1. Introduction
Rolepsy ("we", "us", "our") is a clinical training platform that uses AI to create realistic patient personas for therapy practice. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website and application at rolepsy.com and app.rolepsy.com.
Rolepsy is operated from Sweden and complies with the General Data Protection Regulation (GDPR). For the purposes of the GDPR, Rolepsy is the data controller.
2. Data We Collect
2.1 Account Data
When you register, we collect:
- Name and email address
- Hashed password (we never store plaintext passwords)
- Account role and preferences
2.2 Usage Data
When you use the platform, we collect:
- Therapy practice session content (messages exchanged with AI personas)
- Persona configurations you create
- Therapist notes and session summaries
- Supervision preparation data
2.3 Technical Data
- IP address and approximate geolocation
- Browser type, operating system, and device information
- Pages visited and actions taken (via analytics)
- Session identifiers and authentication tokens
2.4 Voice Data
If you use voice messaging features, audio is processed in real time for speech-to-text conversion and tone analysis. We do not store raw audio recordings after processing.
3. How We Use Your Data
- Provide the service — authenticate you, store your sessions, generate AI responses
- Improve the platform — anonymous, aggregated analytics to understand usage patterns
- Communicate with you — account notifications, service updates, and support
- Ensure security — detect abuse, prevent fraud, and enforce rate limits
We do not sell your personal data. We do not use your therapy session content to train AI models.
4. Legal Basis for Processing (GDPR)
- Contract performance (Art. 6(1)(b)) — processing necessary to provide you with the service you signed up for
- Legitimate interests (Art. 6(1)(f)) — analytics, security monitoring, and service improvement
- Consent (Art. 6(1)(a)) — optional analytics cookies (see our Cookie Policy)
5. Hosting & Infrastructure
All services are hosted in the European Union (Frankfurt, Germany) to ensure your data remains within the EU.
| Component | Provider | Location | Purpose |
|---|---|---|---|
| Application server | Render | Frankfurt, DE | Backend API and frontend hosting |
| Database | MongoDB Atlas | Frankfurt, DE | Primary data store (accounts, sessions, personas) |
| Cache & sessions | Redis (Render) | Frankfurt, DE | Session store, rate limiting, caching |
| DNS & CDN | Cloudflare | Global edge (EU origin) | DNS resolution, DDoS protection, TLS termination |
6. Subprocessors
We share personal data with the following third-party subprocessors, each under a Data Processing Agreement (DPA):
| Subprocessor | Purpose | Data shared | Location |
|---|---|---|---|
| OpenAI | AI model provider for therapy chat and clinical analysis | Anonymized session messages (PII stripped before transmission) | USA (EU API endpoint) |
| Anthropic | Alternative AI model provider | Anonymized session messages (PII stripped before transmission) | USA |
| Deepgram | Speech-to-text (voice messaging) | Audio stream (real-time, not stored) | USA |
| ElevenLabs | Text-to-speech (voice responses) | AI-generated text (no personal data) | USA |
| Hume AI | Vocal tone analysis | Audio stream (real-time, not stored) | USA |
| PostHog | Product analytics | Anonymized usage events (no PII) | EU (Frankfurt) |
| Render | Application hosting | All application data (encrypted) | EU (Frankfurt) |
| MongoDB Atlas | Database hosting | All stored data (encrypted at rest) | EU (Frankfurt) |
| Cloudflare | CDN and security | IP addresses, request metadata | Global (EU origin) |
International transfers
Some subprocessors are based in the USA. For these transfers we rely on the EU-U.S. Data Privacy Framework and/or Standard Contractual Clauses (SCCs) as adopted by the European Commission. We will notify you of any changes to our subprocessor list by updating this page.
7. Data Retention
- Account data — retained while your account is active, deleted within 30 days of account deletion
- Session data — retained while your account is active; you can delete individual sessions at any time
- Analytics data — aggregated and anonymized, retained for up to 24 months
- Server logs — retained for 30 days for security and debugging purposes
8. Your Rights
Under the GDPR, you have the right to:
- Access — request a copy of all personal data we hold about you
- Rectification — correct inaccurate personal data
- Erasure — request deletion of your personal data ("right to be forgotten")
- Restriction — restrict processing of your data in certain circumstances
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent, withdraw it at any time
To exercise any of these rights, contact us at privacy@rolepsy.com. We will respond within 30 days.
You also have the right to lodge a complaint with your local data protection authority. In Sweden, this is the Swedish Authority for Privacy Protection (IMY).
9. Security Measures
- All data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Passwords hashed with bcrypt
- Role-based access control following the principle of least privilege
- Rate limiting and abuse detection
- Regular security reviews and dependency audits
- PII anonymization before AI processing
10. Cookies
We use a limited number of cookies. For full details on what cookies we set, their purpose, and how to manage them, see our Cookie Policy.
11. Children's Privacy
Rolepsy is designed for licensed mental health professionals and is not intended for use by anyone under 18. We do not knowingly collect data from minors.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notice. The "Last updated" date at the top reflects the most recent revision.
13. Contact
For privacy-related questions or requests:
- Email: privacy@rolepsy.com
- Website: rolepsy.com