top of page

Mentrac Privacy Policy

At MENTRAC Sàrl (hereinafter: MENTRAC), we attach great importance to privacy and the protection of personal data. We are committed to protecting the privacy and intimacy of our clients (also referred to as beneficiaries) and to ensuring that the personal data we process in connection with the services they expect from psychologists approved by MENTRAC is protected by adequate organisational and security measures.

​

The personal data collected are processed, in short, only for the performance of the services that psychologists provide to beneficiaries. It is not sold, transferred or transmitted in any way to third parties, except to third parties concerned with the payment of the services paid by customers to MENTRAC, to the extent strictly necessary.

 

I. Legal bases

This privacy policy complies with the Federal Act of 25 September 2020 on data protection (hereafter : FADP) and its Ordinance of 31 August 2022 (OPDo), it being specified that MENTRAC is based in Switzerland and that its services are intended exclusively for people residing in Switzerland.

 

 
II. Data controller

The data controller (Art. 5 (j) FADP) is:

MENTRAC Sàrl

Chemin Sur Rosset 32a

1040 Echallens (Switzerland)

info@mentrac.com  

 

For any questions or requests in relation to the processing of personal data, in particular the right of access to personal data, you can contact the Data Controller by post or email using the contact details set out above.

​

​
III. Scope

This privacy policy is applicable to all data processing carried out by MENTRAC in connection with the provision of psychological support services, in particular those accessible on the platform at the address < mentrac.com > (all services referred to below: the Services). The people concerned by the treatments are MENTRAC's customers, visitors to the platform who fill out a contact form, and psychologists.

​

 

IV. Purposes of the processing of personal data

Personal data is only processed for purposes related to the provision of services, i.e. in particular videoconferences between beneficiaries and psychologists, the operation of the platform, the improvement of the platform and communication with clients and psychologists.

​

MENTRAC does not sell, transfer or otherwise transmit its customers' personal data to third parties, except to third parties concerned by the payment that customers make for the services accessible on the MENTRAC platform, to the extent strictly necessary (see below, section VI).

​

In addition, any disclosure of personal data that is required by law (Art. 31 FADP), e.g. to meet justified requirements of authorities, is reserved.

 

​

V. Categories of data concerned

In the context of a contractual relationship with MENTRAC, we process the usual basic personal data (surname, first name, e-mail and postal addresses). Data relating to the payment of services are processed exclusively by the subcontractor concerned (see point VI below), without access to this data by MENTRAC, which is not involved in the transaction.

​

Although health-related services are provided on the MENTRAC platform, we do not process data that relates to the health of clients or information that allows conclusions to be drawn about it. Psychologists' session notes are recorded on the platform, but are only accessible to psychologists, excluding MENTRAC. This is sensitive data within the meaning of Art. 5 let. c FADP. Psychologists approved by MENTRAC are bound by secrecy and are prohibited from disclosing this sensitive personal data to third parties. 

​

In the context of the operation of the platform, we also process non-personally identifiable data of a technical nature (e.g. IP address, type of device used), including cookies, which may depend on your browser/device settings and the choices you have made via the cookie banner that was presented to you when you first visited the site.

 

​

VI. Subcontractors and transfers abroad

We may use subcontractors, i.e. third-party companies that process personal data on our behalf and under our responsibility, to the exclusion of any processing in their own interest. Subcontractors are only allowed to carry out processing that we would be entitled to carry out ourselves.

​

In general, we select as much as possible subcontractors who offer excellent guarantees in connection with the protection and security of your data (certifications, etc.), and give preference to Swiss and European subcontractors. The MENTRAC platform, including the integrated video conferencing solution, was developed by a Swiss contractor and is hosted in Germany. The management of the payment of the services is entrusted to the company Stripe Payments Europe Limited, whose headquarters are in Ireland; In this context, data is transferred to Stripe Inc., based in the USA, which is certified according to the Swiss-U.S. Data Privacy Framework. This is only data that is strictly useful for the payment of services. This data is not used by these companies for any other purpose.

​

The psychologists involved in the provision of the services process the personal data of the beneficiaries under their own responsibility, on their behalf and in the exclusive interest of the beneficiaries.  Some of these psychologists may be established in a neighbouring country, in particular France or Germany, it being specified that these States are recognised by the Federal Council as guaranteeing an adequate level of data protection (OPDo, Annex 1).

​

​

VII. Data Security

MENTRAC takes all appropriate technical and organisational measures in relation to the risks involved to guarantee the security of the data.  MENTRAC's infrastructure is based on a three-tier architecture:

  1. Nginx proxy: connected to the Internet, this proxy receives connections from users of the platform and manages their redirection to internal services.

  2. Application server: hosting the application software, this server does not store any sensitive data. It communicates on an internal network with the proxy and on another internal network dedicated to the database, thus ensuring strict separation.

  3. Database server: Located on an isolated internal network, it is accessible only by the application server, without a direct connection to the Internet.

 

The psychologists’ notes are stored on the database server in an encrypted manner and unreadable in the event of unauthorized access. The correspondence between each file and the client is separated, as the identifiers are not kept in the files themselves.

 

​

VIII. Conservation

In general, the data is stored for as long as it is necessary for the purposes of the processing and other legal requirements.

​

Essential data relating to a contractual relationship, such as identity and information on the services contracted (types of packages, invoicing), are kept for up to 10 years from the end of the relationship, in accordance with the limitation period for contractual actions. Instant messages exchanged via chat during a session are deleted from the system within two weeks.

​

At the end of the contractual relationship between MENTRAC and the beneficiary, MENTRAC will hand over the session notes relating to the person concerned to the last psychologist who took care of him or her and immediately delete them from the MENTRAC platform. MENTRAC is not informed at any time of the content of the session notes in question.

​

 

IX. Profiling and automated individual decision-making

We do not carry out high-risk profiling (Art. 6 para. 7 FADP) and do not make any decisions based solely on automated data processing (Art. 21 FADP).

​

 

X. Rights of data subjects

If you are personally affected by data processing carried out by MENTRAC (Art. 5 (a) FADP), you have the following rights under the conditions set out in the applicable law: a right of access (Art. 25 FADP), a right to rectification (Art. 32 FADP), a right to erasure (Art. 32 FADP), a right to object (Art. 30 FADP), a right to data portability (Art. 28 FADP) and a right to report to the competent authority (Art. 49 FADP).

​

To exercise your rights, please send us your request by signed letter, together with a copy of your identity document, to the address indicated in section II of this document. We will endeavour to respond to you within 30 days.

​

 

XI. Changes

We reserve the right to change this Privacy Policy at any time. In such cases, changes will be communicated to you by an appropriate means, unless they are manifestly inconsequential to you.

 

​

MENTRAC privacy policy in force since 21.12.2024.

bottom of page