Legal
Privacy Policy
Version 2.0 — 1 April 2026 · MyEntourage Sàrl
1. Data Controller
The controller of personal data collected through the SuperMe platform (app.mysuperme.com) is:
| Company name | MyEntourage Sàrl |
| Legal form | Limited liability company (Sàrl) under Swiss law |
| Company number | CHE-410.574.084 |
| Registered office | Rue Saint-Pierre 2, c/o Christophe Fischer, notaire, 1003 Lausanne, Switzerland |
| Directors | Mr Yan Delgado and Mr Stéphane Daniel Bezençon |
| Data contact | support@mysuperme.com |
| Hosting | Amazon Web Services (AWS) — EU North 1 region, Stockholm, Sweden |
MyEntourage Sàrl is committed to processing personal data in compliance with the General Data Protection Regulation (GDPR — EU Regulation 2016/679), the Swiss Federal Act on Data Protection (revFADP, in force since 1 September 2023) and the UK GDPR for persons residing in the United Kingdom.
2. Data Collected
2.1 User data
| Identity data | First name, surname, date of birth, email address, phone number |
| Account data | Login credentials (email + hashed password), account preferences, language |
| Profile data | Wellness goals, interests, information shared during the matching questionnaire |
| Health data ⚠ | Content of exchanges during therapy and wellness coaching sessions, information on emotional and mental state, wellness tracking journals — SPECIAL CATEGORY DATA (Art. 9 GDPR) |
| Transaction data | Booking history, amounts invoiced, payment method (type only — no card number) |
| Technical data | IP address, browser type and version, device type, operating system, session ID |
| Navigation data | Pages visited, visit duration, traffic source, in-app actions |
| Communication data | Exchanges with customer service via support@mysuperme.com or the integrated chat |
2.2 Expert (Professional) data
| Identity data | First name, surname, email address, phone number, postal address |
| Professional data | Degrees, certifications, professional registration number, years of experience, biography |
| Qualification data | Supporting documents (CV, diplomas, certificates), professional liability insurance certificate |
| Financial data | VAT number, bank account details (IBAN) for fee payments |
| Performance data | User ratings, number of sessions completed, satisfaction rate |
| Technical data | Same as Users — IP address, device, sessions |
2.3 Data we never collect
✅ DATA EXCLUDED FROM ALL PROCESSING
3. Legal bases and purposes of processing
In accordance with Article 6 of the GDPR, each processing activity rests on an identified legal basis. Health data (Art. 9 GDPR) is subject to a separate explicit consent.
| Processing / Purpose | Data concerned | Legal basis | Retention period |
| Account registration and management | Identity, email, password | Art. 6(1)(b) — Contract performance | Duration of relationship + 5 years |
| Therapy and wellness coaching sessions | Health and mental wellbeing data | ⚠ Art. 9(2)(a) — EXPLICIT consent | 5 years after last session, then deletion |
| User / Expert matching | Objectives, preferences, profile data | Art. 6(1)(b) — Contract performance | Duration of active relationship |
| Payment processing | Transaction data | Art. 6(1)(b) + Art. 6(1)(c) — Legal obligation | 10 years (statutory accounting obligation) |
| Expert qualification verification | Degrees, insurance, registration | Art. 6(1)(b) + Art. 6(1)(c) — Legal obligation | Duration of registration + 5 years |
| Security and fraud prevention | Technical data, access logs | Art. 6(1)(f) — Legitimate interest | 12 months rolling |
| Platform improvement | Anonymised navigation data | Art. 6(1)(f) — Legitimate interest | 13 months maximum |
| Marketing communications | Email, communication preferences | Art. 6(1)(a) — Consent | Until withdrawal + 3 years |
| Customer support | Support exchanges | Art. 6(1)(b) — Contract performance | 3 years after ticket closure |
| Legal and regulatory obligations | Any type as legally required | Art. 6(1)(c) — Legal obligation | As applicable by law |
⚠ SPECIFIC CONSENT — HEALTH DATA (ART. 9 GDPR)
Processing of your emotional and mental wellbeing data requires your EXPLICIT consent,
collected separately during registration via a dedicated checkbox.
Without this consent, access to therapy and wellness coaching sessions is restricted.
You may withdraw this consent at any time from Settings → Privacy and data.
Withdrawal does not affect the lawfulness of processing carried out before that date.
4. Sub-processors and data recipients
MyEntourage Sàrl never sells personal data to third parties. Data may be shared with the following sub-processors and partners, strictly within the scope of their mission:
| Provider | Role | Country | Safeguards |
| Amazon Web Services | Hosting | Sweden (EU-N1) | EU region — data localised in Europe |
| Stripe / PayPal | Payment processing | EU / United States | PCI-DSS · SCCs for US transfers |
| Google Analytics | Audience analytics | United States | IP anonymisation · SCCs · opt-out available |
| Google Tag Manager | Tag management | United States | SCCs |
| Intercom | Customer support | United States | SCCs · DPA signed |
| Mailchimp | Email marketing | United States | SCCs · DPA signed |
| Sentry | Error monitoring | United States | Anonymisation · SCCs |
| Keen IO | Product metrics | United States | Anonymised data · SCCs |
| Cloudflare | Network security | United States | SCCs · EU network available |
SCCs = Standard Contractual Clauses of the European Commission (Implementing Decision 2021/914/EU). DPA = Data Processing Agreement.
5. International data transfers
The platform's primary hosting is provided by AWS EU North 1 (Stockholm, Sweden), ensuring that data remains in Europe for the majority of processing operations. Certain sub-processors listed in Article 4 are established in the United States.
5.1 Safeguards for transfers to the United States
Standard Contractual Clauses (SCCs) of the European Commission — Implementing Decision 2021/914/EU — Art. 44 to 49 GDPR.
Verification of adherence to the EU-US Data Privacy Framework (DPF) for relevant providers.
Transfer Impact Assessments (TIAs) available on request at support@mysuperme.com.
5.2 Swiss Users
For Users residing in Switzerland, transfers to countries without an adequate level of protection recognised by the FDPIC are governed by appropriate safeguards in accordance with the revised revFADP (Art. 16 and 17 revFADP).
5.3 UK Users
Transfers are governed by the International Data Transfer Agreements (IDTAs) approved by the ICO, in compliance with the UK GDPR.
6. Retention periods
Data is retained only for as long as necessary for the purposes for which it was collected, in compliance with legal obligations.
| Active account data | Duration of the contractual relationship |
| Inactive account data | 3 years after last login, then deletion or anonymisation |
| Health / wellbeing data | 5 years after the last session, then permanent deletion |
| Payment / invoicing data | 10 years (statutory accounting obligation — Swiss CO art. 958f) |
| Expert qualification data | Duration of registration + 5 years (statute of limitations) |
| Consent logs | Minimum 5 years after end of relationship (GDPR compliance proof) |
| Security / access logs | 12 months rolling |
| Anonymised navigation data | 13 months maximum |
| Customer support exchanges | 3 years after ticket closure |
| Marketing / newsletter data | Until withdrawal of consent, then 3 additional years |
Upon expiry of retention periods, data is permanently deleted or irreversibly anonymised. Upon a User's request (right to erasure, Art. 17 GDPR), deletion is carried out within 30 days, subject to legal retention obligations.
7. Your rights regarding your personal data
Under the GDPR, the Swiss revFADP and the UK GDPR, you have the following rights, which you may exercise at any time:
| Right of access (Art. 15 GDPR) | Obtain a copy of all your personal data held by MyEntourage Sàrl, together with information about its processing. |
| Right to rectification (Art. 16) | Have any inaccurate or incomplete data corrected. |
| Right to erasure (Art. 17) | Request deletion of your data where processing is no longer necessary or where you withdraw your consent. |
| Right to restriction (Art. 18) | Request temporary suspension of processing in certain circumstances. |
| Right to data portability (Art. 20) | Receive your data in a structured, commonly used, machine-readable format (JSON or CSV) and transmit it to another controller. |
| Right to object (Art. 21) | Object to processing based on legitimate interest, in particular for direct marketing purposes. |
| Right to withdraw consent (Art. 7(3)) | Withdraw previously given consent at any time, without affecting the lawfulness of prior processing. |
| Right not to be subject to automated decision-making (Art. 22) | Not be subject to a decision based solely on automated processing, including profiling. |
| Right to lodge a complaint | Lodge a complaint with the competent supervisory authority (FDPIC, CNIL or ICO depending on your country of residence). |
7.1 How to exercise your rights
By email: support@mysuperme.com — subject: 'Exercise of my GDPR rights'
From your personal account: Settings → Privacy and data
By post: MyEntourage Sàrl, Rue Saint-Pierre 2, 1003 Lausanne, Switzerland
MyEntourage Sàrl responds to all requests within 30 calendar days. This period may be extended by one further month for complex requests, with prior notification to the User. Identity verification is required before any data communication.
7.2 Competent supervisory authorities
| Switzerland | Federal Data Protection and Information Commissioner (FDPIC) — www.edoeb.admin.ch |
| European Union / France | Commission Nationale de l'Informatique et des Libertés (CNIL) — www.cnil.fr |
| United Kingdom | Information Commissioner's Office (ICO) — www.ico.org.uk |
8. Data security
MyEntourage Sàrl implements appropriate technical and organisational measures to ensure the security of personal data against unauthorised access, loss, destruction, alteration or disclosure.
8.1 Technical measures
Data in transit encryption: TLS 1.2 minimum on all communications
Data at rest encryption: AES-256 for health data and sensitive data
Password encryption: bcrypt hashing — never stored in plain text
Role-based access control (RBAC) — access to health data restricted to the minimum necessary
Logging of access to sensitive data — who, when, from which IP address
Infrastructure hosted on AWS EU North 1 with encrypted automated backups
8.2 Organisational measures
Data access limited to team members with a legitimate operational need
Contractual confidentiality obligations for all staff and sub-processors
Sub-processor verification process (GDPR due diligence before any engagement)
Internal data breach response procedure
8.3 Personal data breach notification (Art. 33 GDPR)
In the event of a personal data breach likely to result in a risk to the rights and freedoms of individuals, MyEntourage Sàrl will notify the competent supervisory authority within 72 hours. Where the risk to individuals is high, they will also be notified without undue delay.
9. Cookies and tracking technologies
The platform uses cookies and similar technologies. A consent banner is displayed on the first visit. The full Cookie Policy is accessible at app.mysuperme.com/cookies.
| Necessary cookies | Platform operation — session, authentication, security. No consent required. |
| Functional cookies | Storing your preferences (language, display). Consent required. |
| Analytical cookies | Google Analytics, Sentry, Keen IO — anonymised audience measurement. Consent required. |
| Marketing cookies | Meta Pixel, Mailchimp — personalisation and campaigns. Explicit consent required. |
You may change your preferences at any time via the 'Manage cookie preferences' link in the site footer.
10. Protection of minors
The SuperMe platform is exclusively intended for persons aged 18 or over. MyEntourage Sàrl does not knowingly collect personal data from minors. If we become aware that a minor has created an account, it will be immediately deleted and the associated data erased. Please contact us immediately at support@mysuperme.com if you believe a minor has provided personal data to SuperMe.
11. Automated decision-making and profiling
SuperMe uses an algorithmic matching system to connect Users with the most suitable Experts for their needs, based on preferences and objectives declared during registration. A member of the SuperMe team validates each match, meaning this does not constitute automated decision-making under Article 22 GDPR. Users may request a review of their match or select a different Expert at any time. MyEntourage Sàrl does not use User data for commercial profiling with third parties.
12. Session confidentiality
Session content between Users and Experts is strictly confidential. Experts are bound by the professional confidentiality obligations applicable to their discipline. MyEntourage Sàrl does not access session content, except in cases of reported misconduct requiring internal investigation, on order from a competent judicial or administrative authority, or in cases of serious and imminent danger requiring mandatory reporting. No session is recorded by SuperMe without the prior explicit consent of both the User and the Expert.
13. Changes to this Privacy Policy
In the event of a material change, Users will be notified by email at least 30 days before the new version takes effect. Any modification to the health data consent text (Art. 9) will require renewed explicit consent from all concerned Users.
| Current version | 2.0 — 1 April 2026 |
| Previous version | 1.0 — 20 June 2025 |
14. Contact and complaints
| Data protection contact | support@mysuperme.com — subject: 'Data Protection' |
| Postal address | MyEntourage Sàrl, Rue Saint-Pierre 2, 1003 Lausanne, Switzerland |
| Response time | 30 calendar days (extendable to 3 months for complex requests) |
| Authority (Switzerland) | FDPIC — www.edoeb.admin.ch — Stauffacherstrasse 65/59, 3003 Bern |
| Authority (EU/France) | CNIL — www.cnil.fr — 3 place de Fontenoy, 75007 Paris |
| Authority (UK) | ICO — www.ico.org.uk — Wycliffe House, Water Lane, Wilmslow, SK9 5AF |
15. Expert-specific provisions
This section supplements the general provisions of this policy for Experts (therapists, coaches, yoga teachers) registered on the SuperMe platform as independent service providers.
15.1 Data processed specifically for Experts
| Processing / Purpose | Data concerned | Legal basis | Retention period |
| Banking and fiscal data | IBAN, bank details, VAT number, tax documents | Art. 6(1)(b) — Contract + Art. 6(1)(c) — Legal obligation | Duration of registration + 10 years (accounting) |
| Public Expert profile | Name, photo, biography, specialities, rates, ratings | Art. 6(1)(b) — Contract (deliberately made public) | Active registration + 30 days after termination |
| KYC / qualification verification | Degrees, certifications, registration number, RCP certificate | Art. 6(1)(b) + Art. 6(1)(c) — Legal obligation | Registration + 5 years |
| Performance and ratings | User ratings, reviews, session statistics | Art. 6(1)(f) — Legitimate interest (service quality) | Registration + 3 years |
| SuperMe marketing communications | Name, logo, photo for platform promotion | Art. 6(1)(b) — Contract (GTC Art. 13 — marketing licence) | Duration of licence granted in GTC |
| Platform activity logs | Logins, managed bookings, reported incidents | Art. 6(1)(f) — Legitimate interest (security, disputes) | 3 years after end of registration |
15.2 Public profile — Deliberately made public data
Certain data provided by the Expert is deliberately made public on the platform as part of their professional profile: name, first name, photo, biography, specialities, languages spoken, rates and ratings. This data is processed on the basis of contract performance (GTC).
Upon account termination, the public profile is removed within 30 days. Ratings and reviews may be retained in anonymised form for statistical purposes.
15.3 Use of Expert name and image for marketing purposes
In accordance with Article 13 of the General Terms and Conditions applicable to Professionals, MyEntourage Sàrl may use the Expert's name, logo and brand elements to communicate that they use the platform, under a limited and revocable licence.
This use is based on contract performance. The Expert may object at any time by notifying MyEntourage Sàrl at support@mysuperme.com. The objection takes effect within 15 business days.
15.4 Performance data and right to challenge
Ratings and reviews left by Users regarding an Expert are collected and displayed on their profile. Experts have a right of access to all their performance data and may challenge any review they consider abusive, defamatory or fraudulent by contacting support@mysuperme.com. MyEntourage Sàrl undertakes to examine any challenge within 15 business days.
15.5 Identity verification (KYC) and qualification
As part of the Expert verification process, MyEntourage Sàrl may use a third-party KYC provider. Data transmitted is limited to the strictly necessary and is subject to a GDPR-compliant data processing agreement. Qualification documents are stored securely and accessible only to the MyEntourage team members responsible for verification.
15.6 Termination and fate of Expert data
Public profile removed within 30 days of termination.
Qualification and contractual data retained for 5 years (statute of limitations).
Accounting and fiscal data retained for 10 years (statutory obligation).
User reviews may be retained in anonymised form for statistical purposes.
Banking data (IBAN) deleted once all outstanding payments are settled.
15.7 Exercise of GDPR rights by Experts
Experts have the same rights as Users (Article 7 of this policy). They may in particular:
Request access to all their personal data, including activity logs;
Request rectification of their public profile or professional data;
Object to the use of their image for marketing purposes (Art. 15.3);
Request data portability (session history, ratings);
Challenge abusive reviews (Art. 15.4).
Contact: support@mysuperme.com — subject: 'GDPR Rights — Expert'.