fax, or email) if you have:

       Provided your explicit written consent on our Patient Registration Form or online forms; and

       Not registered your telephone number on Singapore's Do Not Call (DNC) Registry, or have provided us with clear consent to contact you notwithstanding DNC registration.

12.2  Types of Marketing Communications

With your consent, we may contact you about:

       New physiotherapy services, treatment programmes, or specialist referral services offered by the Clinic

       Promotional offers, package discounts, or seasonal wellness programmes

       Health and wellness tips, exercise guides, or physiotherapy-related educational content

       Clinic updates, new therapist introductions, or operating hours changes

 

12.3  Opt-Out / Unsubscribe

You may withdraw your consent for marketing communications at any time and at no cost to you by:

       Emailing us at [email protected] with the subject line 'Unsubscribe'

       Clicking the 'Unsubscribe' link in any marketing email we send you

       Calling us at +65 8332 4106 and requesting removal from our marketing list

 

Withdrawal of marketing consent will not affect your ability to receive service-related communications such as appointment confirmations, session reminders, or billing notices.

  13   Contact Us — Data Protection Officer 

For any questions, concerns, or requests relating to this Privacy Policy or the handling of your personal data, please contact our Data Protection Officer:

 

Data Protection Officer

Wood Physiotherapy Pte. Ltd.

360 Orchard Road, #06-04, International Building, Singapore 238869

Email: [email protected]

Phone: +65 8332 4106

Office Hours: Monday – Friday, 9:00am – 7:00pm  |  Saturday, 9:00am – 2:00pm

 

We will acknowledge receipt of your request within 3 business days and aim to provide a substantive response within 30 days. If your request is complex or involves a large volume of data, we may extend this period and will notify you accordingly.

  14   Changes to This Privacy Policy 

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable legal requirements. Where changes are material, we will notify you by:

       Posting a prominent notice on our website homepage;

       Sending an email or SMS notification to registered patients; or

       Displaying the updated policy on our notice board at the clinic.

 

The date of the most recent revision is indicated at the top of this policy. We encourage you to review this policy periodically to stay informed about how we protect your personal data.

 

Your continued use of our services or website after the effective date of any revised policy constitutes your acceptance of the updated terms, to the extent permitted by law.

 

 

ACKNOWLEDGEMENT

By using our services, completing our registration form, or submitting any form on our website, you acknowledge that you have read, understood, and agreed to this Privacy Policy.