Privacy Policy

Lisa Zwirschitz · Address: in preparation · Email: support@selfdimension.com

• Upon registration: name, email address, chosen password (hashed), practice form.
• During tool use: client folder credentials (name and hashed password) as well as session data (boards, snapshots, reflections). Client content is end-to-end encrypted.
• Upon contact request: name, email, message content.
• Server logs: IP address, browser type, access time (max. 30 days retention).

Art. 6 (1) (b) GDPR (contract performance) for account data and tool usage. Art. 6 (1) (a) GDPR (consent) for marketing communication. Art. 9 (2) (h) GDPR in conjunction with therapeutic confidentiality for client data processed on behalf of therapists.

All data is stored on servers of Hetzner Online GmbH in Germany (Falkenstein). Transmission is encrypted via TLS. Storage of client content is end-to-end encrypted. This means: even we as the operator cannot view the content of your sessions, boards or reflections. Data does not leave the EU.

We use the following data processors:

• Hetzner Online GmbH (hosting, Germany)
• Cloudflare Inc. (DNS management)
• Resend Inc. (transactional emails such as confirmations and password reset)

Data processing agreements according to Art. 28 GDPR are in place with all listed providers.

We only use technically necessary cookies (login session, language preference). We do not use tracking cookies, fingerprinting, or third-party analytics.

You have the right at any time to information (Art. 15 GDPR), correction (Art. 16), deletion (Art. 17), restriction of processing (Art. 18), data portability (Art. 20) and objection (Art. 21). Please send requests to support@selfdimension.com. You also have the right to lodge a complaint with the competent supervisory authority.

Therapists who use Selfdimension are controllers within the meaning of the GDPR for their client data. We process this data exclusively on their behalf and on their instructions. Due to end-to-end encryption, we have no technical access to the content. Therapists conclude a data processing agreement (DPA) with us automatically upon sign-up in accordance with Art. 28 GDPR.

• Account data: as long as your account exists. Deletion within 30 days after account deletion.
• Client data: according to therapeutic retention obligations (typically 10 years).
• Server logs: automatic deletion after 30 days.
• Contact inquiries: until final response, then max. 6 months.

No transfer to third countries outside the EU takes place. All data and processors are based in the EU or are subject to standard contractual clauses.

We reserve the right to amend this privacy policy if necessary due to new technical features or changes in case law. The current version is always available on this page.