Privacy Policy

Wefeel.space Ltd

Last updated: 9 July 2026 Version: 1.0


1. Who we are

Wefeel.space Ltd ("Wefeel", "we", "us", "our") operates the website wefeel.space, a platform connecting Polish-speaking individuals — in Poland and abroad — with Polish-speaking mental health professionals.

Data Controller: Wefeel.space Ltd Ireland

Data protection contact: gdpr@wefeel.space


2. Scope of this policy

This policy explains how we collect, use, store and share personal data when you:

  • visit wefeel.space;
  • create an account (as a client or as a therapist);
  • submit a contact form or a matching questionnaire;
  • book a session with a therapist through our platform;
  • subscribe to, or take part in, our educational content and community activities.

This policy does not cover how an individual therapist processes your data once you enter into a therapeutic relationship with them. See Section 6.


3. Controllers and roles

Our understanding of the arrangement:

  • Wefeel is the controller of personal data processed on the platform: account data, contact enquiries ("leads"), booking records, site analytics, and communications with us.
  • Each therapist is a separate, independent controller of the personal data they process in the course of providing therapy — including clinical notes, session content and any health records. Therapists are bound by their own professional obligations, including professional confidentiality and their own regulator's requirements.
  • When we pass your enquiry to a therapist, this is a disclosure between independent controllers, not a transfer to a processor acting on our instructions.

Note on terminology. A "data processing agreement" (DPA) governs a controller–processor relationship, in which the processor acts only on the controller's documented instructions. A therapist exercising independent clinical judgement and holding clinical records does not typically meet that definition; they act as a controller in their own right. If Wefeel has entered into DPAs with therapists on the basis that they are processors, that characterisation should be reviewed. Depending on the facts, the correct arrangement may be independent controllers (Article 6) or joint controllers (Article 26 GDPR), the latter requiring a transparency arrangement to be made available to data subjects.


4. What personal data we collect

4.1 Data you give us directly

CategoryDataWhere
Account dataName, email address, password (hashed), interface languageRegistration, login
Client profileDisplay name, contact detailsClient onboarding
Therapist profileName, biography, photograph, professional categories, languages, base country, city of practice, time zone, session priceTherapist registration and profile editing
Contact enquiriesFirst name, last name, email, telephone, city, message contentContact forms (site-wide, therapist profile pages, /kontakt)
Booking dataName, telephone, time zone, appointment time, whether it is a first visit, optional noteBooking flow
Payment dataProcessed by Stripe; we do not store full card detailsSubscription/payment flows

4.2 Data we collect automatically

CategoryDataBasis
Technical dataIP address, browser type, device, operating systemNecessary cookies / legitimate interests
Usage dataPages visited, referring URL, language version, approximate countryAnalytics cookies (consent)
Security dataBot-detection signals from Cloudflare Turnstile on our formsLegitimate interests (fraud/abuse prevention)

4.3 Special category data (health data)

Our contact forms include a free-text message field. Users frequently describe difficulties relating to their mental health in that field. Information about mental health is special category data under Article 9 GDPR and attracts heightened protection.

We ask you not to include more health information than is necessary to be matched with an appropriate therapist. However, where you do provide such information, we process it only on the basis of your explicit consent (Article 9(2)(a) GDPR), given when you submit the form.


5. Why we process your data and our legal basis

PurposeLegal basis (Art. 6 GDPR)Additional basis for health data (Art. 9)
Providing and maintaining your accountPerformance of a contract, Art. 6(1)(b)
Handling your contact enquiry and passing it to a therapistSteps prior to a contract at your request, Art. 6(1)(b)Explicit consent, Art. 9(2)(a)
Managing bookings and appointmentsPerformance of a contract, Art. 6(1)(b)Explicit consent, Art. 9(2)(a)
Sending service emails (confirmations, notifications)Performance of a contract, Art. 6(1)(b)
Preventing spam and abuse of our formsLegitimate interests, Art. 6(1)(f)
Site analytics and measuring marketing effectivenessConsent, Art. 6(1)(a)
Complying with legal obligations (tax, accounting)Legal obligation, Art. 6(1)(c)

Where we rely on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Where we rely on legitimate interests, you have the right to object (see Section 10).


6. Sharing your data with therapists

When you submit an enquiry through a therapist's profile page, or book a session, we share the relevant details with that therapist so they can respond to you and provide the service you have requested.

The therapist then processes your data as an independent controller. Their handling of your information — including any clinical notes and records they create — is governed by:

  • their own privacy notice;
  • their professional and regulatory obligations, including confidentiality;
  • the retention rules applicable to their profession, which will typically require clinical records to be retained for a period considerably longer than our own retention period.

We do not have access to the content of your therapy sessions or to any clinical records a therapist creates.


7. Service providers (processors)

We use the following providers, which process personal data on our behalf under written data processing agreements. All hosting and primary data storage is located in the European Economic Area.

ProviderPurposeLocation of processing
NeonDatabase hostingEuropean Union
VercelWebsite hosting and deliveryEuropean Economic Area
Neon AuthAuthentication, verification and password-reset emailsEuropean Economic Area
ResendTransactional and notification emailsEuropean Economic Area
CloudflareDNS, bot protection (Turnstile)Global network
StripePayment processingEuropean Economic Area

Important. Several of the providers listed above are established in, or transfer personal data to, the United States. Where that is the case, we rely on the transfer mechanisms described in Section 8. Wefeel has stated that data is hosted in Europe; this must be verified provider by provider, since default configurations for Vercel, Resend and Stripe do not always keep processing within the EEA.


8. International transfers

Where we transfer personal data outside the European Economic Area, we ensure an appropriate safeguard under Chapter V GDPR is in place. In practice this means one of:

  • an adequacy decision of the European Commission (for example, the EU–US Data Privacy Framework, where the recipient is certified under it);
  • the European Commission's Standard Contractual Clauses (SCCs), supplemented where necessary by additional technical and organisational measures following a transfer impact assessment.

You may request a copy of the safeguards we rely on by writing to gdpr@wefeel.space.


9. How long we keep your data

DataRetention periodRationale
Account dataFor as long as your account is active, then 30 days after deletionContract; short grace period for accidental deletion
Contact enquiries (leads) that do not lead to a booking12 months from submissionLegitimate interests; allows follow-up and demonstrates handling
Contact enquiries containing health data12 months, unless you withdraw consent soonerExplicit consent
Booking records6 yearsIrish statutory retention for records supporting financial statements
Payment and invoicing records6 yearsIrish tax law (Taxes Consolidation Act)
Analytics dataUp to 14 monthsAligned with standard analytics retention settings
Server and security logs90 daysSecurity and abuse prevention

Clinical records created by a therapist are retained by that therapist under their own professional rules, which typically require a substantially longer period. Those periods are outside our control.

At the end of the applicable period we delete or irreversibly anonymise the data.


10. Your rights

Under the GDPR you have the right to:

  • access the personal data we hold about you, and receive a copy;
  • rectify inaccurate or incomplete data;
  • erasure ("right to be forgotten"), where one of the grounds in Article 17 applies;
  • restrict processing in certain circumstances;
  • data portability — receive data you provided to us in a structured, commonly used, machine-readable format;
  • object to processing based on our legitimate interests, and to direct marketing at any time;
  • withdraw consent at any time, where processing is based on consent — including consent to cookies and to the processing of health data;
  • not be subject to a decision based solely on automated processing which produces legal or similarly significant effects. We do not carry out such automated decision-making. Our matching questionnaire filters our therapist directory according to criteria you select; it does not make a decision about you.

To exercise any of these rights, contact gdpr@wefeel.space. We will respond within one month, which may be extended by two further months for complex requests.

Complaints. If you believe we have not handled your data lawfully, you may lodge a complaint with the Irish Data Protection Commission (dataprotection.ie), or with the supervisory authority in your country of residence or place of the alleged infringement. In Poland, this is the Prezes Urzędu Ochrony Danych Osobowych (uodo.gov.pl).


11. Cookies and similar technologies

We use cookies and similar technologies to operate the site, to understand how it is used, and — with your consent — to measure the effectiveness of our marketing.

11.1 Categories

CategoryPurposeConsent required
NecessaryAuthentication and session management; language preference; recording your cookie choices; bot protection on forms (Cloudflare Turnstile)No — these are essential to provide a service you have requested
AnalyticsUnderstanding how visitors use the site so that we can improve itYes
MarketingMeasuring the effectiveness of advertising and, where applicable, showing relevant advertisingYes

11.2 Your choices

When you first visit the site from the European Union, the European Economic Area or the United Kingdom, we ask for your consent before setting any analytics or marketing cookies. Necessary cookies are always set.

You may accept all cookies, reject all non-essential cookies, or choose by category. Rejecting is as easy as accepting. Non-essential cookies are not set unless you consent; the underlying scripts are not loaded at all.

You can change or withdraw your choice at any time through the "Cookie settings" link in the site footer.

Your preferences are stored in a cookie that expires after 12 months, after which we will ask again.

Where you access the site from outside the EU, EEA and UK, we may set analytics and marketing cookies without first requesting consent, in accordance with the law applicable in your jurisdiction. You may still exercise your choices via "Cookie settings".


12. Security

We implement appropriate technical and organisational measures to protect personal data, including encryption in transit, access controls, restricted administrative access, rate limiting and bot protection on public forms.

No system is completely secure. If a personal data breach occurs which is likely to result in a risk to your rights and freedoms, we will notify the Data Protection Commission within 72 hours of becoming aware of it, and will notify you directly where the breach is likely to result in a high risk to you.


13. Children

Our services are directed at adults. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact gdpr@wefeel.space and we will delete it.


14. Changes to this policy

We may update this policy from time to time. Where changes are material, we will notify you — for example by email or through a prominent notice on the site — before they take effect. The version number and "last updated" date at the top of this document indicate the current version.


15. Contact

Wefeel.space Ltd Ireland

Data protection enquiries: gdpr@wefeel.space