Privacy Policy
Last updated: 30 May 2026
1. Data controller
Wimpur B.V. [registered office address, to be completed], registered with the Dutch Chamber of Commerce under KvK [number, to be completed], is the data controller for personal data processed through the platform. Contact: privacy@wimpur.com.
1a. Data Protection Officer
Because we handle data relating to mental health and wellbeing, we have appointed a Data Protection Officer (DPO). You can reach our DPO at dpo@wimpur.com for any question regarding the processing of your personal data or the exercise of your rights under the GDPR.
2. What we collect
- Account data: name, email, role, authentication identifiers.
- Intake answers: the responses you give in the purpose intake.
- Messages and bookings: communication and session metadata exchanged with practitioners.
- Payment data: handled by Stripe; we receive transaction status and identifiers, never your full card number.
- Practitioner verification data: credentials and ID documents uploaded for review.
- Usage data: basic device, browser, and event logs.
3. Legal basis (GDPR)
We process data to perform the contract with you (Art. 6(1)(b)), to comply with legal obligations (Art. 6(1)(c)), and based on our legitimate interest in operating a safe platform (Art. 6(1)(f)). Sensitive data shared during sessions is processed under explicit consent (Art. 9(2)(a)).
4. How we share data
- With practitioners you contact, so they can support you.
- With Stripe, to process payments and payouts.
- With infrastructure providers (hosting, database, email) under data-processing agreements.
- When required by law.
We do not sell personal data.
4a. International transfers
Some of our sub-processors (including Stripe and parts of our hosting and email infrastructure) are established outside the European Economic Area, including in the United States. When personal data is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where appropriate, supplementary technical and organisational measures to ensure an essentially equivalent level of protection. A copy of the relevant safeguards is available on request at privacy@wimpur.com.
4b. Automated decision-making
We use a simple matching algorithm that scores practitioners against your intake answers (focus areas and languages) to suggest a shortlist. This is not automated decision-making with legal or similarly significant effects within the meaning of Art. 22 GDPR: the suggestions are advisory, you choose which practitioner to contact, and a human is always involved in the booking and conversation that follows. You can ask us to explain how a particular suggestion was generated at any time.
5. Your rights
You have the right to access, rectify, erase, restrict, port, and object to processing of your personal data, and to withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal. To exercise these rights, email privacy@wimpur.com. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl) or your local supervisory authority in the EU.
6. Retention
We retain account and session data while your account is active and for up to 24 months after closure for legal and accounting purposes. Verification documents are retained for as long as the practitioner is published, plus 12 months.
7. Security
We use industry-standard encryption in transit, row-level security on our database, scoped access for staff, and audited third-party processors. No system is perfectly secure; please use a strong password.
7a. Data breach notification
If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of it, in line with Art. 33 GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, in line with Art. 34 GDPR.
8. Cookies
We use strictly necessary cookies to keep you signed in and to remember your cookie preferences. No advertising or cross-site tracking cookies are set. Any non-essential analytics cookies will only be placed after you give consent through the cookie banner shown on your first visit; you can change your choice at any time by clearing cookies for this site.
9. Changes
We will notify you of material changes to this policy by email or in-app notice.