PSYCHO PRIVACY POLICY
Last updated: April 1, 2025
1. INTRODUCTION
We Are Psycho, S.L. (hereinafter "Psycho", "we", "us" or "our"), with registered office at C. Lepant, 270, registered in the Barcelona Commercial Registry with Tax ID [IN FORMATION], and email address info@wearepsycho.com, as the data controller, is committed to protecting and respecting your privacy.
This Privacy Policy sets out the basis on which we process any personal data we collect from you or that you provide to us through our online therapy platform. Please read this document carefully to understand our practices regarding your personal data and how we will treat it.
2. LEGAL FRAMEWORK
Our Privacy Policy has been designed in accordance with:
- The General Data Protection Regulation (EU) 2016/679 (GDPR)
- Organic Law 3/2018, of December 5, on Personal Data Protection and guarantee of digital rights (LOPDGDD)
- Law 41/2002, of November 14, regulating patient autonomy and rights and obligations regarding clinical information and documentation
- The Code of Ethics of the General Council of Official Colleges of Psychologists
- Other applicable regulations on data protection and healthcare
3. INFORMATION WE COLLECT
3.1 Personal Data
Identification and Contact Data
- Full name
- Email address
- Phone number
- Postal address
- Date of birth
- ID/NIE/Passport
- Image (if you use video conferencing)
Health Data
- Clinical and psychological history
- Therapy session notes and records
- Psychological evaluations
- Diagnoses (if applicable)
- Treatment plans
- Therapeutic progress
- Medication (if applicable)
Financial and Billing Data
- Credit/debit card data (processed by our payment provider)
- Transaction history
- Tax information necessary for invoice issuance
Account Data
- Username
- Password (stored in encrypted form)
- Configuration preferences
- Appointment history
3.2 Usage and Technical Data
- IP address
- Browser type and version
- Operating system
- Access date and time
- Pages visited on our platform
- Time spent on the platform
- Features used
- Devices used to access
- Login and logout records
4. HOW WE COLLECT YOUR DATA
We collect your personal data through:
- Direct registration: When you register on our platform and create an account.
- Forms: When completing questionnaires, evaluations, or admission forms.
- Therapy sessions: During psychological consultations through our platform.
- Communications: Through emails, chats, or calls.
- Platform usage: Through cookies and similar technologies that record your activity on the platform.
- Payments: When you make transactions through our platform.
5. LEGAL BASIS FOR PROCESSING
We process your personal data based on the following legal grounds:
- Contract execution: Processing is necessary for the execution of the therapeutic services contract to which you are a party.
- Explicit consent: For processing health data and other sensitive data, we request your explicit consent. You can withdraw it at any time.
- Legal obligations: To comply with healthcare, tax, and other legal obligations.
- Legitimate interest: To improve our services, ensure platform security, and prevent fraud, provided this interest does not override your fundamental rights.
- Vital interest: In exceptional situations where processing is necessary to protect vital interests of the data subject or another natural person (e.g., vital risk situations).
6. PURPOSES OF PROCESSING
We use your personal data to:
6.1 Provision of Therapeutic Services
- Facilitate online psychological therapy sessions
- Conduct psychological evaluations
- Develop and adjust treatment plans
- Monitor your therapeutic progress
- Maintain an updated clinical history
6.2 Administrative Management
- Manage your account and profile
- Schedule appointments and send appointment reminders
- Process payments and issue invoices
- Respond to your queries and requests
- Verify your identity
6.3 Service Improvement
- Analyze and improve the quality and effectiveness of our services
- Develop new features
- Conduct anonymized statistical studies
- Resolve technical issues
- Personalize your platform experience
6.4 Security and Legal Compliance
- Protect platform security
- Prevent fraudulent activities
- Comply with legal obligations and judicial requirements
- Defend our legal rights when necessary
7. DATA RETENTION
We retain your personal data for the time strictly necessary to fulfill the purposes for which it was collected, including compliance with legal, accounting, or reporting requirements.
Specific retention periods:
- Health data and clinical documentation: At least 5 years from the discharge date of each care process, in accordance with Law 41/2002 (some autonomous communities may establish longer periods).
- Billing data: 6 years, according to tax and commercial legislation.
- User and account data: As long as you maintain an active account on our platform and don't request its deletion.
- Communications: Up to 3 years from the last interaction.
Once these periods have elapsed, your data will be securely deleted or anonymized, unless there is a legal obligation to retain it for longer.
8. SECURITY MEASURES
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- End-to-end encryption for all therapy sessions
- SSL/TLS encryption for all communications with our platform
- Data storage on servers located in the European Union
- Strict role-based access controls
- Two-factor authentication
- Regular encrypted backups
- Periodic security audits
- Ongoing data protection training for our staff
- Clean desk policy and secure device management
- Security incident response plan
9. DATA SHARING
We do not sell, rent, or share your personal data with third parties, except in the following circumstances:
9.1 Service Providers
We may share your data with service providers who help us operate, audit, and improve our platform:
- Payment service providers
- Cloud storage providers
- Email service providers
- Platform analysis and improvement services
All our providers are subject to strict confidentiality and data protection obligations.
9.2 Legal Obligations
We may disclose your data when required by law, judicial process, or government request, including:
- In response to a court or administrative order
- To comply with legal or regulatory requirements
- To protect our legal rights
9.3 Special Situations in the Therapeutic Context
In exceptional circumstances, we may share limited information:
- In case of imminent risk of serious harm to you or third parties
- With other health professionals involved in your treatment, always with your prior consent
- With legal guardians in case of minors, respecting the principle of the best interest of the minor
9.4 International Transfers
We do not transfer data outside the European Economic Area (EEA) unless an adequate level of protection is guaranteed through:
- European Commission adequacy decisions
- Standard contractual clauses approved by the European Commission
- Binding corporate rules
- Other valid mechanisms under GDPR
10. YOUR RIGHTS
Under data protection regulations, you have the following rights:
10.1 ARSLOP Rights
- Access: Right to obtain confirmation of whether we are processing your personal data and, if so, to access it.
- Rectification: Right to request correction of inaccurate or incomplete data.
- Erasure ("right to be forgotten"): Right to request deletion of your personal data in certain circumstances.
- Restriction of processing: Right to request restriction of processing your data in certain circumstances.
- Object: Right to object to processing of your data for reasons related to your particular situation.
- Portability: Right to receive your data in a structured, commonly used and machine-readable format, and to transmit it to another controller.
10.2 Specific Rights in Healthcare
- Right to confidentiality of your health data
- Right to be informed about your psychological health status
- Right to receive a clinical report if requested
- Right to designate persons linked to you for family or de facto reasons to receive information about your health (requires express authorization)
10.3 How to Exercise Your Rights
You can exercise your rights by sending a request to:
- Email: dpd@wearepsycho.com
To protect your privacy, we may request additional information to verify your identity before processing your request.
We will respond to your request within a maximum period of one month, which may be extended by two more months in cases of special complexity, informing you of such extension.
10.4 Right to File a Complaint
If you consider that the processing of your personal data infringes data protection regulations, you have the right to file a complaint with:
- Our Data Protection Officer: dpd@wearepsycho.com
- The Spanish Data Protection Agency (www.aepd.es)
11. COOKIES AND SIMILAR TECHNOLOGIES
We use cookies and similar technologies to improve your experience on our platform. For more information about how we use these technologies, please see our [Cookie Policy].
12. MINORS
Our platform may offer services to minors (under 18 years of age) only under the following conditions, in accordance with current Spanish legislation:
- For individuals under 18 years of age: Only with express and verifiable consent from parents or legal guardians.
- For individuals over 18 years of age: They can consent on their own, although in the therapeutic context we encourage parental or guardian participation when beneficial for the treatment.
We apply additional protections for minors' data and always respect the best interest of the minor, as required by Spanish and European data protection regulations.
13. DATA PROTECTION OFFICER
We have appointed a Data Protection Officer (DPO) who oversees compliance with data protection regulations. You can contact our DPO at:
- Email: dpd@wearepsycho.com
14. CHANGES TO OUR PRIVACY POLICY
We may update this Privacy Policy from time to time. If we make changes, we will notify you by revising the date at the top of this Privacy Policy and, in some cases, we may provide you with additional notice (such as adding a statement to our homepage or sending you a notification). We encourage you to review this Privacy Policy periodically to stay informed of how we are protecting your information.