Privacy Policy
We take the protection of your personal data seriously and process it exclusively on the basis of applicable data protection laws, in particular the General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG).
Secure
Encrypted data transmission via TLS/HTTPS on all pages.
Transparent
Analytics tools only with your explicit consent.
GDPR Compliant
Processing on EU servers with full GDPR compliance.
01 Data Controller
Responsible for data processing on this website:
Max Mustermann
Musterstraße 123
1010 Vienna, Austria
Email: office@therapeutensuche.at
Phone: +43 1 234 567 89
02 Legal Bases for Processing
We process personal data on the following legal bases:
- Performance of a contract (Art. 6(1)(b) GDPR): Provision of the therapist directory, management of user accounts and subscriptions.
- Consent (Art. 6(1)(a) GDPR): Web analytics (Matomo), functional cookies (OpenStreetMap maps), contact form.
- Legitimate interests (Art. 6(1)(f) GDPR): Technical operation of the website, security, error detection.
- Legal obligation (Art. 6(1)(c) GDPR): Retention of billing data in accordance with tax regulations.
03 Registration and User Account
During registration, we collect the following data:
- Name
- Email address
- Password (stored encrypted, not visible to us)
- Language preference (German/English)
This data is required to provide your user account (legal basis: performance of a contract). You may optionally enable two-factor authentication — this stores an encrypted TOTP secret and recovery codes.
Retention period: Until you delete your account. After account deletion, your data is first deactivated for 30 days (soft delete) to allow reversal of accidental deletions. After that, all personal data is permanently deleted.
04 Therapist Profile and Public Directory
Therapists who register provide the following data for publication in the directory:
- Name, title and contact details (email, phone, website)
- Practice addresses and locations
- Specialisations, areas of expertise and target groups
- Biography texts (German and English)
- Profile photos
- Information about session formats, payment options and spoken languages
This data is displayed in the public directory after approval by the operator (legal basis: performance of a contract). Profile changes are recorded in an internal log accessible only to the operator.
Location data: Practice addresses are converted into geographic coordinates using the OpenStreetMap Nominatim service to enable proximity search. The coordinates themselves are not publicly displayed.
Photos: Uploaded profile photos are stored encrypted on servers within the EU and are visible in the public directory with an active Profil+ subscription. When an account is deleted, all photos are permanently removed from the server.
05 Contact Form
When you send a message via the contact form on a therapist profile, we collect your name, email address and message. This data is forwarded exclusively by email to the respective therapist and is not stored on our servers (legal basis: consent). Contact requests are limited to 5 per minute.
06 Payment Processing (Stripe)
For processing Profil+ subscriptions, we use the payment service provider Stripe Inc. (354 Oyster Point Blvd, South San Francisco, CA 94080, USA). During the payment process, the following data is transmitted to Stripe:
- Email address
- Billing address
- Payment information (credit card data is processed exclusively by Stripe and is not stored on our servers)
- VAT identification number (for EU tax processing)
On our servers, we only store a customer number, subscription status, payment method type and the last four digits of the credit card (legal basis: performance of a contract).
Stripe also processes data in the USA. Data transfer is based on EU Commission Standard Contractual Clauses. For more information, see Stripe's Privacy Policy.
07 Email Delivery and CRM (Brevo)
For sending email notifications and managing therapist contacts, we use the service Brevo (Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, Germany).
The following data of registered therapists is transmitted to Brevo:
- Name and email address
- Subscription status (Profil+/Free)
- Profile approval status
- Location(s) and professional categories
This transfer serves communication with therapists (e.g. status notifications, payment notices) and is based on the performance of a contract. Brevo processes this data on servers within the EU. When an account is deleted, the data is also removed from Brevo.
08 Cookies
Our website uses the following cookies:
| Cookie | Purpose | Duration | Category |
|---|---|---|---|
| therapeutensuche_session | Session management, login status | 120 minutes | Necessary |
| XSRF-TOKEN | Protection against cross-site request forgery | 120 minutes | Necessary |
| locale | Language preference (German/English) | 1 year | Necessary |
| cc_cookie | Storage of your cookie preferences | 182 days | Necessary |
| _pk_* | Matomo web analytics (consent required) | 13 months | Analytics |
You can adjust your cookie preferences at any time via the cookie banner at the bottom of the screen. Necessary cookies cannot be disabled as they are essential for the operation of the website.
09 Web Analytics (Matomo)
We use Matomo, a privacy-friendly web analytics solution. Matomo is only activated when you explicitly consent via the cookie banner (legal basis: consent).
With active consent, the following is collected: pages visited, approximate origin (country/region), browser used and device type. We operate Matomo on our own instance — your data is not shared with third parties. IP addresses are anonymised before storage.
You can withdraw your consent at any time via the cookie banner.
10 Error Tracking (Sentry)
To detect and fix technical errors, we use the service Sentry (Functional Software Inc., USA). Sentry is only activated with your consent via the cookie banner.
In the event of an error, technical information is collected: error message, affected page, browser type and the sequence of actions before the error. We deliberately do not transmit personal data such as name or email address to Sentry. Data transfer to the USA is based on Standard Contractual Clauses.
11 Map Display (OpenStreetMap)
To display practice locations on a map, we use OpenStreetMap map tiles. These are only loaded when you consent via the cookie banner (legal basis: consent).
When loading the map, your IP address is transmitted to the servers of the OpenStreetMap Foundation (OSMF, United Kingdom). For more information, see the OSMF Privacy Policy.
For converting addresses into coordinates (proximity search), we use the OpenStreetMap Nominatim service. These queries are performed server-side — your IP address is not transmitted to Nominatim.
12 Hosting and Server Operation
This website is hosted on servers of Hetzner Online GmbH (Industriestraße 25, 91710 Gunzenhausen, Germany). All data is stored on servers within the EU.
When you visit the website, the web server automatically collects:
- IP address of the requesting device
- Date and time of access
- Browser and operating system used
- Page accessed and referring page (referrer)
This data is technically necessary for delivering the website and is stored in session management for the duration of your session (maximum 120 minutes). Server log files are automatically deleted after 14 days (legal basis: legitimate interest).
13 Data Backups
To protect against data loss, we regularly create encrypted backups of the database. These are stored on a separate storage service also hosted by Hetzner within the EU. Backups are automatically deleted on a staggered schedule: daily backups after 16 days, weekly after 8 weeks, monthly after 4 months. Access to backups is restricted to the operator only.
14 Your Rights
Under the GDPR, you have the following rights:
- Access (Art. 15): You may request information about your data stored by us.
- Rectification (Art. 16): You may request the correction of inaccurate data.
- Erasure (Art. 17): You may request the deletion of your data. An account deletion function is available in your user account. After a 30-day safety period, all data is permanently deleted.
- Restriction (Art. 18): You may request the restriction of processing.
- Data portability (Art. 20): You may download your data in a machine-readable format. A corresponding export function is available in your account settings.
- Objection (Art. 21): You may object to the processing of your data based on legitimate interests.
- Withdrawal of consent (Art. 7(3)): Consent given (e.g. cookie preferences) may be withdrawn at any time.
To exercise your rights, please contact office@therapeutensuche.at.
15 Right to Lodge a Complaint
If you believe that the processing of your data violates the GDPR, you have the right to lodge a complaint with the competent supervisory authority:
Austrian Data Protection Authority
Barichgasse 40–42
1030 Vienna, Austria
Phone: +43 1 52 152-0
Email: dsb@dsb.gv.at
Website: www.dsb.gv.at
Last updated: March 2026