Privacy Policy
Last updated: 22.04.2026
1. Contact Information
Dr.ª Maja Grünzner
Psicóloga — Member of the Ordem dos Psicólogos Portugueses (OPP)
Cédula Profissional n.º: 32188
NIF: 334 933 897
Email: dr.maja.gruenzner@posteo.com
If you have any questions about how your personal data is handled, you can contact me at the email address above.
2. Legal Framework
This Privacy Policy is governed by:
- The General Data Protection Regulation (EU) 2016/679 ("GDPR")
- Portuguese Data Protection Law (Lei n.º 58/2019, of 8 August)
- The Code of Ethics (Código Deontológico) of the Ordem dos Psicólogos Portugueses (OPP), in particular its provision on privacy and confidentiality (Princípio Específico 2)
- Portuguese Law on Privacy in Electronic Communications (Lei n.º 41/2004, as amended by Lei n.º 46/2012)
As a registered psychologist, I am bound by professional secrecy (sigilo profissional) as set out in the OPP Code of Ethics. This obligation exists in addition to, and reinforces, my duties under data protection law.
3. What Personal Data I Collect and Why
a) Contact and Inquiry Data
When you contact me via email or a contact form, I collect:
- Your name
- Your email address
- The content of your message
Purpose: To respond to your inquiry or to take pre-contractual steps at your request.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract or pre-contractual measures).
b) Client Data (Psychological Services)
If you become a client, I may collect and process:
- Identification data (name, date of birth, contact details)
- Emergency contact data (name, contact details, relationship to client)
- Health-related data and information shared during sessions
- Session notes and clinical records
- Informed consent documentation
Purpose: To provide psychological services, maintain clinical records, and comply with professional and legal obligations.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract); Art. 9(2)(h) GDPR (processing necessary for the provision of health care by a health professional subject to professional secrecy).
Health-related data is classified as a special category of personal data under Art. 9 GDPR. I process this data solely for the purpose of providing psychological services and in strict compliance with my duty of professional confidentiality under the OPP Code of Ethics.
c) Booking and Scheduling Data
If you book a session through a third-party platform (e.g., It's Complicated), the platform may collect your name, email, and scheduling details. Please refer to the platform's own privacy policy for details on how they handle your data.
d) Server Log Files
The hosting provider automatically collects technical data when you visit this website, including:
- Browser type and version
- Operating system
- IP address (anonymised where possible)
- Date and time of access
- Referring URL
Purpose: To ensure the technical functioning and security of the website.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the security and operability of the website).
e) Payment and Invoicing Data
When you engage my services, I collect billing details necessary for invoicing, including:
- Your name (or company name)
- Address
- NIF (tax identification number)
- Email address
- Service description and amounts
This data is processed through InvoiceXpress (InvoiceXpress, Lda., NIPC 508.025.338, Avenida Duque D'Ávila, n.º 46, 3.º A, 1050-083 Lisboa), a certified invoicing software provider (AT Certification No. 192). InvoiceXpress acts as a data processor on my behalf in accordance with Art. 28 GDPR and its published Data Processing Terms.
Invoice data is automatically communicated to the Autoridade Tributária e Aduaneira (AT — Portuguese Tax Authority) via the SAF-T (PT) reporting system, as required by Portuguese tax law.
This includes the mandatory ATCUD (unique document code) and QR code on all invoices. The AT processes this data as an independent data controller under Portuguese tax legislation.
Payment methods
Depending on the payment method chosen, your payment may be processed through one or more of the following:
(i) Bank transfer via Revolut Business
My business bank account is held with Revolut Bank UAB (Konstitucijos ave. 21B, 08130 Vilnius, Lithuania), operating under a European Banking Licence issued by the Bank of Lithuania. When you make a bank transfer to my account, Revolut receives standard transaction data (sender name, IBAN, amount, reference). Revolut acts as an independent data controller for its banking, regulatory compliance, anti-money laundering, and fraud prevention obligations.
See: https://www.revolut.com/legal/business-customer-privacy-notice/
(ii) MB WAY
If you pay via MB WAY (operated by SIBS Forward Payment Solutions, S.A., Alfrapark, Edifício E, Estrada de Alfragide, n.º 67, 2610-008 Amadora, Portugal), the transaction is processed through the Portuguese interbank network. SIBS acts as an independent data controller for its payment infrastructure, fraud prevention, and regulatory compliance purposes. Your bank processes your side of the transaction under its own privacy policy.
See: https://www.sibs.com/privacy-policy/
SIBS DPO: DataProtectionOfficer@sibs.com
(iii) Stripe
In some cases, payments may be processed through Stripe (Stripe Payments Europe, Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland). Stripe may collect and process payment card or bank account details, name, email address, billing address, device ID, IP address, and transaction details. Stripe acts partly as a data processor on my behalf (to execute payment transactions) and partly as an independent data controller (for fraud prevention, anti-money laundering compliance, and platform security). I do not have access to your full payment card details — these are collected directly by Stripe in a PCI DSS-compliant environment.
See: https://stripe.com/privacy
DPA: https://stripe.com/legal/dpa
I do not store payment card numbers, bank account details, or MB WAY PINs. Payment credentials are handled exclusively by the respective payment service providers.
Purpose: To issue legally compliant invoices, process and receive payments, and fulfil Portuguese tax reporting obligations.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract); Art. 6(1)(c) GDPR (legal obligation under Portuguese tax law); Art. 6(1)(f) GDPR (legitimate interest in secure payment processing, applicable to independent controller activities of payment providers).
f) Tax Advisory Data
I use the services of Relocate Now (Relocate Now, Inc., Rua Castilho 213, 4th floor, 1070-051 Lisboa; www.relocatenow.io) for tax advisory, freelancer tax and social security obligations, and annual tax return submissions related to my business activity in Portugal.
In this context, the following data may be shared with Relocate Now's specialists:
- Invoice summaries and financial records (via SAF-T exports from InvoiceXpress)
- Income and expense information relevant to tax filings
- Any other data necessary for the preparation and submission of tax returns to the Autoridade Tributária
Relocate Now acts as a data processor for the specific tasks I instruct them to carry out on my behalf. To the extent that Relocate Now's specialists access client billing data (e.g., client names, address and NIF numbers appearing on invoices), this data is shared strictly for the purpose of fulfilling my legal tax and accounting obligations.
No clinical, health-related, or session data is ever shared with Relocate Now or any tax advisor.
Purpose: To comply with Portuguese tax obligations, including the preparation and submission of tax returns, social security declarations, and ongoing tax advisory.
Legal basis: Art. 6(1)(c) GDPR (legal obligation); Art. 6(1)(f) GDPR (legitimate interest in professional accounting and tax compliance).
g) Anonymised Case Material for Supervision and Teaching
As a registered psychologist, I engage in professional supervision and may participate in teaching, training, or professional development activities. In these contexts, I may share anonymised case material, such as general themes, therapeutic approaches, presenting issues, and process observations, for the purposes of:
- Professional supervision (as required/recommended by the OPP for ongoing quality assurance of psychological practice)
- Teaching, training, and professional development
- Oral case presentations or written publications
Anonymisation measures applied:
All identifying information is removed or altered before any case material is shared. This includes, but is not limited to:
- Names and contact details
- Dates of birth and specific ages (replaced with age ranges)
- Locations, workplaces, and educational institutions
- Specific family configurations or relationship details
- Any other details that could, individually or in combination, lead to the identification of the client
The focus of shared material is always on clinical themes, therapeutic processes, and professional learning, never on the personal identity of the client.
Informed consent requirement:
In accordance with Article 2.13 of the OPP Code of Ethics (Código Deontológico), the identity of the client is always protected in didactic and training contexts. If, despite anonymisation measures, there remains any possibility that a client could be identified by third parties, for example due to the uniqueness of the case, a small professional community, or the combination of details presented, I will obtain the client's prior informed consent before sharing such material.
Clients are informed about this practice at the start of the professional relationship as part of the informed consent process, and have the right to object to the use of their case material at any time, even in anonymised form.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in maintaining and improving professional standards through supervision and continuing professional development); Art. 9(2)(h) GDPR (processing for health care purposes by a professional subject to professional secrecy), applied to anonymised data where re-identification risk has been eliminated.
Note: Where data has been fully and irreversibly anonymised such that the client can no longer be identified, the data falls outside the scope of the GDPR (Recital 26). The measures described above are applied as a matter of professional ethics and best practice, beyond the minimum legal requirements.
h) Email Communication
I use Posteo (Posteo e.K., Berlin, Germany) as my email provider for all professional correspondence. Posteo is a privacy-focused email service hosted exclusively on servers located in Germany. All data transmissions are encrypted using TLS with Perfect Forward Secrecy. Posteo does not collect inventory data (names or addresses of account holders), does not store IP addresses, and operates on a principle of maximum data minimisation.
As a publicly accessible telecommunications service subject to German telecommunications law (TKG) and the Telecommunications Telemedia Data Protection Act (TTDSG), Posteo is not classified as a data processor under Art. 28 GDPR. A Data Processing Agreement is therefore not required.
When you send me an email, the following data is processed:
- Your email address
- The content of your message
- Date and time of the communication
- Technical metadata (e.g., sender server information)
Purpose: To conduct professional correspondence related to inquiries, scheduling, and the provision of services.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract or pre-contractual measures); Art. 6(1)(f) GDPR (legitimate interest in maintaining professional communication).
See: https://posteo.de/en/site/privacy_policy
i) Video Sessions
Online psychological sessions are conducted primarily through the It's Complicated platform, which provides an integrated GDPR-compliant video session environment.
In exceptional situations, sessions may be conducted via one of the following alternative platforms:
(i) Google Meet (Google Ireland Limited, Dublin, Ireland)
Google Meet is covered by the Google Workspace Data Processing Agreement. Google encrypts data in transit and offers EU data residency options. Google is certified under the EU–U.S. Data Privacy Framework.
See: https://policies.google.com/privacy
(ii) Microsoft Teams (Microsoft Ireland Operations Limited, Dublin, Ireland)
Microsoft Teams is covered by the Microsoft 365 Data Processing Agreement. Microsoft provides EU data boundary options and comprehensive encryption in transit and at rest. Microsoft is certified under the EU–U.S. Data Privacy Framework.
See: https://privacy.microsoft.com/privacystatement
(iii) WhatsApp Video Call (WhatsApp Ireland Limited, Dublin, Ireland / Meta Platforms)
WhatsApp video calls are protected by end-to-end encryption. However, WhatsApp (Meta) collects metadata (call duration, participants, timestamps, device information) and may share this with other Meta companies. WhatsApp video calls are used only in emergencies when other platforms are unavailable, and only with your consent.
See: https://www.whatsapp.com/legal/privacy-policy
(iv) Apple FaceTime (Apple Distribution International Ltd., Cork, Ireland)
FaceTime calls are protected by end-to-end encryption. Apple states that it does not store the content of FaceTime calls on its servers. FaceTime is used only in emergencies when other platforms are unavailable, and only with your consent.
See: https://www.apple.com/legal/privacy/
When an alternative platform is used for a session, I will inform you in advance and obtain your agreement. No session recordings are made on any platform.
Important: The fact that you are a client of a psychologist constitutes health-related information. By participating in a video session through any of these platforms, the platform provider may process technical metadata (such as the fact that a call took place, its duration, and device information). While the content of sessions is protected by end-to-end encryption (WhatsApp, FaceTime) or strong transport encryption (Google Meet, Microsoft Teams, It's Complicated), metadata processing by the platform provider cannot be fully prevented.
Purpose: To provide psychological services remotely.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract); Art. 9(2)(h) GDPR (processing for health care purposes by a professional subject to professional secrecy).
j) Messaging Apps (Scheduling Only)
For scheduling and administrative communication only, I may communicate with you via:
- WhatsApp (WhatsApp Ireland Limited, Dublin, Ireland / Meta Platforms)
- Signal (Signal Technology Foundation, California, USA)
These messaging apps are used exclusively for logistical purposes such as appointment scheduling, rescheduling, or brief administrative messages. No health-related data, clinical information, or session content is communicated via these channels.
WhatsApp: Messages are end-to-end encrypted. However, WhatsApp collects metadata and may share it with Meta companies. WhatsApp may transfer data to the United States under the EU–U.S. Data Privacy Framework and Standard Contractual Clauses.
See: https://www.whatsapp.com/legal/privacy-policy
Signal: Messages are end-to-end encrypted. Signal is designed with data minimisation principles — it does not store message content on its servers and collects minimal metadata. Signal is operated by a non-profit foundation.
See: https://signal.org/legal/
Purpose: To coordinate scheduling and administrative matters.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract); Art. 6(1)(f) GDPR (legitimate interest in efficient communication).
If you prefer not to use these messaging platforms, you can always contact me via email or through the It's Complicated platform.
k) Session Tools
During psychological sessions, I use the following digital tools for in-session visualisation, psychoeducation, systemic work, and therapeutic exercises:
(i) Coachingspace (Coachingspace GmbH, Stöcken 7, 42897 Remscheid, Germany)
An online platform purpose-built for coaching and therapy, offering integrated tools including:
- Constellation board (Systembrett)
- Inner Team
- Positioning maps
- Digital whiteboard
- Impulse / image cards
- Journal / collaborative notepad
When used in a session, coachingspace may process:
- Your name or display name
- Your email address (if invited to a session)
- Content created on boards and tools during the session
- IP address and device information
Coachingspace is hosted on Hetzner Online GmbH servers located in Germany. All data is transmitted in encrypted form and stored on German servers only.
Video conferencing within coachingspace is provided by Whereby (Video Communication Services AS, Måløy, Norway), a GDPR-compliant service within the EEA. Sessions with fewer than 4 participants are end-to-end encrypted. Whereby may transfer limited data to third countries (e.g., the USA) under EU Standard Contractual Clauses.
Coachingspace has concluded Data Processing Agreements (AVV/DPA) with both Hetzner and Whereby.
Coachingspace acts as a data processor on my behalf.
See: https://coachingspace.net/datenschutz
(ii) VISTEMA® Board (VISTEMA GmbH, Margaritenweg 9, A-2301 Groß-Enzersdorf, Austria)
A specialised systemic constellation and visualisation tool used for therapeutic exercises such as genogram work, board constellations, and systemic mapping. VISTEMA® operates on EU-based servers (ISO 27001 certified) and states full GDPR compliance. Sessions are conducted via encrypted rooms using token links.
See: https://vistema.org (Data protection section)
(iii) Microsoft PowerPoint (Microsoft Ireland Operations Limited, Dublin, Ireland)
Used for psychoeducational presentations. Presentation files are stored locally and are not shared with Microsoft beyond standard Microsoft 365 processing.
See: https://privacy.microsoft.com/privacystatement
No client names or identifying details are entered into coachingspace, VISTEMA®, or presentation tools unless this is part of the agreed process and you have been informed. Where possible, only initials, pseudonyms, or generic labels are used.
Content created on these platforms during sessions may contain therapeutically relevant information. I ensure that:
- Boards, tools, and presentations are not shared with third parties
- Session-specific content is deleted after the therapeutic purpose has been fulfilled, unless retention is agreed with you for ongoing therapeutic work
- Access is restricted to the session participants only
Purpose: To support and enhance the therapeutic process through visual and interactive methods.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract); Art. 9(2)(h) GDPR (processing for health care purposes by a professional subject to professional secrecy).
l) Client Records and Clinical Notes
Clinical session notes and client records are managed as follows:
Digital client records: Stored within the internal systems of the It's Complicated platform (GDPR-compliant, EU-based servers).
Handwritten session notes: Maintained in physical form and stored securely in a locked location accessible only to me.
No clinical or session data is stored in general-purpose cloud storage services (e.g., Google Drive, iCloud, Dropbox).
Handwritten notes are subject to the same professional secrecy obligations and retention periods as digital records.
Purpose: To maintain professional clinical records as required for the provision of psychological services and in compliance with OPP professional obligations.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract); Art. 6(1)(c) GDPR (legal obligation — professional record-keeping); Art. 9(2)(h) GDPR (processing for health care purposes by a professional subject to professional secrecy).
4. Cookies
This website uses cookies, small text files stored on your device.
Strictly necessary cookies: Required for the website to function properly. These do not require your consent.
Analytics and other cookies: Used only with your prior consent.
You can manage or disable cookies in your browser settings at any time. Please note that disabling certain cookies may affect the functionality of this website.
5. Third-Party Services and Data Recipients
This website and my professional activity involve the following third-party services, each of which may process personal data:
a) Website hosting: Wix.com Ltd. (Israel/EU infrastructure)
Role: Data processor
Wix processes data in accordance with GDPR and uses Standard Contractual Clauses (SCCs) for international data transfers.
See: https://www.wix.com/about/privacy
b) Booking platform and Video sessions (primary): It's Complicated (Mittelweg 50 Berlin GmbH)
Role: Data processor (for client data)
GDPR-compliant; data stored in EU data centres.
See: https://complicated.life/legal/privacy
c) Video sessions (alternative):
- Google Meet (Google Ireland Ltd.): Data processor
- Microsoft Teams (Microsoft Ireland Operations Ltd.): Data processor
- WhatsApp Video (WhatsApp Ireland Ltd. / Meta): Independent controller
- Apple FaceTime (Apple Distribution International Ltd.): Independent controller
Used only in exceptional circumstances with client consent.
d) Messaging:
- WhatsApp (WhatsApp Ireland Ltd. / Meta): Independent controller. Metadata may be shared with Meta companies.
- Signal (Signal Technology Foundation, USA): Independent controller. Minimal metadata collection. End-to-end encrypted.
e) Invoicing software: InvoiceXpress, Lda.
Role: Data processor
AT-certified invoicing software (Certification No. 192).
InvoiceXpress processes client billing data (name, address, NIF, email, invoice details) on my behalf for the purpose of issuing legally compliant invoices and reporting to the Portuguese Tax Authority.
InvoiceXpress may use sub-processors, including providers located in the United States, subject to GDPR-compliant safeguards.
See: https://invoicexpress.com/en/privacy-policy/
Data Processing Terms: https://invoicexpress.com/data-processing-terms/
f) Business banking: Revolut Bank UAB (Lithuania)
Role: Independent data controller
Revolut holds my business bank account and processes transaction data under its European Banking Licence and applicable banking regulations, including AML/KYC requirements. Revolut may transfer data outside the EEA subject to GDPR-compliant safeguards (SCCs).
See: https://www.revolut.com/legal/business-customer-privacy-notice/
g) Payment infrastructure: SIBS Forward Payment Solutions (Portugal)
Role: Independent data controller
SIBS operates the MB WAY and Multibanco interbank payment network. Transaction data is processed within the EU/EEA.
DPO: DataProtectionOfficer@sibs.com
See: https://www.sibs.com/privacy-policy/
h) Payment processing: Stripe Payments Europe, Limited (Ireland)
Role: Data processor (payment execution) and independent data controller (fraud prevention, regulatory compliance, platform security)
Stripe is certified under the EU–U.S. Data Privacy Framework and uses Standard Contractual Clauses (SCCs) for international data transfers where required. Stripe's DPA is automatically incorporated into the Stripe Services Agreement.
See: https://stripe.com/privacy
DPA: https://stripe.com/legal/dpa
i) Portuguese Tax Authority (Autoridade Tributária e Aduaneira — AT)
Role: Independent data controller
Invoice data is transmitted to the AT via the SAF-T (PT) reporting system and the e-Fatura platform, as mandated by Portuguese tax law. The AT processes this data under its own legal authority for tax compliance and enforcement purposes.
j) Tax advisory: Relocate Now (Relocate Now, Inc., Lisbon)
Role: Data processor
Relocate Now provides tax advisory, freelancer tax and social security management, and annual tax return submission services.
In this capacity, they may access invoice summaries, financial records, and business identification data. They do not receive any clinical or health-related data.
See: https://www.relocatenow.io/privacy-policy
k) Embedded content:
This website may embed content from third parties (e.g., Instagram, YouTube). When you interact with embedded content, those providers may collect data according to their own privacy policies.
l) Analytics: (e.g., Google Analytics).
If used, data is anonymised where possible.
m) Session tools:
- Coachingspace (Coachingspace GmbH, Remscheid, Germany): Data processor. Hosted on Hetzner servers in Germany. Integrated video via Whereby (Norway, EEA). DPAs in place with both sub-processors. See: https://coachingspace.net/datenschutz
- VISTEMA® Board (VISTEMA GmbH, Austria): Data processor. EU-hosted servers (ISO 27001). GDPR-compliant.
- Microsoft PowerPoint (Microsoft Ireland Operations Ltd.): Data processor under Microsoft 365 DPA
I do not sell, trade, or otherwise transfer your personal data to third parties for their own marketing purposes.
6. International Data Transfers
Some of the service providers I use may transfer personal data to countries outside the European Economic Area (EEA). Where this occurs, appropriate safeguards are in place, including:
- EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR
- EU adequacy decisions where applicable
- The EU–U.S. Data Privacy Framework, where certified
Specifically:
- Wix.com may process data in Israel (EU adequacy decision) and the United States (SCCs).
- InvoiceXpress may use sub-processors in the United States, subject to GDPR-compliant contractual safeguards as detailed in their Data Processing Terms.
- Stripe may transfer data to Stripe, Inc. in the United States. Stripe is certified under the EU–U.S. Data Privacy Framework and additionally incorporates the 2021 EU Standard Contractual Clauses (SCCs) in its Data Transfers Addendum as a fallback transfer mechanism.
- Google (Meet, PowerPoint/Microsoft 365) and Microsoft are certified under the EU–U.S. Data Privacy Framework and use SCCs as additional safeguards.
- WhatsApp (Meta) may transfer metadata to the United States under the EU–U.S. Data Privacy Framework and SCCs.
- Signal may process data in the United States; Signal's minimal data collection approach limits the scope of any such transfer.
- Posteo, It's Complicated, VISTEMA®, and SIBS process data exclusively within the EU/EEA.
- Apple (FaceTime) uses end-to-end encryption; Apple may transfer limited metadata internationally subject to SCCs and its published DPA terms.
- Revolut Bank UAB may transfer data outside the EEA to support its global operations, regulatory compliance, and fraud prevention. Such transfers are carried out in accordance with GDPR Chapter V safeguards, including Standard Contractual Clauses.
- SIBS (MB WAY) processes data within the EU/EEA.
- Coachingspace is hosted exclusively in Germany (Hetzner). Its integrated video service Whereby (Norway, EEA) may transfer limited data to the USA under EU Standard Contractual Clauses.
- VISTEMA® processes data exclusively within the EU (Austria).
No clinical or health-related client data is transferred outside the EEA.
7. Data Retention
I retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law:
Inquiry data (contact form/email): Deleted once the inquiry is concluded, unless a client relationship is established.
Client records and clinical data: Retained for a minimum of 5 years following the conclusion of the professional relationship, in accordance with professional best practice and the OPP Code of Ethics. Longer retention may apply where required by law or to protect legitimate interests (e.g., potential legal claims).
Invoicing and financial records (InvoiceXpress / AT): Retained for a minimum of 12 years in accordance with Portuguese tax and commercial law obligations (Código Comercial, Art. 40; Código do IRS). Invoice data reported to the Autoridade Tributária is retained by the AT in accordance with its own data retention policies.
Data held by tax advisors (Relocate Now): Financial and tax-related data shared with Relocate Now is retained for the duration of the advisory relationship and for a minimum period thereafter as required by Portuguese tax law. Upon termination of the advisory relationship, I will instruct Relocate Now to return or delete data in their possession, subject to any legal retention obligations.
Bank transaction records (Revolut): Revolut retains personal data for up to 10 years after the business relationship ends, in accordance with applicable banking, KYC, and anti-money laundering regulations.
MB WAY transaction data (SIBS): Retained by SIBS in accordance with its own policies and applicable Portuguese banking regulations.
Payment transaction data (Stripe): Stripe retains transaction data for the duration of the business relationship and thereafter as required by applicable law and financial regulations. As an independent data controller for certain processing activities, Stripe determines its own retention periods for fraud prevention and regulatory compliance data.
See Stripe's Privacy Policy for details.
After the applicable retention period, data is securely deleted or anonymised.
8. Your Rights
Under GDPR and Portuguese law, you have the right to:
- Access: Request confirmation of whether your personal data is being processed, and obtain a copy of that data (Art. 15 GDPR).
- Rectification: Request correction of inaccurate or incomplete data (Art. 16 GDPR).
- Erasure ("Right to be Forgotten"): Request deletion of your personal data, subject to legal and professional retention obligations (Art. 17 GDPR).
- Restriction of processing: Request that processing be temporarily limited in certain circumstances (Art. 18 GDPR).
- Data portability: Request your data in a structured, commonly used, machine-readable format (Art. 20 GDPR).
- Objection: Object to processing based on legitimate interest (Art. 21 GDPR).
- Withdrawal of consent: Where processing is based on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Please note: Certain data may be subject to professional secrecy obligations under the OPP Code of Ethics and Portuguese law. In such cases, the exercise of certain rights (e.g., erasure) may be limited to the extent necessary to comply with these obligations.
To exercise any of these rights, please contact me at: dr.maja.gruenzner@posteo.com
You also have the right to lodge a complaint with the Portuguese supervisory authority:
Comissão Nacional de Proteção de Dados (CNPD)
Avenida D. Carlos I, n.º 134, 1.º andar
1200-651 Lisboa, Portugal
9. Data Security
I implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or destruction. These include:
- Secure storage of clinical records (digital and/or physical)
- Use of GDPR-compliant service providers
Despite these measures, no method of data transmission or storage is completely secure. If you become aware of any security concern, please contact me immediately.
10. Confidentiality and Professional Secrecy
As a psychologist registered with the OPP, I am bound by strict professional secrecy (sigilo profissional) under the OPP Code of Ethics. Information shared in the context of psychological services is confidential and will not be disclosed to third parties without your explicit consent, except where:
- There is a serious and imminent risk to your life or safety or that of others
- Disclosure is required by a court order or legal obligation
- You have provided written authorisation for specific disclosure (e.g., to another health professional)
Anonymised case material (with all identifying details removed) may be used for professional supervision, teaching, or publication in accordance with Article 2.13 of the OPP Code of Ethics. Where any risk of identification remains, your explicit informed consent will be obtained beforehand.
11. Emergency Disclaimer
The services offered through this website do not provide crisis intervention or emergency care.
If you are experiencing an acute mental health crisis, please contact:
- Emergency services: 112 (European emergency number)
- SNS 24 (Portuguese health line): 808 24 24 24
- International helpline directory: https://findahelpline.com
12. Changes to This Privacy Policy
I reserve the right to update this Privacy Policy to reflect changes in legal requirements, professional obligations, or the services I provide. The current version is always available on this website. Material changes will be communicated where appropriate.