Cookie & Third-Party Tools Policy
Pleso Therapy — pleso.me
Effective date: 01/07/2026 — Last updated: 16/06/2026
References in other Pleso documents — including the Terms & Conditions and the Privacy Policy — to the “Cookie Policy” mean this Cookie & Third-Party Tools Policy.
This Policy explains what cookies and similar tracking technologies are, how Pleso Therapy sp. z o.o. (“Pleso”, “we”, “us”) uses them on pleso.me (the “Platform”), and what choices you have.
This document also serves as the public, always-current register of the named third-party tools and service providers used by the Platform. Our Terms & Conditions and Privacy Policy describe the recipients of your data by specific category (type of activity, sub-sector, and location) and refer to this document for the current names of the specific tools and providers behind each category. See Section 3 (Register of Third-Party Service Providers) and Section 4 (Changes to This Register).
This Policy is an integral part of our Privacy Policy, available at pleso.me/en/legal/privacy-policy. Terms used without definition here have the meaning given in the Privacy Policy.
This Policy applies to users in all markets where Pleso operates. Country-specific provisions are set out in Annexes A–C at the end of this document. The Annex that applies to you is determined by your location, not by the language in which you read this document. In case of conflict between the main body and an Annex, the Annex prevails for users in that jurisdiction.
1. What Are Cookies?
Cookies are small text files placed on your device (computer, tablet, or mobile phone) when you visit a website. They allow the website to recognise your device on subsequent visits and to remember certain information about you — such as your preferences, your session, or how you navigated the site.
Cookies can be:
First-party cookies — set directly by Pleso.
Third-party cookies — set by external services we use (e.g., analytics or advertising providers).
Session cookies — deleted automatically when you close your browser.
Persistent cookies — remain on your device for a set period or until you delete them.
Similar technologies include web beacons (small transparent images used to track behaviour), pixels (used by advertising platforms to measure campaign effectiveness), and local storage (data stored in your browser that persists across sessions).
2. How We Use Cookies
We use cookies for four purposes, described below. Only strictly necessary cookies are placed without your consent. All other cookies require your active opt-in via our consent banner. No non-essential cookies or trackers are placed on your device without your prior opt-in consent. This rule applies in all of our markets — under the EU ePrivacy Directive (for Poland, as implemented in national law), the UK Privacy and Electronic Communications Regulations (PECR) for the United Kingdom, and as the standard Pleso voluntarily applies for users in Ukraine. See Annexes A–C for the country-specific legal basis.
Important: Pleso does not place analytics or advertising cookies on pages where therapy services are delivered or where you share health information. This restriction applies across all markets.
2.1 Strictly Necessary Cookies
These cookies are essential for the Platform to function. Without them, you cannot log in, navigate between pages, or use core features. They do not track your browsing behaviour for marketing purposes.
Legal basis: These cookies do not require consent under the ePrivacy Directive / PECR, as they are strictly necessary for the provision of the service you have requested.
| Provider | Purpose | Storage period |
|---|---|---|
| Pleso (first-party) | User session management; authentication; security tokens | Session (up to 12 months) |
| AWS | Secure hosting and content delivery infrastructure | Session / up to 12 months |
| Pleso (first-party) | Language preference; UI personalisation setting | Up to 12 months |
| Jitsi | Video session infrastructure for online therapy | Session |
| CookieYes | Store user’s cookie consent | Session / up to 12 months |
2.2 Analytics Cookies
We use analytics cookies to understand how visitors use the Platform — for example, which pages are visited most, how long users stay, and where they come from. This helps us improve the Platform and the quality of our services.
Legal basis: Article 6(1)(a) GDPR — your consent, given via our cookie consent banner. You can withdraw consent at any time.
These cookies are not placed on pages where therapy services are delivered.
| Provider | Purpose | Storage period | Location |
|---|---|---|---|
| Google Analytics (Google LLC) | Aggregate site usage analysis: page views, traffic sources, user behaviour | Up to 13 months | USA (DPF) |
| Hotjar (Hotjar Ltd) | User experience analysis: heatmaps, session recordings (on non-therapy pages only) | Up to 12 months | EU |
Google Analytics: data is shared with Google, which may further share it in accordance with its privacy policy (policies.google.com/privacy). To opt out of Google Analytics across all sites, install the Google Analytics Opt-out Browser Add-on: tools.google.com/dlpage/gaoptout.
2.3 Targeting and Advertising Cookies
Our advertising partners may place targeting cookies on your device through the Platform. These cookies do not store directly identifiable information, but use a unique identifier to recognise your browser and build a profile of your interests based on your online activity. This profile is used to show you more relevant advertisements on other websites.
Legal basis: Article 6(1)(a) GDPR — your consent, given via our cookie consent banner. You can withdraw consent at any time.
These cookies are not placed on pages where therapy services are delivered.
| Provider | Purpose | Storage period | Location |
|---|---|---|---|
| Meta Pixel (Meta Platforms Inc.) | Measuring the effectiveness of advertising campaigns on Facebook and Instagram; remarketing | Up to 90 days | USA (DPF) |
| Google Ads (Google LLC) | Measuring ad performance; remarketing audiences | Up to 13 months | USA (DPF) |
To opt out of Facebook/Meta interest-based advertising: facebook.com/settings?tab=ads
To opt out of Google interest-based advertising: adssettings.google.com
2.4 Functional Cookies
Functional cookies allow the Platform to remember your preferences and provide enhanced, personalised features — for example, your preferred language or communication settings.
Legal basis: Article 6(1)(a) GDPR — your consent, given via our cookie consent banner.
| Provider | Purpose | Storage period |
|---|---|---|
| SendPulse | Email marketing and communication preferences; push notification settings; Popup for Users | Up to 12 months |
3. Register of Third-Party Service Providers
This Section is the public register of the named third-party tools and service providers used by the Platform. The Terms & Conditions and the Privacy Policy describe these recipients by category only; the table below names the specific provider currently behind each category. Providers listed below act as our data processors under Data Processing Agreements with Pleso, except where indicated below as acting as independent controllers for parts of the processing they carry out. You may also request the current list of processors at any time by contacting iod@pleso.me.
| Category | Provider | What they do | Role | Location | Transfer safeguard |
|---|---|---|---|---|---|
| Payment processing | Stripe | Processes payments and recurring Subscription charges; PCI DSS compliant; Pleso never stores full payment card data | Acts as independent controller for parts of the processing | USA / EU (Stripe Payments Europe Ltd., Ireland) | DPF / SCCs (see Section 7) |
| Payment processing | SolidGate | Processes payments and recurring Subscription charges; PCI DSS compliant; Pleso never stores full payment card data | Acts as independent controller for parts of the processing | EU / UK | UK adequacy decision (for UK processing); not applicable within the EU/EEA |
| Payment processing | Klarna | Processes payments and instalment payment options; PCI DSS compliant; Pleso never stores full payment card data | Acts as independent controller for parts of the processing | EU (Klarna Bank AB, Sweden) | Not applicable (EU/EEA) |
| Business meeting scheduling | Calendly Inc., 271 17th St NW, Suite 1000, Atlanta, GA 30363, USA | Scheduling of business meetings for B2B and partnership enquiries only. Not used for client session bookings and never processes client or health data. Acts under a Data Processing Agreement (Calendly Data Processing Addendum: calendly.com/legal/data-processing-addendum) | Processor | USA | DPF / SCCs |
| Video sessions | Jitsi | Video infrastructure for online therapy sessions | Processor | EU | Not applicable (EU/EEA) |
| Email and messaging | SendPulse | Transactional email, newsletters, notifications, and communication preferences | Processor | EU / USA | DPF or SCCs, as applicable (see Section 7) |
| Cloud hosting | AWS (Amazon Web Services) | Hosting and content delivery infrastructure | Processor | EU / USA | DPF or SCCs, as applicable (see Section 7) |
| Web and product analytics | Google Analytics (Google LLC) | Aggregate site usage analysis — excluded from therapy pages | Processor | USA | DPF |
| UX analytics | Hotjar (Hotjar Ltd) | User experience analysis: heatmaps, session recordings — excluded from therapy pages | Processor | EU | Not applicable (EU/EEA) |
| Advertising | Meta Pixel (Meta Platforms Inc.) | Advertising campaign measurement and remarketing — excluded from therapy pages | Processor | USA | DPF |
| Advertising | Google Ads (Google LLC) | Ad performance measurement; remarketing audiences — excluded from therapy pages | Processor | USA | DPF |
| Error monitoring and performance | Sentry (Functional Software, Inc.) | Detection and diagnosis of technical issues; performance monitoring | Processor | USA | EU–US Data Privacy Framework (DPF) / SCCs |
| Consent management | CookieYes (CookieYes Limited) | Operates the cookie consent banner and stores consent records | Processor | United Kingdom | UK adequacy decision |
| Accounting and invoicing | Fakturownia (Fakturownia sp. z o.o.) | Invoicing and accounting software | Processor | Poland (EU) | Not applicable (EU/EEA) |
| Legal and consulting advisors | Not named individually — professional advisors | Legal and consulting support | Processor | Poland / EU | Not applicable (EU/EEA) |
| Social media and review platforms | Meta (Facebook, Instagram), TikTok, Telegram, YouTube, Trustpilot | Official Pleso presences, embedded content, and display and management of user reviews | Independent controllers of data processed on their own services | EU / USA / global | Each platform is responsible for its own transfer safeguards as an independent controller |
Payments are processed exclusively by the PCI DSS-compliant payment processors listed above. Pleso never stores full payment card data.
4. Changes to This Register
Pleso may test, add, replace, or remove third-party tools and service providers, and update the register in Section 3, at any time. When we do, the “Last updated” date at the top of this document changes accordingly.
Updating this register does not require an amendment of the Terms & Conditions or the Privacy Policy. Those documents describe the recipients of your data by specific category (type of activity, sub-sector, and location) and refer to this document as the always-current source of provider names. A change of provider within an existing category does not change what those documents say.
Where we add a new non-essential cookie or tracker, our consent banner will re-appear on your next visit to the Platform; the new tool becomes active only after you give consent through the banner. Adding a provider to this register never means it starts tracking you automatically.
If a change to this register materially affects how your health data is processed, we will additionally notify you by email or by a prominent notice on the Platform.
The exclusion of analytics and advertising tools from pages where therapy services are delivered or where you share health information (Section 2) always applies, regardless of any change to this register.
We recommend checking this page periodically for updates.
5. Third-Party Websites
When using the Platform, you may be directed to other websites — for example, application stores or social media platforms. These websites may use their own cookies, over which we have no control. We recommend reviewing their cookie policies separately.
Social media platforms we use: Instagram, Facebook, TikTok, Telegram, YouTube. These platforms may set their own cookies if you interact with embedded content or links.
6. Managing Your Cookie Preferences
6.1 Our Consent Banner
When you first visit the Platform, a cookie consent banner will appear. You can:
Accept all cookies.
Reject all non-essential cookies.
Customise your preferences by category.
You can change your preferences at any time by clicking the “Cookie Settings” link in the footer of the Platform.
Our consent banner is operated through CookieYes, our Consent Management Platform, which also stores records of the consent choices you make (see the register in Section 3).
6.2 Browser Settings
You can also manage cookies through your browser settings. Most browsers allow you to:
View and delete cookies already stored on your device.
Block all cookies or only third-party cookies.
Set alerts when a cookie is being placed.
Please note: if you disable all cookies, some parts of the Platform may not function correctly — for example, you may not be able to log in or book a session.
Browser-specific guidance:
Firefox: support.mozilla.org/kb/cookies-information-websites-store-on-your-computer
Safari: support.apple.com/guide/safari/manage-cookies-sfri11471
Edge: support.microsoft.com/microsoft-edge/delete-cookies-in-microsoft-edge
7. International Data Transfers via Cookies and Third-Party Tools
Some of our providers are based in the United States. Where cookies or third-party tools result in personal data being transferred outside the EEA or the UK, we rely on the following safeguards:
EU–US Data Privacy Framework (DPF) — for providers self-certified under the European Commission adequacy decision of 10 July 2023 (e.g., Google, Meta).
Standard Contractual Clauses (SCCs) — EU Commission Decision 2021/914 — for other US-based providers.
International Data Transfer Agreement (IDTA) — the ICO-issued standalone transfer agreement, for transfers from the UK.
UK Addendum to the EU SCCs (ICO, March 2022) — for transfers from the UK where EU SCCs are already in place.
UK adequacy regulations — where available for the destination country.
8. Your Rights
Where cookies or third-party tools involve the processing of your personal data, you have the same rights as described in our Privacy Policy — including the right to access, rectify, erase, and object to processing, and to withdraw consent at any time.
To exercise your rights, contact: iod@pleso.me
You also have the right to lodge a complaint with the supervisory authority in your country:
| Market | Authority | Contact |
|---|---|---|
| Poland | UODO | uodo.gov.pl |
| United Kingdom | ICO | ico.org.uk / 0303 123 1113 |
| Ukraine | Ukrainian Parliament Commissioner for Human Rights | ombudsman.gov.ua |
9. Changes to This Policy
We may update this Policy when we add or remove tracking tools or providers, or when the law changes. Updates to the Register of Third-Party Service Providers follow the rules in Section 4 and may be made at any time. When we update this Policy, we will update the “Last updated” date at the top of this document. If the changes are material — in particular, if they materially affect how your health data is processed — we will notify you via a prominent banner on the Platform or by email.
We recommend checking this page periodically for updates.
10. Contact
If you have any questions about this Policy, please contact us:
Email: hello@pleso.me
Data Protection Officer: iod@pleso.me
Postal address: Pleso Therapy sp. z o.o., ul. 12 Lutego 25/7, 82-300 Elbląg, Poland
UK Representative: Legal Nodes Ltd | pleso.rep@legalnodes.com
11. Country-Specific Annexes
The following Annexes supplement the main body of this Policy for users in each market. The Annex that applies to you is determined by your location, not by the language version you read. In case of conflict between the main body and an Annex, the Annex prevails for users in that jurisdiction.
Annex A — Poland
Applicable law: EU GDPR; the Polish Act on Personal Data Protection of 10 May 2018 (Dz.U. 2018 poz. 1000, as amended); and, as the Polish national implementation of the ePrivacy Directive, the Act of 12 July 2024 — Electronic Communications Law (Prawo komunikacji elektronicznej), in force since 10 November 2024, art. 399 of which governs the storage of information on end-user devices (cookie consent) and replaced the former Telecommunications Law rule.
Non-essential cookies are placed only with your prior opt-in consent, given via our consent banner, as described in Section 2.
Supervisory authority: Urząd Ochrony Danych Osobowych (UODO) | ul. Stawki 2, 00-193 Warszawa | uodo.gov.pl
Annex B — United Kingdom
Applicable law: UK GDPR (as retained by the European Union (Withdrawal) Act 2018), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR). Under PECR Regulation 6, non-essential cookies are placed only with your prior opt-in consent.
International transfers from the UK rely on UK adequacy regulations, the International Data Transfer Agreement (IDTA), or the UK Addendum to the EU SCCs (ICO, March 2022) — see Section 7.
UK Article 27 Representative: Legal Nodes Ltd, Office 2, Bennet’s House, 21 Leyton Road, Harpenden, England, AL5 2HU | pleso.rep@legalnodes.com
Supervisory authority: Information Commissioner’s Office (ICO) | Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF | ico.org.uk | 0303 123 1113
Annex C — Ukraine
Applicable law: Law of Ukraine No. 2297-VI on Personal Data Protection (as amended 2023). Ukraine has no dedicated ePrivacy legislation; Pleso voluntarily applies the EU opt-in consent standard described in Section 2 as the baseline for Ukrainian users, alongside GDPR-equivalent standards.
Pleso does not transmit personal data of Ukrainian users to analytics or advertising trackers on pages related to the delivery of therapeutic services, consistent with the restriction in Section 2 and Annex C of the Privacy Policy.
International transfers: where cookies or tools listed in this Policy result in transfers of Ukrainian users’ personal data abroad, the transfer grounds of Article 29 of Law No. 2297-VI apply, as described in Annex C (International Data Transfers) of the Privacy Policy.
Supervisory authority: Ukrainian Parliament Commissioner for Human Rights (Ombudsperson) | ombudsman.gov.ua
― End of Cookie & Third-Party Tools Policy ―
Pleso Therapy sp. z o.o. | iod@pleso.me | pleso.me
London, N13 4FG, Prime
Apartments, 483 Green Lanes