Data protection & privacy

AVG‑compliant gegevensverwerking

We process personal data according to the highest privacy standards and in full compliance with the GDPR. ‘GDPR-compliant’ is a brief way of saying that we explain clearly what data we record and why, we do not keep any more data than is strictly necessary, and you remain in control. The practical effect of this is extensively described in our privacy statement and in the conditions of use.

• Data minimisation: we only ask for the data that we genuinely need
• Clear objectives, retention periods and bases for data use
• Right to access, correction and erasure
• No sale or marketing misuse of data
• Processing agreements with all our partners

For employers: we act as a processor; you remain the controller. Practical agreements are outlined in the conditions of use and processing agreement.

Elektronisch cliëntdossier (ECD)

Our practitioners make use of MijnDiAd, an electronic client record system that satisfies the care standards. In short: medical data requires extra security.

• ISO 27001 and NEN 7510 certified (international/Dutch security standards)
• Dutch data centres with 24/7 security
• Daily encrypted backups
• Mandatory two-factor authentication
• Retention period in accordance with the Medical Treatment Contracts Act (WGBO), usually 20 years

Only the practitioner has access to the entire record; IT can only view the technically necessary metadata. Details about processing: see our privacy statement.

Beveiligde communicatie

We ensure that we only use secure channels for sending sensitive information. Examples include Zivver for e-mail and encrypted file transfer. Encrypted means that a message will remain unreadable to outsiders, even when intercepted.

• Secure email via Zivver for documents and reports
• Secure transport by means of TLS/SSL when sending and receiving
• Secure chat function within the platform
• No sensitive data sent through unsecured channels (such as regular e-mail)

When you contact us, we handle your data carefully. You can find out exactly what this means in our privacy statement.

Veilig online beeldbellen

For online sessions, we use LiveKit. This is specially designed for confidential conversations. ‘End-to-end encryption’ means that only you and your practitioner can listen in — we cannot.

• End-to-end encryption (E2EE)
• No recording or storage of conversations
• EU servers under GDPR protection
• SOC 2 Type II audits and periodic penetration tests
• Strict access control and logging

As soon as the conversation ends, all call data disappears. Rest assured that there’s nothing that can be viewed or listened to again.

Enterprise cloud‑infrastructuur

Our web app runs on Microsoft Azure (EU region). In plain language, this means that your data is located in Europe, is encrypted by default, and is continuously monitored.

• Encryption at rest (FIPS 140-2) and in transit (TLS)
• Data storage within the European Union
• Continuous monitoring, patching and intrusion detection
• Layered access control and comprehensive logging
• Automatic security updates

We describe the parties we deal with and why in our privacy statement.

Datalekprotocol & respons

If something goes wrong unexpectedly, we will take action quickly and transparently. A data breach means that there has been unauthorised access to data. We limit the damage and inform those involved where necessary.

• Investigation commences within 24 hours
• Dutch Data Protection Authority notified within 72 hours (if required)
• Direct damage limitation, forensic analysis and lessons learned
• Clear communication to stakeholders and clients
• Structural improvements to prevent recurrence

Data Protection Officer: Koen Gubbels — [email protected]. For the formal agreements, please view our privacy statement and conditions of use.

If you have any questions, please send us an e-mail at [email protected].