
Who we are

Soveria Platform (hereinafter — "Soveria", "we", "our") is a clinical measurement-based care platform for mental health professionals and their clients.

We take the protection of your personal data seriously. This Privacy Policy describes what data we collect, how we use it, and what rights you have regarding your data.

Data Controller

Soveria Platform · Email: privacy@soveria.co · DPO: dpo@soveria.co

Data we collect

Data you provide

  • Registration data: name, email, password (hashed)
  • Professional data (for specialists): qualifications, specialization, license number
  • Clinical data: assessment results, clinical notes, treatment protocols
  • Session data: records of therapeutic sessions, notes
  • Contact data: phone, address (optional)

Data we collect automatically

  • Technical data: IP address, browser type, operating system
  • Usage data: visit times, pages viewed, platform actions
  • Cookies and similar technologies (see Cookie Policy)

⚠️ Clinical health data belongs to a special category of personal data (Art. 9 GDPR). We process it exclusively based on your explicit consent.

Processing purposes

We process your data for the following purposes:

Purpose | Legal basis | Data category
--- | --- | ---
Service provision | Contract performance (Art. 6(1)(b)) | Registration, professional
Clinical data processing | Explicit consent (Art. 9(2)(a)) | Clinical, assessment data
Technical support | Legitimate interest (Art. 6(1)(f)) | Contact, technical
Platform security | Legitimate interest (Art. 6(1)(f)) | Technical, logs
Legal compliance | Legal obligation (Art. 6(1)(c)) | All categories

What this means for you

We use your data only for the stated purposes. Each purpose has a specific legal basis under GDPR.

Third-party sharing

We share your data only in the following cases:

  • Your therapist (for clients) — within the therapeutic relationship
  • Subcontractors (sub-processors) — for technical platform operations
  • By legal requirement — if obligated by court order or regulator request

Data Sub-processors

Provider | Purpose | Country
--- | --- | ---
Hetzner Online GmbH | Server hosting, data storage | Germany (EU)
Resend Inc. | Transactional email delivery | USA (SCC)
Stripe Inc. | Payment processing | USA (SCC)

Retention periods

Data type | Retention period | Basis
--- | --- | ---
Registration data | Until account deletion | Contract performance
Clinical data | 5 years after treatment ends | Professional standards
Technical logs | 90 days | Legitimate interest
Financial data | 7 years | Tax legislation
Consent records | 3 years after withdrawal | Consent verification

Account deletion

When you delete your account, your registration data is removed within 30 days. Clinical data may be retained longer per professional standards.

Your rights

Right of access

Request a copy of all your personal data we process

Right to rectification

Correct inaccurate or incomplete personal data

Right to erasure

Right to be forgotten — request deletion of your data

Right to portability

Receive your data in a machine-readable format

Right to object

Object to the processing of your data

Right to restriction

Restrict the processing of your personal data

To exercise any of these rights, contact our DPO: dpo@soveria.co. We will process your request within 30 days.

Security

  • TLS 1.3 for all connections
  • JWT authentication with short-lived tokens
  • Password hashing (bcrypt, 12 rounds)
  • Rate limiting on sensitive endpoints
  • Role-based access control (RBAC)
  • Regular encrypted backups
  • Servers in Hetzner Frankfurt, Germany (EU)

Incident notification

In case of a data breach, we will notify the supervisory authority within 72 hours (Art. 33 GDPR) and affected individuals without undue delay (Art. 34 GDPR).

Cookies

We use a limited set of cookies for platform operation. For detailed information about the cookies we use and how to manage your preferences, please see our Cookie Policy.

Policy changes

We may update this Privacy Policy. We will notify you of material changes via email or through a platform notification.

By continuing to use the platform after changes are published, you accept the updated policy.

Version history

v1.3 (Mar 2026) — Updated sub-processors · v1.2 (Jan 2026) — Added retention periods · v1.0 (Oct 2025) — First version

Contact DPO

If you have questions about our Privacy Policy or wish to exercise your rights, contact our Data Protection Officer (DPO).

Data Protection Officer

We are always ready to answer your questions.

  • Primary communication channel: dpo@soveria.co
  • Maximum response time for requests: 30 days
  • Supervisory authority: BfDI (Bundesbeauftragter für den Datenschutz)