Privacy Policy

Last updated: April 28, 2026

1. Identification of the Controller and the Processor

1.1 Service provider

HolderRayan Chelouati
StatusNatural person, self-employed professional (Art. 10 LSSI-CE)
NIF/NIEY2655152T
AddressCalle Mezquita, Edificio Velazquez, 11202 Algeciras (Cadiz), Spain
General emailcontacto [arroba] vret.es
Data protection emailprivacidad [arroba] vret.es
Security / breach emailseguridad [arroba] vret.es
ActivityDevelopment and commercialization of virtual reality SaaS software for psychology professionals

1.2 VRET’s dual role

VRET acts in two different roles depending on the type of data:

  • Controller of the data of the contracting professional (psychologist, clinic), of the website visitors and of the leads who fill in forms. The purposes are described in section 4.
  • Processor (Art. 28 GDPR) of the patient data processed on behalf of the psychologist or clinic, within the VRET platform. The Controller of that data is the contracting professional or clinic; VRET executes their documented instructions.

2. Scope of Application

This Privacy Policy governs the processing of personal data carried out through the VRET website (the “Website”), the VRET SaaS platform (the “Software”) and commercial and contractual communications.

This policy is drafted in compliance with Regulation (EU) 2016/679 (GDPR), Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights (LOPDGDD), Law 41/2002, of 14 November, the basic law regulating patient autonomy and rights and obligations regarding clinical information and documentation, and Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce (LSSI-CE).

3. Data We Collect

3.1 Contracting Professional’s data

CategoryDataPurpose
IdentificationName, surname, professional registration number, professional emailProfessional verification, account creation, contractual communications
ContactPhone, professional addressTechnical support, contract management
ProfessionalSpecialty, clinic name, number of therapistsService configuration, plan segmentation
BillingNIF, tax domicile, bank or card details (processed by Stripe)Payments, billing, tax obligations
Software useAccess logs, aggregated usage metrics, sessions carried outSupport, security, service improvement
Internal auditAdministrative actions (who did what within the platform), SHA-256 hash of the IP with a salt rotated every 90 days, truncated browser user-agent. In the audit trail the IP is never stored in the clear (only its salted hash). The IP in the clear is only kept, and separately, as legal evidence of the acceptance of consents and of the contract (INET column, Art. 7.1 GDPR) and in lead forms for anti-fraud and rate-limiting purposes (see 3.4).Compliance (Art. 30 GDPR), traceability of critical actions, fraud detection and security incidents

3.2 Patient Data (VRET as Processor)

On behalf of the Controller psychologist or clinic, VRET processes the following categories of patient data:

  • Pseudonym chosen by the psychologist (an alias such as “P-2024-001”). VRET does not receive or store DNI, full name, date of birth, or any other direct identifier of the patient.
  • Clinical notes entered by the professional during the session (free text).
  • SUDS markers (Subjective Units of Distress Scale 0-10) and other specific clinical markers.
  • Session telemetry: scenario used, duration, intensity applied, virtual environment events.
  • Virtual environment recordings (optional and at the psychologist’s discretion): capture of the VR environment shown to the patient, with the psychologist’s audio and, where applicable, the patient’s voice. The recording does not include the patient’s real image.

Legal nature of this data: although the direct identifier is a pseudonym, the data remains linked to a specific individual via the psychologist’s clinical record. Under Recital 26 GDPR, WP29 Opinion 4/2007 on the concept of personal data, and CJEU case law (case C-582/14, Breyer), it remains personal data. The content (clinical notes, SUDS, behavior during exposure) reveals the patient’s mental health status, which makes it health-related data under Art. 4.15 and Recital 35 GDPR, subject to the general prohibition of Art. 9.1 and to the exceptions of Art. 9.2.

Applicable legal basis: Art. 6.1.b GDPR (performance of the contract between the patient and the professional) in combination with Art. 9.2.h GDPR (processing necessary for the purposes of medical or social care or treatment, managed by a professional subject to the obligation of professional secrecy). This legal basis is exercised by the Controller psychologist; VRET documents and backs it up in the DPA.

3.3 Website browsing data

CategoryDataLegal Basis
Technical cookiesSession, interface preferencesNecessary for operation (do not require consent)
Usage analytics (Google Analytics 4, Microsoft Clarity)Page views, interaction events, heatmaps and session recordings with sensitive inputs maskedConsent (Art. 6.1.a GDPR + Art. 22.2 LSSI-CE) — only if you accept it in the banner
Advertising measurement (LinkedIn Insight Tag)Attribution of conversions from LinkedIn Ads campaigns and custom audienceConsent (Art. 6.1.a GDPR + Art. 22.2 LSSI-CE)
Campaign attribution (UTM, gclid, li_fat_id)First-touch and last-touch persistence in first-party cookies to know which campaign attracted each leadConsent (Art. 6.1.a GDPR + Art. 22.2 LSSI-CE) — attribution cookies are only written if you accept advertising measurement in the banner

Full detail in the Cookie Policy.

3.4 Lead and newsletter subscriber data

When the professional fills in a resource download form (lead magnet) or subscribes to the newsletter, we collect:

  • Professional email (mandatory).
  • Type of practice, specialty or phobia treated (optional, for content segmentation).
  • Lead origin (source URL, UTM parameters, slug of the requested resource).
  • IP address and browser user-agent, exclusively for anti-fraud and rate-limiting purposes.

Double opt-in. After filling in the form, you will receive a confirmation email. Your email will not enter our list until you click the confirmation link. Until then, the technical record is kept for a maximum of 30 days to avoid duplicates, after which it is deleted if not confirmed.

Legal basis: explicit consent (Art. 6.1.a GDPR) given via checkbox and reconfirmed via double opt-in. You may withdraw consent at any time using the “unsubscribe” link present in the footer of each email, or by writing to privacidad [arroba] vret.es.

Retention: as long as you keep the subscription active. After 24 months without opening any email, it will be considered an implicit unsubscribe and the record will be deleted. If you withdraw consent, the data is deleted within a maximum of 30 days, except for retention of the unsubscribe record to evidence the exercise of the right.

4. Legal Bases for Processing (summary)

ProcessingLegal basisReference
Provision of the SaaS service to the professionalContract performanceArt. 6.1.b GDPR
Processing of patient data on behalf of the professionalHealthcare by a professional bound by secrecy + contract performanceArt. 9.2.h + Art. 6.1.b GDPR
Billing and paymentsContract performance and legal tax obligationArt. 6.1.b + Art. 6.1.c GDPR
Support and security communicationsContract performanceArt. 6.1.b GDPR
Commercial communications about similar products (existing customers)Legitimate interestArt. 6.1.f GDPR + Art. 21.2 LSSI-CE
Newsletter and lead magnet downloadsExplicit consent (double opt-in)Art. 6.1.a GDPR + Art. 21.1 LSSI-CE
Product improvement and aggregated analyticsLegitimate interestArt. 6.1.f GDPR
Compliance with accounting and tax obligationsLegal obligationArt. 6.1.c GDPR
Defense of claimsLegitimate interestArt. 6.1.f GDPR

Clarification on Art. 9. Unlike previous versions of this policy, VRET expressly acknowledges that it processes health-related data (Art. 9.1 GDPR) in its role as Processor, under the exception of Art. 9.2.h and with the safeguards of Art. 32 (technical and organizational measures described in section 8 and, in greater technical detail, at /security).

5. Recipients and Subprocessors

5.1 We do not sell data

VRET does not sell, rent or transfer personal data to third parties for commercial purposes. Nor do we use the patient’s clinical data to train our own or third-party artificial intelligence models (binding clause incorporated into the DPA).

5.2 Processing subprocessors

The canonical and up-to-date list of subprocessors is Annex III of the DPA.

ProviderServiceJurisdictionTransfer safeguard
Supabase Inc.Primary PostgreSQL database (clinical data)EU — Ireland (AWS eu-west-1)DPA Art. 28 + standard clauses for US support
Cloudflare R2Object storage (VR environment recordings)EUDPA Art. 28
Hetzner Online GmbHCompute / backend hostingEU — GermanyDPA Art. 28
Auth0 / Okta Inc.Authentication and SSOEU (operation) + US (support)DPA Art. 28 + DPF
Stripe Payments Europe Ltd.Payment processing (no clinical data)Ireland + USDPA Art. 28 + DPF
vret_redis (self-hosted on Hetzner)Redis cache and pub/sub (no clinical data)EU — GermanyCovered by Hetzner (DPA Art. 28)
ResendTransactional emailEU + USDPA Art. 28 + DPF
Google LLC (Google Analytics 4)Website usage analytics (only with consent)US + EU — IrelandDPA Art. 28 + DPF
Microsoft Corporation (Clarity)Heatmaps and session replays with sensitive inputs masked (only with consent)US + EU — IrelandDPA Art. 28 + DPF
LinkedIn Corporation (Insight Tag)Advertising measurement of LinkedIn Ads campaigns (only with consent)US + EU — IrelandDPA Art. 28 + DPF
SentryError telemetry with PII redactionEU (Frankfurt region)DPA Art. 28
Cloudflare Inc.CDN, WAF and DNSGlobal with EU jurisdictionDPA Art. 28 + DPF
CalendlyDemo scheduling (no clinical data)USDPA Art. 28 + DPF

5.3 International transfers

Patient clinical data is not subject to international transfer outside the European Economic Area in the ordinary operation of the service.

Subprocessors located in or connected to the United States (Stripe, Auth0/Okta, Resend, Cloudflare, Calendly) operate under the EU-US Data Privacy Framework (European Commission Adequacy Decision of 10 July 2023, pursuant to Art. 45 GDPR) and, where applicable, additionally under the Standard Contractual Clauses approved by the Commission (Art. 46.2.c).

5.4 Disclosures to authorities

VRET may disclose data to public authorities where there is a legal obligation (judicial order, reasoned request from a competent authority). In such cases we notify the Controller unless the authority expressly prohibits it.

6. Retention Periods

DataPeriodJustification
Active professional account dataFor the duration of the contractual relationshipContract performance
Patient clinical data (notes, SUDS, telemetry, recordings)Under the control of the Controller professional: during the term of the contract; after cancellation, a 30-day window for export and 60 days until operational deletion, unless the Controller instructs otherwise to keep it longerThe professional must retain the clinical record for the period of Art. 17 of Law 41/2002 (5 years minimum from the discharge date of each care process). VRET assists the Controller in keeping the information for the necessary time, on documented instruction
Billing data6 years after terminationArt. 30 Commercial Code
Tax data and accounting records4 years after termination (extended to 6 if a special regime applies)General Tax Law (Arts. 66 et seq.) and Commercial Code
Audit trail and security events5 years (immutable record)Accountability (Art. 5.2 GDPR) and the need to defend claims
Technical cookies13 months maximumSpanish Data Protection Agency Guidelines on cookies (2023)
Leads and newsletterAs long as the subscription is kept; implicit unsubscribe after 24 months without interactionList hygiene and proportionality
Record of unsubscribes and rights exercises3 yearsTo evidence the exercise of the right before the Spanish Data Protection Agency

After these periods, the data will be securely deleted (including backups, in the backup expiration cycle) or irreversibly anonymized for internal statistical purposes.

7. Rights of the Data Subject (ARCO+)

In accordance with Articles 15 to 22 of the GDPR and Articles 12 to 18 of the LOPDGDD, you have the right to:

RightDescriptionGDPR Article
AccessObtain confirmation of whether we process your data and access itArt. 15
RectificationRequest the correction of inaccurate dataArt. 16
ErasureRequest the deletion of your data (“right to be forgotten”)Art. 17
RestrictionRequest that processing be restrictedArt. 18
PortabilityReceive your data in a structured, machine-readable formatArt. 20
ObjectionObject to processing based on legitimate interestArt. 21
Not to be subject to automated decisionsVRET does not make automated decisions with legal effects on the data subjectArt. 22

How to exercise your rights

  • If you are a contracting professional: write to privacidad [arroba] vret.es with the subject “Exercise of GDPR rights”.
  • If you are a patient: address yourself in the first instance to your psychologist or clinic, which is the Controller of your clinical record. If you do not receive a response or need escalation, you can write to us at the same address and we will help you identify the Controller.
  • Response time: 30 calendar days (extendable to 60 days in complex cases, subject to prior notification).
  • Identification: you must prove your identity by attaching a copy of your DNI/NIE or an equivalent document.
  • Free of charge: the exercise of these rights is free, except for manifestly unfounded or excessive requests.

Right to lodge a complaint with the supervisory authority

If you consider that the processing of your data infringes the regulations, you can lodge a complaint with the Spanish Data Protection Agency: www.aepd.es — C/ Jorge Juan 6, 28001 Madrid. We recommend contacting us first: most incidents are resolved without the need to escalate.

8. Security Measures (Art. 32 GDPR)

VRET implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing (Art. 9 health data at multi-clinic scale). Executive summary:

  • Encryption in transit: TLS 1.2+ mandatory on all connections.
  • Encryption at rest: AES-256 on the hosting provider’s disks; additional field-level encryption with AES-256-GCM envelope encryption over the sensitive clinical data columns.
  • Isolation between customers: Row-Level Security at the PostgreSQL engine level with a NOBYPASSRLS application role.
  • Robust authentication: SSO/OIDC; support for MFA; JWT tokens signed with RS256 and revocable in real time upon password change.
  • Minimum employee access: no team member accesses clinical data in ordinary operation. Support access is managed through an auditable break-glass mechanism (each access logged with justification, scope and customer notification). The full SOP is included in the DPA.
  • Encrypted backups with 7-day retention, in the same EU environment.
  • Monitoring: access logs, anomaly detection, security alerts and error telemetry with automatic redaction of clinical PII.
  • Testing: automated battery of tenant isolation tests on every deployment.
  • Training: personnel with access to production systems sign a confidentiality commitment and receive mandatory GDPR training.

The updated technical detail is available at /security.

9. Security Breach Notification

In the event of a personal data security breach that poses a risk to the rights and freedoms of data subjects:

  • Notification to the Spanish Data Protection Agency: within a maximum of 72 hours from becoming aware of the breach (Art. 33 GDPR).
  • Notification to those affected: without undue delay when the breach poses a high risk (Art. 34 GDPR).
  • Notification to the Controller: when VRET acts as Processor, it will notify the Controller without undue delay from the moment it becomes aware of the breach, so that the latter can comply with its own obligations (Art. 33.2 GDPR). Target time: 24 hours from detection.
  • Internal record: we keep a record of all security breaches, including circumstances, effects and corrective measures, in accordance with Art. 33.5 GDPR.
  • Contact: seguridad [arroba] vret.es

10. Record of Processing Activities (Art. 30)

VRET maintains a Record of Processing Activities in accordance with Art. 30 of the GDPR and Art. 31 of the LOPDGDD, which is available to the Spanish Data Protection Agency upon request.

11. Impact Assessment (DPIA)

Given that VRET processes health-related data (Art. 9 GDPR) at scale, we have carried out a Data Protection Impact Assessment in accordance with Art. 35 GDPR. The DPIA identifies the risks to the rights and freedoms of data subjects, the mitigation measures adopted and the residual risk.

The DPIA is available to qualified auditors and customer DPOs under NDA. Requests to privacidad [arroba] vret.es.

12. Cookie Policy

Full detail of the cookies used, their purpose and period in the Cookie Policy. Summary: by default VRET only installs necessary technical cookies. Usage analytics (Google Analytics 4, Microsoft Clarity) and advertising measurement (LinkedIn Insight Tag) are only activated if you accept them in the cookie banner (Google Consent Mode v2 with default denial).

13. Data Protection Officer (DPO)

VRET processes special category data (health) as its main activity and at multi-clinic scale. For this reason, the designation of a Data Protection Officer is mandatory in accordance with Art. 37.1.b and 37.1.c of the GDPR and Art. 34 LOPDGDD. VRET will designate the DPO (internal or external), notify its designation to the Spanish Data Protection Agency and publish its contact details in this policy before the entry of the first production customer. Until that moment, the data protection functions are assumed directly by the Provider through the privacidad [arroba] vret.es channel.

For queries related to data protection: privacidad [arroba] vret.es.

14. Amendments

VRET reserves the right to modify this Privacy Policy to adapt it to legislative developments or business practice. Any substantial modification will be communicated to registered users at least 30 days in advance by email and prominent publication on the platform. We keep a version history available upon request to evidence the version applicable at any given time.

15. Applicable Legislation

This Privacy Policy is governed by:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016 (General Data Protection Regulation, GDPR).
  • Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights (LOPDGDD).
  • Law 41/2002, of 14 November, the basic law regulating patient autonomy and rights and obligations regarding clinical information and documentation.
  • Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce (LSSI-CE), regarding cookies and electronic communications.