Privacy Notice
1. Introduction and Data Controller
This Privacy Notice explains how we collect, use, share, and protect your personal data when you use the Ekho Psychology platform ("the Platform"). We are committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR) and Swedish healthcare regulations.
Data Controller:
EKHO Psychology
Email: privacy@ekhopsychology.se
Website: www.ekhopsychology.se
For questions about how we process your personal data or to exercise your rights, please contact us using the details above.
2. What Personal Data We Collect
We collect and process the following categories of personal data:
2.1 Identity and Contact Information
- Name (first name, last name)
- Date of birth
- Email address
- Phone number
- Postal address (country, postal code, city, street address)
- Preferred language and timezone
2.2 Account and Authentication Data
- Account credentials (email address and password hash)
- Verification status of email and phone number
- Account preferences and notification settings
- Login history and authentication records
- Verification tokens and security codes
2.3 Appointment and Service Data
- Appointment scheduling information (date, time, duration)
- Appointment status and cancellation records
- Service consumption records
- Session notes and clinical observations (maintained by healthcare providers)
- Treatment contracts and care agreements
- Service delivery outcomes
2.4 Financial and Payment Information
- Payment transaction records
- Invoice information
- Credit and monetary ledger entries
- Currency and pricing information
- Payment method details (processed by our payment provider)
- Refund and adjustment records
2.5 Healthcare and Clinical Data
For services provided by licensed healthcare professionals:
- Treatment session documentation
- Clinical notes and observations
- Service consumption records
- Treatment plans and care agreements
- Health-related information necessary for service provision
2.6 Communication Data
- Messages sent through contact forms
- Email correspondence
- Notification preferences
- Communication history
2.7 Technical and Usage Data
- IP address (anonymized for analytics purposes)
- Browser type and version
- Operating system and device information
- User agent string
- Page views and interaction data
- Session duration and engagement metrics
- Referrer information and navigation patterns
- Locale and timezone settings
2.8 Campaign and Attribution Data
- UTM campaign parameters
- Advertising click identifiers
- Landing page and referral source
- Conversion events
- Engagement metrics
- Country of origin (derived from anonymized IP address)
2.9 Legal Compliance Data
- Consent records for Terms of Service and Privacy Notice
- IP address and user agent at time of consent
- Document version and timestamp of acceptance
- Audit trail information
3. Legal Basis for Processing
We process your personal data on the following legal bases:
3.1 Contract Performance (GDPR Article 6(1)(b))
Processing necessary to provide services you have requested:
- Account creation and management
- Appointment scheduling and management
- Service delivery and session management
- Payment processing and financial record-keeping
- Communications related to your use of our services
3.2 Legal Obligation (GDPR Article 6(1)(c))
Processing required by law:
- Financial record-keeping and tax compliance
- Healthcare record retention (for licensed healthcare providers)
- Compliance with accounting and invoicing requirements
- Responding to legal requests from authorities
3.3 Consent (GDPR Article 6(1)(a))
Processing based on your explicit consent:
- Analytics and usage tracking for service improvement
- Campaign attribution and marketing analytics
- Non-essential communications
- Processing of special categories of data (where applicable)
You may withdraw your consent at any time through your account settings or by contacting us.
3.4 Legitimate Interests (GDPR Article 6(1)(f))
Processing necessary for our legitimate interests:
- Fraud prevention and security monitoring
- Service improvement and development
- Platform performance optimization
- Customer support and issue resolution
We carefully balance our legitimate interests against your rights and freedoms before processing data on this basis.
3.5 Special Categories of Data
Healthcare and clinical data constitute special categories of personal data under GDPR Article 9. We process such data:
- With your explicit consent for treatment purposes
- As necessary for healthcare provision under applicable laws
- Subject to additional safeguards and professional confidentiality obligations
4. Healthcare Records and Journaling (Journalföring)
4.1 Healthcare Providers Subject to Swedish Law
Healthcare professionals registered in Sweden and subject to Swedish patient data laws (Patientdatalagen) maintain healthcare records ("journalhandlingar") in accordance with legal requirements. These records:
- Are retained for a minimum of 10 years from the last contact with the patient
- Are maintained with appropriate confidentiality and security measures
- May be accessed by patients in accordance with their rights under Swedish law
- Are subject to professional secrecy obligations
4.2 Healthcare Providers in Other Jurisdictions
Healthcare professionals registered in other countries are subject to the healthcare record-keeping requirements of their respective jurisdictions. Record retention periods and access procedures may vary based on applicable local laws.
4.3 Platform Provider
As the Platform provider, we maintain technical and administrative records to support healthcare service delivery, including appointment records, service consumption documentation, and contract information. These records are retained in accordance with applicable business record-keeping requirements and may differ from healthcare records maintained by individual practitioners.
4.4 Audio and Visual Recordings
Audio and visual recordings from video or telephone consultations are not stored on the Platform. Healthcare providers are responsible for ensuring compliance with applicable laws if they maintain such recordings independently.
5. Data Sharing and Third-Party Processors
We prioritize keeping your data in-house and only share personal data with third parties when necessary for service delivery or legal compliance.
5.1 Third-Party Service Providers
We engage carefully selected third-party processors who handle personal data on our behalf under strict contractual obligations:
- SMS Verification Services:
Provider: Twilio Inc.
Data shared: Phone numbers, verification codes
Purpose: Phone number verification and SMS-based authentication
Location: USA (subject to Standard Contractual Clauses and adequacy decisions)
- Payment Processing:
Provider: Stripe, Inc. (via individual healthcare provider accounts)
Data shared: Email address, payment amount, transaction metadata
Purpose: Processing payments for services
Note: Each healthcare provider maintains their own payment processing account; we do not centrally process payments
Location: USA and Europe (subject to Standard Contractual Clauses and adequacy decisions)
5.2 Other Healthcare Providers
When you are referred to another healthcare provider or when care coordination requires information sharing, your healthcare data may be shared with:
- The receiving healthcare provider
- Regional healthcare systems (if applicable)
Such sharing occurs only with your consent or when required by law.
5.3 Legal and Regulatory Authorities
We may disclose personal data to:
- Tax authorities (for financial compliance)
- Healthcare regulatory bodies (as required by law)
- Law enforcement (in response to valid legal requests)
- Courts and legal representatives (in legal proceedings)
6. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected and to comply with legal obligations.
6.1 Healthcare Records
- Swedish Healthcare Providers: Minimum 10 years from last patient contact, in accordance with Swedish law
- Other Jurisdictions: In accordance with applicable healthcare record-keeping requirements
6.2 Account and Service Data
- Active Accounts: For the duration of your relationship with us and as long as your account remains active
- Inactive Accounts: Retained for a reasonable period after inactivity, then anonymized or deleted
- Service Records: Retained for the duration necessary to provide services and resolve any issues
6.3 Financial Records
- Transaction Records: Retained in accordance with tax and accounting requirements (typically 7 years)
- Ledger Entries: Maintained as permanent audit trails for financial accountability
6.4 Legal and Compliance Records
- Consent Records: Retained for the duration of the relationship and for a period thereafter to demonstrate compliance
- Audit Trails: Retained in accordance with legal and regulatory requirements
6.5 Analytics and Technical Data
- Session Data: Retained for 30 days
- Anonymized Analytics: May be retained indefinitely in aggregated, non-identifiable form
6.6 Deletion and Anonymization
Upon request or after applicable retention periods, we:
- Permanently delete personal data from active systems
- Anonymize data where deletion would impair legal or business obligations
- Ensure backups containing personal data are systematically purged in accordance with our data retention schedule
7. Your Rights Under GDPR
You have the following rights regarding your personal data:
7.1 Right to Access (Article 15)
You may request:
- Confirmation of whether we process your personal data
- A copy of your personal data
- Information about how we process your data
We will provide the first copy free of charge. For additional copies, we may charge a reasonable administrative fee.
7.2 Right to Rectification (Article 16)
You may request correction of inaccurate or incomplete personal data. You can update most information directly through your account settings.
7.3 Right to Erasure (Article 17)
You may request deletion of your personal data when:
- The data is no longer necessary for the purposes for which it was collected
- You withdraw consent and there is no other legal basis for processing
- You object to processing based on legitimate interests and there are no overriding grounds
- The data has been unlawfully processed
- Deletion is required by legal obligation
Limitations: We may refuse deletion requests when retention is necessary for:
- Compliance with legal obligations (e.g., financial record-keeping, healthcare records)
- Establishment, exercise, or defense of legal claims
- Archiving purposes in the public interest
7.4 Right to Restriction of Processing (Article 18)
You may request restriction of processing when:
- You contest the accuracy of personal data (during verification)
- Processing is unlawful but you prefer restriction to deletion
- We no longer need the data but you need it for legal claims
- You have objected to processing (pending verification of legitimate grounds)
7.5 Right to Data Portability (Article 20)
You may request:
- Your personal data in a structured, commonly used, machine-readable format
- Transfer of your data directly to another controller (where technically feasible)
This right applies to data processed based on consent or contract and processed by automated means.
7.6 Right to Object (Article 21)
You may object to processing based on:
- Legitimate interests: You may object for reasons relating to your particular situation
- Direct marketing: You may object at any time (we do not currently engage in direct marketing)
7.7 Right to Withdraw Consent
Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
7.8 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority, particularly in your country of residence, place of work, or place of alleged infringement.
Swedish Supervisory Authority:
Integritetsskyddsmyndigheten (IMY)
Website: www.imy.se
Email: imy@imy.se
Phone: +46 8 657 61 00
7.9 Exercising Your Rights
To exercise any of these rights, please contact us at privacy@ekhopsychology.se. We will respond to your request within one month, though this may be extended by two additional months for complex requests.
We may request additional information to verify your identity before processing your request.
8. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.
8.1 Healthcare Provider Obligations
Healthcare providers using the Platform are independently responsible for:
- Maintaining professional confidentiality obligations
- Implementing appropriate security measures for healthcare data
- Complying with healthcare-specific data protection requirements
9. Contact and Questions
9.1 Privacy Inquiries
To exercise your GDPR rights or request information about your personal data:
Email: privacy@ekhopsychology.se
Include: Your full name, email address, and specific request
We will respond within one month of verification
9.2 Healthcare Record Access
For access to healthcare records maintained by your healthcare provider:
- Contact your healthcare provider directly
- Swedish patients: You have the right to access your journal under Patientdatalagen
- Healthcare providers will respond in accordance with applicable healthcare regulations
Language: This Privacy Notice is available in English, Swedish, and Hungarian. In case of discrepancies between versions, the English version shall prevail for interpretation purposes.