Privacy policy
1. Data controller
The controller of personal data is PsycheClinic with its registered office in Warsaw (ul. Wrocławska 2A, 01-493 Warsaw), e-mail: info@psycheclinic.eu,
tel. 22 679 59 59.
2. Categories of personal data
The administrator processes the following categories of data: identification, address, and contact details, as well as – to the extent necessary to provide services – information about health status provided voluntarily by the client. PsycheClinic does not keep medical records within the meaning of the Act on Patient Rights and the Patient Rights Ombudsman.
3. Purposes of data processing
We process personal data for the purpose of:
a) Realizing services – Article 6 section 1 point b of GDPR (necessary for the performance of the contract).
b) Communication with the client – scheduling, confirming, and canceling appointments, answering inquiries (Article 6 section 1 points b and f of GDPR).
c) Handling payments – including data processing in Stripe, Przelewy24 systems, card payments and BLIK (Article 6 section 1 point b of GDPR).
d) Providing online services – including video calls via Google Meet, Zoom (Article 6 section 1 point b of GDPR).
e) Marketing contacts – sending information about special offers, promotions, invitations to social media (Instagram, Facebook) – only on the basis of consent (Article 6 section 1 point a of GDPR).
f) Ensuring security – video monitoring in the premises, operated only by authorized persons (Article 6 section 1 point f of GDPR).
4. Scope of data processed
Depending on the type of service and form of contact, we may process, among other things: name, surname, email address, telephone number, home address (if required for settlements) and health data necessary to carry out the therapeutic process.
5. Data recipients
As part of providing our services, data may be transferred to the following categories of recipients:
a) Appointment booking and management systems – Setmore, Calendly, Booksy, ZnanyLekarz, Twój Psycholog and other booking platforms.
b) Payment systems – Stripe, PayU, Przelewy24, Tpay, payment terminal operators (e.g. Elavon, Worldline, eService, SumUp).
c) Cloud and communication service providers – Google (Gmail, Calendar, Drive, Meet, Ads, Analytics, Tag Manager), Meta (WhatsApp), Zoom, Microsoft (Outlook, Teams, OneDrive).
d) Transcription tools – supporting therapeutic work.
e) Legal, accounting and IT support – accounting offices, law firms, IT service providers – only to the extent necessary to provide services.
f) Cooperating specialists and entities – psychologists and psychotherapists running separate businesses, and other entities supporting the service delivery process. In such cases, we only transfer basic patient data (name, surname, telephone number, email address) to the extent necessary for the provision of services, based on agreements and in accordance with data protection regulations.
6. Transfer of data outside the EEA
Data is not transferred outside the European Economic Area, unless:
a) the client uses online services from outside the EU (e.g. video call),
b) uses tools whose servers are located outside the EEA (e.g. Stripe, Google, Plaud Note).
In such cases, the transfer takes place on the basis of appropriate legal safeguards, including standard contractual clauses.
7. Discretion and anonymity
We ensure discretion not only in the office, but also in the digital space. Thanks to the special status of our facility in Google systems, in-person visits do not appear on the timeline in Google Maps or in the location history.
8. Commercial information and social media
With the client's consent, we may send invitations to follow our social media profiles (Instagram, Facebook) and information about special offers and promotions via email or SMS.
9. Video monitoring
In order to ensure the safety of people and property, we use video monitoring in the common areas of the building (entrance, reception, corridors).
a) Monitoring does not include therapy rooms or toilets.
b) The legal basis for processing is the legitimate interest of the administrator (Article 6(1)(f) GDPR).
c) We store recordings for a maximum of 3 months, unless it is necessary to secure them in connection with legal proceedings.
Only authorized persons have access to the recordings.
10. Data retention period
for the duration of the contract and service provision:
a) in the case of contact details for marketing purposes – until consent is withdrawn,
b) in the case of data from initial forms – a maximum of 12 months from their submission,
c) video surveillance recordings – up to 30 days, unless regulations require a longer period.
11. Rights of the data subject
You have the right to:
a) access your data,
b) correct your data,
c) delete your data (“right to be forgotten”),
d) restrict processing,
e) transfer your data,
f) object to processing,
g) withdraw your consent at any time,
h) lodge a complaint with the President of the Personal Data Protection Office.
12. Security
We use organizational and technical measures to ensure data protection, including encryption, access control, and regular reviews of procedures. Access to video surveillance recordings and booking and email systems is limited to authorized personnel. Customer details are not shared externally without a valid legal basis.
13. Voluntary data provision
Providing data is voluntary but necessary for the provision of services. Failure to provide data will make it impossible to arrange a visit or provide the service.
This version of the policy is effective from August 10, 2025.