Privacy Policy

Version date: October 5, 2025.

Data Administrator: SimpleCity Communications Robert Stupak, 8A/34 Franciszka Klimczak St., 02-797 Warsaw, NIP: PL8941897340, e-mail: rodo@gestaltwarszawa.pl, tel: +48 782 755 330, "Administrator", "we".

Site: https://www.gestaltwarszawa.pl

Service categories: individual psychotherapy (18+), couples psychotherapy (18+), individual and group supervision, intrapersonal training, interpersonal training, personal development workshops and coaching (executive/life).

Language versions: This document is available in Polish and English; in case of discrepancies, the Polish version shall prevail.

1. Purposes and basis of processing

We process your data only to the extent necessary and in accordance with the RODO:

  • Booking and handling of appointments (Article 6(1)(b) of the DPA - performance of a contract) - including the date, form of appointment, organizational communication; we accomplish this through a third-party calendar provider (Zencal).

  • Payment and billing (Article 6(1)(b) and (c) - contract and tax obligations) - identification data, e-mail, amount, date, payment method; payment intermediaries (e.g. Stripe Payments Europe, PayPal Europe).

  • Contact and inquiries (Article 6(1)(f) - legitimate interest) - e-mail/telephone correspondence, answers to questions.

  • IT security maintenance (Article 6.1.f) - server logs, IP address, timestamp; anti-abuse purposes.

  • Educational/organizational materials (Article 6(1)(f)) - sending information necessary for use of services (not marketing).

  • Direct marketing (only with your express consent - Art. 6(1)(a) in connection with PKE) - newsletter/SMS/telephone; consent voluntary, revocable at any time.

  • Contact via WhatsApp messenger (the "WhatsApp" button on the page) - our legitimate interest in responding efficiently and arranging appointments (Article 6(1)(f)). If the communication relates to the performance of a concluded contract (e.g., booking confirmation), the basis is also necessity for the performance of the contract (Article 6(1)(b)). We ask that you do not transmit detailed health information via WhatsApp. If you nevertheless provide them, we process them on the basis of your express consent (Article 9 (2) (a) - always to the minimum extent necessary.

  • Special category data (e.g., health data) in the context of psychotherapy/supervision: as a general rule on the basis of express consent (Article 9(2)(a) RODO); in addition - where justified - we may rely on Article 9(2)( h ) (provision of services of a health nature by a specialist, health care), always to the minimum extent necessary.

2. Scope of data processing

  • Identification and contact: name, email, phone.

  • Booking and billing data: dates, location (online/stationary), amounts, payment status, transaction IDs (without full card details - these remain with the payment operators).

  • Data on the therapeutic/supervision process: collected only within the framework of cooperation (notes, work goals, progress) - private and confidential.

  • Technical data (logs): IP address, timestamp, device/browser information - for security and service maintenance purposes only.

  • Cookies and similar technologies - description in cookies policy.

  • WhatsApp communication data: phone number, WhatsApp name/profile, message content, timestamps and basic call metadata; depending on messenger settings.

3. Data recipients (categories and key processors)

  • Booking supplier: Zencal sp. z o.o. (KRS 0000990807), 65 Mogilska St., 31-545 Krakow - processor for calendar and reservation forms.

  • Payment operators: Stripe Payments Europe, Limited (Ireland) and PayPal (Europe) S.à r.l. et Cie, S.C.A. (Luxembourg) - processors for payment processing.

  • Providers of hosting/IT, email service, backup and security tools - only if necessary.

  • Entities authorized by law (e.g., public authorities - when the obligation is based on regulations).

  • WhatsApp Ireland Limited (Meta) - a separate controller of the data processed within its application/website (when you click WhatsApp, you are redirected to WhatsApp services and their privacy policy applies).

  • Provider of the "floating WhatsApp button" component (if used) - the scope and possible cookies/loaded resources are described in the Cookie Policy.

In relationships with processors, we enter into entrustment agreements (Article 28 RODO). Card data is processed by payment operators according to their security standards (e.g. PCI DSS).

4. Transmission outside the EEA

As a general rule, we strive to process data within the EEA. For transfers outside the EEA (e.g., through payment operator services or cloud integrations), we apply appropriate legal safeguards such as Standard Contractual Clauses (SCCs) or, if applicable to the provider, data protection framework mechanisms (e.g., Data Privacy Framework). We provide details upon request. Your use of WhatsApp may involve the processing and transfer of data by WhatsApp outside the EEA - subject to the terms of WhatsApp's privacy policy.

5. Data retention period (retention)

  • Settlement documentation (invoices): until the expiration of the deadlines under tax and accounting regulations.

  • Notes from the therapeutic process/supervision: as a general rule, up to 5 years after the end of cooperation, unless longer storage is necessary to assert or defend claims (within the limits of the statute of limitations).

  • Organizational correspondence (including email, phone and WhatsApp messages): Up to 24 months from the end of the case, or shorter - at your request, unless regulations require longer retention.

  • Marketing data (with consent): To withdraw consent or object.

6. Rights of data subjects

You have the right to: access, rectification, deletion, restriction, portability (where the basis is consent/contract), objection (where the basis is legitimate interest), and to withdraw consent at any time (without affecting the lawfulness of the processing before withdrawal). To the extent that your data is processed by WhatsApp as a separate controller (e.g., messenger metadata), you exercise your rights directly against WhatsApp.

Complaint: you have the right to complain to the President of the DPA (ul. Stanisława Moniuszki 1A, 00-014 Warsaw, uodo.gov.pl).

Requests are realized at rodo@gestaltwarszawa.pl.

7. Voluntariness of providing data

Provision of data is voluntary, but necessary for: conclusion and execution of the contract (reservations, payments, contact). Lack of some data may prevent the provision of services. The use of WhatsApp is optional. You can always choose an alternative channel (email, phone, or booking form).

8. Security

We use adequate technical and organizational measures (encryption of communication, access control, backup, minimization and retention principle). Specific data is available only to an authorized specialist. Communication via WhatsApp (1:1) as a rule uses application encryption mechanisms, but we do not have full control over the platform and its metadata. Therefore, we ask that you do not send detailed health information or confidential content via WhatsApp - transmit such information in session or through secure channels designated by us.

9. Minors

Our services are directed to adults (18+). We do not knowingly collect children's data.

10. Amendments to the document

We may update the Policy due to changes in law or processes. We will notify you of significant changes on the site; the new version is effective as of the date of publication.