SuperwizorAI

Privacy Policy

This policy describes what personal data we process, why we process it, and for how long.

Last updated: 12 June 2026


Introduction

Purpose and Scope of the Policy

This Privacy Policy ("Policy") defines the rules for processing the personal data of Professional Users and Clients in connection with the use of the Superwizor AI mobile and/or web application ("App"), provided by Euphire sp. z o.o. ("Service Provider", "We").

The purpose of the Policy is to ensure transparency and fulfill the information obligations arising from Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 ("GDPR"). The Service Provider is committed to protecting the privacy of all individuals whose data it processes and ensuring compliance with GDPR regulations.

Definitions of Key Terms

For the purposes of this Policy, the following terms have the following meanings:

  • App: The Superwizor AI software in mobile (iOS, Android) and/or web versions, serving as a tool to support Professional Users in analyzing therapy and coaching sessions.
  • Service Provider: Euphire sp. z o.o., with its registered office at ul. Odrzańska 10a/48, Kraków, Poland, registered under KRS number 0000907254, NIP 6793219020.
  • Professional User (Professional): A psychoanalyst, psychologist, psychiatrist, therapist, coach, group practice, or other organization providing mental health or personal development services.
  • Client: A natural person whose personal data is processed by the Professional User in connection with the services they provide, using the App. Provisions concerning Clients apply accordingly to other persons participating in a session (e.g., a partner in couples therapy, family members).
  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Health Data: Personal data relating to the physical or mental health of a natural person revealing information about their health status (Art. 4(15) GDPR).
  • Transcription: The automatic text record of an audio recording, generated by speech recognition technology.
  • Session Report: A structured document automatically generated by artificial intelligence based on the session transcription.
  • HiTOP: The Hierarchical Taxonomy of Psychopathology — a dimensional symptom assessment system whose measurements the App generates based on transcriptions.
  • Processing: Any operation or set of operations performed on personal data.
  • Data Controller: An entity that, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Data Processor: An entity that processes personal data on behalf of the controller.
  • Envelope Encryption: An encryption technique where data is encrypted with a unique data encryption key (DEK), and the DEK itself is encrypted with a master key (KEK) managed by Cloud KMS. This provides a double layer of protection.

Part I: Information for Professional Users

1. Data Controller of Professional Users' Personal Data

The Data Controller for the personal data of Professional Users, in the scope of data provided during the registration process, account management, payments, and App usage, is:

Euphire sp. z o.o.
ul. Odrzańska 10a/48, Kraków, Poland
KRS: 0000907254, NIP: 6793219020

For any matters related to the processing of your data, including data protection matters, please contact:

2. Purposes, Legal Bases, and Processing Period

We process the following categories of Professional Users' data:

  • Identification and contact data (first name, last name, e-mail address, phone number — if provided).
  • Registration data (Firebase account identifier, password hash — for e-mail/password registration).
  • Authentication data (identity provider authentication tokens — Google, Apple — for social login).
  • Profile data (profile photo, professional title, selected therapeutic modality, time zone, UI language preferences, report style preferences).
  • Payment data (subscription-related information processed by Stripe; the Service Provider does not store full payment card data).
  • App usage data (system logs, IP addresses, device type and version, operating system version, App version, diagnostic and analytics events recorded in the Service Provider's own infrastructure — we do not use third-party analytics tools).

Processing Purposes:

  1. Performance of the App service agreement (Art. 6(1)(b) GDPR) — until the expiration of the statute of limitations for claims.
  2. Handling payments and settlements (Art. 6(1)(b) and (c) GDPR) — for the period required by tax regulations (5 years from the end of the tax year).
  3. Technical support and complaint handling (Art. 6(1)(f) GDPR) — until the ticket is resolved.
  4. Ensuring security and preventing abuse (Art. 6(1)(f) GDPR) — system logs are retained as a rule for 30 days, and analytics events for 90 days.
  5. Service personalization (Art. 6(1)(b) GDPR) — customizing report style, interface language, and therapeutic modality to User preferences — for the duration of the Agreement.
  6. Service lifecycle communications (Art. 6(1)(b) and (f) GDPR) — e-mails necessary for the performance of the Agreement or informing about its status (e.g., welcome message, address verification, quota warnings, subscription renewal reminders) — for the duration of the Agreement.
  7. Direct marketing of own services by electronic means (Art. 6(1)(a) GDPR in conjunction with Art. 398 of the Polish Electronic Communications Law of 12 July 2024) — solely upon separate, voluntary consent (e.g., given during registration); consent may be withdrawn at any time without affecting the lawfulness of processing carried out before its withdrawal. Every marketing message includes an opt-out option.

3. The Service Provider's Role in Processing Clients' Data

Regarding Clients' personal data, the Professional User is the Data Controller. The Service Provider is solely the Data Processor, processing data upon the documented instruction of the Controller under the concluded Data Processing Agreement (DPA).

The Service Provider processes Clients' data solely to provide the Services to the Professional User, i.e., transcription of recordings, generation of Session Reports, HiTOP measurements, and building contextual memory. The Service Provider does not use Clients' data for any of its own purposes, including marketing, research, or training artificial intelligence models.

4. Obligations of the Professional User as Controller

As Controllers, you bear full responsibility for the compliance of processing with regulations, including:

  • Ensuring an appropriate legal basis (e.g., Art. 9(2)(h) or (a) GDPR).
  • Fulfilling the information obligation (Art. 13 GDPR) — in particular, informing the Client and all other persons participating in the session about the recording of the session and the use of the App.
  • Exercising Clients' rights (access, rectification, erasure, data portability, objection).
  • Ensuring data security on your side.

5. Technical and Organizational Measures

The Service Provider applies advanced security measures appropriate to the high risk associated with processing special categories of data (health data):

Data residency and region control:

  • The infrastructure processing session data (recordings, transcriptions, reports, contextual memory) is located in the europe-central2 (Warsaw, Poland) region of the Google Cloud Platform. Resource locations are defined in infrastructure-as-code configuration, subject to version control and reviews.
  • The only exception is the Vertex AI service (used for generating reports and embeddings), located in the europe-west4 (Netherlands) region — still within the European Economic Area (EEA). The Speech-to-Text service uses a dedicated European endpoint (eu-speech.googleapis.com).

Encryption of data at rest:

  • CMEK (Customer-Managed Encryption Keys): Key infrastructure services (Cloud Storage, Cloud SQL, Secret Manager) use encryption keys managed by the Service Provider in Cloud KMS (keyring superwizor-keyring), with automatic rotation every 90 days.
  • Envelope Encryption: All special categories of data (transcriptions, session reports, HiTOP measurements, RAG contextual memory) are encrypted at the application level using an AEAD algorithm. Each record has a unique data encryption key (DEK), which is encrypted with a master key (KEK) managed in Cloud KMS. This means that even if database access were obtained, the data remains unreadable without access to Cloud KMS.
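
The envelope encryption scheme defined in "Definitions of Key Terms" and described in the item above, as an added Go illustration that is not the Service Provider's code. Assumptions: AES-256-GCM as the AEAD (the Policy names no algorithm), a local 32-byte key standing in for the Cloud KMS master key, hypothetical names (Record, EncryptRecord, DecryptRecord), and the record ID bound as associated data, which goes beyond what the Policy states.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Record struct { // the stored row; it never holds the plaintext DEK
	ID                     string
	WrappedDEK, Ciphertext []byte // each is nonce || AES-256-GCM output
}

// seal encrypts pt under key with a fresh nonce; aad is authenticated only.
func seal(key, pt, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, pt, aad), nil
}

func open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(blob) < 12 { // 12 = standard GCM nonce size
		return nil, fmt.Errorf("invalid key length or truncated blob")
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, blob[:12], blob[12:], aad) // fails if key, blob or aad changed
}

// EncryptRecord: one fresh DEK per record, both layers bound to the record ID.
func EncryptRecord(kek []byte, id string, payload []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, payload, []byte(id))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(kek, dek, []byte(id)) // stand-in for a KMS encrypt call
	return Record{ID: id, WrappedDEK: wrapped, Ciphertext: ct}, err
}

// DecryptRecord must unwrap the DEK with the KEK; the row alone is not enough.
func DecryptRecord(kek []byte, r Record) ([]byte, error) {
	dek, err := open(kek, r.WrappedDEK, []byte(r.ID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, r.Ciphertext, []byte(r.ID))
}

func main() {
	kek := make([]byte, 32) // constructed all-zero demo KEK; row is copied to another ID
	r, _ := EncryptRecord(kek, "rec-1", []byte("constructed sample"))
	fmt.Println(DecryptRecord(kek, Record{"rec-2", r.WrappedDEK, r.Ciphertext}))
}
```

With a managed KMS the wrap and unwrap steps become remote calls, so the master key never reaches the application and each unwrap can be logged by the key service.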

Encryption of data in transit:

  • All connections use the TLS/SSL protocol.
  • Inter-service communication occurs via gRPC (HTTP/2) with encryption.

Network isolation:

  • Access to the database (Cloud SQL PostgreSQL) takes place over encrypted channels, from services running within a private VPC network (via VPC Connector); direct network access is restricted to a strictly defined, controlled list of authorized addresses used for administration.

Access control:

  • Each microservice has a dedicated Service Account with minimal permissions (principle of least privilege, Zero Trust).
  • CI/CD processes authenticate via Workload Identity Federation (no long-lived access keys).
  • User authentication is handled by Firebase Authentication (supported methods: e-mail/password, Google Sign-In, Apple Sign-In).

Audio recording lifecycle:

  • Audio recordings are deleted from Cloud Storage immediately after successful transcription.
  • Regardless of the processing outcome, every recording is subject to automatic, permanent deletion by the Object Lifecycle Management (OLM) mechanism configured at the GCS bucket level, triggered after 48 hours from upload. Once deleted, the recording cannot be recovered.

Data deletion and audit:

  • User and Client data is deleted using a soft delete mechanism (marking deleted_at), which provides the audit trail required by GDPR.
  • Permanent, irreversible deletion from the database takes place after 30 days from marking, as part of a recurring permanent data deletion process; every run of the process is recorded in the audit event log.
  • Every significant data operation is recorded in the audit events table.

Monitoring and testing:

  • Continuous monitoring of logs and metrics via Google Cloud Logging and Cloud Monitoring.
  • Regular security reviews of infrastructure and code.

6. Data Recipients, Data Transfer, and Sub-processors

In providing the services, we use the following trusted providers (data recipients):

| Provider | Service | Data processed | Location / transfer basis |
|---|---|---|---|
| Google Cloud Platform (Google Cloud EMEA Ltd / Google LLC) | Cloud Run, Cloud SQL PostgreSQL, Cloud Storage, Cloud KMS, Pub/Sub, Secret Manager | Backend processing and data storage | europe-central2 (Warsaw, Poland) |
| Google Cloud — Vertex AI | Speech-to-Text (Chirp 3), Gemini (report generation), Text Embeddings (RAG memory) | Audio transcription, session report generation, memory embeddings | europe-west4 (Netherlands) for Vertex AI; eu-speech.googleapis.com for STT |
| Google Firebase | Authentication, Cloud Firestore (status synchronization only — not the source of truth), Cloud Storage (profile photos), FCM (push notifications) | Authentication tokens, mirrored session statuses (no session content), profile photos, push tokens | Firestore and Storage: europe-central2. Authentication and FCM are global Google services — authentication data and push tokens may be processed outside the EEA; Google LLC is certified under the EU-US Data Privacy Framework (DPF) |
| Stripe (Stripe Payments Europe, Ltd. — Ireland; Stripe, Inc. — USA) | Payment processing, subscription management | Payment data, invoicing data | EU (Ireland); transfers to Stripe, Inc. (USA) based on the EU-US DPF and standard contractual clauses (PCI DSS Level 1 certified) |
| Resend, Inc. (USA) | Sending transactional e-mails (welcome, verification, subscription notifications) and — upon consent — marketing messages | E-mail address, first name, content of system messages | USA; transfer based on standard contractual clauses (Art. 46(2)(c) GDPR) |

Clients' session data (audio recordings, transcriptions, session reports, HiTOP measurements, contextual memory) is processed and stored exclusively within the European Economic Area (EEA) — in the europe-central2 (Warsaw) and europe-west4 (Netherlands) regions — and is not transferred to third countries.

With respect to selected Professional Users' data (payment data, e-mail address for message delivery, authentication data, push tokens), transfers to the USA may occur — exclusively to entities providing appropriate safeguards referred to in Chapter V GDPR (the European Commission's adequacy decision on the EU-US Data Privacy Framework or standard contractual clauses). A copy of the relevant safeguards can be obtained by contacting us.

All providers are bound by data processing agreements. Google Cloud Platform holds ISO 27001, ISO 27017, ISO 27018, and SOC 1/2/3 certifications.

The User will be informed of any intended change concerning the addition or replacement of a Sub-processor processing Clients' data at least 14 days in advance, in accordance with the terms of the DPA.

7. Rights of the Professional User

You have the following rights:

  • The right of access to data (Art. 15 GDPR).
  • The right to rectification of data (Art. 16 GDPR).
  • The right to erasure — "the right to be forgotten" (Art. 17 GDPR).
  • The right to restriction of processing (Art. 18 GDPR).
  • The right to data portability (Art. 20 GDPR).
  • The right to object — in particular to processing based on legitimate interest (Art. 21 GDPR).
  • The right to withdraw consent at any time — to the extent processing is based on consent (Art. 7(3) GDPR); withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal.
  • The right to lodge a complaint with the supervisory authority (President of the Personal Data Protection Office — UODO, ul. Stawki 2, 00-193 Warsaw, Poland).

To exercise your rights, please contact us at: kontakt@superwizor.ai.

Part II: Information for Clients

1. Who is Responsible for Your Data?

The Controller of your data within therapy or coaching sessions is your therapist/coach/physician. They decide what data is collected, for what purpose they use the Superwizor AI App, and they are responsible for informing you about the session being recorded.

2. Who Processes Your Data?

Euphire sp. z o.o. (the App Provider) processes your data solely as a Data Processor — on behalf of and at the instruction of your therapist/coach/physician. We do not use your data for any of our own purposes, including training artificial intelligence models.

3. What Data is Processed and How?

When your therapist uses the App, the following data is processed:

  1. The audio recording of your session — it is uploaded to encrypted servers in the European Union (Warsaw), deleted immediately after transcription is completed, and at the latest — regardless of the processing outcome — by an automatic cleanup mechanism triggered 48 hours after upload. Once deleted, the recording cannot be recovered.
  2. The transcription (text record of the conversation) — generated automatically by speech recognition technology. Speakers in the transcription are marked with labels describing their role in the conversation (e.g., "Therapist", "Patient", or in coaching sessions "Coach", "Client") or with neutral labels (e.g., "Person 1") when the role cannot be determined — without using first or last names. These labels are assigned automatically and may be corrected by your therapist. The transcription is encrypted and stored in encrypted form.
  3. The session report — generated automatically by artificial intelligence based on the transcription. It contains a session analysis and dimensional measurements. It is available only to your therapist in read-only mode (they cannot edit it in the App). The report is encrypted. The report is auxiliary in nature — it does not constitute a diagnosis, and its final interpretation belongs to your therapist.
  4. Contextual memory — a short session summary and related thematic threads, stripped of direct identifying data (no first names, last names, or place names — pseudonymized), may be retained in encrypted form to help your therapist maintain continuity of care between sessions.

Your data is available exclusively to your therapist — no other App User has access to it.

4. Security of Your Data

Your data is protected by advanced encryption technologies:

  • Recordings, transcriptions, and reports are encrypted both in transit (TLS/SSL) and at rest (envelope encryption with keys managed in Google Cloud KMS).
  • Audio recordings are deleted immediately after transcription, at the latest by an automatic mechanism triggered after 48 hours.
  • Your session data is stored exclusively on servers located in the European Economic Area (Warsaw, Poland; AI analysis — Netherlands).
  • Deletion of the account by your therapist results in cascading deletion of all associated Client data (permanent deletion takes place after a 30-day protective period).

5. Your Rights

You have the right to access, rectify, erase, restrict the processing of, and port your data. To exercise your rights, contact your therapist/coach/physician, who is the Controller of your data and is directly responsible for fulfilling your rights.

You also have the right to lodge a complaint with the supervisory authority — the President of the Personal Data Protection Office (UODO, ul. Stawki 2, 00-193 Warsaw, Poland).

Part III: The superwizor.ai Website

This part applies to visitors of the website available at superwizor.ai (the "Website"), regardless of whether they use the App. The controller of the personal data of Website visitors is Euphire sp. z o.o. (contact details — Part I, item 1).

1. Contact Form

When using the contact form, you provide: name, e-mail address, subject, and message content. We process this data to handle your inquiry (Art. 6(1)(f) GDPR — legitimate interest in communicating with interested persons), for the period necessary to resolve the matter, and subsequently for the limitation period of potential claims. Messages are delivered to our e-mail inbox via our notification infrastructure.

2. Account Registration

The registration forms on the Website (therapist or organization registration) collect the data described in Part I of this Policy (including first name, last name, e-mail address, phone number, professional title, and for organizations — company registration and address data, including the tax ID). This data is transmitted directly to our system (identity-svc) and processed under the rules described in Part I.

3. Payments (Stripe Checkout)

The subscription purchase process takes place on Stripe's payment pages. As part of the payment process, Stripe collects — as a processor, and to the extent required by payment services regulations as an independent controller — data such as: e-mail address, phone number, payment card data, billing address, and tax ID (for B2B invoicing and automatic VAT calculation). Details — Part I, item 6, and Stripe's privacy policy.

4. Informational Materials (Lead Magnet)

The Website provides informational materials (e.g., a page for clients), and downloading or signing up for them may take place via a form operated by the external provider Tally (Tally Forms — a provider based in Belgium, EEA), acting as our processor. The scope of data covers the data provided in the form (e.g., e-mail address). We process this data to deliver the requested material (Art. 6(1)(b) GDPR), and for further marketing communication — only with separate consent (Art. 6(1)(a) GDPR), which may be withdrawn at any time.

5. Server Logs

While browsing the Website, the hosting infrastructure automatically records standard technical data: IP address, date and time of the request, URL, and browser identifier (user agent). We process this data to ensure the security and proper operation of the Website (Art. 6(1)(f) GDPR) and retain it for a limited period (as a rule, up to 30 days).

6. Cookies and Similar Technologies

The Website does not use analytics or marketing tools (no Google Analytics, advertising pixels, etc.) and does not display ads. Only technologies necessary for the operation of the Website are used:

  • remembering the selected language version (PL/EN),
  • cookies necessary for payment processing, set by Stripe only on the payment process pages (including for fraud prevention — in accordance with Stripe's cookie policy).

These technologies are necessary to provide services requested by the user and, as such, do not require separate consent (under the applicable Polish telecommunications / electronic communications law provisions). If we implement analytics or marketing tools in the future, we will update this Policy and — where required — ask for consent.

7. Rights of Website Visitors

Website visitors have the rights described in Part I, item 7 (access, rectification, erasure, restriction, portability, objection, withdrawal of consent, complaint to the President of UODO). Contact: kontakt@superwizor.ai.

Final Provisions

The Service Provider reserves the right to amend this Policy in connection with the evolution of law, technology, or the scope of services provided. Professional Users will be informed of any significant change at least 14 days in advance.

The current version of the Policy is always available in the "Legal Information" section of the App settings and on the Website at superwizor.ai/legal/privacy.