Privacy Policy

Last updated: 2026-06-02

1. Data Controller

The data controller is My Ally Monika Wirżajtys (NIP 8441939035, REGON 340192810), ul. 3 Maja 26/3, 85-016 Bydgoszcz, Poland, operating the SESupervision platform. We process your personal data under the GDPR. For any privacy matter, write to contact@sesupervision.com.

2. Data We Collect

We collect the data you give us and the data the platform generates as you use it:

  • Identity and contact: your name and email address.
  • Sign-in: magic-link tokens, or your Google account identifier and avatar if you sign in with Google.
  • Supervisor profile (supervisors only): biography, languages, video-meeting link, specialties, and public profile address.
  • Billing: billing name or company name, address, and tax identifier (NIP, EU VAT number, or PESEL for individuals).
  • Phone number (optional): if you choose to receive SMS notifications, your mobile number and the record of your consent. You can remove your number or turn SMS off at any time in your account settings.
  • Sessions: booking dates, attendance, prices, and Stripe payment identifiers.
  • Session notes: notes a supervisor writes about a supervision session.
  • Reviews: your rating and review text.
  • Claims and disputes: the reason you submit and our resolution notes.
  • Supervisor reputation events: no-shows and late cancellations, which help keep the marketplace reliable.
  • Push subscriptions: only if you opt in to browser notifications.
  • Waitlist entries and technical preferences (language and time zone).

3. Legal Bases

We rely on:

  • Article 6(1)(b) — performance of our contract with you, covering booking and running sessions.
  • Article 6(1)(c) — legal obligations, mainly issuing invoices through the national e-invoicing system (KSeF).
  • Article 6(1)(f) — our legitimate interest in service quality, dispute resolution, and a reliable marketplace.
  • Article 6(1)(a) — your consent, for browser push notifications.
  • Article 9(2)(h) — for session notes, which may touch on health, processed for the provision of professional supervision.

4. Purposes of Processing

We use your data to book and run supervision sessions, process payments and issue invoices, record attendance, communicate with you, publish and moderate reviews, and resolve disputes.

5. Processors and Recipients

We share data with:

  • Brevo — email delivery (France, EU).
  • Stripe — payments and payouts (United States and EU).
  • Google — OAuth sign-in (United States).
  • Cloudflare R2 — profile photos (European region).
  • Hetzner — application hosting, database, and backups (EU).
  • KSeF / Ministry of Finance — invoices (Poland, under statutory obligation).
  • Push providers — Google, Apple, and Mozilla.
  • Video provider chosen by your supervisor, who supplies the meeting link. This sits outside the platform.

6. Transfers Outside the EEA

Stripe and Google may process some data in the United States under Standard Contractual Clauses and the EU-US Data Privacy Framework. Push notification endpoints may route through providers in the United States. Everything else stays within the EU.

7. Special-Category Data (Article 9)

Session notes can describe a supervisee's clinical situation and may therefore include health data. We process them under Article 9(2)(h) and limit access to the supervising supervisor and, where strictly necessary, our administration. Please do not enter third-party personal data or health details in free-text fields such as cancellation reasons or claims.

8. Data Retention

  • Account: once you request deletion, we wait 7 days and then anonymise the account. We keep issued invoices, which remain linked to it.
  • Session notes: deleted for good when their author or their subject deletes their account.
  • Invoices: 5 years, as the Accounting Act requires.
  • Reviews: we anonymise the text after 2 years; the numeric rating stays as part of an average.
  • Reputation events and published reviews: until the supervisor stops practising on the platform.
  • Sign-in tokens: about 10 minutes.

9. Your Rights

Under the GDPR you can:

  • access and export your data as a JSON file from your account settings,
  • correct inaccurate data,
  • delete your account, except for data we must keep, such as issued invoices and open disputes,
  • restrict or object to processing,
  • port your data.

You may also lodge a complaint with the Polish supervisory authority (PUODO).

10. Cookies

We use essential cookies only, which keep you signed in. We run no analytics or marketing cookies.

11. Security

We limit who can read your data, and we host the application, database, and backups within the EU.

12. Changes to This Policy

We will tell you about material changes to this policy, and may ask you to accept the new version.

13. Contact

For privacy matters, write to contact@sesupervision.com.