Privacy Policy and Data Protection
Last updated: 17 May 2026
1. Data Controller
Sofia Nobre
Clinical Psychologist — OPP Licence No. 020726
Tax ID (NIF): 202780252
Coimbra, Portugal
Email: clinica@sofianobre.pt
Phone: +351 963 161 234
This is a translated version provided for information purposes. The Portuguese version is the legally binding document.
2. Personal data we collect
We collect the following data depending on your interaction with the website:
- Identification and contact: full name, email address, phone number.
- Booking: date and time of session, type of service selected, optional notes provided in the booking form.
- Payment: payment data is processed exclusively by Stripe, Inc. We do not store credit or debit card data in our systems.
- Contact messages: content of messages sent via the website contact form.
Health data collected during therapy sessions is protected by professional secrecy under the Statute of the Portuguese Psychologists Association (Law No. 57/2008) and, as regards clinical activities, is not subject to this policy.
3. Purposes and legal bases
- Booking management and service delivery — legal basis: performance of a contract (Art. 6(1)(b) GDPR).
- Payment processing — legal basis: performance of a contract; sub-processor: Stripe, Inc. (see section 5).
- Responding to contact messages — legal basis: legitimate interest (Art. 6(1)(f) GDPR) and explicit consent provided in the form (Art. 6(1)(a) GDPR).
- Compliance with legal and tax obligations — legal basis: legal obligation (Art. 6(1)(c) GDPR).
4. Health data
Health data constitutes a special category of personal data under Art. 9 GDPR. Its processing in the context of the therapeutic relationship is based on Art. 9(2)(h) GDPR — provision of healthcare — and is carried out under professional secrecy obligations.
The contact form must not be used to share sensitive health information. All clinical information is handled exclusively in the context of sessions.
5. Sub-processors
Your data may be shared with the following service providers acting as sub-processors:
- Stripe, Inc. (payment processing) — based in the USA, certified under the EU–U.S. Data Privacy Framework. See Stripe's privacy policy.
- Vercel, Inc. (website hosting and database) — based in the USA, with EU infrastructure. See Vercel's privacy policy.
- Resend, Inc. (transactional email delivery, including booking confirmations) — based in the USA. See Resend's privacy policy.
Your data is not sold or shared with third parties for commercial or marketing purposes.
6. International data transfers
Stripe, Inc., Vercel, Inc. and Resend, Inc. are based in the United States of America. Transfers to these sub-processors are made under appropriate legal safeguards, namely the EU–U.S. Data Privacy Framework and/or Standard Contractual Clauses approved by the European Commission, under Art. 46 GDPR.
7. Retention periods
- Booking and clinical contact data: retained for the duration of the therapeutic relationship and for a maximum of 5 years after the last session, unless a different legal obligation applies.
- Tax and billing data: retained for 10 years, in accordance with applicable tax legislation.
- Contact messages (without subsequent booking): retained for the time strictly necessary to respond, and deleted after 12 months of inactivity.
8. Your rights
Under GDPR and applicable Portuguese law, you have the following rights:
- Access — to obtain confirmation as to whether your data is being processed and to receive a copy.
- Rectification — to correct inaccurate or incomplete data.
- Erasure — to request deletion of your data in cases provided for by law (Art. 17 GDPR).
- Restriction of processing — to restrict processing in certain circumstances (Art. 18 GDPR).
- Data portability — to receive your data in a structured, machine-readable format (Art. 20 GDPR).
- Objection — to object to processing based on legitimate interest (Art. 21 GDPR).
- Withdrawal of consent — where processing is based on consent, you may withdraw it at any time, without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us by email: clinica@sofianobre.pt. Requests will be answered within 30 days (extendable by a further 60 days for complex requests, with prior notification).
9. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, or destruction, including encrypted transmission (HTTPS/TLS) and restricted access controls.
10. Cookies
This website does not use tracking, behavioural analytics, or advertising cookies. Technically necessary cookies may be used for the Stripe payment process. These are considered essential under Art. 5(3) of the ePrivacy Directive 2002/58/EC and do not require prior consent.
11. Changes to this policy
This policy may be updated periodically to reflect legal or operational changes. In the event of significant changes, a notice will be published on this page. The date of the last update is shown at the top of this document.
12. Supervisory authority and contact
You have the right to lodge a complaint with the competent supervisory authority:
Comissão Nacional de Proteção de Dados (CNPD)
Rua de São Bento, No. 148-3, 1200-821 Lisbon, Portugal
www.cnpd.pt
For any questions regarding this policy or the processing of your data, contact: clinica@sofianobre.pt