Privacy Policy
Last update: May 13, 2026
Introduction
At PsychoSpace, we care about your privacy. This Privacy Policy explains how we collect, use, and protect your personal data while you use our platform. Our goal is to provide the highest level of security and transparency in processing data related to mental health support.
Data Collection
We collect data necessary to provide services, including information provided during registration (name, email), data from matching tests, and technical data about the device. All contents of therapeutic sessions and journal entries are encrypted and inaccessible to unauthorized persons, including PsychoSpace administration.
Your Rights
In accordance with GDPR, you have the right to access your data, rectify it, delete it ('the right to be forgotten'), and restrict processing. You can also withdraw your consent to data processing at any time, which may result in restricted access to certain service features.
Contact
For matters related to personal data protection, you can contact our Data Protection Officer at privacy@psychospace.io or in writing at the headquarters address indicated in the Contact tab.
Data Controller
The data controller is R-BIT Software Rafał Białek, ul. Cyfrowa 6, 71-441 Szczecin, Poland, NIP: 8571919887, REGON: 361718692. You can contact the Data Protection Officer (IOD) at: iod@psychospace.io.
Legal Basis for Processing
We process your personal data based on: (a) your consent (Art. 6(1)(a) GDPR) — for marketing communications and cookies; (b) contract performance (Art. 6(1)(b) GDPR) — to provide our services; (c) legal obligations (Art. 6(1)(c) GDPR) — tax and accounting requirements; (d) legitimate interest (Art. 6(1)(f) GDPR) — platform security, analytics, and service improvement.
Data Retention Periods
We retain your data only as long as necessary: Profile data — until account deletion (30-day grace period after request); Journal entries — 10 years after the end of the therapeutic relationship; Clinical notes — 10 years (medical documentation requirement, Patient Rights Act Art. 29); Financial transaction records — 5 years (Polish Tax Ordinance Art. 70 §1); System logs — 1 year; Backups — 90 days. Inactive accounts are automatically deleted after 2 years of inactivity.
Data Recipients & Third-Party Processors
We use the following third-party service providers who may process your data: Certified cloud database provider (EU region) — profile data, encrypted journal content; Mailtrap (email delivery) — transactional emails; Stripe (payment processing) — payment data; Certified cloud hosting provider (EU region) — application hosting. All providers are GDPR-compliant and have Data Processing Agreements in place.
International Data Transfers
All primary data storage and processing occurs within the European Economic Area (EEA). Some subprocessors (e.g., Stripe) may transfer data to the US under Standard Contractual Clauses (SCCs) approved by the European Commission. For details, contact our DPO.
Your GDPR Rights
Under GDPR, you have the following rights: Right of access (Art. 15) — request a copy of your data; Right to rectification (Art. 16) — correct inaccurate data; Right to erasure (Art. 17) — request deletion ('right to be forgotten'); Right to restriction (Art. 18) — limit processing; Right to data portability (Art. 20) — export your data in machine-readable format; Right to object (Art. 21) — object to processing; Right to withdraw consent (Art. 7(3)) — withdraw previously given consent at any time. To exercise any of these rights, contact iod@psychospace.io or use the built-in privacy tools in your account settings. You also have the right to lodge a complaint with the Polish Data Protection Authority (UODO — Urząd Ochrony Danych Osobowych) at uodo.gov.pl.
End-to-End Encryption (E2EE)
Your journal entries and session notes are protected with end-to-end encryption (XSalsa20-Poly1305). This means your content is encrypted on your device before being transmitted and stored. Only you and therapists you explicitly share with can decrypt this content. PsychoSpace cannot access your encrypted journal content — we practice zero-trust architecture. Encryption keys are stored only on your devices, never on our servers in unencrypted form.
Multi-Factor Authentication (MFA)
Therapists are required to use multi-factor authentication (MFA) when accessing patient data. This adds an additional layer of security beyond passwords, ensuring that even if a password is compromised, patient data remains protected.
Automated Decision-Making
Our AI matching system assists in finding suitable therapists based on your preferences and needs. However, the final decision about which therapist to work with is always yours. The AI matching does not produce legal effects or similarly significantly affect you. It is an assistive tool, not an automated decision-maker.
Children's Data
PsychoSpace is intended for users aged 16 and above. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us immediately at iod@psychospace.io.
Changes to This Policy
We may update this privacy policy from time to time. Material changes will be communicated via email and/or a notice on our platform. The date of the last update is shown at the top of this page.
How We Collect Data
We collect data in the following ways: (a) Information you provide directly — when you register an account, complete your profile, write journal entries, book sessions, or contact us; (b) Information generated through platform use — matching questionnaire responses, session scheduling data, therapist-patient relationship status; (c) Technical data automatically collected — IP address, browser type, device information, access timestamps, and error logs for security and debugging purposes; (d) Payment data — processed by Stripe; we never store full credit card numbers on our servers.
Data Minimization
We follow the principle of data minimization as required by GDPR Art. 5(1)(c). We only collect data that is strictly necessary to provide our services. Profile fields are limited to essential information. Journal content is end-to-end encrypted — even we cannot read it. We do not collect sensitive special category data unless explicitly required for the therapeutic matching process (and only with your explicit consent). We regularly review our data collection practices to ensure we collect no more than necessary.