Privacy Policy

Last updated: 31/05/2026

1. Data Controller

Data Controller: Alfredo Baratta, Via Tullio Capone, Battipaglia 84091 (SA) – email: [email protected].

2. Types of Data

  • Account data (name, email, credentials, settings).
  • Chat content (may include health-related data or other special categories – Art. 9 GDPR).
  • Technical metadata (IP, user-agent, timestamp) and security logs.
  • Strictly necessary cookies.

3. Purposes and Legal Bases

  • Service provision – Art. 6(1)(b) GDPR.
  • Security and abuse prevention – Art. 6(1)(f) GDPR.
  • Improvement/research (if applicable) – Art. 6(1)(a) + 9(2)(a) GDPR, explicit consent.
  • Legal obligations (incl. DSA Art. 18) – Art. 6(1)(c) GDPR.
  • Vital interests in case of serious danger – Art. 6(1)(d) + 9(2)(c) GDPR.

Automated decisions: no solely automated decision-making with legal effects pursuant to Art. 22 GDPR.

4. Minors

Use is reserved for individuals over 16 years old. Parental/guardian consent is required for minors. In Italy, autonomous consent is valid from 14 years old.

5. Payments and Subscriptions

Payments are handled by the external provider Stripe. We do not store users' payment card data in any way: such information is processed exclusively by Stripe in compliance with the highest security standards (PCI-DSS). Activated subscriptions are non-refundable, as service delivery involves immediate use of credits on external services essential to the chat system's operation. Users retain the ability to disable automatic renewal at any time from their account settings.

6. Message Retention

Messages exchanged within the platform are encrypted in the database and their retention is entirely at the user's discretion. Users have the ability to delete their messages at any time through the features provided by the application. In the absence of manual deletion by the user, messages will remain archived as long as the account remains active.

7. Data Retention

  • Security logs: 90 days.
  • Research/training consents: until revocation and in any case 24 months.

8. Recipients, Transfers and Data Processors

Google LLC (Gemini API) — Data Processor appointed under Art. 28 GDPR via Google's API Terms of Service and Data Processing Amendment. Your data is transferred to the USA under Standard Contractual Clauses (EU Decision 2021/914) and supplementary technical measures. Google does not use API data to train its models. Stripe Inc. — payment processing (PCI-DSS). Any additional cloud providers or consultants are appointed as processors in writing.

Data Protection Impact Assessment (DPIA): in accordance with Art. 35 GDPR, Psica has conducted a Data Protection Impact Assessment for the systematic processing of mental health data. The DPIA is available upon reasoned request to the data controller.

9. Security

TLS encryption in transit, encryption at rest, access control, logging, secure backups, privacy by design/by default.

10. GDPR Rights

You can exercise the rights of access, rectification, deletion, restriction, portability, objection and withdrawal of consent by writing to [email protected]. You have the right to lodge a complaint with the Supervisory Authority.

11. Contacts

Data Controller Email: [email protected].