Privacy Policy

Last updated: November 2025


1) Who we are (Data Controller)

Therapsy STP SRL (“Therapsy”, “we”, “us”, “our”)
Via Giovanni Battista Boeri 11, 20141 Milano (MI), Italy
VAT/Tax ID (P.IVA & C.F.): 14203210969 – REA: MI-2765995 – SDI: USAL8PV – ATECO: 86.93.00
Email (privacy & general): info@therapsy.it – PEC: therapsy@pec.it
Telephone: +39 393 433 1887
No Data Protection Officer (DPO) appointed. Contact info@therapsy.it for privacy matters.

Roles at a glance

  • Therapsy = Controller for platform, administrative, billing, support and marketing data.

  • Therapists = Independent Controllers for clinical data processed during therapy (including any transcripts and AI session summaries). You will receive or can request the therapist’s own privacy notice.

  • For certain Meta Pixel website events, Therapsy and Meta Platforms Ireland may act as joint controllers at the moment of collection (see §10).


2) What we do

We run a digital platform that: matches patients with licensed therapists; manages bookings and reminders; hosts online sessions via Zoom; processes payments via Stripe; provides support via email/phone/WhatsApp; and manages scheduling/workflow via Wise.live. Minors may use the service only with parent/guardian consent and signature of the informed consent.


3) Personal data we process

3.1 Account & identification

Name, surname, email, phone number, residency address, tax code, date and city of birth.

3.2 Pre-assessment / matching (may include health data)

Free-text description of reasons/difficulties and preferences for therapist (these may disclose health data).

3.3 Booking & usage

Appointments (date/time/status), rescheduling/attendance, reminders, internal identifiers, device/technical logs (e.g., IP, user agent) produced by our systems and providers (e.g., Wise.live).

3.4 Payments & invoicing

Payer name, address, tax/VAT details, invoice details, payment status and Stripe payment tokens.

We do not store card numbers on our systems. Card details are collected and stored by Stripe on Stripe systems (PCI-DSS) to enable automatic recurring monthly charges and other payments.

Fiscal items (where applicable): fees may include statutory items such as ENPAP 2% welfare contribution; €2 stamp duty for invoices exceeding €77.47; and VAT exemption for healthcare services under Art. 10(1)(18) of DPR 633/1972. Charges are automatically collected monthly to your saved payment method; you can update your card in your account at any time. Receipts are issued at the time of payment.

3.5 Communications & support (incl. phone voicebot)

Emails and support tickets; WhatsApp messages where you contact us there; calls to +39 393 433 1887 handled by an AI voice assistant provided by Aptiva Srl (Italy) for customer care. The voicebot gives general information only and does not ask for or store health data. Callers are instructed not to share clinical information by phone. Limited call metadata (e.g., calling number, time, duration) may be processed for operations.

3.6 Marketing & analytics

Newsletter/marketing subscription status (via ActiveCampaign); cookie/tracking identifiers; analytics data (GA4, Microsoft Clarity, Google Tag Manager) and advertising data (Google Ads, Meta Pixel/Ads) only with consent.

3.7 Therapists’ data (collaborators)

Name, CV, contacts, VAT, professional board number, insurance details, IBAN, contracts, administrative/performance data.

3.8 AI session summaries, recordings & clinical supervision (clinical)

When enabled via Wise.live/Zoom, AI-generated session summaries may be created for the therapist only as notes/reminders. These, and any recordings/transcripts, are clinical data under the therapist’s separate controllership.
Clinical consultation/supervision: therapists may, at their discretion, seek professional consultation to improve care. Such activities occur under the therapist’s independent controllership and, where feasible, with anonymised/de-identified information consistent with professional secrecy.

Therapsy does not access clinical content.


4) Where data come from

Directly from you; generated by our systems during use; from our providers (Wise.live, Stripe, Zoom, ActiveCampaign); and—where you consent—from cookies/trackers on our site.


5) Purposes, legal bases and retention

| Purpose | Examples | Legal basis | Retention |
|---|---|---|---|
| Account, booking, platform operation & support | Account setup, booking flows, reminders, customer care | Contract (Art. 6(1)(b)); Legitimate interest for quality/security (Art. 6(1)(f)) | Account lifetime + 24 months of inactivity; core security logs 90 days |
| Pre-assessment & matching (may include health data) | Reading your difficulties/preferences to match a therapist | Explicit consent for health data (Art. 9(2)(a)); Contract (Art. 6(1)(b)) | Until matching + 6 months. If therapy starts, subsequent clinical data are under the therapist |
| Operational communications | Confirmations, reminders, service notices (email/SMS/WhatsApp/phone info) | Contract (Art. 6(1)(b)) | Account life; comms logs up to 12 months |
| Payments, invoicing & taxes; optional TS transmission | Charges, invoices, accounting; Sistema Tessera Sanitaria | Legal obligation (Art. 6(1)(c)) | 10 years (Italian law). TS transmission only with your opt-in |
| Security, fraud prevention & IT monitoring | Security logs, access controls, incident handling | Legitimate interest (Art. 6(1)(f)) | Core logs 90 days; incident records up to 24 months |
| Marketing communications | Newsletter/updates via ActiveCampaign | Consent (Art. 6(1)(a)) | Until withdrawal; we prune inactive contacts after 24–36 months |
| Web analytics & advertising | GA4, Clarity, GTM, Google Ads, Meta Pixel/Ads | Consent via CMP | Per cookie/tracker lifetime (see Cookie Policy) |
| Phone customer care (Aptiva voicebot) | Info calls only (no health data) | Contract/Legitimate interest (Art. 6(1)(b)/(f)) | Call metadata/logs up to 90 days |

Session recordings and AI summaries. Sessions are not recorded unless both patient and therapist give prior written consent. Any recording, transcript or AI summary is clinical data under the therapist’s controllership. Therapsy does not access clinical recordings.

Deletion confirmations & backups. When we delete personal data at the end of the relevant retention (or upon valid erasure request), we send you an email confirmation of deletion where applicable. Backup copies that may contain your data are permanently purged within 90 days of deletion.

Therapists’ data retention. Personal data of therapists/collaborators are deleted 1 year after the end of the collaboration, unless longer retention is required by law (e.g., accounting).


6) Is provision of data mandatory?

Some data are required to enter into or perform the service (account, contact, booking, payment) or to comply with the law (billing/tax). If not provided, we may be unable to deliver the service. TS transmission is optional and recorded only with your opt-in. Marketing and non-essential cookies are optional.


7) Children

The service can be provided to minors only with parent/guardian consent and signature of the informed consent. We may take reasonable steps to verify such consent.


8) Recipients, processors and international transfers

8.1 Wise.live (core platform processor)

We use Wise.live (processor under Art. 28 GDPR) for scheduling and workflow. It processes, on our documented instructions: patient master data; bookings; reminders; invoice metadata and payment events via Stripe API; therapist assignment; session metadata; and AI summaries (when enabled).

  • Zoom integration: meeting links/sessions via Zoom. Clinical content/AI summaries fall under the therapist (independent controller).

  • Stripe integration: recurring/monthly charges via Stripe; card details are stored by Stripe, not by Therapsy.

  • Informed consent & documents: consent forms are sent, signed and archived in the patient record.

  • Security & access: role-based; therapists see only assigned patients; staff access is need-to-know.

  • Location & transfers: primary hosting in the EU. If non-EEA sub-processors are used, transfers rely on Standard Contractual Clauses (SCCs) with supplementary measures.

8.2 Other key providers

  • Stripe (payments/tokenization) – Processor for us; Controller for card data stored on Stripe systems

  • ActiveCampaign (email marketing/automation) – Processor

  • Zoom (video meetings) – independent provider integrated; meeting content under therapist’s control

  • Google (GA4/GTM), Microsoft Clarity, Google Ads, Meta (Pixel/Ads) – independent controllers for their own purposes where you consent

  • Aptiva Srl (Italy) – Processor for the AI voicebot on our phone line

8.3 International transfers

Our primary servers are in the EU. Some providers may process data outside the EEA (e.g., US). We use SCCs, carry out Transfer Impact Assessments (TIAs) and apply supplementary measures (e.g., IP masking/pseudonymisation). Where strictly necessary and no other safeguard applies, we may seek your explicit consent (Art. 49(1)(a)).

We maintain Data Processing Agreements with our processors (including Wise.live, Stripe, ActiveCampaign, Aptiva Srl).


9) Cookies and tracking

We use a consent management platform (Iubenda CMP) that blocks non-essential cookies by default and offers equally prominent Accept and Reject options with granular preferences. GA4 IP anonymization is enabled. See our Cookie Policy (footer) for details and to change your choices at any time.


10) Joint controllership (Meta)

For certain Meta Pixel events on our website, Therapsy and Meta Platforms Ireland may be joint controllers for the initial collection and transmission of data; thereafter, Meta acts as an independent controller. The essence of the joint-controller arrangement is made available by Meta. Marketing technologies are activated only with your consent.


11) Automated decision-making / profiling

We do not make decisions producing legal or similarly significant effects solely by automated means. AI session summaries are productivity tools for therapists and do not make automated decisions about you.


12) Security

We implement technical and organisational measures appropriate to risk (Art. 32 GDPR), including TLS encryption in transit, role-based access, least-privilege principles, confidentiality undertakings for staff/contractors, secure backups, logging and incident response. Staff who may handle onboarding information hinting at health are bound by strict confidentiality. Do not share clinical details by phone; use our secure platform channels.


13) Your rights

You may access, rectify, erase, restrict, and port your data; object to processing based on legitimate interests; and withdraw consent at any time (without affecting prior lawfulness). We may request information necessary to verify your identity. We respond within 30 days of receiving a complete request, extendable as permitted by law.

How to exercise your rights: info@therapsy.it.
You may also lodge a complaint with the Italian Supervisory Authority (Garante per la Protezione dei Dati Personali): www.garanteprivacy.it.

For clinical records (including recordings/transcripts/AI summaries), please contact your therapist (independent controller). You can also write to info@therapsy.it and we will route your request.


14) Changes to this notice

We may update this notice to reflect legal or operational changes. If changes are material, we will notify you by email and/or a prominent website notice. Where required (e.g., new consent-based purposes), we will seek your renewed consent.
