Privacy Policy
Wefeel.space Ltd
Last updated: 9 July 2026 Version: 1.0
1. Who we are
Wefeel.space Ltd ("Wefeel", "we", "us", "our") operates the website wefeel.space, a platform connecting Polish-speaking individuals — in Poland and abroad — with Polish-speaking mental health professionals.
Data Controller: Wefeel.space Ltd Ireland
Data protection contact: gdpr@wefeel.space
2. Scope of this policy
This policy explains how we collect, use, store and share personal data when you:
- visit wefeel.space;
- create an account (as a client or as a therapist);
- submit a contact form or a matching questionnaire;
- book a session with a therapist through our platform;
- subscribe to, or take part in, our educational content and community activities.
This policy does not cover how an individual therapist processes your data once you enter into a therapeutic relationship with them. See Section 6.
3. Controllers and roles
Our understanding of the arrangement:
- Wefeel is the controller of personal data processed on the platform: account data, contact enquiries ("leads"), booking records, site analytics, and communications with us.
- Each therapist is a separate, independent controller of the personal data they process in the course of providing therapy — including clinical notes, session content and any health records. Therapists are bound by their own professional obligations, including professional confidentiality and their own regulator's requirements.
- When we pass your enquiry to a therapist, this is a disclosure between independent controllers, not a transfer to a processor acting on our instructions.
Note on terminology. A "data processing agreement" (DPA) governs a controller–processor relationship, in which the processor acts only on the controller's documented instructions. A therapist exercising independent clinical judgement and holding clinical records does not typically meet that definition; they act as a controller in their own right. If Wefeel has entered into DPAs with therapists on the basis that they are processors, that characterisation should be reviewed. Depending on the facts, the correct arrangement may be independent controllers (Article 6) or joint controllers (Article 26 GDPR), the latter requiring a transparency arrangement to be made available to data subjects.
4. What personal data we collect
4.1 Data you give us directly
| Category | Data | Where |
|---|---|---|
| Account data | Name, email address, password (hashed), interface language | Registration, login |
| Client profile | Display name, contact details | Client onboarding |
| Therapist profile | Name, biography, photograph, professional categories, languages, base country, city of practice, time zone, session price | Therapist registration and profile editing |
| Contact enquiries | First name, last name, email, telephone, city, message content | Contact forms (site-wide, therapist profile pages, /kontakt) |
| Booking data | Name, telephone, time zone, appointment time, whether it is a first visit, optional note | Booking flow |
| Payment data | Processed by Stripe; we do not store full card details | Subscription/payment flows |
4.2 Data we collect automatically
| Category | Data | Basis |
|---|---|---|
| Technical data | IP address, browser type, device, operating system | Necessary cookies / legitimate interests |
| Usage data | Pages visited, referring URL, language version, approximate country | Analytics cookies (consent) |
| Security data | Bot-detection signals from Cloudflare Turnstile on our forms | Legitimate interests (fraud/abuse prevention) |
4.3 Special category data (health data)
Our contact forms include a free-text message field. Users frequently describe difficulties relating to their mental health in that field. Information about mental health is special category data under Article 9 GDPR and attracts heightened protection.
We ask you not to include more health information than is necessary to be matched with an appropriate therapist. However, where you do provide such information, we process it only on the basis of your explicit consent (Article 9(2)(a) GDPR), given when you submit the form.
5. Why we process your data and our legal basis
| Purpose | Legal basis (Art. 6 GDPR) | Additional basis for health data (Art. 9) |
|---|---|---|
| Providing and maintaining your account | Performance of a contract, Art. 6(1)(b) | — |
| Handling your contact enquiry and passing it to a therapist | Steps prior to a contract at your request, Art. 6(1)(b) | Explicit consent, Art. 9(2)(a) |
| Managing bookings and appointments | Performance of a contract, Art. 6(1)(b) | Explicit consent, Art. 9(2)(a) |
| Sending service emails (confirmations, notifications) | Performance of a contract, Art. 6(1)(b) | — |
| Preventing spam and abuse of our forms | Legitimate interests, Art. 6(1)(f) | — |
| Site analytics and measuring marketing effectiveness | Consent, Art. 6(1)(a) | — |
| Complying with legal obligations (tax, accounting) | Legal obligation, Art. 6(1)(c) | — |
Where we rely on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Where we rely on legitimate interests, you have the right to object (see Section 10).
6. Sharing your data with therapists
When you submit an enquiry through a therapist's profile page, or book a session, we share the relevant details with that therapist so they can respond to you and provide the service you have requested.
The therapist then processes your data as an independent controller. Their handling of your information — including any clinical notes and records they create — is governed by:
- their own privacy notice;
- their professional and regulatory obligations, including confidentiality;
- the retention rules applicable to their profession, which will typically require clinical records to be retained for a period considerably longer than our own retention period.
We do not have access to the content of your therapy sessions or to any clinical records a therapist creates.
7. Service providers (processors)
We use the following providers, which process personal data on our behalf under written data processing agreements. All hosting and primary data storage is located in the European Economic Area.
| Provider | Purpose | Location of processing |
|---|---|---|
| Neon | Database hosting | European Union |
| Vercel | Website hosting and delivery | European Economic Area |
| Neon Auth | Authentication, verification and password-reset emails | European Economic Area |
| Resend | Transactional and notification emails | European Economic Area |
| Cloudflare | DNS, bot protection (Turnstile) | Global network |
| Stripe | Payment processing | European Economic Area |
Important. Several of the providers listed above are established in, or transfer personal data to, the United States. Where that is the case, we rely on the transfer mechanisms described in Section 8. Wefeel has stated that data is hosted in Europe; this must be verified provider by provider, since default configurations for Vercel, Resend and Stripe do not always keep processing within the EEA.
8. International transfers
Where we transfer personal data outside the European Economic Area, we ensure an appropriate safeguard under Chapter V GDPR is in place. In practice this means one of:
- an adequacy decision of the European Commission (for example, the EU–US Data Privacy Framework, where the recipient is certified under it);
- the European Commission's Standard Contractual Clauses (SCCs), supplemented where necessary by additional technical and organisational measures following a transfer impact assessment.
You may request a copy of the safeguards we rely on by writing to gdpr@wefeel.space.
9. How long we keep your data
| Data | Retention period | Rationale |
|---|---|---|
| Account data | For as long as your account is active, then 30 days after deletion | Contract; short grace period for accidental deletion |
| Contact enquiries (leads) that do not lead to a booking | 12 months from submission | Legitimate interests; allows follow-up and demonstrates handling |
| Contact enquiries containing health data | 12 months, unless you withdraw consent sooner | Explicit consent |
| Booking records | 6 years | Irish statutory retention for records supporting financial statements |
| Payment and invoicing records | 6 years | Irish tax law (Taxes Consolidation Act) |
| Analytics data | Up to 14 months | Aligned with standard analytics retention settings |
| Server and security logs | 90 days | Security and abuse prevention |
Clinical records created by a therapist are retained by that therapist under their own professional rules, which typically require a substantially longer period. Those periods are outside our control.
At the end of the applicable period we delete or irreversibly anonymise the data.
10. Your rights
Under the GDPR you have the right to:
- access the personal data we hold about you, and receive a copy;
- rectify inaccurate or incomplete data;
- erasure ("right to be forgotten"), where one of the grounds in Article 17 applies;
- restrict processing in certain circumstances;
- data portability — receive data you provided to us in a structured, commonly used, machine-readable format;
- object to processing based on our legitimate interests, and to direct marketing at any time;
- withdraw consent at any time, where processing is based on consent — including consent to cookies and to the processing of health data;
- not be subject to a decision based solely on automated processing which produces legal or similarly significant effects. We do not carry out such automated decision-making. Our matching questionnaire filters our therapist directory according to criteria you select; it does not make a decision about you.
To exercise any of these rights, contact gdpr@wefeel.space. We will respond within one month, which may be extended by two further months for complex requests.
Complaints. If you believe we have not handled your data lawfully, you may lodge a complaint with the Irish Data Protection Commission (dataprotection.ie), or with the supervisory authority in your country of residence or place of the alleged infringement. In Poland, this is the Prezes Urzędu Ochrony Danych Osobowych (uodo.gov.pl).
11. Cookies and similar technologies
We use cookies and similar technologies to operate the site, to understand how it is used, and — with your consent — to measure the effectiveness of our marketing.
11.1 Categories
| Category | Purpose | Consent required |
|---|---|---|
| Necessary | Authentication and session management; language preference; recording your cookie choices; bot protection on forms (Cloudflare Turnstile) | No — these are essential to provide a service you have requested |
| Analytics | Understanding how visitors use the site so that we can improve it | Yes |
| Marketing | Measuring the effectiveness of advertising and, where applicable, showing relevant advertising | Yes |
11.2 Your choices
When you first visit the site from the European Union, the European Economic Area or the United Kingdom, we ask for your consent before setting any analytics or marketing cookies. Necessary cookies are always set.
You may accept all cookies, reject all non-essential cookies, or choose by category. Rejecting is as easy as accepting. Non-essential cookies are not set unless you consent; the underlying scripts are not loaded at all.
You can change or withdraw your choice at any time through the "Cookie settings" link in the site footer.
Your preferences are stored in a cookie that expires after 12 months, after which we will ask again.
Where you access the site from outside the EU, EEA and UK, we may set analytics and marketing cookies without first requesting consent, in accordance with the law applicable in your jurisdiction. You may still exercise your choices via "Cookie settings".
12. Security
We implement appropriate technical and organisational measures to protect personal data, including encryption in transit, access controls, restricted administrative access, rate limiting and bot protection on public forms.
No system is completely secure. If a personal data breach occurs which is likely to result in a risk to your rights and freedoms, we will notify the Data Protection Commission within 72 hours of becoming aware of it, and will notify you directly where the breach is likely to result in a high risk to you.
13. Children
Our services are directed at adults. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact gdpr@wefeel.space and we will delete it.
14. Changes to this policy
We may update this policy from time to time. Where changes are material, we will notify you — for example by email or through a prominent notice on the site — before they take effect. The version number and "last updated" date at the top of this document indicate the current version.
15. Contact
Wefeel.space Ltd Ireland
Data protection enquiries: gdpr@wefeel.space