Privacy Policy

This policy explains what personal data we process, why, and the rights you have. We process health data, which the GDPR treats as a special category, with extra care.

Last updated: 2026-06-22

This is a working draft, not final legal text. It will be reviewed by a qualified EU data-protection lawyer before launch.

Who is responsible for your data

The data controller is the operator of Avand. For clinical records created during your care, your treating therapist is a joint controller. Our full identity and contact details are on our Legal notice page.

What data we collect

  • Account data — your name, email, language, and sign-in details.
  • Health data — intake answers, session and contract records, messages, and notes created during your care.
  • Usage data — privacy-friendly, cookieless analytics and security logs.
  • Payment data — billing details handled by our payment provider; we do not store full card numbers.

Our legal bases

  • Performance of a contract — to provide the service you sign up for (Art 6(1)(b)).
  • Explicit consent — for processing you opt into, which you may withdraw at any time (Art 9(2)(a)).
  • Provision of health care — clinical records created by your therapist (Art 9(2)(h)).
  • Legal obligation — where the law requires us to keep records (Art 6(1)(c)).

Special-category (health) data

Therapy notes, messages and session recordings or transcripts can reveal health information. We restrict who can access them, encrypt sensitive fields, and only involve processors bound to protect them.

How long we keep your data

We keep account data while your account is open. Clinical records are kept for the period required by medical-records law (in the Netherlands, the WGBO requires retention for roughly 20 years), after which they are deleted. This means some data cannot be erased on request until that period ends.

Who we share data with

We use a small set of vetted processors to run the service, each under a data-processing agreement. The full, current list with their location and safeguards is published in our Trust Center.

View our subprocessors

International transfers

Our primary data stays in the EU. A few processors may handle data outside the EU; where they do, we rely on Standard Contractual Clauses and additional safeguards, listed in our Trust Center.

Your rights

  • Access — get a copy of your data.
  • Rectification — correct inaccurate data.
  • Erasure — ask us to delete your data, subject to legal retention limits.
  • Portability — export your data in a machine-readable format.
  • Restriction and objection — limit or object to certain processing.
  • Withdraw consent — at any time, without affecting earlier processing.
  • Complain — to your supervisory authority (in the Netherlands, the Autoriteit Persoonsgegevens).

How to exercise your rights

Signed-in users can export or delete their account from account settings. For any other request, contact our privacy team:

Manage your dataprivacy@avand.online

Contact

Questions about this policy or your data? Reach our privacy contact:

privacy@avand.online