Privacy Policy
Introduction
When you use therapy.eu.com (“the website”), you accept and agree to our
Terms of Use and to this Privacy Policy. If you do not agree to the
policies described in these two documents, you may not use the website.
The website includes a directory of therapists (“providers”) who can help you
talk through life challenges via online video sessions and online messaging.
Personal Information
When you use the website you might provide us with certain personal information --
that is, information by which you can be uniquely identified, private
information shared with your therapist, and scheduling and payment information for
therapy sessions.
- When you visit the website, our servers log your IP address, which
contains information about your location, and the pages you visit.
- When you create an account, you provide your email address
and optionally your name. We save this data in order to communicate
with you.
- When you use the website to coordinate with your therapist on
appointment times or other administrative issues, we save the data from
these interactions.
- When you use the website to chat with your therapist, we save the data
from these interactions.
- When you pay for your online sessions, you provide your name, address,
credit card, and other information to our payment processing provider.
- We can review your payment history by requesting a report from our
payment processing provider. This includes dates and amounts of payments,
but does not include your credit card information or address.
- When you provide feedback about a provider or about your experience on
the website, we store that information, and in the case of therapist reviews
we display the information publicly.
Additionally, for providers using this site, we request and store your name,
date of birth, bank account information for payments, email address, and the
information about yourself that you share on your profile. We will also request
and store proof of the degrees and other qualifications you claim to have.
Who has access to this personal information?
- The website administrator has access to the information for
all users. However, the administrator only accesses information on a
need-to-know basis. One reason for needing to know would be a dispute
about services or payments.
- Providers have access to the personal information only of the clients
they work with.
- Your provider has access to the personal information you share with them during sessions
and over online chat. The video sessions are not recorded, but your
provider may take notes. Your provider agrees to treat the information you
provide them, whether recorded as notes or not, as
confidential according to the standards of the GDPR law.
- If you have questions about the details of your provider's privacy
practices, please ask your provider. If you believe your provider is not
following appropriate privacy standards, please let us know.
How does the website minimize the risk of a data breach that exposes personal information?
- The website is hosted on the Google Cloud Platform (GCP) and we have a HIPAA Business Associate Agreement with Google.
This agreement assures the same level of data protection as is required by U.S. law for personal health information.
- We use Google Workspace for email, GCP Compute Engine for
running the website, Google Cloud SQL for data storage and backup,
and Google Identity Platform for authentication. Google Workspace
and Google Cloud have achieved HITRUST CSF certification
(https://cloud.google.com/security/compliance/hitrust). HITRUST
contains a set of prescriptive controls that relate to the
organizational processes and technical controls for processing,
storing, and transmitting sensitive data. We have a HIPAA Business
Associate Agreement (BAA) in place with Google.
- Gmail in Google Workspace (a) uses encryption for data in
transit whenever possible, (b) stores emails with encryption, and
(c) does not scan emails for advertising purposes.
- We time out your session after a period of inactivity so that,
for instance, data shown on your screen will not be visible to
someone else in your environment.
- The Cloud SQL database provides data encryption at rest and in
transit, private connectivity with Virtual Private Cloud and
firewall protection. It is compliant with SSAE 16, ISO 27001, PCI
DSS, and HIPAA. The database and the compute instance are in the
same data center so most database operations never leave the
center.
- Our payment provider is Square, owned by Block, Inc. We have a HIPAA
Business Associate Agreement with Block. Square adheres to the standards set
by PCI-DSS as managed by the PCI Security Standards Council, which is a
joint effort of brands like Visa, Mastercard, American Express and Discover.
PCI-DSS requirements help ensure the secure handling of payment
information.
- We perform periodic reviews of these security measures to make sure
they are working, and to consider if they need modification.
Cookies
A cookie is a small piece of data that a website saves on your
computer/device, which can be used for various purposes, such as saving a
session identifier or login information to make it easier for you to log in, or
to make it easier for a website to track you from one visit to another.
You can instruct your browser to refuse all cookies or to indicate when a
cookie is being sent. However, if you do not accept cookies, you may not be able
to use some features of the website.
Requesting and controlling your data
To receive a copy of your data, send a request to contact@therapy.eu.com.
To request that some of your data be modified or corrected, send a request to
contact@therapy.eu.com. We reserve the right to deny such modifications or
corrections if we determine they are false.
To request that some or all of your data be deleted, send a request to
contact@therapy.eu.com. Be aware that some data may be retained as allowed or
required by law. We reserve the right to deny information requests that are
unduly burdensome as allowed by law.
Special information for residents of California
The following information is shared for the purpose of complying with the
California Consumer Privacy Act of 2018 ("CCPA") and the California Privacy
Rights Act ("CPRA") of 2023.
The PHI and other data mentioned above may correspond to certain categories
under the CCPA and CPRA.
- Identifiers
- Personal information categories listed in the California Customer
Records statute (Cal. Civ. Code § 1798.80(e))
- Protected classification characteristics under California or federal
law
- Internet or other similar network activity
- Geolocation data
- Sensitive Personal Information
- Professional or employment-related information
In adherence to the California Online Privacy Protection Act (CalOPPA,
https://consumercal.org/about-cfc/cfc-education-foundation/california-online-privacy-protection-act-caloppa-3/):
- Users can visit the website anonymously.
- Our Privacy Policy link includes the word “Privacy”, and can easily be
found on the homepage of the website.
- Users will be notified of any privacy policy changes on our Privacy
Policy page.
- Users are able to change their personal information by emailing us at
contact@therapy.eu.com.
General Data Protection Regulation (GDPR) and UK General Data Protection Regulation Notice
This section is relevant to you if you are from the European Economic Area
(the EEA), the United Kingdom, or Switzerland (together “European Area
Countries”).
Under the privacy laws of the EEA, we are considered to be the controller of
your data.
Instances when your data may be used
- We have a legitimate interest (as defined by the GDPR and UK General Data
Protection Regulation Notice) in managing the website, including matching
clients with therapists, scheduling sessions, and paying for sessions.
We also have a legitimate interest in monitoring our platform and in
keeping our users and our platform secure and safe from fraud.
- There may be cases when we are legally obligated to share
information with legal or law enforcement authorities to protect
you or another person from immediate danger. The preference will
always be to get your consent before sharing data in such cases.
Some of the information we collect may be considered “sensitive personal
information” in the UK and EEA.
Insofar as these data may be considered sensitive personal
information, the lawful bases for collecting and storing this data are:
- It is used for the purpose of your well-being.
- Our right to provide the services of the website.
- The substantial public interest in the topic of the website.
- The consent of the client or provider. If consent is the legal basis,
you have the right to rescind your consent at any time.
Your rights
Residents of European Area Countries have the following rights:
- You may request a copy of the data we have about you, known as a
“subject access request”. We will get the data to you within 30 days. You
can request the data in an electronic format that, among other uses, could
be used to move, copy, or transfer your data to a different organization,
known as the “right to data portability”.
- You may request that we modify data we have about you that you think is
inaccurate, known as the “right to rectification”. We will make the changes
unless we determine that they are incorrect.
- You may request that we delete your data, known as the “right to
erasure”. Keep in mind that in some cases we have a legal obligation to keep
your data in a backup database.
- You may object to the use of your data where we rely upon consent as the
legal basis for storing it, known as the “right to object”. Keep in mind
that (a) the deletion of certain data may mean we can no longer provide you
services, and (b) in some cases we have a legal obligation to keep your data
in a backup database.
- We do not do profiling or automated decision-making. This means that by
default your “Rights concerning automated decision-making and profiling” are
protected.
- We do not transfer your data to third parties, aside from your therapist(s)
and our payment service provider. This means that by default your “right to
restrict processing” is protected.
To exercise any of the rights listed, email us at contact@therapy.eu.com.
GDPR gives you the right to file a complaint with the appropriate authority in
your country if you have concerns about our use of your data.
Changes to this Privacy Policy
When this policy changes, we will notify you through the website. We
encourage you to periodically review this page for the latest information.
This website, therapy.eu.com, is owned and operated by Satsub Studios LLC, a business in Washington State, USA.
This document was last updated on September 13, 2023.