Legal

Privacy Policy

Version 2.0 — 1 April 2026 · MyEntourage Sàrl

1. Data Controller

The controller of personal data collected through the SuperMe platform (app.mysuperme.com) is:

Company nameMyEntourage Sàrl
Legal formLimited liability company (Sàrl) under Swiss law
Company numberCHE-410.574.084
Registered officeRue Saint-Pierre 2, c/o Christophe Fischer, notaire, 1003 Lausanne, Switzerland
DirectorsMr Yan Delgado and Mr Stéphane Daniel Bezençon
Data contactsupport@mysuperme.com
HostingAmazon Web Services (AWS) — EU North 1 region, Stockholm, Sweden

MyEntourage Sàrl is committed to processing personal data in compliance with the General Data Protection Regulation (GDPR — EU Regulation 2016/679), the Swiss Federal Act on Data Protection (revFADP, in force since 1 September 2023) and the UK GDPR for persons residing in the United Kingdom.

2. Data Collected

2.1 User data

Identity dataFirst name, surname, date of birth, email address, phone number
Account dataLogin credentials (email + hashed password), account preferences, language
Profile dataWellness goals, interests, information shared during the matching questionnaire
Health data ⚠Content of exchanges during therapy and wellness coaching sessions, information on emotional and mental state, wellness tracking journals — SPECIAL CATEGORY DATA (Art. 9 GDPR)
Transaction dataBooking history, amounts invoiced, payment method (type only — no card number)
Technical dataIP address, browser type and version, device type, operating system, session ID
Navigation dataPages visited, visit duration, traffic source, in-app actions
Communication dataExchanges with customer service via support@mysuperme.com or the integrated chat

2.2 Expert (Professional) data

Identity dataFirst name, surname, email address, phone number, postal address
Professional dataDegrees, certifications, professional registration number, years of experience, biography
Qualification dataSupporting documents (CV, diplomas, certificates), professional liability insurance certificate
Financial dataVAT number, bank account details (IBAN) for fee payments
Performance dataUser ratings, number of sessions completed, satisfaction rate
Technical dataSame as Users — IP address, device, sessions

2.3 Data we never collect

✅ DATA EXCLUDED FROM ALL PROCESSING

  • Full card numbers or complete payment data (processed exclusively by our PCI-DSS certified providers)
  • Biometric data
  • Data relating to political opinions, trade union membership or religious beliefs
  • Data from minors (access prohibited to persons under 18)
  • 3. Legal bases and purposes of processing

    In accordance with Article 6 of the GDPR, each processing activity rests on an identified legal basis. Health data (Art. 9 GDPR) is subject to a separate explicit consent.

    Processing / PurposeData concernedLegal basisRetention period
    Account registration and managementIdentity, email, passwordArt. 6(1)(b) — Contract performanceDuration of relationship + 5 years
    Therapy and wellness coaching sessionsHealth and mental wellbeing data⚠ Art. 9(2)(a) — EXPLICIT consent5 years after last session, then deletion
    User / Expert matchingObjectives, preferences, profile dataArt. 6(1)(b) — Contract performanceDuration of active relationship
    Payment processingTransaction dataArt. 6(1)(b) + Art. 6(1)(c) — Legal obligation10 years (statutory accounting obligation)
    Expert qualification verificationDegrees, insurance, registrationArt. 6(1)(b) + Art. 6(1)(c) — Legal obligationDuration of registration + 5 years
    Security and fraud preventionTechnical data, access logsArt. 6(1)(f) — Legitimate interest12 months rolling
    Platform improvementAnonymised navigation dataArt. 6(1)(f) — Legitimate interest13 months maximum
    Marketing communicationsEmail, communication preferencesArt. 6(1)(a) — ConsentUntil withdrawal + 3 years
    Customer supportSupport exchangesArt. 6(1)(b) — Contract performance3 years after ticket closure
    Legal and regulatory obligationsAny type as legally requiredArt. 6(1)(c) — Legal obligationAs applicable by law

    ⚠ SPECIFIC CONSENT — HEALTH DATA (ART. 9 GDPR)

    Processing of your emotional and mental wellbeing data requires your EXPLICIT consent,

    collected separately during registration via a dedicated checkbox.

    Without this consent, access to therapy and wellness coaching sessions is restricted.

    You may withdraw this consent at any time from Settings → Privacy and data.

    Withdrawal does not affect the lawfulness of processing carried out before that date.

    4. Sub-processors and data recipients

    MyEntourage Sàrl never sells personal data to third parties. Data may be shared with the following sub-processors and partners, strictly within the scope of their mission:

    ProviderRoleCountrySafeguards
    Amazon Web ServicesHostingSweden (EU-N1)EU region — data localised in Europe
    Stripe / PayPalPayment processingEU / United StatesPCI-DSS · SCCs for US transfers
    Google AnalyticsAudience analyticsUnited StatesIP anonymisation · SCCs · opt-out available
    Google Tag ManagerTag managementUnited StatesSCCs
    IntercomCustomer supportUnited StatesSCCs · DPA signed
    MailchimpEmail marketingUnited StatesSCCs · DPA signed
    SentryError monitoringUnited StatesAnonymisation · SCCs
    Keen IOProduct metricsUnited StatesAnonymised data · SCCs
    CloudflareNetwork securityUnited StatesSCCs · EU network available

    SCCs = Standard Contractual Clauses of the European Commission (Implementing Decision 2021/914/EU). DPA = Data Processing Agreement.

    5. International data transfers

    The platform's primary hosting is provided by AWS EU North 1 (Stockholm, Sweden), ensuring that data remains in Europe for the majority of processing operations. Certain sub-processors listed in Article 4 are established in the United States.

    5.1 Safeguards for transfers to the United States

    Standard Contractual Clauses (SCCs) of the European Commission — Implementing Decision 2021/914/EU — Art. 44 to 49 GDPR.

    Verification of adherence to the EU-US Data Privacy Framework (DPF) for relevant providers.

    Transfer Impact Assessments (TIAs) available on request at support@mysuperme.com.

    5.2 Swiss Users

    For Users residing in Switzerland, transfers to countries without an adequate level of protection recognised by the FDPIC are governed by appropriate safeguards in accordance with the revised revFADP (Art. 16 and 17 revFADP).

    5.3 UK Users

    Transfers are governed by the International Data Transfer Agreements (IDTAs) approved by the ICO, in compliance with the UK GDPR.

    6. Retention periods

    Data is retained only for as long as necessary for the purposes for which it was collected, in compliance with legal obligations.

    Active account dataDuration of the contractual relationship
    Inactive account data3 years after last login, then deletion or anonymisation
    Health / wellbeing data5 years after the last session, then permanent deletion
    Payment / invoicing data10 years (statutory accounting obligation — Swiss CO art. 958f)
    Expert qualification dataDuration of registration + 5 years (statute of limitations)
    Consent logsMinimum 5 years after end of relationship (GDPR compliance proof)
    Security / access logs12 months rolling
    Anonymised navigation data13 months maximum
    Customer support exchanges3 years after ticket closure
    Marketing / newsletter dataUntil withdrawal of consent, then 3 additional years

    Upon expiry of retention periods, data is permanently deleted or irreversibly anonymised. Upon a User's request (right to erasure, Art. 17 GDPR), deletion is carried out within 30 days, subject to legal retention obligations.

    7. Your rights regarding your personal data

    Under the GDPR, the Swiss revFADP and the UK GDPR, you have the following rights, which you may exercise at any time:

    Right of access (Art. 15 GDPR)Obtain a copy of all your personal data held by MyEntourage Sàrl, together with information about its processing.
    Right to rectification (Art. 16)Have any inaccurate or incomplete data corrected.
    Right to erasure (Art. 17)Request deletion of your data where processing is no longer necessary or where you withdraw your consent.
    Right to restriction (Art. 18)Request temporary suspension of processing in certain circumstances.
    Right to data portability (Art. 20)Receive your data in a structured, commonly used, machine-readable format (JSON or CSV) and transmit it to another controller.
    Right to object (Art. 21)Object to processing based on legitimate interest, in particular for direct marketing purposes.
    Right to withdraw consent (Art. 7(3))Withdraw previously given consent at any time, without affecting the lawfulness of prior processing.
    Right not to be subject to automated decision-making (Art. 22)Not be subject to a decision based solely on automated processing, including profiling.
    Right to lodge a complaintLodge a complaint with the competent supervisory authority (FDPIC, CNIL or ICO depending on your country of residence).

    7.1 How to exercise your rights

    By email: support@mysuperme.com — subject: 'Exercise of my GDPR rights'

    From your personal account: Settings → Privacy and data

    By post: MyEntourage Sàrl, Rue Saint-Pierre 2, 1003 Lausanne, Switzerland

    MyEntourage Sàrl responds to all requests within 30 calendar days. This period may be extended by one further month for complex requests, with prior notification to the User. Identity verification is required before any data communication.

    7.2 Competent supervisory authorities

    SwitzerlandFederal Data Protection and Information Commissioner (FDPIC) — www.edoeb.admin.ch
    European Union / FranceCommission Nationale de l'Informatique et des Libertés (CNIL) — www.cnil.fr
    United KingdomInformation Commissioner's Office (ICO) — www.ico.org.uk

    8. Data security

    MyEntourage Sàrl implements appropriate technical and organisational measures to ensure the security of personal data against unauthorised access, loss, destruction, alteration or disclosure.

    8.1 Technical measures

    Data in transit encryption: TLS 1.2 minimum on all communications

    Data at rest encryption: AES-256 for health data and sensitive data

    Password encryption: bcrypt hashing — never stored in plain text

    Role-based access control (RBAC) — access to health data restricted to the minimum necessary

    Logging of access to sensitive data — who, when, from which IP address

    Infrastructure hosted on AWS EU North 1 with encrypted automated backups

    8.2 Organisational measures

    Data access limited to team members with a legitimate operational need

    Contractual confidentiality obligations for all staff and sub-processors

    Sub-processor verification process (GDPR due diligence before any engagement)

    Internal data breach response procedure

    8.3 Personal data breach notification (Art. 33 GDPR)

    In the event of a personal data breach likely to result in a risk to the rights and freedoms of individuals, MyEntourage Sàrl will notify the competent supervisory authority within 72 hours. Where the risk to individuals is high, they will also be notified without undue delay.

    9. Cookies and tracking technologies

    The platform uses cookies and similar technologies. A consent banner is displayed on the first visit. The full Cookie Policy is accessible at app.mysuperme.com/cookies.

    Necessary cookiesPlatform operation — session, authentication, security. No consent required.
    Functional cookiesStoring your preferences (language, display). Consent required.
    Analytical cookiesGoogle Analytics, Sentry, Keen IO — anonymised audience measurement. Consent required.
    Marketing cookiesMeta Pixel, Mailchimp — personalisation and campaigns. Explicit consent required.

    You may change your preferences at any time via the 'Manage cookie preferences' link in the site footer.

    10. Protection of minors

    The SuperMe platform is exclusively intended for persons aged 18 or over. MyEntourage Sàrl does not knowingly collect personal data from minors. If we become aware that a minor has created an account, it will be immediately deleted and the associated data erased. Please contact us immediately at support@mysuperme.com if you believe a minor has provided personal data to SuperMe.

    11. Automated decision-making and profiling

    SuperMe uses an algorithmic matching system to connect Users with the most suitable Experts for their needs, based on preferences and objectives declared during registration. A member of the SuperMe team validates each match, meaning this does not constitute automated decision-making under Article 22 GDPR. Users may request a review of their match or select a different Expert at any time. MyEntourage Sàrl does not use User data for commercial profiling with third parties.

    12. Session confidentiality

    Session content between Users and Experts is strictly confidential. Experts are bound by the professional confidentiality obligations applicable to their discipline. MyEntourage Sàrl does not access session content, except in cases of reported misconduct requiring internal investigation, on order from a competent judicial or administrative authority, or in cases of serious and imminent danger requiring mandatory reporting. No session is recorded by SuperMe without the prior explicit consent of both the User and the Expert.

    13. Changes to this Privacy Policy

    In the event of a material change, Users will be notified by email at least 30 days before the new version takes effect. Any modification to the health data consent text (Art. 9) will require renewed explicit consent from all concerned Users.

    Current version2.0 — 1 April 2026
    Previous version1.0 — 20 June 2025

    14. Contact and complaints

    Data protection contactsupport@mysuperme.com — subject: 'Data Protection'
    Postal addressMyEntourage Sàrl, Rue Saint-Pierre 2, 1003 Lausanne, Switzerland
    Response time30 calendar days (extendable to 3 months for complex requests)
    Authority (Switzerland)FDPIC — www.edoeb.admin.ch — Stauffacherstrasse 65/59, 3003 Bern
    Authority (EU/France)CNIL — www.cnil.fr — 3 place de Fontenoy, 75007 Paris
    Authority (UK)ICO — www.ico.org.uk — Wycliffe House, Water Lane, Wilmslow, SK9 5AF

    15. Expert-specific provisions

    This section supplements the general provisions of this policy for Experts (therapists, coaches, yoga teachers) registered on the SuperMe platform as independent service providers.

    15.1 Data processed specifically for Experts

    Processing / PurposeData concernedLegal basisRetention period
    Banking and fiscal dataIBAN, bank details, VAT number, tax documentsArt. 6(1)(b) — Contract + Art. 6(1)(c) — Legal obligationDuration of registration + 10 years (accounting)
    Public Expert profileName, photo, biography, specialities, rates, ratingsArt. 6(1)(b) — Contract (deliberately made public)Active registration + 30 days after termination
    KYC / qualification verificationDegrees, certifications, registration number, RCP certificateArt. 6(1)(b) + Art. 6(1)(c) — Legal obligationRegistration + 5 years
    Performance and ratingsUser ratings, reviews, session statisticsArt. 6(1)(f) — Legitimate interest (service quality)Registration + 3 years
    SuperMe marketing communicationsName, logo, photo for platform promotionArt. 6(1)(b) — Contract (GTC Art. 13 — marketing licence)Duration of licence granted in GTC
    Platform activity logsLogins, managed bookings, reported incidentsArt. 6(1)(f) — Legitimate interest (security, disputes)3 years after end of registration

    15.2 Public profile — Deliberately made public data

    Certain data provided by the Expert is deliberately made public on the platform as part of their professional profile: name, first name, photo, biography, specialities, languages spoken, rates and ratings. This data is processed on the basis of contract performance (GTC).

    Upon account termination, the public profile is removed within 30 days. Ratings and reviews may be retained in anonymised form for statistical purposes.

    15.3 Use of Expert name and image for marketing purposes

    In accordance with Article 13 of the General Terms and Conditions applicable to Professionals, MyEntourage Sàrl may use the Expert's name, logo and brand elements to communicate that they use the platform, under a limited and revocable licence.

    This use is based on contract performance. The Expert may object at any time by notifying MyEntourage Sàrl at support@mysuperme.com. The objection takes effect within 15 business days.

    15.4 Performance data and right to challenge

    Ratings and reviews left by Users regarding an Expert are collected and displayed on their profile. Experts have a right of access to all their performance data and may challenge any review they consider abusive, defamatory or fraudulent by contacting support@mysuperme.com. MyEntourage Sàrl undertakes to examine any challenge within 15 business days.

    15.5 Identity verification (KYC) and qualification

    As part of the Expert verification process, MyEntourage Sàrl may use a third-party KYC provider. Data transmitted is limited to the strictly necessary and is subject to a GDPR-compliant data processing agreement. Qualification documents are stored securely and accessible only to the MyEntourage team members responsible for verification.

    15.6 Termination and fate of Expert data

    Public profile removed within 30 days of termination.

    Qualification and contractual data retained for 5 years (statute of limitations).

    Accounting and fiscal data retained for 10 years (statutory obligation).

    User reviews may be retained in anonymised form for statistical purposes.

    Banking data (IBAN) deleted once all outstanding payments are settled.

    15.7 Exercise of GDPR rights by Experts

    Experts have the same rights as Users (Article 7 of this policy). They may in particular:

    Request access to all their personal data, including activity logs;

    Request rectification of their public profile or professional data;

    Object to the use of their image for marketing purposes (Art. 15.3);

    Request data portability (session history, ratings);

    Challenge abusive reviews (Art. 15.4).

    Contact: support@mysuperme.com — subject: 'GDPR Rights — Expert'.