Delta

Mental health

Psychologists Therapists Neuropsychologists

Rehabilitation

Psychomotor therapists Physiotherapists Osteopaths Speech therapists
Patient sheets Downloads
Security Pricing
Sign in Try for free
Language
Theme

Politique de confidentialité

Effective since 1 April 2026 · Version 1.0

Protection of personal data and health data processed by Delta.

1. Identity of the data controller and processor

1.1 The Publisher (data processor)

Delta Labs SAS, a simplified joint-stock company with a share capital of €1,000, registered with the Niort Trade and Companies Register under number 102 094 448, SIRET 102 094 448 00010, registered office: 11 BIS Allée du Muguet, 79200 Parthenay, France.

Data protection contact: admin@mydelta.app.

1.2 The User (data controller)

The User, as a mental health professional, is the data controller for the health data of their patients processed via Delta. The Publisher acts as a data processor (GDPR Article 28). This relationship is formalised by the Data Processing Agreement (DPA).

For the User's own personal data (account, billing), the Publisher is the data controller.

2. Data collected

2.1 User data

  • Identification data: first name, last name, email address, phone number
  • Professional data: professional qualification, ADELI number, practice address
  • Billing data: payment history, invoices (banking data processed exclusively by Stripe, not stored by the Publisher)
  • Connection data: IP address, connection logs, usage data
  • Preferences: account settings

2.2 Patient data

  • Identification data: first name, last name, initials, internal identifier
  • Health data: session notes, reports, history, themes, clinical observations
  • Generated data: transcripts, summaries, Copilot suggestions, briefings, follow-up messages
  • Metadata: session dates and durations, timestamps

3. Purposes and legal bases for processing

Purpose Legal basis Data concerned
Provision of the Service Performance of contract (art. 6(1)(b)); therapeutic care under professional secrecy (art. 9(2)(h)) for health data Clinical data, account data
Account management Performance of contract (art. 6(1)(b)) Identification and professional data
Billing Performance of contract (art. 6(1)(b)); legal obligation (art. 6(1)(c)) Billing data
Service improvement Explicit consent (art. 6(1)(a)) Anonymised data only
Security and prevention Legitimate interest (art. 6(1)(f)) Connection data, logs

4. Data recipients

4.1 Internal access

Access to the data is strictly limited to authorised members of the Delta Labs team, to the extent necessary for the operation of the Service. Access to Clinical Data is strictly limited and protected by appropriate technical and organisational measures.

4.2 Sub-processors

Sub-processor Function Data processed Location
Amazon Web Services EMEA SARL HDS hosting All data (encrypted) France (eu-west-3, Paris)
Google LLC (Gemini) AI processing (notes, copilot) Clinical data (strict minimum, zero retention) Europe (eu-west)
Stripe Payments Europe Ltd Payment processing Banking data only Ireland (EEA)

4.3 Third parties

Data is never sold, rented or communicated to third parties for commercial purposes.

5. Transfers outside the EEA

Clinical Data is hosted in France (AWS eu-west-3, Paris). AI processing via Google LLC (Gemini) takes place on servers located in Europe (eu-west region), within the European Economic Area. The data is not transferred outside the EEA.

Should this change, any transfer outside the EEA would be governed by the European Commission's Standard Contractual Clauses (decision 2021/914) and, where applicable, by the supplementary measures recommended by the EDPB.

Stripe Payments Europe Ltd, based in Ireland (EEA), processes banking data exclusively within the EEA.

6. Retention period

Type of data Period Justification
Clinical data Subscription + 90 days after termination Performance of contract + export window
Account data Subscription + deletion on termination Performance of contract
Billing data 10 years Legal obligation (French Commercial Code)
Connection logs 12 months Legal obligation (LCEN — French Confidence in the Digital Economy Act)

7. Data security

7.1 Technical measures

  • Strong encryption at rest (AES-256) and in transit (TLS 1.3)
  • Strict access control and data isolation
  • Secure authentication with optional 2FA
  • Password hashing
  • Daily encrypted and redundant backups

7.2 Organisational measures

  • Access limited by the principle of least privilege
  • Logging of all accesses
  • Regular penetration tests and security audits

8. Data breach

In the event of a breach, the Publisher undertakes to:

  • Notify the User within 48 hours
  • Notify the CNIL within 72 hours if there is a risk to individuals
  • Provide the information necessary to inform patients if required
  • Implement appropriate corrective measures

9. Data subject rights

User rights: access, rectification, erasure, restriction, portability, objection, withdrawal of consent.

Contact: admin@mydelta.app or by post to Delta Labs SAS, 11 BIS Allée du Muguet, 79200 Parthenay, France. Response time: 30 days.

Patient rights: to be exercised with the User (data controller).

Complaint: CNIL (www.cnil.fr) or APD Belgium (www.autoriteprotectiondonnees.be).

10. Cookies

Only strictly necessary cookies (session, preferences, CSRF security). No advertising or tracking cookies. For more details, see the Cookies Policy available at mydelta.app.

11. Modification

Any substantial modification will be notified by email with 30 days' advance notice.

12. Contact

Delta Labs SAS

admin@mydelta.app

+33 7 66 80 89 66

11 BIS Allée du Muguet, 79200 Parthenay, France