Privacy Policy

1. Introduction

Umebi is committed to protecting the privacy and security of the personal data of its users and mental-health professionals. This document explains, in a clear and transparent manner, how we collect, use, store, share and protect your personal data, in accordance with:

  • Regulation (EU) 2016/679 — General Data Protection Regulation (“GDPR”);
  • Law No. 58/2019 of 8 August, which implements the GDPR in Portugal; and
  • any other applicable legislation and guidelines issued by the Portuguese Data Protection Authority (“CNPD”).

This policy applies to all visitors, registered users, mental-health professionals, partners and any person interacting with the umebi.com platform and mobile applications (hereinafter, the “Platform”).

2. Data Controller and Contact

The data controller is Umebi, Lda.

For any data-protection matters, please contact us at hello@umebi.com.

3. Personal Data We Collect

We collect only the data that is strictly necessary (data-minimisation principle):

3.1 Data provided by all users

  • Full name;
  • Email address;
  • Telephone number;
  • Date of birth (to verify minimum age);
  • Tax Identification Number (NIF);
  • Address (country, postcode, city, street and number);
  • Payment details (last 4 digits of the card; Stripe token) — we never store full card data.

3.2 Data provided by mental-health professionals

  • Professional registration number / licence with the Portuguese Psychologists Association (OPP);
  • Identification document (citizen card or passport);
  • Updated criminal-record certificate;
  • Academic diplomas and certificates;
  • Bank details for fee processing.

3.3 Usage and technical data

  • IP address, device type, operating system, browser and language;
  • Access logs, in-app events and usage metrics;
  • Cookies and similar identifiers (see section 8).

3.4 Sensitive health data

When you use our tele-therapy services, you may share information concerning your mental health. Such data is considered special-category data under Article 9 GDPR and is processed only with explicit consent and/or when necessary for the provision of health care by professionals bound by confidentiality.

4. Purposes and Legal Bases

Purpose | Legal basis | Examples
Account creation & management | Art. 6(1)(b) GDPR — contract performance | Account activation, password reset
Provision of tele-therapy services (health data) | Art. 9(2)(h) GDPR — health care / explicit consent | Video sessions, messaging between user and therapist
Payment processing | Art. 6(1)(b) & 6(1)(c) GDPR — contract / legal obligation | Charging via Stripe, invoice issuance
Compliance with legal & regulatory duties | Art. 6(1)(c) GDPR — legal obligation | Requirements of OPP, ERS, Tax Authority, anti-money-laundering
Platform improvement & customer support | Art. 6(1)(f) GDPR — legitimate interest | Usage analytics, A/B tests, ticket handling
Direct marketing (newsletter) | Art. 6(1)(a) GDPR — consent | Sending well-being articles and resources
Fraud prevention & security | Art. 6(1)(f) GDPR — legitimate interest | Detecting suspicious logins, identity verification

You may withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

5. Recipients and International Transfers

We share data only with processors that:

  • act in strict accordance with Umebi’s documented instructions;
  • offer adequate security guarantees; and
  • have signed a data-processing agreement with us.

5.1 Main processors

Category | Entity | Location | Safeguards
Payments | Stripe Payments Europe, Ltd. | EU | PCI-DSS encryption, Standard Contractual Clauses (SCC)
Hosting | Vercel Inc. | EU (Frankfurt/Paris regions) | ISO 27001, SOC 2, encryption at rest
Analytics | Google Ireland Ltd. (Google Analytics 4 — anonymised IP) | EU/EEA | IP masking, retention controls

If data is transferred outside the EEA, we ensure appropriate safeguards (SCC, adequacy decisions or BCR).

5.2 Public-data disclosure

Personal data that is made public on the Platform by mental-health professionals or users — for example name, profile photo or comments — may be reused by Umebi in other contexts (including promotional materials) without additional permission requests. We assume that, by publishing this data publicly, the data subject consents to such use.

If at any time you do not want your public data to be shared in this way, simply email privacy@umebi.com requesting exclusion, and we will process your request without undue delay.

6. Security

We apply technical and organisational measures in line with Article 32 GDPR, including:

  • TLS 1.3 encryption for all communications;
  • AES-256 encryption of data at rest and in backups;
  • Multi-factor authentication for sensitive accounts;
  • Continuous logging and monitoring of access and events;
  • Regular penetration testing and vulnerability assessments;
  • Incident-management policy with notification to the CNPD and data subjects within the statutory deadlines.

7. Retention

Data is kept only for the strictly necessary period:

  • Account data: for the duration of the contractual relationship; 5 years after last activity to defend legal claims;
  • Billing data: 10 years (Article 123-4 CIRC and 40 IVA Code);
  • Application logs: up to 24 months for security and audit purposes;
  • Professionals’ documents: 6 years after the end of the partnership to comply with legal obligations.

After these periods, data is securely deleted or irreversibly anonymised.

8. Cookies and Similar Technologies

Umebi uses:

  • Strictly necessary cookies (login, session preferences);
  • Performance cookies (Google Analytics 4) with anonymised IP and 14-month retention.

You can manage cookies in your browser settings. Disabling certain cookies may affect Platform functionality.

9. Data-Subject Rights

Under Articles 15-22 GDPR, you have the right to:

  1. Access your data;
  2. Rectify inaccurate or incomplete data;
  3. Erase your data (“right to be forgotten”), where applicable;
  4. Restrict processing;
  5. Object to processing based on legitimate interest or marketing;
  6. Data portability to another controller;
  7. Withdraw consent at any time;
  8. Not be subject to solely automated decisions with significant effects.

Requests may be submitted via the dashboard or by email to privacy@umebi.com. We will respond, in principle, within 30 days.

10. Children and Adolescents

Umebi is not intended for individuals under 18 years of age. If we become aware that we have collected data from a minor, we will promptly delete such information.

11. Automated Decisions and Profiling

Umebi does not carry out automated profiling that produces legal effects or similarly significant impacts. The matching algorithm between user and therapist relies on objective criteria (availability, area of expertise), but the final decision remains human.

12. Changes to this Policy

We may update this document periodically. Material changes (affecting your rights) will be notified 30 days in advance by email or in-app notification. The date of the last update is indicated at the end of this document.

13. Contacts, Complaints and Supervision

If you believe that your data is being processed in breach of the GDPR, you may lodge a complaint with the CNPD (https://www.cnpd.pt) or with the supervisory authority of your country of residence.

14. Language Disclaimer

In case of doubt, inconsistency or misunderstanding arising from linguistic nuances, the original Portuguese (Portugal) version of this Privacy Policy shall prevail.


Last update: 6 August 2025