Privacy Policy

Last updated: October 2025

This Privacy Policy explains how Pleso Therapy sp. z o.o. ("Pleso", "we", "us") collects, uses, and protects your information when you use our website, matching quiz, chatbot, booking, and dashboard (the "Services"). By using the Services, you agree to this Policy.

Who We Are

PLESO THERAPY sp. z o.o., ul. 12 Lutego 25/7, 82-300 Elbląg, Poland. NIP: 5783155594, KRS: 0000980227, REGON: 522652856. Contact: hello@pleso.me.

What We Collect

  • Account and Authentication: name, email, and sign-in identifiers (e.g., Google OAuth). Session cookies to keep you signed in.
  • Usage and Device Data: log data, IP address, device/browser information, and interactions with the app (for security and performance).
  • Matching and Care Preferences: information you choose to provide in the quiz or chatbot to help match you to an appropriate therapist. We minimize the health-related data we process and use it only to deliver the Service.
  • Support and Communications: messages and contact details when you reach out to us.
  • Payments: payment processing is handled by our payment provider; we do not store full card details. We retain basic transaction metadata for accounting and fraud prevention.
  • Cookies: essential cookies for authentication and security; optional analytics only with your consent where required.

How We Use Information

  • Provide and secure the Services, including authentication and session management.
  • Match you with appropriate clinicians and support therapist‑supervised care.
  • Process bookings and payments and provide customer support.
  • Improve performance, reliability, and user experience.
  • Provide aggregate, de‑identified analytics to employers—never individual therapy data.
  • Comply with legal obligations and enforce terms.

Legal Bases (GDPR)

  • Contract: to deliver core functionality you request.
  • Legitimate interests: safety, fraud prevention, product improvement.
  • Consent: optional analytics/marketing where applicable.
  • Legal obligation: tax, accounting, and regulatory compliance.

Sharing and Disclosure

  • Service providers: cloud hosting, authentication (e.g., Google), payments, email, analytics—bound by contracts and security obligations.
  • Therapists: limited information needed to provide care, under confidentiality obligations.
  • Employers: only aggregated, de‑identified insights—never individual records.
  • Legal: when required by law or to protect rights and safety.

International Transfers

If data is transferred outside the EEA/UK, we use appropriate safeguards such as Standard Contractual Clauses and implement technical and organizational measures.

Retention

We keep personal data only as long as necessary for the purposes described above, such as the duration of your account, legal retention periods, and dispute resolution. We de‑identify or delete data when no longer needed.

Security

We use industry‑standard safeguards, including encryption in transit, access controls, and secure development practices. We operate under frameworks consistent with GDPR and our security program aligns with ISO 27001 principles.

Your Rights

  • Access, correct, delete, or restrict processing of your personal data.
  • Object to processing or request data portability where applicable.
  • Withdraw consent at any time, without affecting prior lawful processing.
  • Lodge a complaint with your local supervisory authority.

Children

Our Services are not directed to children under 16. If we learn that we have collected personal data from a child, we will delete it.

Changes to This Policy

We may update this Policy from time to time. If changes are material, we will provide notice. Your continued use of the Services after changes take effect constitutes acceptance.

Contact

For privacy questions or requests, contact us at hello@pleso.me.