PRIVACY POLICY
Pleso Therapy — pleso.me
Effective date: 01/07/2026 — Last updated: 16/06/2026
Dear User,
This Privacy Policy explains how Pleso Therapy collects, uses, and protects your personal data when you use our platform at www.pleso.me (the “Platform”). We want this to be clear and readable. If something is unclear, please contact our Data Protection Officer (details below).
This Policy applies to users in all markets where Pleso Therapy operates.
In this Policy, “Specialists” means the qualified therapists who provide sessions via the Platform (the same term is used in our Terms & Conditions).
This Policy does not name individual third-party tools or service providers. Instead, it describes the recipients of your data by specific category (type of activity, sub-sector, and location), as permitted by Article 13(1)(e) GDPR. The always-current named register of the specific tools and providers we use — including cookies, their names, durations, and opt-out instructions — is published in our standalone Cookie & Third-Party Tools Policy at pleso.me/en/legal/cookie-policy. You may also request the names of specific processors at any time from iod@pleso.me.
Jurisdiction-specific provisions for each country are set out in Annexes A–C at the end of this document. The Annex that applies to you is determined by your location, not by the language in which you read this Policy. In case of conflict between the main body and an Annex, the Annex prevails for users in that jurisdiction.
I. Data Controller and Data Protection Officer
Data Controller: Pleso Therapy sp. z o.o., ul. 12 Lutego 25/7, 82-300 Elbląg, Poland | KRS: 0000980227 | REGON: 522652856 | NIP: 5783155594 (hereinafter: “Pleso”, “we”, “us”)
Data Protection Officer (DPO): Marta Gajewko | Email: iod@pleso.me
UK Article 27 Representative: Legal Nodes Ltd, Office 2, Bennet’s House, 21 Leyton Road, Harpenden, England, AL5 2HU | Email: pleso.rep@legalnodes.com
General enquiries: hello@pleso.me
II. Legal Framework
We process personal data in compliance with:
EU General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679 — applies to all users, and directly to users in Poland.
Polish Act on Personal Data Protection — Act of 10 May 2018 (Dz.U. 2018 poz. 1000, as amended).
UK General Data Protection Regulation (UK GDPR) — retained in UK law via the European Union (Withdrawal) Act 2018.
UK Data Protection Act 2018.
UK Privacy and Electronic Communications Regulations (PECR).
Ukrainian Law No. 2297-VI on Personal Data Protection (as amended 2023). Pleso applies GDPR-equivalent standards as a baseline for Ukrainian users.
Ukrainian Law on the Mental Health Protection System.
Where this Policy refers to “GDPR” it means EU GDPR. UK-specific and Ukraine-specific provisions are noted separately in the relevant Annexes.
III. What Data We Collect and Why
3.1 Platform Visitors
Data: IP address, browser and device information, cookies and usage data.
Purpose: Ensuring the proper technical functioning of the Platform; understanding how the Platform is used so we can improve it.
Legal basis: Article 6(1)(f) GDPR — legitimate interests.
3.2 Platform Registration and Therapeutic Sessions (Clients)
Data: Name, surname, residential address, email, phone number, session booking data, payment information.
Purpose: Providing the Services (organising and delivering therapy sessions through the Platform, in Pleso’s own name); processing payments; issuing invoices; managing your account.
Legal basis:
Article 6(1)(b) GDPR — performance of a contract.
Article 6(1)© GDPR — compliance with legal obligations (tax, accounting).
Article 6(1)(f) GDPR — legitimate interests (claims management, platform security).
Session scheduling takes place through Pleso’s own in-app scheduling tool, built and operated by Pleso; no third-party scheduling provider is involved.
3.3 Subscriptions, Bundles and Payments
Where you purchase a single Session, a Bundle (a prepaid purchase of a specified number of Sessions, which may be one-off or auto-renewing), or a Subscription (a Bundle that renews automatically at the end of each billing cycle), we process additional data to manage billing. Every purchase is credited to your account as Tokens — internal, non-monetary balance units exchangeable for Sessions; a Subscription credits its included Tokens upon each renewal, valid for the current billing cycle. Your Token balance and transaction history are processed as account data under Article 6(1)(b) GDPR.
Data: Account and plan identifiers (the plan or Bundle you purchased, its status and billing period), renewal dates, transaction history, invoicing details, and account balance (including Tokens and any remaining legacy Gift Voucher balances).
Payment card data is never stored by Pleso. Your card details are collected and held by PCI DSS-certified payment service providers, which act as our processors or as independent controllers for parts of the payment processing. These providers are named in the register in the Cookie & Third-Party Tools Policy at pleso.me/en/legal/cookie-policy.
Purpose: Charging one-off and recurring Subscription fees; sending renewal reminder emails at least 7 calendar days before each Subscription charge; sending price-change notices; processing refunds and Token credits; invoicing and accounting.
Legal basis:
Article 6(1)(b) GDPR — performance of a contract (billing, renewals, reminders, refunds).
Article 6(1)© GDPR — compliance with legal obligations (tax, accounting).
Article 6(1)(f) GDPR — legitimate interests (fraud prevention, establishment and defence of claims).
Gift Vouchers are no longer offered for sale. Legacy Gift Vouchers already issued remain valid until their original expiry date; we continue to process the associated balance and redemption data until that date and thereafter for the applicable retention periods in Section VII.
3.4 Specialist Data
Pleso processes personal data of Specialists who register on the Platform as independent subcontractors. This data is processed separately from client data.
Data collected: Full name, gender, date of birth, contact details (including mobile phone number), professional qualifications and experience, languages spoken, profile image and biography, bank account details for payment processing, tax identification number (TIN), country of tax residence, registered business address and business registration details.
Purpose: Onboarding and verifying Specialists; enabling clients to select a Specialist; processing payments to Specialists; compliance with professional standards; compliance with platform-operator tax reporting obligations, including Council Directive (EU) 2021/514 (DAC7) as implemented in Poland — reporting of Specialist identification and remuneration data to the competent tax authority — and other tax and accounting obligations.
Legal basis:
Article 6(1)(b) GDPR — performance of the subcontractor agreement between Pleso and the Specialist.
Article 6(1)© GDPR — compliance with legal obligations, including platform-operator tax reporting under Council Directive (EU) 2021/514 (DAC7) as implemented in Poland, and other tax and accounting obligations.
Article 6(1)(f) GDPR — legitimate interests (verification of professional credentials, platform integrity).
Role clarification: Pleso is the data controller for Specialist profile and payment data, and for the operation of the Platform, Specialist verification, bookings, billing, user support, and complaints handling. During a therapy session, the Specialist acts as an independent data controller for the clinical content of the session (clinical notes, clinical assessment, therapeutic decisions), subject to their professional secrecy obligations. Pleso does not access the content of sessions. To the extent Pleso and a Specialist jointly determine the purposes and means of processing, they act as joint controllers within the meaning of Article 26 GDPR; the essence of the joint-controller arrangement is available to users on request from iod@pleso.me.
3.5 Health Data During Therapy
When you use Pleso’s therapy services, health and mental health data is processed in the course of providing care.
Legal basis: Article 9(2)(h) GDPR — processing necessary for health or social care provision, combined with Article 6(1)(b) for the underlying contract.
Safeguard: This data is processed under the obligation of professional secrecy by qualified health professionals (Specialists) and is subject to enhanced security measures. Pleso does not access the content of therapeutic sessions.
Any unauthorised disclosure of session content by a Specialist constitutes a breach of professional secrecy and of the Specialist’s agreement with Pleso. Pleso investigates every reported breach and may suspend or permanently remove the Specialist from the Platform; the Specialist may additionally face professional disciplinary, civil and criminal liability under applicable law. Where such a breach amounts to a personal data breach, Pleso applies the notification procedure described in Section X. Suspected breaches can be reported to iod@pleso.me.
3.6 Contact Enquiries
Data: Name, email, phone number, and any information you voluntarily include.
Purpose: Responding to your enquiry.
Legal basis: Article 6(1)(f) GDPR — legitimate interests.
3.7 Social Media
Pleso maintains official profiles on third-party social networking, video-sharing, instant-messaging, and customer review platforms. The current list of platforms where Pleso maintains an official presence is published in the Cookie & Third-Party Tools Policy at pleso.me/en/legal/cookie-policy.
Data: Name or username, publicly available profile information, content you voluntarily share.
Purpose: Sharing information about our services; responding to comments and messages; building Pleso’s brand.
Legal basis: Article 6(1)(f) GDPR — legitimate interests.
3.8 Newsletter and Marketing
Data: Name, email address.
Purpose: Sending information about Pleso’s services, offers, and updates.
Legal basis: Article 6(1)(a) GDPR — your consent. Newsletter sign-up is opt-in and entirely voluntary. You are not required to subscribe in order to use the Platform.
Withdrawal: Click “Unsubscribe” in any email, or contact hello@pleso.me. Withdrawal does not affect the lawfulness of prior processing.
3.9 Claims and Legal Purposes
Purpose: Establishing, investigating, or defending against legal claims.
Legal basis: Article 6(1)(f) GDPR — legitimate interests.
3.10 Business Contact Form
Data collected: Name, email address, phone number, company name, and any information you voluntarily include.
Purpose: Responding to business enquiries and evaluating potential partnerships.
Legal basis: Article 6(1)(b) GDPR — steps taken at your request prior to entering into a contract; Article 6(1)(f) GDPR — legitimate interests.
IV. Special Category (Health) Data — Summary
Mental health data receives the highest level of protection under GDPR Article 9:
| Processing Activity | Data | Legal Basis | Notes |
|---|---|---|---|
| Therapy sessions | Session content, mental health history | Art. 9(2)(h) — healthcare provision | Under professional secrecy; Pleso has no access to session content |
| Quality reviews | User feedback referencing health | Art. 9(2)(h) + Art. 6(1)(f) | Anonymised where possible |
| Crisis response | Data necessary to protect life or health | Art. 9(2)(c) — vital interests | Used only in crisis situations — see Section 4.1 |
Data Protection Impact Assessment: Pleso has conducted a DPIA in accordance with GDPR Article 35 for the processing of special category mental health data. Contact iod@pleso.me for information.
Pleso does not share mental health data with advertising platforms or use it to build marketing audience segments. Analytics and tracking tools are excluded from all pages where therapy services are delivered — see Section V.
4.1 Crisis Situations and Emergency Information
Pleso is not an emergency or crisis service. Our matching questionnaire does not ask about suicidal thoughts or other crisis indicators, and we do not collect this information before therapy begins. Instead, the Platform displays an informational screen with the contact details of emergency services and crisis helplines, so that anyone in immediate distress can reach appropriate help straight away. Displaying this information involves no processing of your personal data. If you are in immediate danger, please contact your local emergency services.
Disclosure in case of risk to life. Where there are reasonable grounds to believe that a user is at immediate risk of serious harm to themselves or others — for example, where this becomes apparent during a Session — Pleso or the Specialist may be required or permitted to disclose relevant information to emergency services or competent authorities, without prior notice and without your consent, in accordance with applicable law. In particular: in Poland, disclosure is permitted under Article 9(2)© GDPR where it is necessary to protect the vital interests of the data subject; in the United Kingdom, disclosure may occur under the UK GDPR and applicable safeguarding legislation; and in Ukraine, disclosure may occur in accordance with Article 40 of the Law of Ukraine on the Mental Health Protection System, which permits disclosure to prevent serious harm to the health or life of the person or third parties.
V. Who We Share Your Data With
We share your data only where necessary and with appropriate safeguards. All third-party processors operate under Data Processing Agreements with Pleso. Certain recipients — in particular payment service providers and customer review platforms — act as independent controllers for parts of the processing they carry out; this is indicated in the named register referred to below.
5.1 Categories of Data Processors
We describe recipients by specific category; the always-current named register is published in our Cookie & Third-Party Tools Policy, and you may request the names of specific providers at any time from iod@pleso.me.
| Category | What They Do | Location |
|---|---|---|
| Cloud infrastructure and hosting providers (IaaS/PaaS) | Store and serve Platform data on secure servers | EU and USA |
| Video-conferencing technology providers | Enable video therapy sessions | EU |
| Payment service providers (PCI DSS-certified) | Process one-off and recurring payments securely; hold payment card data | EU and USA |
| Email and messaging automation providers | Send transactional emails, newsletters, and notifications | EU and USA |
| Web and product analytics providers | Help us understand how the Platform is used — excluded from therapy pages | EU and USA |
| UX and behavioural analytics providers (heatmaps, session replay) | Analyse user experience to improve Platform design — excluded from therapy pages | EU |
| Advertising networks and campaign measurement providers (marketing pixels) | Measure the effectiveness of marketing campaigns — excluded from therapy pages | USA |
| Customer review platform providers | Collect, display, and manage user reviews | EU |
| Error monitoring and performance providers | Detect and fix technical issues | USA |
| Accounting, legal, and consulting advisors | Provide accounting, legal, or consulting support | Poland / EU |
| State authorities | Where required by court order or applicable law | Varies |
5.2 Analytics Restriction
Pleso does not transmit directly identifying personal data (such as your name or email address) to advertising or analytics tools, and such tools are excluded from all pages where therapy services are delivered. This restriction is technically enforced.
5.3 Other Recipients
Pleso may also disclose personal data to authorised state administration bodies where required by law.
VI. International Data Transfers
Some of our processors are based in the United States. Where your data is transferred outside the EEA, we ensure protection through:
EU–US Data Privacy Framework (DPF) — where the processor is self-certified under the framework recognised by the European Commission adequacy decision of 10 July 2023.
Standard Contractual Clauses (SCCs) — EU Commission Decision 2021/914, Module 2 (Controller to Processor).
UK International Data Transfer Addendum — the ICO-issued UK Addendum to EU SCCs (March 2022) for UK-related transfers.
EU Commission adequacy decisions — where available for non-EEA countries.
For transfers where no adequacy decision or appropriate safeguards exist, we will seek your explicit consent under Article 49(1)(a) GDPR and inform you of the associated risks.
You may request details about the specific safeguards applied to any transfer — including which transfer mechanism applies to a specific provider — by contacting iod@pleso.me.
VII. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data (clients) | Duration of account + applicable claims limitation period (3–6 years depending on jurisdiction — see Annexes) |
| Therapy session data | Booking and session metadata held by Pleso (session dates, booking and attendance history): duration of the account + the applicable limitation period (see Annexes A–C). Clinical records of therapy held by your Specialist as an independent controller under professional secrecy (clinical notes, clinical assessments, correspondence relevant to the therapeutic relationship): retained for the health-record retention period applicable in the relevant jurisdiction — for example, at least 7 years after the end of therapy in the United Kingdom (or until a client who was a minor turns 25), in line with professional-body practice; for Ukraine, see Annex C. These retention obligations override erasure requests — under Article 17(3)(b) GDPR the right to erasure does not apply where processing is necessary for compliance with a legal obligation. |
| Specialist data | Duration of subcontractor relationship + 6 years (tax and legal compliance) |
| Subscription and billing data (plan identifiers, renewal dates, transaction history) | Duration of account + applicable limitation period; invoicing records per the tax retention periods below |
| Newsletter consent records | Until consent withdrawn; consent record retained up to 5 years after withdrawal for compliance evidence |
| Contact enquiry data | Duration necessary to resolve the enquiry + applicable limitation period |
| Tax and invoicing data | Poland: 5 years / UK: 6 years / Ukraine: 7 years |
| Security logs | 5 years, or until completion of any related investigation or legal proceedings |
| Cookies data | In accordance with your consent; per-tool durations are listed in the Cookie & Third-Party Tools Policy |
| Your situation | How long we keep your data |
|---|---|
| Registered but never started therapy — no erasure request | 3 years after your last login, then automatically deleted. |
| Started therapy — no erasure request | Account and personal data: duration of account + applicable limitation period (see Annexes A–C). Therapy session data: subject to any longer statutory health record requirements per jurisdiction. |
| Registered but never started therapy — erasure requested | Deleted within 30 days of the verified erasure request. |
| Started therapy — erasure requested | Account and personal data deleted within 30 days. Clinical records (session dates, clinical notes, correspondence relevant to the therapeutic relationship) are retained for the statutory health-record retention period applicable in the relevant jurisdiction — under Article 17(3)(b) GDPR the right to erasure does not apply to them; after the statutory period expires they are deleted or irreversibly anonymised. Data subject request logs and consent records retained for 5 years for compliance purposes. |
VIII. Your Rights
To exercise any right below, contact iod@pleso.me. We will respond within 30 days. Before fulfilling requests concerning health data, we will verify your identity via email confirmation and an additional step (SMS code or security questions).
8.1 Rights Under EU GDPR
Access (Art. 15) — obtain a copy of your data, including the identity of specific recipients.
Rectification (Art. 16) — correct inaccurate data.
Erasure (Art. 17) — request deletion (“right to be forgotten”). The right to erasure does not extend to clinical records of therapy during the statutory health-record retention periods (Article 17(3) GDPR) — see Section VII.
Restriction (Art. 18) — limit how we use your data.
Portability (Art. 20) — receive your data in a machine-readable format.
Object (Art. 21) — object to processing based on legitimate interests.
Automated decision-making (Art. 22) — see Section XI.
Withdraw consent (Art. 7(3) / Art. 9) — at any time, without affecting prior processing.
Lodge a complaint: Poland — UODO, ul. Stawki 2, 00-193 Warszawa (uodo.gov.pl).
8.2 Rights Under UK GDPR (United Kingdom)
UK users have equivalent rights under UK GDPR and the Data Protection Act 2018. All rights listed in 8.1 apply.
Lodge a complaint: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF | ico.org.uk | 0303 123 1113.
8.3 Rights Under Ukrainian Law (Ukraine)
Ukrainian users have rights of access, correction, deletion, and objection under Law No. 2297-VI, mirroring the rights listed in 8.1. Additional rights specific to Ukraine are set out in Annex C.
Lodge a complaint: Ukrainian Parliament Commissioner for Human Rights (ombudsman.gov.ua).
8.4 Providing Data is Voluntary
Providing data when registering or purchasing services on the Platform is voluntary; however, not providing it may prevent use of certain features or services. Providing data for marketing is entirely voluntary and does not affect your ability to use the Platform.
IX. Children’s Data
While our Services may be made available to Minor Users (as defined in the relevant Terms & Conditions), the protection of children’s privacy is of the utmost importance to us. The following conditions apply.
Service age policy. Under the Terms & Conditions, Services are provided to Minor Users — persons under 18 years of age — only upon a proactive written request submitted by a parent or legal guardian to hq@pleso.me. Pleso Therapy will provide the applicable consent documentation and onboarding procedure upon receipt of such a request. In the absence of such a request, access to the Platform is available only to persons who are 18 years of age or older, confirmed by a self-declaration at registration. Services to Minor Users in the United Kingdom are currently suspended pending implementation of additional safeguards required under applicable UK law. Services are not provided to persons under 14 years of age.
Age of digital consent. The age at which a Minor may independently provide consent for the processing of their personal data in relation to information society services varies by jurisdiction: 16 years in Poland (GDPR Article 8, as implemented without a lower age derogation); 13 years in the United Kingdom (UK GDPR Article 8); and 18 years in Ukraine (Law of Ukraine No. 2297-VI on Personal Data Protection), where no specific digital consent age has been established and the general age of majority applies. Below the applicable age threshold, use of the Platform and provision of personal data is permitted only with the explicit consent and active involvement of a parent or legal guardian.
Verification of parental consent. Where a proactive request has been received and Services are being provided to a Minor User, Pleso reserves the right to implement technical and organisational measures to verify that parental or guardian consent has been granted, proportionate to the nature and risk of the processing. This may include requiring the parent or guardian to provide contact information, confirm their identity, or take such other steps as are necessary and set out in the Terms & Conditions. For UK users, these measures will be designed in accordance with the ICO’s Age Appropriate Design Code (Children’s Code) and the safeguarding conditions in Schedule 1, Part 1 of the Data Protection Act 2018, once Services to Minor Users in the United Kingdom are reinstated.
Data minimisation. We collect only the minimum amount of health and identity data from Minor Users that is strictly necessary to perform the Services. Such data is treated with the highest level of security and confidentiality, and is not used for profiling, marketing, or any purpose beyond Specialist matching.
Rights of parents and guardians. Parents or legal guardians have the right to access the personal data collected from their child, request its rectification or erasure, and withdraw consent for further collection or processing at any time. To exercise these rights, please contact our Data Protection Officer at iod@pleso.me. We will respond within 30 days of receiving the request.
Parental acknowledgement. By submitting a proactive request for a Minor User to access the Platform, the parent or legal guardian acknowledges and agrees to the processing of the Minor’s sensitive personal data (health and identity) for the purpose of Specialist matching as described in this Policy, and confirms that they hold parental responsibility or equivalent authority under applicable law.
X. Data Security
We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS 1.3) and at rest (AES-256), role-based access controls, network firewalls, regular vulnerability testing, access logging, staff training on data protection, and contractual security requirements for all processors.
Please keep your login credentials confidential and do not share your password with others.
Breach notification: In the event of a personal data breach likely to result in a risk to your rights, we will notify the competent supervisory authority within 72 hours (GDPR Art. 33) and notify you directly where the risk is high (GDPR Art. 34).
XI. Automated Decision-Making and Profiling
Pleso may use limited profiling for statistical analysis and marketing. No decisions that significantly affect you are made solely on the basis of automated processing. All Specialist matching and care-related decisions involve human oversight.
XII. Cookies and Tracking Technologies
We use cookies and similar technologies (web beacons, pixels, local storage) to operate the Platform, analyse usage, and deliver relevant content. We use a consent management platform to allow you to accept, reject, or customise your preferences. No non-essential cookies are placed until you actively consent.
Important: Analytical and advertising trackers are not used on pages where therapy services are delivered or where health information is shared.
For full details — including the names of specific tools and providers, cookie names, per-tool durations, and opt-out instructions — see our standalone Cookie & Third-Party Tools Policy at pleso.me/en/legal/cookie-policy.
XIII. Changes to This Policy
We may update this Privacy Policy when we introduce new features or when the law changes. When we do, we will update the effective date at the top of this page and notify you via email or a prominent Platform notice if the changes are material. Material changes are notified at least 14 calendar days in advance, in line with the Terms & Conditions.
Changes to the named register of specific tools and providers are made in the Cookie & Third-Party Tools Policy, which may be updated at any time without amending this Privacy Policy, provided the change stays within the recipient categories described in Section 5.1.
XIV. Contact
| Contact | Details |
|---|---|
| Data Protection Officer | iod@pleso.me |
| General enquiries | hello@pleso.me |
| UK Article 27 Representative | Legal Nodes Ltd / pleso.rep@legalnodes.com |
| Postal address | Pleso Therapy sp. z o.o., ul. 12 Lutego 25/7, 82-300 Elbląg, Poland |
Supervisory Authorities
| Market | Authority | Contact |
|---|---|---|
| Poland | UODO | uodo.gov.pl |
| United Kingdom | ICO | ico.org.uk / 0303 123 1113 |
| Ukraine | Ukrainian Parliament Commissioner for Human Rights | ombudsman.gov.ua |
ANNEX A — POLAND
This Annex supplements the main Privacy Policy for users in Poland. In case of conflict, this Annex prevails.
A.1 Additional Legal Framework
Polish Act on Personal Data Protection (ustawa z dnia 10 maja 2018 r. o ochronie danych osobowych, Dz.U. 2018 poz. 1000, as amended) applies. Pleso Therapy sp. z o.o. is registered in Poland and is directly subject to UODO supervision.
A.2 Retention
Tax and invoicing records: 5 years from the end of the fiscal year (Polish tax law). Account and contract data: duration of account + 6 years (general limitation period, Article 118 of the Polish Civil Code).
A.3 Supervisory Authority
Urząd Ochrony Danych Osobowych (UODO) | ul. Stawki 2, 00-193 Warszawa | uodo.gov.pl
A.4 Electronic Marketing
Marketing communications to users in Poland are sent only with prior consent under Article 398 of the Act of 12 July 2024 — Electronic Communications Law (Prawo komunikacji elektronicznej), in force since 10 November 2024, which replaced the former rules in Article 172 of the Telecommunications Law and Article 10 of the Act on the Provision of Services by Electronic Means. Consent may be withdrawn at any time by clicking “Unsubscribe” in any email or contacting hello@pleso.me.
A.5 Language
For users located in Poland, this Policy is available in Polish. In the event of discrepancies between language versions, the Polish version prevails.
ANNEX B — UNITED KINGDOM
This Annex supplements the main Privacy Policy for users in the United Kingdom. In case of conflict, this Annex prevails.
B.1 Legal Framework
UK GDPR (as retained by the European Union (Withdrawal) Act 2018), the Data Protection Act 2018, and PECR apply. Health data of UK users is processed on the basis of Article 9(2)(h) UK GDPR in conjunction with section 10 of, and the conditions in Schedule 1, Part 1 of, the Data Protection Act 2018 (health or social care purposes), under the responsibility of professionals subject to an obligation of professional secrecy.
B.2 UK Article 27 Representative
As Pleso Therapy sp. z o.o. is not established in the United Kingdom, we have appointed a UK representative under Article 27 UK GDPR:
Legal Nodes Ltd, Office 2, Bennet’s House, 21 Leyton Road, Harpenden, England, AL5 2HU | pleso.rep@legalnodes.com
UK users may contact Legal Nodes Ltd on matters relating to the processing of their personal data.
B.3 International Transfers from the UK
Transfers from the UK rely on: UK adequacy regulations; International Data Transfer Agreement (IDTA); or UK Addendum to EU SCCs (ICO, March 2022).
B.4 Retention
Tax and invoicing records: 6 years from the end of the tax year (UK tax law). Account and contract data: duration of account + 6 years (Limitation Act 1980), applied UK-wide as Pleso’s operational standard.
B.5 Electronic Marketing
Marketing communications to UK users are sent only with prior consent under PECR Regulation 22. Consent may be withdrawn at any time by clicking “Unsubscribe” in any email or contacting hello@pleso.me.
B.6 Supervisory Authority
Information Commissioner’s Office (ICO) | Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF | ico.org.uk | 0303 123 1113
B.7 ICO Registration
Pleso Therapy’s current ICO registration status is published on the Platform’s privacy page for UK users.
ANNEX C — UKRAINE
This Annex supplements the main Privacy Policy for users in Ukraine and incorporates the substance of the Privacy Addendum UA (edition of 18 March 2026). In case of conflict, this Annex prevails.
C.1 Additional Legal Framework
Law of Ukraine No. 2297-VI on Personal Data Protection (as amended 2023).
Law of Ukraine on the Mental Health Protection System.
Tax Code of Ukraine (for retention of fiscal data).
C.2 Data Controller under Ukrainian Law
For the purposes of the Ukrainian Law on Personal Data Protection, Pleso Therapy sp. z o.o. acts as the owner of personal data (volodilets personalnykh danykh) within the meaning of the Law of Ukraine No. 2297-VI on Personal Data Protection. DPO contact: iod@pleso.me.
C.3 Professional Secrecy
The content of therapy sessions constitutes professional secrecy under Article 5 of the Law of Ukraine on the Mental Health Protection System and is protected regardless of the form of storage. Pleso, as Platform operator, does not access the content of sessions. Sessions are not recorded unless expressly agreed in writing by both the user and the Specialist.
Exceptions to professional secrecy are permitted only in cases provided for by law, including: (a) an immediate threat to the life or health of the user or third parties; (b) domestic violence or violence against a child or a person lacking legal capacity, to the extent disclosure is required or permitted by Ukrainian law; © a court order. Disclosure is made to the minimum extent necessary and only to the bodies designated by law (see also clause 13.4 of the Terms & Conditions and Section 4.1 of this Policy).
C.4 Special Category Data — Enhanced Provisions
Sensitive data (mental health information, content of questionnaire at registration, information provided to the Specialist during a session) constitutes health data under Article 7 of the Ukrainian Law on Personal Data Protection and Article 9 GDPR, and is subject to enhanced protection. Legal basis: explicit consent provided via a separate checkbox at registration (Article 7 of Law No. 2297-VI), applied alongside the GDPR-baseline healthcare basis described in Sections 3.5 and IV of this Policy (Article 9(2)(h) GDPR); consent operates as a confirming layer over the healthcare basis, as described in clause 13.3 of the Terms & Conditions. Retention: questionnaire and matching data is deleted within 30 days of a verified erasure request or account closure, whichever occurs first. Clinical records of therapy are retained for the applicable statutory health-record retention period notwithstanding any erasure request (the equivalent of Article 17(3)(b) GDPR); after that period they are deleted or irreversibly anonymised. See the general retention schedule in Section VII for full details.
C.5 Analytics Restriction
Pleso does not transmit directly identifying personal data of Ukrainian users (such as name or email address) to web analytics, UX analytics, advertising pixel, or equivalent tracking tools, and such tools are excluded from all pages where therapy services are delivered. This restriction is technically enforced.
C.6 International Data Transfers
Transfers of Ukrainian users’ personal data to member states of the EEA (including Poland) and to other states party to the Council of Europe Convention 108 are permitted under Article 29 of the Law of Ukraine No. 2297-VI on Personal Data Protection, as such states are deemed to ensure an adequate level of protection. Where data is transferred to providers in other states (in particular the United States — see Sections V and VI), Pleso relies on the user’s unambiguous consent to the transfer, given at registration, together with contractual safeguards equivalent to the EU Standard Contractual Clauses.
C.7 Retention
Tax and invoicing records: 7 years (Tax Code of Ukraine). Account data: duration of account + 3 years (limitation period). Questionnaire and matching data: deleted within 30 days of a verified erasure request or account closure. Clinical records of therapy: retained for the applicable statutory health-record retention period notwithstanding any erasure request, then deleted or irreversibly anonymised (see C.4). Security logs: 5 years or until completion of related investigation.
C.8 Data Subject Rights under Ukrainian Law
In addition to the rights in Section VIII, Ukrainian users have the right to:
Know the sources of collection, the location, and the purpose of processing of their personal data (Article 8 of the Law).
Receive information on the conditions under which access to personal data is granted to third parties (Article 8 of the Law).
Lodge a complaint with the Ukrainian Parliament Commissioner for Human Rights or approach a court.
Identity verification for health data requests: confirmation via the email registered on the Platform plus an additional step (SMS code or security questions). Pleso maintains a register of data subject requests. Acknowledgement of receipt is sent within 3 business days.
C.9 Supervisory Authority
Ukrainian Parliament Commissioner for Human Rights (Ombudsperson) | ombudsman.gov.ua
― End of Privacy Policy ―
Pleso Therapy sp. z o.o. | iod@pleso.me | pleso.me
London, N13 4FG, Prime
Apartments, 483 Green Lanes