Privacy Policy

PRIVACY NOTICE – PSYLARIS (EMDR‑VR B.V.) – INTERNATIONAL (EN)

This Privacy Notice explains how EMDR‑VR B.V. (the “Company”, “Psylaris”, acting under/for the Psylaris brand) processes personal data in connection with:

– the website www.psylaris.com;
– sales and marketing communications;
– support; and
– (the services around) Psylaris Care, Psylaris Relax, EMDR‑Remote and the Psylaris Dashboard.

Last updated: 13 February 2026

1. WHO IS RESPONSIBLE?

Controller (for website, sales and support):
EMDR‑VR B.V.
Dutch Chamber of Commerce (KvK) number: 70390185
Address: Boschstraat 21, 6211AS Maastricht, the Netherlands
Email: [email protected]

Privacy contact person:
Christoph Lynen
Contact via: [email protected]

2. WHO DOES THIS NOTICE APPLY TO?

This Notice applies to:
– website visitors;
– prospects and business contacts (e.g., demo requests, quotes and contracts);
– customer contact persons;
– suppliers and other business partners; and
– participants in promotions/events (e.g., prize draws).

Important (end users via our customers):
If you use our products through an organisation (e.g., your employer or a healthcare organisation), that organisation is typically the “controller” for that use. Psylaris may act as a “processor” on the organisation’s behalf. See section 12.

3. PERSONAL DATA WE PROCESS (AS CONTROLLER)

We only process personal data that is necessary for the purposes described below.

3.1 Website, forms, chat, downloads and demo requests
Depending on what you submit/use:
– name;
– company/organisation;
– business email address;
– (business) phone number;
– message content (what you write to us);
– any other information you choose to provide in free-text fields.

Important:
Please do not share special categories of data (such as health data) via website forms or chat.

3.2 Newsletter and marketing communications
– email address;
– (optional) name/organisation;
– opt-out status and limited communication preferences.

3.3 Sales, quotes and contract administration (B2B)
– name, business contact details and role/title;
– organisation details;
– communications (emails and notes);
– contract and administrative data (e.g., invoicing details).

3.4 Support
– contact details;
– support request content and correspondence;
– technical information needed to troubleshoot (e.g., error messages).

3.5 Technical data (e.g., website access)
When you use our website (and in some cases digital services), we may process technical data such as:
– IP address;
– device, browser and language settings;
– date/time and pages visited (via cookies/similar technologies; see section 11);
– log data (e.g., usage logs, changes, and error logs).

We aim to minimise directly identifying data in portals/logs. However, technical data may still be personal data in certain cases.

3.6 Audio/visual materials (recordings/photos)
In specific situations, we may process audio or visual materials (e.g., recordings of online meetings, trainings/webinars, or event materials). Where this applies, we will explain this in the relevant communication and request consent where required.

4. WHERE DO WE GET PERSONAL DATA FROM?

In principle, we receive personal data directly from you (e.g., via forms, email, chat or communications).
If we exceptionally receive personal data from a third party, we handle it carefully and assess whether and how we must inform you.

5. PURPOSES AND LEGAL BASES

We process personal data for the following purposes:

a) Contacting you, handling demo requests, quotes and sales conversations
Legal bases: contract/pre-contract steps and/or legitimate interests (depending on the context).

b) Performing agreements, account management, invoicing and administration
Legal bases: contract and/or legal obligations (where applicable).

c) Support and service delivery
Legal bases: contract and/or legitimate interests (depending on the context).

d) Marketing / lead generation and marketing communications
Legal bases: consent and/or legitimate interests, where permitted by applicable law.
Existing customer communications: where allowed, we may contact existing customers about similar products/services (with an opt-out option in every message).

e) Product improvement, quality and security (incl. logging and troubleshooting)
Legal bases: legitimate interests and/or contract, depending on the context.

f) Compliance (e.g., audits/certifications and meeting legal requirements)
Legal bases: legal obligations and/or legitimate interests.

g) Promotions/events (e.g., prize draws)
Legal bases: consent and/or performance of participation terms, depending on the case.

No solely automated decisions with significant effects:
We do not make decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you.

6. IS PROVIDING PERSONAL DATA REQUIRED?

Sometimes. For example, if you request a demo or want to enter into an agreement, we need certain information to respond and to perform the agreement. If required data is not provided, we may not be able to provide (parts of) our services.

7. WHO DO WE SHARE PERSONAL DATA WITH?

We do not sell or rent your personal data.

We may share personal data with:
– service providers supporting us (e.g., CRM/email delivery, support tooling, hosting/IT, e-signing, payments, website analytics);
– accountants and administrative providers;
– legal advisors;
– auditors/certification bodies (if applicable);
– implementation partners (if needed to deliver agreed services);
– authorities/public bodies where legally required.

Where these parties act as processors, we put appropriate data processing arrangements in place and limit sharing to what is necessary.

8. INTERNATIONAL TRANSFERS

We aim to process personal data within the European Economic Area (EEA). However, some service providers (or their subcontractors) may be located outside the EEA or may access data from outside the EEA.

Where applicable, we ensure appropriate safeguards, such as Standard Contractual Clauses and, where required, supplementary measures, or other mechanisms permitted under applicable data protection law.

9. RETENTION

We keep personal data only as long as necessary for the purposes described in this Notice, unless a longer retention period is required by law.

As a general guideline (where appropriate):
– invoicing/accounting data: as required by statutory retention obligations;
– prospects/leads: up to 5 years after the last relevant contact (or shorter where follow-up is no longer needed);
– newsletter/marketing: until you unsubscribe (then only minimal suppression data to honour your opt-out);
– support requests: up to 5 years (or shorter where appropriate);
– technical logs: as short as possible and typically limited to security/troubleshooting;
– promotions/events: as long as needed to run the activity and for accountability, then deleted/anonymised.

Cookie/technology retention: see cookie settings (section 11).

10. MARKETING OPT-OUT

Every marketing email contains an unsubscribe link. You can also opt out by emailing [email protected].
If you object to direct marketing, we will stop using your personal data for those purposes.

11. COOKIES AND SIMILAR TECHNOLOGIES

Our website uses cookies and similar technologies (e.g., scripts/pixels) to:
– make the website work properly;
– understand how the website is used and improve it; and
– measure marketing campaigns and, if you consent, provide advertising functionality.

You can manage your choices (including withdrawing consent where applicable) via the cookie settings available on the website. The cookie settings provide an up-to-date list of the technologies used, purposes, and (where relevant) third parties.

12. OUR ROLE AS PROCESSOR (PRODUCTS/SERVICES)

For Psylaris Care, Psylaris Relax, EMDR‑Remote, the Psylaris Dashboard and related services, Psylaris may act as a processor. This means:
– our customer (the organisation deploying the product) typically determines the purposes and means of processing and acts as controller;
– Psylaris processes personal data only on the customer’s instructions and under the applicable agreements (including a Data Processing Agreement / DPA).

End-user requests:
If you are an end user, please direct requests (access, deletion, etc.) to the organisation through which you use the product. We support our customers as agreed in the DPA.

DPA availability:
Our DPA is available to customers upon request via [email protected].

13. SECURITY AND DATA BREACHES

We take appropriate technical and organisational measures to protect personal data.
In case of a (suspected) personal data breach, we follow our internal incident procedure and notify supervisory authorities and/or affected individuals where legally required.

14. YOUR RIGHTS

Where applicable (in particular under the GDPR), you may have the right to:
– access your personal data;
– rectify inaccurate data;
– request deletion;
– restrict processing;
– data portability;
– object to processing (especially direct marketing); and
– withdraw consent at any time (where processing is based on consent).

To exercise your rights, please contact: [email protected].
We generally respond within one month and aim to respond as soon as possible.

15. COMPLAINTS

If you have concerns about how we process your personal data, please contact us at [email protected].

You may also have the right to lodge a complaint with a supervisory authority, in particular in the country of your habitual residence, place of work or place of the alleged infringement. For example:
– The Netherlands: Autoriteit Persoonsgegevens
– Germany: competent authority of your federal state
– Belgium: Gegevensbeschermingsautoriteit
– Austria: Österreichische Datenschutzbehörde
– United Kingdom: Information Commissioner’s Office (ICO)
– Switzerland: FDPIC

16. CHANGES

We may update this Privacy Notice from time to time, for example when our practices or legal requirements change. The current version will always be available on our website.