Version 1.1 – Effective: April 2026
This Privacy Policy explains how we process and protect your personal data when you use our website www.psynex.de or the services we offer through this website (together "our Services" or "the Platform").
The website and platform is operated by:
Intermac systems
Sendnicher Str. 58a
56072 Koblenz
Germany
Email: info@intermac.de
Phone: +49-151-2755-5942
VAT ID: DE178012433
(hereinafter "the Company", "we", "our" or "us")
Data Protection Contact:
For questions about data protection, contact us at: info@intermac.de
Psynex is a B2B platform for healthcare professionals (psychotherapists, psychologists).
For the processing of patient data of your clients, you as the therapist are the Data Controller under GDPR. We (Intermac systems) act as a Data Processor pursuant to Article 28 GDPR. The terms of data processing are governed by our separate Data Processing Agreement (DPA), which you must accept during registration.
This Privacy Policy primarily concerns:
Your obligations towards your patients:
When you register as a therapist and use the platform, we process the following data about you:
| Data Category | Examples | Purpose | Legal Basis |
|---|---|---|---|
| Account Data | Name, email, password (hashed), phone | Provision and management of your account | Art. 6(1)(b) GDPR (contract performance) |
| Professional Information | License, specialty, practice address | Verification of authorization to use | Art. 6(1)(b), (c) GDPR |
| Payment Data | Billing address, payment method | Processing subscription payments | Art. 6(1)(b) GDPR |
| Usage Data | Login times, features used, IP address | Provision and improvement of services | Art. 6(1)(f) GDPR (legitimate interest) |
| Communications | Support requests, feedback | Customer service, product improvement | Art. 6(1)(b), (f) GDPR |
When you as a therapist enter patient data into the platform, we process this exclusively on your behalf:
| Data Category | Examples | Purpose |
|---|---|---|
| Patient Master Data | Name, date of birth, contact details, insurance number | Identification, insurance applications |
| Health Data (Art. 9 GDPR) | Diagnoses, symptoms, treatment progress, therapy notes | Documentation, therapy report creation |
| Session Data | Audio transcripts, session notes, treatment plans | AI-assisted documentation and reporting |
| Insurance Data | Insurance provider, coverage approval, application status | Creating reimbursement applications |
Legal basis for patient data:
We collect data from the following sources:
Access to data is limited to:
Patient data is stored encrypted in the database, and the encryption keys are managed separately in Azure Key Vault. There is no administrative interface through which plaintext patient data would be accessible. Access to decrypted content would only be possible through deliberate technical effort at the infrastructure level – for instance, in a specifically requested support or error case – and does not occur in regular operation. As a data processor, we are additionally bound by § 203 para. 4 StGB directly to the therapist's professional confidentiality obligation.
We use the following sub-processors under Article 28 GDPR:
| Service Provider | Service | Location | Data Protection Guarantees |
|---|---|---|---|
| Hetzner Online GmbH | Server hosting, data center | Germany (Falkenstein, Nuremberg) | DPA under Art. 28 GDPR, BSI C5 Type 2, ISO 27001:2022 certified |
| Microsoft Ireland Operations Ltd. | Key management (Azure Key Vault) | Germany (Frankfurt, Germany West Central) | Microsoft Products and Services DPA per Art. 28 GDPR, ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3, BSI C5 |
| OpenAI Ireland Ltd. | AI text processing (transcription, report generation) | EU (EU data center, Data Residency, Zero Data Retention) | DPA per Art. 28 GDPR, additional BAA, SOC 2, ISO 27001 |
| Stripe Payments Europe Ltd. | Payment processing | Ireland (EU) | DPA per Art. 28 GDPR, PCI DSS Level 1 certified |
| Resend | Transactional emails | EU | DPA per Art. 28 GDPR, SOC 2 |
This differs fundamentally from public ChatGPT, where inputs are stored by default for 30 days, logged for abuse monitoring, and potentially used for training unless the user actively opts out.
Your data (especially patient data) is primarily processed in Germany:
For AI text processing, we use OpenAI's EU-based infrastructure:
Transparency about our OpenAI usage:
Our contractual partner is OpenAI Ireland Ltd., an EU legal entity based in Ireland. Data processing takes place exclusively within the EU (EU Data Residency). In Zero Data Retention mode, content is discarded immediately after processing and not stored. No third-country transfer of your submitted content to the USA occurs; access by US authorities to your patient data is therefore contractually and technically excluded.
| Data Type | Retention Period | Reason |
|---|---|---|
| Account Data | Until account deletion + 30 days | Contract performance, then deletion required |
| Patient Data | As long as you wish, max until account deletion + 30 days | Data processing – you control deletion |
| Billing Data | 10 years after year-end | Tax retention requirements |
| Backups | Max. 90 days (rolling system) | IT security, then automatic deletion |
| Log Files | 30 days, IP addresses anonymized after 14 days | IT security, abuse prevention |
| Support Correspondence | 3 years after last message | Traceability, quality assurance |
We take the security of your and your patients' data very seriously. The following measures are implemented:
You have the following data protection rights regarding your own data:
You can request a copy of all data stored about you at any time. You can view your profile data through your account dashboard.
You can request corrections if your data is inaccurate or incomplete. You can edit profile data yourself in your account.
You can request deletion of your data when:
Practical: Use "Delete Account" function in profile → all data permanently deleted after 30 days.
You can receive your data in a structured, commonly used format. Practical: Export function for all your data (JSON/CSV format).
For processing based on legitimate interests, you can object. For direct marketing, you can object at any time (opt-out in every marketing email).
You have the right to lodge a complaint with a data protection supervisory authority.
For Rhineland-Palatinate:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz
Hintere Bleiche 34, 55116 Mainz
poststelle@datenschutz.rlp.de
Contact to exercise your rights:
Email: info@intermac.de
We respond to requests within 30 days.
We use only technically necessary cookies for platform operation:
| Cookie Name | Purpose | Duration |
|---|---|---|
session_token | Authentication (login session) | 30 days or until logout |
csrf_token | Protection against CSRF attacks | 1 day |
✓ No tracking or marketing cookies
We do not use Google Analytics, social media tracking pixels (Facebook, LinkedIn), advertising cookies, or third-party cookies.
For newsletter signup, we use double opt-in. You can unsubscribe at any time (link in every email). Legal basis: Art. 6(1)(a) GDPR (consent).
Our website may contain links to external websites. We have no control over their privacy practices. When you click, you leave our area of responsibility.
Our platform is intended for adult professionals. We do not knowingly collect data from persons under 18.
We use AI (OpenAI) only as assistance (transcription, report generation). All final decisions are made exclusively by the therapist. There is no automated decision-making within the meaning of Art. 22 GDPR.
No profiling: We do not create profiles for marketing or creditworthiness purposes.
In case of a data breach:
We reserve the right to update this Privacy Policy. We will notify you of material changes by email (at least 14 days in advance).
Current version: Always available at www.psynex.de/privacy-policy
For questions, requests, or complaints about data protection, contact us:
Intermac systems
Norbert Doetsch
Sendnicher Str. 58a
56072 Koblenz, Germany
Email: info@intermac.de
Phone: +49-151-2755-5942
Response time: We respond to requests within 30 days.
Effective: April 2026 | Version: 1.1
This Privacy Policy was prepared with the utmost care. It does not constitute legal advice. For specific questions, please consult a data protection expert or attorney.