Last Updated: December 24, 2025
Introduction
Body Mechanics ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and protect your personal information when you use our physiotherapy appointment booking platform and related services provided by Body Mechanics.
Information We Collect
Personal Information
We collect personal information that you provide when:
- Creating an account on our platform
- Booking physiotherapy appointments
- Communicating with healthcare providers
- Contacting our support team
This may include:
- Name, email, phone number, and address
- Date of birth and health information
- Payment and insurance information
- Appointment preferences and history
Automatically Collected Information
We may automatically collect:
- Device and browser information
- Usage data (pages visited, time spent)
- IP address and location data (with consent)
- Cookies and similar technologies
How We Use Your Information
Healthcare Services
- Scheduling and managing appointments
- Providing treatment and care coordination
- Maintaining medical records
- Sending appointment reminders
Platform Operations
- Managing user accounts
- Processing payments
- Providing customer support
- Improving our services
- Ensuring security and preventing fraud
Communications
- Service notifications and updates
- Educational health information
- Marketing communications (with consent)
- Responding to inquiries
How We Share Your Information
We do not sell your personal information. We may share information with:
- Healthcare providers involved in your care
- Service providers (payment processors, authentication providers, etc.)
- When required by law
- With your explicit consent
Data Security
We implement appropriate security measures to protect your information, including encryption, access controls, and regular security assessments.
Your Privacy Rights
You have the right to:
- Access your personal information
- Request corrections or deletions
- Receive a copy of your data
- Opt out of marketing communications
- Withdraw consent at any time
Exercise Your Rights
To exercise any of these rights or for questions about your data:
- Email us at privacy@bodymechanics.mt
- Visit your Privacy Preferences page
- Contact our Data Protection Officer at the address below
Cookies and Tracking
We use cookies and similar technologies to improve your experience. These include essential cookies (required for the site to function) and analytics cookies (to understand usage).
You can manage your cookie preferences through our consent banner or your browser settings. Visit our Privacy Preferences page for more information.
Data Retention
We retain your information as long as necessary to provide services, comply with legal obligations, and maintain medical records as required by healthcare regulations.
When no longer needed, we securely delete or anonymize your data.
Children's Privacy
Our digital services are not directed to children under 18. For healthcare services to minors, we require parental or guardian consent. If you believe a child has provided information without consent, please contact us.
Google Data
When you use Google services to connect with Body Mechanics (Sign in with Google or Google Calendar integration), we handle your Google data as described below.
Sign in with Google for All Users
Data Accessed
When you sign in with Google or link your Google account to Body Mechanics, we access the following data from your Google account:
- Your Google account ID (unique identifier)
- Your Google email address
- Your Google profile name
- Your Google profile picture/avatar URL
- OAuth scopes: openid, email, profile (or their full URL equivalents)
Purpose
We use your Google authentication data to provide the following features:
- Enable password-free sign-in to your Body Mechanics account
- Create your account automatically without requiring a separate password
- Verify your email address through Google's authentication (no separate email verification needed)
- Pre-fill your profile information (name, email, profile picture) to simplify account setup
- Sync your profile data when you update your Google account information (optional, with your consent)
- Provide secure authentication for sensitive actions like email changes or data exports
- Enable two-factor authentication bypass for Google-authenticated users (since Google provides strong authentication)
Storage
We store the following Google authentication data in our secure database:
- OAuth access tokens and refresh tokens: Stored securely to maintain your authentication session
- Google Account ID: To uniquely identify your Google account
- Google email address: Stored separately from your primary account email (which may differ)
- Google profile name: To track your Google account name and detect changes
- Google profile picture URL: Both the original Google URL and a local copy we download and store
- Granted OAuth scopes: To track what permissions you've granted
- Token expiration dates: To manage token refresh and validity
- Last profile sync timestamp: To track when we last checked for profile updates
Profile synchronization: If you initially sign in with Google or previously synced Google profile information, we may automatically sync updates to your name, email, or avatar from your Google account.
Profile Picture Handling
When you sign in with Google, we handle your profile picture as follows:
- Download and store locally: We download your Google profile picture and store a copy on our servers (not a direct link to Google's servers)
- Separate avatars: We maintain both your "Google avatar" (synced from Google) and your "profile avatar" (the one displayed on your account)
- Automatic sync option: You can choose to automatically sync your profile avatar with your Google avatar when your Google picture changes
- Manual control: You can manually sync, upload a different picture, or revert to your Google avatar at any time
- Background updates: If enabled, we periodically check if your Google avatar has changed
Sharing
We share Google authentication data only with:
- Google LLC: Your authentication requests are transmitted to Google's OAuth servers to verify your identity
We do not sell, rent, or share your Google user data with any other third parties. Your Google authentication tokens and profile data remain on our servers and are not transferred to external services.
Retention & Deletion
We retain your Google authentication data until:
- You manually unlink your Google account from your profile settings
- You delete your Body Mechanics account
- Your account remains inactive for 24 months
- Google revokes our access to your account
You can unlink your Google account by:
- Visiting your Profile Settings page and clicking "Unlink Google Account"
- Revoking Body Mechanics access in your Google Account permissions
- Contacting us at privacy@bodymechanics.mt
Upon unlinking: We immediately delete all stored Google authentication tokens and stop syncing your profile data from Google. Your downloaded Google avatar remains available in your profile, but we no longer check Google for updates. Note: Unlinking Google does not delete your Body Mechanics account - you can continue using your account with email/password authentication (you'll need to set a password if you haven't already).
Security
We protect your Google authentication data using industry-standard security measures:
- TLS encryption in transit: All authentication requests between our servers and Google are encrypted using TLS 1.2 or higher
- Database access controls: OAuth tokens are stored in a secure database with strict access controls
- Application-level security: Tokens are only accessible through authenticated user sessions
- Secure credential management: Google OAuth client credentials are stored in environment variables, never in code
- Token validation: We validate token expiration and automatically refresh expired tokens
- Minimal scope requests: We only request openid, email, and profile scopes for basic authentication
- Token rotation: Short-lived access tokens (typically 1 hour) are automatically refreshed
- CSRF protection: OAuth flows include state parameters to prevent cross-site request forgery attacks
- Session security: Google authentication is tied to your secure session and cannot be hijacked
Google Calendar Integration for Service Providers
Data Accessed
When you connect your Google Calendar to Body Mechanics, we access the following data from your Google account:
- Event summaries (titles)
- Event start and end times (date, time, timezone)
- Event descriptions (content field)
- Event locations (address/location field)
- Event extended properties (custom metadata we add to track our app-created events)
- Calendar metadata (calendar ID, name, summary, description, timezone, location)
- Your Google account email address and Google account ID
Purpose
We use your Google Calendar data to provide the following features:
- Display your calendar availability when booking appointments
- Prevent double-booking by checking for conflicts with existing events
- Synchronize your Body Mechanics appointments with your Google Calendar
- Update calendar events when appointments are rescheduled or cancelled
- Enable providers to view their appointment schedule in their preferred calendar application
- Enable real-time synchronization by establishing a webhook connection with Google Calendar (this allows us to receive instant notifications when you add, modify, or delete events in your Google Calendar, keeping our conflict-checking system up-to-date)
Actions on Your Behalf
Following explicit action (such as clicking "Book Appointment" or "Connect Calendar"), we may create or update events in your Google Calendar to:
- Create new calendar events when you book an appointment
- Update existing calendar events when you reschedule an appointment
- Cancel calendar events when you cancel an appointment
- Add appointment details including provider name, location, and appointment notes
- Add video conference links for telehealth appointments
We only perform these actions after you have explicitly authorized the calendar connection and taken a specific action that requires calendar interaction.
Storage
We store the following Google-related data in our secure database:
- OAuth access tokens and refresh tokens: Stored securely in our database to maintain your calendar connection
- Google Calendar IDs: Your primary calendar ID (typically "primary")
- Google Calendar Event IDs: IDs of calendar events we create, to track and update them
- Google Account information: Your Google account ID and email address
- Webhook information: Channel IDs and resource IDs for real-time sync notifications from Google
- Sync timestamps: Last sync time and token expiration dates
- Calendar settings: Your preferences for event visibility and sync behavior
Caching of calendar events: To prevent scheduling conflicts, we periodically sync and cache your Google Calendar events in our database. We store the event start time, end time, and basic metadata necessary for conflict detection. These cached events are stored as appointment records marked as "personal" events and are automatically refreshed during the sync process. This allows us to check for conflicts without making real-time API calls to Google on every booking attempt.
Sharing
We share Google user data only with:
- Google LLC: Your calendar data is transmitted to Google's servers to perform calendar read/write operations via the Google Calendar API
We do not sell, rent, or share your Google user data with any other third parties. Your Google Calendar tokens and data are not transferred to any external subprocessors or services.
Retention & Deletion
We retain your Google Calendar connection data until:
- You manually disconnect your Google Calendar from your account settings
- You delete your Body Mechanics account
- Your account remains inactive for 24 months
- Google revokes our access to your account
You can delete your Google Calendar connection by:
- Visiting your Calendar Settings page and clicking "Disconnect Google Calendar"
- Revoking Body Mechanics access in your Google Account permissions
- Contacting us at privacy@bodymechanics.mt
Upon disconnection: We immediately delete all stored tokens, calendar IDs, webhook registrations, and sync state data from our database. Webhooks with Google are stopped to prevent further notifications. Calendar events we previously created remain in your Google Calendar under your control, but we can no longer access or modify them. Note: The OAuth tokens are deleted from our system, but to fully revoke access you should also visit your Google Account permissions page.
Security
We protect your Google Calendar data using industry-standard security measures:
- TLS encryption in transit: All data transmitted between our servers and Google APIs is encrypted using TLS 1.2 or higher
- HTTPS only: Calendar webhook endpoints require HTTPS in production environments
- Database access controls: OAuth tokens are stored in a secure database with strict access controls limiting who can query or modify token data
- Application-level security: Tokens are only accessible through authenticated user sessions and are validated before use
- Secure credential management: Google API credentials (client ID, client secret) are stored in environment variables, never committed to code repositories
- Token validation: We validate token expiration and automatically refresh expired tokens using secure refresh token flows
- Minimal scope requests: We only request the calendar scope (full calendar access) and userinfo.email scope (to identify your Google account)
- Token rotation: Short-lived access tokens (typically 1 hour) are automatically refreshed, and old tokens are immediately invalidated by Google
- Webhook security: Real-time sync webhooks use unique channel IDs and resource IDs to prevent unauthorized webhook creation
- CSRF protection: OAuth flows include state parameters to prevent cross-site request forgery attacks
Google API Services User Data Policy Compliance
Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We use Google Calendar data solely to provide and improve our appointment booking features and do not transfer this data to any other party except as described in this policy.
Changes to This Policy
We may update this Privacy Policy from time to time. We encourage you to review this policy periodically to stay informed.
Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
Body Mechanics Privacy Officer
Email: contact@bodymechanics.mt
Phone: +356 7970 8712
Address:
Cosmed Pharmacy, Villambrosa Street, Hamrun