Privacy Policy

Information about the protection of your personal data

1. Data Controller

The data controller responsible for data processing on this website is:

MMag. Dr. Gregor Studlar BA (MatchYour GmbH i.G.)

Domgasse 14

4020 Linz, Austria

datenschutz@matchyourtherapy.at

2. Data Collection

Account Data

During registration, we collect: Name, email address, encrypted password. For therapists additionally: Professional qualifications, practice address, specializations.

Matching Data

For therapy matching, we collect information about: Therapy preferences, format preferences (online/in-person), location, preferred language. This data is processed anonymously and not shared with therapists unless you explicitly consent.

Usage Data

We automatically collect: IP address (anonymized), browser type, operating system, access times, pages visited. This data serves security and service improvement purposes.

3. Legal Basis

Art. 6 (1) a GDPR:Consent (e.g., newsletter, sharing matching results)
Art. 6 (1) b GDPR:Contract fulfillment (account management, matching service)
Art. 6 (1) c GDPR:Legal obligations (invoice retention)
Art. 6 (1) f GDPR:Legitimate interests (security, fraud prevention)

4. Special Category: Health Data

During the matching process, you may voluntarily provide information about your mental well-being. This data is subject to special protection under Art. 9 GDPR.

Processing only with your explicit consent (Art. 9 (2) a GDPR)
Data is stored encrypted
No third-party access without your release
Deletion possible at any time upon request

5. Third Parties & Data Transfer

We use the following service providers who process data on our behalf:

Vercel Inc.

Hosting (servers in Frankfurt, EU)

Stripe Inc.

Payment processing (SCC, certified)

Resend

Email delivery (transactional emails, USA/SCC)

Cloudinary

Image optimization & storage

Neon

Database (PostgreSQL, EU servers)

Groq Inc.

AI analysis for matching (USA) – filtered data

Unsplash Inc.

Embedded stock photos (USA/SCC) – when loading images, your IP address may be transmitted to Unsplash

PostHog Inc.

Web analytics (EU servers) – consent required

Special Protection for AI Processing

For AI-powered matching, we use Groq Inc. (USA). To protect your privacy, we have implemented the following technical measures:

Automatic anonymization: Before each API call, structured fields (name, city) are replaced with placeholders (e.g. [NAME], [CITY_T]). Free-text inputs are additionally scrubbed by regex filters: email addresses, Austrian phone numbers (+43/06xx), street addresses and postal code-city combinations are automatically detected and replaced with placeholders such as [EMAIL], [PHONE], [ADDRESS] and [LOCATION].
Reduced identifiability: Groq only receives anonymized therapy preferences (categories, scores, methods) from which typical identification features have been removed. When therapist and patient are in the same city, this is communicated as contextual information without revealing the actual city name.
No training with your data: Your data is not used to train AI models
Temporary processing: Data is only processed for the duration of the request and not stored

These technical measures are designed to prevent the transmission of personal data to Groq. Structured fields (name, city) are replaced with fixed placeholders, and free-text inputs are additionally filtered through regular expressions. The filtering is verified through automated tests.

Data processing agreements according to Art. 28 GDPR or corresponding data protection agreements exist with all service providers that process personal data on our behalf.

International Data Transfers (Schrems II)

Some of our service providers are based in the USA or other third countries. We have implemented the following safeguards for these transfers:

EU Standard Contractual Clauses (SCC) according to Art. 46 (2) c GDPR
Supplementary technical measures (encryption, pseudonymization)
Transfer Impact Assessments (TIA) for each US provider
Preference for EU server locations where possible

Providers in EU/EEA: Vercel (Frankfurt), Neon (EU), PostHog (EU). Providers with SCC: Stripe, Cloudinary, Resend, Unsplash. Image uploads are processed exclusively through our server — your IP address is not transmitted to Cloudinary. For Groq, we implement additional technical filtering measures (see above). Analytics tools (PostHog) are only activated with your consent, both client-side and server-side.

6. Automated Decision-Making

In accordance with Art. 22 GDPR, we inform you about the use of automated decision-making:

AI-powered Matching

Our matching algorithm uses artificial intelligence to suggest suitable therapists. These suggestions are based on your therapy preferences, preferences, and location.

Your Rights

Matching results are recommendations, not binding decisions
You freely decide which therapists to contact
You can request a manual review of results at any time
You can express your point of view and contest the decision

For a manual review or questions about our automated systems, contact us at: datenschutz@matchyourtherapy.at

7. Cookies

Our website uses cookies. We distinguish between:

Necessary Cookies

Session cookies for login and security. These are required for website operation.

Functional Cookies

Store your preferences like language and theme. Only with your consent.

Analytics Cookies (optional)

With your explicit consent, we use the following analytics tools to improve our service:

PostHog (EU servers): Analysis of user behavior to optimize the matching process. Provider: PostHog Inc., data is processed on EU servers.

These tools are only activated after your active consent in the cookie banner. You can withdraw your consent at any time.

You can change your cookie settings at any time via the cookie banner or in your browser.

8. Your Rights

According to GDPR, you have the following rights:

Right of access (Art. 15)
Right to rectification (Art. 16)
Right to erasure (Art. 17)
Right to restriction (Art. 18)
Right to data portability (Art. 20)
Right to object (Art. 21)

Right to Complain

You have the right to complain to the Austrian Data Protection Authority:

Austrian Data Protection Authority
Barichgasse 40-42, 1030 Vienna
dsb@dsb.gv.at

9. Data Retention

Account dataUntil account deletion
Matching data12 months after last use
Billing data7 years (legal retention requirement)
Server logs30 days

10. Data Protection Contact

For questions about data protection or to exercise your rights, please contact us at:

datenschutz@matchyourtherapy.at

We will respond to your request within 30 days.

Last updated: March 2026