Privacy Policy

EMDR Digital is responsible for processing your personal data as described in this policy.

For any questions, contact us at:

info@emdrdigital.com

We collect different types of data depending on whether you use the platform as a therapist or participate as a patient.

2.1 Therapist Account Data

When you create an account, we collect:

• Name, email address, and chosen username
• Authentication credentials (email/password or Google Sign-In)
• Professional preferences (stimulation settings, theme, language)

Stored in Google Cloud Firestore (Belgium/Netherlands, EU).

Legal basis: contract performance (Art. 6(1)(b) GDPR).

2.2 Patient Records

Therapists enter patient information into the platform:

• Name, date of birth, contact details (email, phone)
• Gender and emergency contact information
• Clinical notes and therapy observations

Only the patient's name is required. All other fields are optional and entered at the therapist's discretion.

This data may include special category health data under Art. 9 GDPR. The therapist acts as data controller for their patients' clinical records; EMDR Digital processes this data on the therapist's behalf.

Stored in Google Cloud Firestore (Belgium/Netherlands, EU).

Legal basis: explicit consent and/or necessity for healthcare (Art. 9(2)(a) and (h) GDPR).

2.3 Session Data

During therapy sessions, the following data may be generated:

• Session data (date, duration, stimulation configuration)
• Audio recordings (only when explicitly started by the therapist with patient consent)
• Automatic transcriptions generated from audio recordings
• AI-generated analysis (narrative summary, ICES targets, key people, therapeutic recommendations)

Video is never recorded. Only audio is recorded, and only when the therapist explicitly enables it and the patient consents.

Stored in Google Cloud Firestore and Firebase Storage (Belgium/Netherlands, EU).

2.4 Patient Session Participation

Patients join sessions without creating an account. Their identity in the session is determined by the patient record the therapist has selected. During participation:

• A camera snapshot is held in server memory for waiting room admission — never saved to disk, cleared when the session ends
• Audio from the video call is processed only if recording is enabled with consent

2.5 Technical & Diagnostic Data

For platform stability, we collect:

• Browser type, device information, and timezone
• IP addresses in server access logs
• Connection quality metrics

Legal basis: legitimate interest (Art. 6(1)(f) GDPR) — ensuring platform reliability.

We process your data for the following purposes:

• Providing the therapy platform and video call service
• Generating transcriptions from session audio recordings
• Producing AI-powered session analysis and clinical reports
• Maintaining platform security (access control, rate limiting)
• Diagnosing and resolving technical issues
• Sending service notifications (account verification, important updates)

When a session is recorded and transcribed, the transcript is analyzed by Google Vertex AI (Gemini) to generate clinical reports. This processing takes place in Madrid, Spain (EU).

The AI receives the session transcript, patient first name, therapist name, session date, and patient demographics (age and gender). It generates a narrative summary, ICES targets, key people mentioned, significant dates, and therapeutic recommendations.

Google processes this data under their Data Processing Agreement and does not use it to train their AI models. All processing remains within the European Union.

We retain data only as long as necessary for its purpose:

• Therapist account data — until account deletion
• Patient records — until the therapist deletes them
• Session data and analysis — until the therapist deletes them
• Audio recordings — automatically deleted after 90 days
• Temporary audio processing files — deleted immediately after transcription
• Diagnostic logs — 30 days
• Webhook event logs — 90 days

We share data only with the following EU-based service providers, all with Data Processing Agreements in place:

We do not sell personal data. We do not share data with advertisers. No personal data is transferred outside the European Union.

We use minimal browser storage and no tracking technologies:

• One functional cookie (sidebar_state) to remember your layout preference
• localStorage for non-personal preferences: language, theme, and device settings
• Firebase Auth tokens in IndexedDB (managed automatically by the Firebase SDK)

We do not use tracking cookies, analytics, advertising trackers, or any third-party scripts.

We protect your data with multiple layers of security:

• All browser communications encrypted with TLS (HTTPS/WSS)
• Video and audio calls protected with DTLS-SRTP encryption
• Data at rest encrypted with AES-256 on Google Cloud
• Server-to-server communications protected by IP-based firewalls
• Access controls and rate limiting on all API endpoints
• All infrastructure hosted exclusively in the European Union

Video calls are encrypted in transit but not end-to-end encrypted. The media server processes audio and video for call routing and, when enabled, recording.

Under the GDPR, you have the right to:

• Access — obtain a copy of your personal data (Art. 15)
• Rectification — correct inaccurate data (Art. 16)
• Erasure — request deletion of your data (Art. 17)
• Restriction — limit how we process your data (Art. 18)
• Portability — receive your data in a structured format (Art. 20)
• Object — oppose processing based on legitimate interest (Art. 21)

To exercise any of these rights, contact us at info@emdrdigital.com. We will respond within 30 days.

You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) at aepd.es, or with the supervisory authority in your country of residence.

EMDR Digital is designed for licensed therapists. We do not knowingly collect data directly from minors. Patients under 16 participate under the responsibility of their therapist and legal guardians.

We may update this policy to reflect changes in our practices or legal requirements. Registered users will be notified of significant changes via email. The date at the top of this page indicates the latest revision.

For questions about this privacy policy or your personal data:

info@emdrdigital.com