EMDR Online

EMDR Online

Privacy Policy

Last updated: 2026-06-23

1. Data controller

The controller of personal data is , Politechniczna 9/5, 80-180 Gdańsk, 5833100159. Data contact: kontakt@emdronline.pl.

2. What data we process

Therapists (account holders)

  • email address, name (if provided), preferred language;
  • password — stored only in hashed form (never as plain text);
  • subscription and billing data: Stripe customer ID, subscription status and period (we do not store full card details);
  • technical sign-in data: IP address and browser information (user agent), server logs.

Clients (people opening a session link)

The Client view (/s/<token>) works without login and without an account. We collect no personal data from the Client and use no analytics or profiling on that view. By design, the ball's position is computed locally in the browser — we do not transmit session content, only the motion parameters (tempo, amplitude, appearance) needed for synchronisation.

Practitioner directory listing (optional)

A Therapist may voluntarily create a listing in the public practitioner directory. We process this data only if the Therapist chooses to join the directory. It includes:

  • data published in the directory (visible to all visitors once the listing is approved): display name, photo, bio, location (country/region/city), languages, client groups, focus areas, EMDR training level and body, booking method and fee information;
  • credential document (e.g. an EMDR certificate) — uploaded for verification. The document is private, accessible only to our review team, and is never published;
  • verification status and the date the listing was approved.

The Therapist can hide the listing (it stops appearing in the directory) or delete it at any time. Deleting the account also deletes the listing together with the credential document.

People who make contact through the directory

The contact form on a listing forwards the message directly to the Therapist. For this purpose we process the sender's name, email address and message — solely to deliver it to the chosen Therapist. The Therapist's email address is not disclosed to the sender (replies go via the "reply-to" field).

3. Purposes and legal bases (GDPR)

  • providing the Service and managing the account — Art. 6(1)(b) GDPR (performance of a contract);
  • billing and accounting obligations — Art. 6(1)(c) GDPR (legal obligation);
  • security, abuse prevention, establishing/defending claims — Art. 6(1)(f) GDPR (legitimate interest);
  • publishing the directory listing — Art. 6(1)(a) GDPR (the Therapist's consent, which can be withdrawn by hiding or deleting the listing), together with credential verification based on the uploaded document;
  • forwarding a contact-form message to the Therapist — Art. 6(1)(f) GDPR (the legitimate interest of the sender and the Therapist in making contact);
  • handling enquiries and complaints — Art. 6(1)(b)/(f) GDPR.

4. Recipients (processors)

  • Stripe — payment and subscription processing;
  • infrastructure / hosting provider (servers in the European Union);
  • transactional email provider (e.g. password-reset messages and directory contact-form messages).

These parties process data under data-processing agreements and only as needed to provide the Service.

Public directory: data in a listing approved for publication is visible to all directory visitors and may be indexed by search engines. The credential document is never published.

5. Transfers outside the EEA

Where a provider processes data outside the European Economic Area, this is done under appropriate safeguards (e.g. Standard Contractual Clauses approved by the European Commission).

6. Retention

We keep account data for the term of the agreement and afterwards for the period needed for billing and limitation of claims; billing data is kept for the period required by tax law. Technical logs are retained for a limited time for security. Listing data and the credential document are kept until the Therapist deletes the listing or the account; contact-form messages are forwarded to the Therapist and are not permanently archived by us.

7. Your rights

You have the right to access, rectify, erase, restrict and port your data, to object, and to withdraw consent (where processing is based on it). You also have the right to lodge a complaint with a supervisory authority — in Poland, the President of the Personal Data Protection Office (PUODO).

8. Cookies

We use only cookies strictly necessary for the Service to work (e.g. maintaining the sign-in session and CSRF protection). We do not use marketing or tracking cookies without your consent.

9. Security

We apply technical and organisational measures appropriate to the risk, including encrypted transport (TLS) and storing passwords only in hashed form.

10. Changes to this policy

This policy may be updated. The date of the latest change is shown at the top of the page.

11. Contact

For data protection matters: kontakt@emdronline.pl.