Privacy Policy
Last updated: 30 May 2026
Who we are
Freudche is operated by Reza Khosravivala in the Netherlands ("we", "Freudche"), the data controller for the personal data described here. When Freudche is used within a clinic under a data processing agreement, that clinic may act as the controller and Freudche as its processor; this policy describes the direct-use case where we are the controller. For any privacy question or to exercise your rights, email reza@freudche.com.
What this policy covers
This explains how the Freudche application handles personal data when a therapist uses it to document and analyze therapy sessions. It is separate from how our website handles a demo booking — for that, see the notice on our contact page. Freudche is in limited pre-launch; the practices below describe how the product works when used.
Whose data we process
(a) the therapist who holds the account (name, email, login, and practice details); (b) the patient — both the identifying details the therapist records (name, contact details, date of birth, notes) and the session itself (audio, transcript, and the analysis derived from them) — this is health data (GDPR Article 9); (c) people mentioned during sessions (e.g. family, colleagues), whose names and described relationships are recorded as part of the patient's record.
What we process and why
We process session audio and transcripts to: transcribe the session, generate a summary, map the people and relationships discussed, and produce therapy-approach-specific observations and editable note templates. To give the therapist continuity, the analysis also detects patterns across a patient's sessions over time (Radar) and draws on that patient's earlier sessions for added context (RAG). The legal basis for all of this is explicit consent (Article 6(1)(a) and Article 9(2)(a) GDPR), which every user gives up front as a condition of creating an account; that single consent covers longitudinal pattern detection and the use of prior sessions — there is no separate step to switch them on.
People mentioned in sessions
We hold information about third parties only as part of the patient's record — their name, the relationship the patient describes, and context about how they feature in the patient's life — because contacting each person named in therapy would be impossible and would itself breach confidentiality (Article 14(5)(b) GDPR). Their information is removed when we erase the patient's record.
How we protect your data
Therapy data is the most intimate data there is, and we treat it that way. Concretely:
- All data is encrypted in transit (HTTPS/TLS), and everything is processed and stored on EU-based infrastructure.
- Access is restricted by authentication and role — a session is reachable only by the therapist who owns it and a supervisor within the same practice.
- Before transcripts go to our analysis model, we replace speaker identities with role labels (Patient, Therapist) rather than real names. The spoken content itself is sent as said, so any names a patient happens to mention are processed as part of the dialogue.
- We keep the raw session audio so the therapist can play it back later; it is stored in the EU under the same access controls.
Therapy content falls under the therapist's professional duty of confidentiality (medical secrecy, beroepsgeheim), and we process it under that frame, not around it. Ahead of general availability we are adding encryption of data at rest, tightening access controls, and aligning our security program with the NEN 7510 and ISO 27001 standards before any real patient data is processed.
Who else processes your data
We keep our processor list short and EU-resident. Each receives only the data it needs for its task, and we put a data processing agreement in place with every processor before any real patient data is processed.
| Processor | Purpose | Location | Transfer safeguard |
|---|---|---|---|
| AssemblyAI | Speech-to-text transcription | EU endpoint (Dublin, Ireland) | Uses its own sub-processors, some outside the EEA, under Standard Contractual Clauses |
| Google (Gemini via Vertex AI) | Analysis of session transcripts | EU region (Netherlands) | EEA-resident; covered by the Google Cloud Data Processing Addendum |
| Resend | Transactional email (account and intake) | EU | Standard Contractual Clauses where a transfer applies |
| EU cloud hosting & storage | App hosting and storage of session audio | EU | EEA-resident |
Audio sent for transcription may be processed by AssemblyAI's own sub-processors, some located outside the EEA; those transfers are governed by Standard Contractual Clauses (Article 46 GDPR). Where any other transfer outside the EEA could occur, it is covered by an adequacy decision or Standard Contractual Clauses (Article 45/46 GDPR). We notify account holders before adding or changing a sub-processor.
How long we keep it
Clinical records — including the session audio we keep for playback — are retained for as long as the therapist's professional and legal record-keeping obligations require. Under the Dutch medical treatment law (WGBO) this is generally 20 years from the end of treatment; it varies by jurisdiction. Account and login details are kept for the life of the account. Session audio is not auto-deleted; it stays available to the therapist for the life of the record. AI-generated content and recordings can be deleted on request at any time, subject to those retention obligations.
Data breaches
If a personal-data breach occurs, we notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours where the breach is likely to present a risk, and we inform affected users without undue delay where the risk is high (Articles 33–34 GDPR).
Children's data
Freudche is intended for licensed therapists documenting the care of adult patients; the service is not directed at children. Where therapy involves a minor, the responsible therapist obtains guardian consent in line with their professional obligations before using Freudche for that patient.
Your rights
You have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), and to object (Art. 21). You can withdraw your consent at any time without affecting prior processing (Art. 7(3)). To exercise any right or withdraw consent, email reza@freudche.com — we handle requests, including erasure, within 30 days. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl).
How the AI works
Freudche analyzes sessions to surface observable patterns — recurring themes, emotional tone, and the relationships a patient describes. To do this it generates indicators, including numeric scores, about the patient and the people they mention (for example, how emotionally present a relationship is). This is profiling in the GDPR sense, and we are open about it: it produces no diagnoses and makes no automated decisions about patients. Every output is a prompt for the therapist's own judgment, never a decision in itself (no solely-automated decision under Article 22 GDPR). You can ask us to explain how an indicator was derived, and to contest or delete it. All clinical judgment remains the therapist's.
Changes
We post changes on this page with an updated date, and notify account holders of material changes.