Privacy Policy
Last updated: April 28, 2026
1. Identification of the Controller and the Processor
1.1 Service provider
| Holder | Rayan Chelouati |
| Status | Natural person, self-employed professional (Art. 10 LSSI-CE) |
| NIF/NIE | Y2655152T |
| Address | Calle Mezquita, Edificio Velazquez, 11202 Algeciras (Cadiz), Spain |
| General email | contacto [arroba] vret.es |
| Data protection email | privacidad [arroba] vret.es |
| Security / breach email | seguridad [arroba] vret.es |
| Activity | Development and commercialization of virtual reality SaaS software for psychology professionals |
1.2 VRET’s dual role
VRET acts in two different roles depending on the type of data:
- Controller of the data of the contracting professional (psychologist, clinic), of the website visitors and of the leads who fill in forms. The purposes are described in section 4.
- Processor (Art. 28 GDPR) of the patient data processed on behalf of the psychologist or clinic, within the VRET platform. The Controller of that data is the contracting professional or clinic; VRET executes their documented instructions.
2. Scope of Application
This Privacy Policy governs the processing of personal data carried out through the VRET website (the “Website”), the VRET SaaS platform (the “Software”) and commercial and contractual communications.
This policy is drafted in compliance with Regulation (EU) 2016/679 (GDPR), Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights (LOPDGDD), Law 41/2002, of 14 November, the basic law regulating patient autonomy and rights and obligations regarding clinical information and documentation, and Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce (LSSI-CE).
3. Data We Collect
3.1 Contracting Professional’s data
| Category | Data | Purpose |
|---|---|---|
| Identification | Name, surname, professional registration number, professional email | Professional verification, account creation, contractual communications |
| Contact | Phone, professional address | Technical support, contract management |
| Professional | Specialty, clinic name, number of therapists | Service configuration, plan segmentation |
| Billing | NIF, tax domicile, bank or card details (processed by Stripe) | Payments, billing, tax obligations |
| Software use | Access logs, aggregated usage metrics, sessions carried out | Support, security, service improvement |
| Internal audit | Administrative actions (who did what within the platform), SHA-256 hash of the IP with a salt rotated every 90 days, truncated browser user-agent. In the audit trail the IP is never stored in the clear (only its salted hash). The IP in the clear is only kept, and separately, as legal evidence of the acceptance of consents and of the contract (INET column, Art. 7.1 GDPR) and in lead forms for anti-fraud and rate-limiting purposes (see 3.4). | Compliance (Art. 30 GDPR), traceability of critical actions, fraud detection and security incidents |
3.2 Patient Data (VRET as Processor)
On behalf of the Controller psychologist or clinic, VRET processes the following categories of patient data:
- Pseudonym chosen by the psychologist (an alias such as “P-2024-001”). VRET does not receive or store DNI, full name, date of birth, or any other direct identifier of the patient.
- Clinical notes entered by the professional during the session (free text).
- SUDS markers (Subjective Units of Distress Scale 0-10) and other specific clinical markers.
- Session telemetry: scenario used, duration, intensity applied, virtual environment events.
- Virtual environment recordings (optional and at the psychologist’s discretion): capture of the VR environment shown to the patient, with the psychologist’s audio and, where applicable, the patient’s voice. The recording does not include the patient’s real image.
Legal nature of this data: although the direct identifier is a pseudonym, the data remains linked to a specific individual via the psychologist’s clinical record. Under Recital 26 GDPR, WP29 Opinion 4/2007 on the concept of personal data, and CJEU case law (case C-582/14, Breyer), it remains personal data. The content (clinical notes, SUDS, behavior during exposure) reveals the patient’s mental health status, which makes it health-related data under Art. 4.15 and Recital 35 GDPR, subject to the general prohibition of Art. 9.1 and to the exceptions of Art. 9.2.
Applicable legal basis: Art. 6.1.b GDPR (performance of the contract between the patient and the professional) in combination with Art. 9.2.h GDPR (processing necessary for the purposes of medical or social care or treatment, managed by a professional subject to the obligation of professional secrecy). This legal basis is exercised by the Controller psychologist; VRET documents and backs it up in the DPA.
3.3 Website browsing data
| Category | Data | Legal Basis |
|---|---|---|
| Technical cookies | Session, interface preferences | Necessary for operation (do not require consent) |
| Usage analytics (Google Analytics 4, Microsoft Clarity) | Page views, interaction events, heatmaps and session recordings with sensitive inputs masked | Consent (Art. 6.1.a GDPR + Art. 22.2 LSSI-CE) — only if you accept it in the banner |
| Advertising measurement (LinkedIn Insight Tag) | Attribution of conversions from LinkedIn Ads campaigns and custom audience | Consent (Art. 6.1.a GDPR + Art. 22.2 LSSI-CE) |
| Campaign attribution (UTM, gclid, li_fat_id) | First-touch and last-touch persistence in first-party cookies to know which campaign attracted each lead | Consent (Art. 6.1.a GDPR + Art. 22.2 LSSI-CE) — attribution cookies are only written if you accept advertising measurement in the banner |
Full detail in the Cookie Policy.
3.4 Lead and newsletter subscriber data
When the professional fills in a resource download form (lead magnet) or subscribes to the newsletter, we collect:
- Professional email (mandatory).
- Type of practice, specialty or phobia treated (optional, for content segmentation).
- Lead origin (source URL, UTM parameters, slug of the requested resource).
- IP address and browser user-agent, exclusively for anti-fraud and rate-limiting purposes.
Double opt-in. After filling in the form, you will receive a confirmation email. Your email will not enter our list until you click the confirmation link. Until then, the technical record is kept for a maximum of 30 days to avoid duplicates, after which it is deleted if not confirmed.
Legal basis: explicit consent (Art. 6.1.a GDPR) given via checkbox and reconfirmed via double opt-in. You may withdraw consent at any time using the “unsubscribe” link present in the footer of each email, or by writing to privacidad [arroba] vret.es.
Retention: as long as you keep the subscription active. After 24 months without opening any email, it will be considered an implicit unsubscribe and the record will be deleted. If you withdraw consent, the data is deleted within a maximum of 30 days, except for retention of the unsubscribe record to evidence the exercise of the right.
4. Legal Bases for Processing (summary)
| Processing | Legal basis | Reference |
|---|---|---|
| Provision of the SaaS service to the professional | Contract performance | Art. 6.1.b GDPR |
| Processing of patient data on behalf of the professional | Healthcare by a professional bound by secrecy + contract performance | Art. 9.2.h + Art. 6.1.b GDPR |
| Billing and payments | Contract performance and legal tax obligation | Art. 6.1.b + Art. 6.1.c GDPR |
| Support and security communications | Contract performance | Art. 6.1.b GDPR |
| Commercial communications about similar products (existing customers) | Legitimate interest | Art. 6.1.f GDPR + Art. 21.2 LSSI-CE |
| Newsletter and lead magnet downloads | Explicit consent (double opt-in) | Art. 6.1.a GDPR + Art. 21.1 LSSI-CE |
| Product improvement and aggregated analytics | Legitimate interest | Art. 6.1.f GDPR |
| Compliance with accounting and tax obligations | Legal obligation | Art. 6.1.c GDPR |
| Defense of claims | Legitimate interest | Art. 6.1.f GDPR |
Clarification on Art. 9. Unlike previous versions of this policy, VRET expressly acknowledges that it processes health-related data (Art. 9.1 GDPR) in its role as Processor, under the exception of Art. 9.2.h and with the safeguards of Art. 32 (technical and organizational measures described in section 8 and, in greater technical detail, at /security).
5. Recipients and Subprocessors
5.1 We do not sell data
VRET does not sell, rent or transfer personal data to third parties for commercial purposes. Nor do we use the patient’s clinical data to train our own or third-party artificial intelligence models (binding clause incorporated into the DPA).
5.2 Processing subprocessors
The canonical and up-to-date list of subprocessors is Annex III of the DPA.
| Provider | Service | Jurisdiction | Transfer safeguard |
|---|---|---|---|
| Supabase Inc. | Primary PostgreSQL database (clinical data) | EU — Ireland (AWS eu-west-1) | DPA Art. 28 + standard clauses for US support |
| Cloudflare R2 | Object storage (VR environment recordings) | EU | DPA Art. 28 |
| Hetzner Online GmbH | Compute / backend hosting | EU — Germany | DPA Art. 28 |
| Auth0 / Okta Inc. | Authentication and SSO | EU (operation) + US (support) | DPA Art. 28 + DPF |
| Stripe Payments Europe Ltd. | Payment processing (no clinical data) | Ireland + US | DPA Art. 28 + DPF |
| vret_redis (self-hosted on Hetzner) | Redis cache and pub/sub (no clinical data) | EU — Germany | Covered by Hetzner (DPA Art. 28) |
| Resend | Transactional email | EU + US | DPA Art. 28 + DPF |
| Google LLC (Google Analytics 4) | Website usage analytics (only with consent) | US + EU — Ireland | DPA Art. 28 + DPF |
| Microsoft Corporation (Clarity) | Heatmaps and session replays with sensitive inputs masked (only with consent) | US + EU — Ireland | DPA Art. 28 + DPF |
| LinkedIn Corporation (Insight Tag) | Advertising measurement of LinkedIn Ads campaigns (only with consent) | US + EU — Ireland | DPA Art. 28 + DPF |
| Sentry | Error telemetry with PII redaction | EU (Frankfurt region) | DPA Art. 28 |
| Cloudflare Inc. | CDN, WAF and DNS | Global with EU jurisdiction | DPA Art. 28 + DPF |
| Calendly | Demo scheduling (no clinical data) | US | DPA Art. 28 + DPF |
5.3 International transfers
Patient clinical data is not subject to international transfer outside the European Economic Area in the ordinary operation of the service.
Subprocessors located in or connected to the United States (Stripe, Auth0/Okta, Resend, Cloudflare, Calendly) operate under the EU-US Data Privacy Framework (European Commission Adequacy Decision of 10 July 2023, pursuant to Art. 45 GDPR) and, where applicable, additionally under the Standard Contractual Clauses approved by the Commission (Art. 46.2.c).
5.4 Disclosures to authorities
VRET may disclose data to public authorities where there is a legal obligation (judicial order, reasoned request from a competent authority). In such cases we notify the Controller unless the authority expressly prohibits it.
6. Retention Periods
| Data | Period | Justification |
|---|---|---|
| Active professional account data | For the duration of the contractual relationship | Contract performance |
| Patient clinical data (notes, SUDS, telemetry, recordings) | Under the control of the Controller professional: during the term of the contract; after cancellation, a 30-day window for export and 60 days until operational deletion, unless the Controller instructs otherwise to keep it longer | The professional must retain the clinical record for the period of Art. 17 of Law 41/2002 (5 years minimum from the discharge date of each care process). VRET assists the Controller in keeping the information for the necessary time, on documented instruction |
| Billing data | 6 years after termination | Art. 30 Commercial Code |
| Tax data and accounting records | 4 years after termination (extended to 6 if a special regime applies) | General Tax Law (Arts. 66 et seq.) and Commercial Code |
| Audit trail and security events | 5 years (immutable record) | Accountability (Art. 5.2 GDPR) and the need to defend claims |
| Technical cookies | 13 months maximum | Spanish Data Protection Agency Guidelines on cookies (2023) |
| Leads and newsletter | As long as the subscription is kept; implicit unsubscribe after 24 months without interaction | List hygiene and proportionality |
| Record of unsubscribes and rights exercises | 3 years | To evidence the exercise of the right before the Spanish Data Protection Agency |
After these periods, the data will be securely deleted (including backups, in the backup expiration cycle) or irreversibly anonymized for internal statistical purposes.
7. Rights of the Data Subject (ARCO+)
In accordance with Articles 15 to 22 of the GDPR and Articles 12 to 18 of the LOPDGDD, you have the right to:
| Right | Description | GDPR Article |
|---|---|---|
| Access | Obtain confirmation of whether we process your data and access it | Art. 15 |
| Rectification | Request the correction of inaccurate data | Art. 16 |
| Erasure | Request the deletion of your data (“right to be forgotten”) | Art. 17 |
| Restriction | Request that processing be restricted | Art. 18 |
| Portability | Receive your data in a structured, machine-readable format | Art. 20 |
| Objection | Object to processing based on legitimate interest | Art. 21 |
| Not to be subject to automated decisions | VRET does not make automated decisions with legal effects on the data subject | Art. 22 |
How to exercise your rights
- If you are a contracting professional: write to privacidad [arroba] vret.es with the subject “Exercise of GDPR rights”.
- If you are a patient: address yourself in the first instance to your psychologist or clinic, which is the Controller of your clinical record. If you do not receive a response or need escalation, you can write to us at the same address and we will help you identify the Controller.
- Response time: 30 calendar days (extendable to 60 days in complex cases, subject to prior notification).
- Identification: you must prove your identity by attaching a copy of your DNI/NIE or an equivalent document.
- Free of charge: the exercise of these rights is free, except for manifestly unfounded or excessive requests.
Right to lodge a complaint with the supervisory authority
If you consider that the processing of your data infringes the regulations, you can lodge a complaint with the Spanish Data Protection Agency: www.aepd.es — C/ Jorge Juan 6, 28001 Madrid. We recommend contacting us first: most incidents are resolved without the need to escalate.
8. Security Measures (Art. 32 GDPR)
VRET implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing (Art. 9 health data at multi-clinic scale). Executive summary:
- Encryption in transit: TLS 1.2+ mandatory on all connections.
- Encryption at rest: AES-256 on the hosting provider’s disks; additional field-level encryption with AES-256-GCM envelope encryption over the sensitive clinical data columns.
- Isolation between customers: Row-Level Security at the PostgreSQL engine level with a NOBYPASSRLS application role.
- Robust authentication: SSO/OIDC; support for MFA; JWT tokens signed with RS256 and revocable in real time upon password change.
- Minimum employee access: no team member accesses clinical data in ordinary operation. Support access is managed through an auditable break-glass mechanism (each access logged with justification, scope and customer notification). The full SOP is included in the DPA.
- Encrypted backups with 7-day retention, in the same EU environment.
- Monitoring: access logs, anomaly detection, security alerts and error telemetry with automatic redaction of clinical PII.
- Testing: automated battery of tenant isolation tests on every deployment.
- Training: personnel with access to production systems sign a confidentiality commitment and receive mandatory GDPR training.
The updated technical detail is available at /security.
9. Security Breach Notification
In the event of a personal data security breach that poses a risk to the rights and freedoms of data subjects:
- Notification to the Spanish Data Protection Agency: within a maximum of 72 hours from becoming aware of the breach (Art. 33 GDPR).
- Notification to those affected: without undue delay when the breach poses a high risk (Art. 34 GDPR).
- Notification to the Controller: when VRET acts as Processor, it will notify the Controller without undue delay from the moment it becomes aware of the breach, so that the latter can comply with its own obligations (Art. 33.2 GDPR). Target time: 24 hours from detection.
- Internal record: we keep a record of all security breaches, including circumstances, effects and corrective measures, in accordance with Art. 33.5 GDPR.
- Contact: seguridad [arroba] vret.es
10. Record of Processing Activities (Art. 30)
VRET maintains a Record of Processing Activities in accordance with Art. 30 of the GDPR and Art. 31 of the LOPDGDD, which is available to the Spanish Data Protection Agency upon request.
11. Impact Assessment (DPIA)
Given that VRET processes health-related data (Art. 9 GDPR) at scale, we have carried out a Data Protection Impact Assessment in accordance with Art. 35 GDPR. The DPIA identifies the risks to the rights and freedoms of data subjects, the mitigation measures adopted and the residual risk.
The DPIA is available to qualified auditors and customer DPOs under NDA. Requests to privacidad [arroba] vret.es.
12. Cookie Policy
Full detail of the cookies used, their purpose and period in the Cookie Policy. Summary: by default VRET only installs necessary technical cookies. Usage analytics (Google Analytics 4, Microsoft Clarity) and advertising measurement (LinkedIn Insight Tag) are only activated if you accept them in the cookie banner (Google Consent Mode v2 with default denial).
13. Data Protection Officer (DPO)
VRET processes special category data (health) as its main activity and at multi-clinic scale. For this reason, the designation of a Data Protection Officer is mandatory in accordance with Art. 37.1.b and 37.1.c of the GDPR and Art. 34 LOPDGDD. VRET will designate the DPO (internal or external), notify its designation to the Spanish Data Protection Agency and publish its contact details in this policy before the entry of the first production customer. Until that moment, the data protection functions are assumed directly by the Provider through the privacidad [arroba] vret.es channel.
For queries related to data protection: privacidad [arroba] vret.es.
14. Amendments
VRET reserves the right to modify this Privacy Policy to adapt it to legislative developments or business practice. Any substantial modification will be communicated to registered users at least 30 days in advance by email and prominent publication on the platform. We keep a version history available upon request to evidence the version applicable at any given time.
15. Applicable Legislation
This Privacy Policy is governed by:
- Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016 (General Data Protection Regulation, GDPR).
- Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights (LOPDGDD).
- Law 41/2002, of 14 November, the basic law regulating patient autonomy and rights and obligations regarding clinical information and documentation.
- Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce (LSSI-CE), regarding cookies and electronic communications.