Privacy (Patients)

• Your therapist Your therapist is the data controller under GDPR: they decide what data to collect, for what purpose, and for how long. To exercise your rights, they are your primary point of contact.
• Theramate (Playfields SPRL) We provide the tools your therapist uses every day (hosting, encryption, management platform). They decide what happens with your data, not us. We never access the content of your clinical data in clear text, and we share it with no one. In GDPR terms, this is called a data processor bound by a Data Processing Agreement (DPA).
• Address Playfields SPRL, Brussels, Belgium

• Identity Last name, first name, date of birth, communication language
• Contact Email and phone number if you or your therapist provided them
• Appointments Dates, times, brief reasons, attendance
• Clinical data Session notes, questionnaires, shared documents (only what is relevant to your care)
• Technical data Connection logs strictly limited to technical support and security

Your data is used exclusively to provide your therapeutic care: preparing sessions, keeping clinical history, notifying you of appointments, sharing documents (questionnaires, reports, attestations). No other use. No advertising. No resale.

To run the platform, we rely on technical subprocessors. All are bound to Theramate by a GDPR-compliant subprocessing agreement.

• Google Cloud (Belgium) Primary hosting, database, serverless functions, authentication. europe-west1 datacenter located in Belgium.
• Scaleway (France) Sovereign European cloud used for selected processing and storage. Infrastructure and datacenters entirely located in France.
• Mistral (France) Sovereign AI provider for selected clinical processing. No training on your data, no API-side storage. Infrastructure and datacenters entirely located in France.
• Google AI provider for selected clinical processing. No training on your data, no API-side storage.
• Stripe (Ireland) If your therapist bills via Theramate: payment processing and billing data only

• Appointment confirmation and reminder Sent by your therapist via Theramate
• Booking link If your therapist shares a public booking link
• Shared documents Questionnaires, reports, attestations sent by your therapist
• Temporary access links To view a shared document without creating an account

No marketing emails. No newsletters. Only what is strictly necessary for your therapeutic care.

Retention duration is set by your therapist, in compliance with the legal obligations applicable to their profession. In Belgium, the patient record is generally kept for 30 years after the end of care (Act of 22 August 2002 on patients' rights). After this period, your data is irreversibly deleted.

• Access Request a copy of the data concerning you
• Rectification Have inaccurate information corrected
• Erasure Request deletion, subject to legal retention obligations
• Portability Receive your data in a reusable format
• Objection and restriction Object to processing or request its restriction

To exercise these rights, contact your therapist (data controller) first. If you cannot reach them, write to privacy@theramate.pro and we will guide you through the process.

If you are a minor or under guardianship, the rights above are exercised by your legal representative, under applicable law. From the age of discernment (typically between 12 and 16, depending on the situation and maturity), the minor may exercise certain rights related to their own health.

You have the right to lodge a complaint with a data protection authority, notably in the EU Member State where you reside or work. In Belgium, the competent authority is the Data Protection Authority (APD/GBA), Rue de la Presse 35, 1000 Brussels, dataprotectionauthority.be.