RealHealers

Data Processing Agreement (DPA)

Annex to the Guide Terms. Governs the processing of Users' personal data by the Guide (Controller) on behalf of which RealHealers GmbH (Processor) processes data under Art. 28 GDPR. The Polish version is binding.

Last updated: 2026-06-28

Parties and recitals

This Data Processing Agreement is an annex to the Guide Terms and is concluded between: RealHealers GmbH, with its registered office at Glatthof 6, 9245 Oberbüren, Switzerland, registered in the commercial register of the Canton of St. Gallen (hereinafter: „Processor” or „RealHealers”) and the Guide (hereinafter: „Controller” or „Guide”) upon the Guide's acceptance of the Terms. The Guide's identification data is the data provided by the Guide in the registration form or account panel.

Whereas: RealHealers operates a website at https://realhealers.com/ („Service”), through which it provides electronic services to Guides and Users, including functionalities for offering, booking, handling, conducting, or documenting Sessions;

an agreement for the use of the Service has been concluded between the Guide and RealHealers, under which the Guide uses the Service's functionalities to offer and provide services to Users;

the Guide provides services to the Service's clients („User”) on the basis of a separate session agreement concluded directly with the User;

in connection with providing services to Users, the Guide collects and processes Users' personal data, including special categories under Art. 9 GDPR, in particular data concerning physical and mental health and other information disclosed during the session;

to the extent the Guide uses the Service Functionalities, RealHealers may process Users' personal data on behalf of the Guide as a processor;

activities in which RealHealers processes personal data as a separate controller remain outside the scope of this Agreement, in particular in connection with operating the Service, account, payment, and settlement handling, Service security, analytics, abuse prevention, complaint handling, claim pursuit, and the fulfilment of its own legal obligations;

the Parties intend to regulate the processing of personal data entrusted by the Controller to the Processor in accordance with Regulation (EU) 2016/679 (GDPR). Fulfilling the obligation under Art. 28 GDPR, the Parties have agreed to conclude this Agreement with the following content.

§1 Subject of the agreement

The Controller entrusts the Processor with personal data for processing on the terms and for the purpose set out in this Agreement.

The Processor declares that it will process the entrusted personal data in accordance with this Agreement, the GDPR, and other data-protection laws.

For the purposes of this Agreement, the Parties establish the following meanings: Personal data — information about an identified or identifiable natural person within the meaning of Art. 4(1) GDPR, entrusted to the Processor under this Agreement within the scope set out in §3; Confidential data — any information, data, materials, documents, and personal data received from the Controller and persons cooperating with it, or obtained in any other way, in oral, written, electronic, or other form; Subprocessor — a third party to which RealHealers entrusts the further processing of personal data covered by the Agreement solely to the extent necessary to provide the Service Functionalities (in particular hosting, data storage, communication, transcription, note generation, or AI tools), under an agreement meeting the requirements of Art. 28 GDPR; Processing of personal data — any operation performed on personal data, whether by automated means or not; Terms — the document setting out the rules for electronic service provision by RealHealers to Guides and the conditions for using the Service; Service Functionalities — functionalities of the Service serving to prepare, handle, conduct, or document the Session provided by the Guide to the User (including communication, booking handling, storage of materials, recordings, automatic transcription, generation of notes or summaries, and AI tools), where available and used by the Guide.

§2 Declarations of the Parties

The Controller declares that it is a controller within the meaning of Art. 4(7) GDPR, who alone or jointly with others determines the purposes and means of processing.

The Processor declares that it is a processor within the meaning of Art. 4(8) GDPR, meaning it will process personal data on behalf of and on the instructions of the Controller.

The Guide acknowledges that RealHealers may also process Users' personal data as a separate controller, within the scope indicated in the Terms and RealHealers' privacy policy.

§3 Scope and purpose of processing

The entrustment of processing covers exclusively Users' personal data processed by RealHealers on behalf of the Guide in connection with the Guide's use of the Service Functionalities.

Processing of personal data by RealHealers as a separate controller remains outside the scope of this Agreement, in particular operating the Service, setting up and handling accounts, presenting Guide profiles, ensuring Service security, abuse prevention, complaint handling, claim pursuit, fulfilling legal obligations, product analytics, Service development, and third-party services, including payment handling.

The scope of entrusted data includes in particular: Users' identification data (first and last name, date of birth, gender); Users' contact data (phone number, e-mail address, postal address, if provided); data provided before the Session, including in voice recordings or other materials voluntarily provided by the User; data contained in communication between Guide and User conducted via the Service before the Session; data provided by the User during the Session; data contained in the Guide's voice notes, transcriptions, or short notes created using AI tools, if the User has given explicit consent.

The data referred to in para. 3(c)–(f) may include special categories within the meaning of Art. 9 GDPR, in particular data concerning mental and physical health, well-being, sex life, religious or philosophical beliefs, family relationships, personal experiences, life difficulties, traumas, or other particularly sensitive information.

The entrusted data will be processed by RealHealers solely to the extent necessary to provide, maintain, and technically operate the Service Functionalities used by the Guide.

The Controller is solely responsible for obtaining the consent referred to in para. 3(f) and for demonstrating that it was given.

The Guide is responsible, as a controller, for the lawfulness of processing, in particular for holding a proper legal basis, fulfilling information obligations toward Users, and obtaining required consents, including consents for recording, transcription, note creation, or AI tools, where required.

The Guide is responsible for the content of the data and materials entered into or transmitted via the Service and for the compliance of its instructions with the GDPR and other laws.

The Guide's documented instructions are: the Terms, this Agreement, the settings selected by the Guide in the Service, and the actions performed by the Guide while using the Service Functionalities.

§4 Obligations of the Processor

The Processor undertakes to: process personal data solely on the documented instructions of the Controller, unless the processing obligation arises from EU law, the law of a member state, or the law applicable to the Processor (in which case the Processor informs the Controller of that obligation before processing begins, unless the law prohibits such information on grounds of important public interest);

inform the Controller if, in the Processor's view, an instruction given to it infringes the GDPR or other data-protection provisions;

apply appropriate technical and organizational measures to ensure a level of security appropriate to the processing risk;

ensure that persons authorized to process personal data have committed to confidentiality or are under an appropriate statutory duty of confidentiality;

limit access to personal data to persons and entities for whom access is necessary to provide the Service Functionalities;

maintain a record of categories of processing activities, insofar as such an obligation arises from Art. 30(2) GDPR;

assist the Controller, taking into account the nature of processing and the information available to the Processor, in fulfilling the obligation to respond to data-subject requests and the obligations set out in Art. 32–36 GDPR;

inform the Controller about the use of automation or AI tools to the extent necessary for the Controller to fulfil its data-protection obligations.

The Processor's obligations regarding the use of Subprocessors, notification of data-protection breaches, demonstrating compliance, audit, and termination of the entrustment are set out in the further provisions of this Agreement.

§5 Sub-entrustment

The Processor may use Subprocessors to the extent necessary to provide the Service Functionalities. The Controller grants the Processor general authorization to use Subprocessors.

The current list of Subprocessors constitutes Annex No. 1 to this Agreement or is made available to the Controller in the Service, account panel, or in another manner indicated by the Processor.

The Processor ensures that Subprocessors are obliged to protect personal data to the extent required by Art. 28 GDPR.

The Processor informs the Controller of a planned change of Subprocessor in the manner adopted for communicating with Guides. The Controller may raise a justified objection to the change within 14 days of receiving the information, solely on grounds related to data protection.

Absence of objection within the period referred to in para. 4 constitutes acceptance of the change of Subprocessor.

Raising an objection does not limit the Processor's right to make a change of Subprocessor if it is necessary to ensure the continuity, security, or compliance of the Service. In such a case, the Controller may discontinue the affected Service Functionalities or terminate the agreement for the use of the Service.

§6 Breach notification

The Processor notifies the Controller of a detected breach of the protection of personal data covered by this Agreement without undue delay, no later than within 48 hours of detecting it.

The notification includes information available to the Processor and necessary for the Controller to assess the breach and fulfil its GDPR obligations, in particular where possible: a description of the nature of the breach; the categories and approximate number of data subjects; the categories and approximate number of personal-data records concerned; the likely consequences of the breach; the measures taken or proposed to address the breach or mitigate its effects; the contact point from which more information can be obtained.

The Processor may provide information about the breach in phases if complete information is not available at the time of the first notification.

§7 Right of audit

The Processor makes available to the Controller the information necessary to demonstrate compliance with the obligations under Art. 28 GDPR, regarding the data processed on behalf of the Controller.

A standard documentary audit, carried out no more than once per calendar year and not requiring non-standard involvement of the Processor, is conducted without additional charges.

If an audit requires non-standard involvement of the Processor, the preparation of additional materials, the participation of the Processor's employees or associates, external advisors, translations, meetings, additional technical analyses, data exports, or other activities going beyond a standard documentary audit, the Processor may make such activities conditional on the Controller covering the reasonable costs of carrying them out.

An audit at the Processor's premises or another location used by the Processor may take place only in exceptional and justified cases, after prior agreement on the date, scope, rules, and costs, preserving confidentiality and without access to data of other clients, Users, Guides, or the Processor's trade secrets.

The Controller bears its own audit costs and the Processor's reasonable audit-related costs, to the extent the audit goes beyond the standard documentary audit referred to in para. 2.

The Processor may refuse or limit an audit if the request is excessive, disproportionate, threatens the security of the Service, infringes the rights of third parties, or could lead to disclosure of the Processor's trade secrets.

§8 Transfers outside the European Economic Area

The Processor is established in Switzerland. The European Commission has issued an adequacy decision for Switzerland, allowing the transfer of personal data without additional transfer mechanisms.

When transferring personal data to a third country or international organization for which the European Commission has not issued an adequacy decision, the Processor applies an appropriate transfer mechanism provided by the GDPR, in particular standard contractual clauses approved by the European Commission, binding corporate rules, an appropriate certification mechanism (if applicable), or another permissible transfer basis under the GDPR.

The Controller acknowledges that providing the Service Functionalities may require the use of Subprocessors established or processing data outside the EEA, in accordance with the rules of this paragraph and Annex No. 1.

§9 Liability

The Processor's liability toward the Controller under this Agreement is limited to the actual damage suffered by the Controller solely through the Processor's fault, subject to mandatory law and the liability limits provided in the Terms.

The Processor is not liable for breaches resulting from the Controller's actions or omissions, in particular the lack of a legal basis, failure to fulfil information obligations, lack of required consents, unlawful instructions, the content of data entered by the Controller, or use of the Service inconsistent with the Terms.

If the Processor incurs liability, costs, a penalty, compensation, or other expenses in connection with the Controller's breach of obligations, the Controller will reimburse the Processor's reasonable costs, compensation, and expenses incurred on that account, to the extent permitted by law.

No provision of this Agreement excludes or limits liability toward data subjects to the extent that such exclusion or limitation would be impermissible under the GDPR.

§10 Term of the Agreement

The Agreement enters into force on the day the Guide accepts the Terms and is in effect for the duration of the agreement for the use of the Service concluded between the Guide and RealHealers.

The entrustment of processing is in effect for the period of the Controller's use of the Service Functionalities and, after its end, solely for the period necessary to delete, return, anonymize, or secure the data in accordance with the Processor's technical procedures, unless further storage is required by law, necessary to establish, pursue, or defend claims, ensure Service security, or fulfil the Processor's obligations as a separate controller.

After the Service Functionalities end, the Processor, at the Controller's choice, deletes or returns the entrusted data, unless further storage is permissible under para. 2. If the Controller does not provide the Processor with different instructions within the period indicated by the Processor, the Processor may delete or anonymize the data in accordance with its technical and retention procedures.

Deletion of data from backups may take place at a later date resulting from the Processor's backup cycle and security procedures, provided the data remains secured against unauthorized access and is not actively used.

§11 Conditions of termination

This Agreement expires upon the termination of the agreement for the use of the Service concluded between the Controller and the Processor, unless further processing is permissible under §10.

The Controller may not terminate this Agreement separately from the agreement for the use of the Service, subject to rights arising from mandatory law.

In the event of the Processor's breach of obligations under this Agreement, the Controller may use the means provided in the Terms or in mandatory law.

§12 Confidentiality

The Processor undertakes to keep Confidential Data secret and not to disclose it to third parties, except for Subprocessors or persons authorized by the Processor to process personal data.

The Processor declares that, in connection with the confidentiality obligation, Confidential Data will not be used, disclosed, or made available without the Controller's written consent for any purpose other than performing the Agreement.

The confidentiality obligation does not cover information: that is publicly known, unless it acquired that status through a breach of this confidentiality clause; whose disclosure is required by law, solely to the necessary extent; whose disclosure is demanded by an authorized body in the form and content provided by law, solely to the extent demanded.

Disclosure of any Confidential Data requires the Controller's prior written consent; in the cases referred to in para. 3, instead of consent, written notification of the Controller of the disclosure is required.

§13 Final provisions

In matters not regulated by the Agreement, the provisions of the GDPR and the relevant provisions of Polish law apply.

If any provision of the Agreement proves invalid, ineffective, or unenforceable, this does not affect the validity, effectiveness, or enforceability of the remaining provisions. The Parties undertake to replace invalid, ineffective, or unenforceable provisions with ones closest to those replaced and compliant with the law.

The Processor may amend this Agreement on the terms provided for amending the Terms.

In the event of a conflict between this Agreement and the Terms, this Agreement prevails, solely with respect to the entrustment of processing of personal data.

Annex No. 1 — List of Subprocessors forms an integral part of the Agreement.

Annex No. 1 — List of Subprocessors

The Controller accepts that the Processor uses the following entities to provide the Service Functionalities (name — processing purpose — location/transfer basis):

Supabase Inc. — hosting of databases, files, logic — Frankfurt, Germany (EU/EEA).

Stripe Payments Europe Limited — payment handling (subscriptions, payments for services provided by Guides to Users), commission settlement — Dublin, Ireland (EU/EEA). Data may be transferred to the USA (Stripe, Inc.) on the basis of the EU-U.S. Data Privacy Framework (DPF) adequacy decision and Standard Contractual Clauses (SCC).

Resend, Inc. — sending transactional e-mails — USA; SCC.

Cloudflare, Inc. — network security, DDoS protection, CDN, traffic routing — USA; SCC, DPF.

Vercel, Inc. — hosting and maintenance of the Service — USA; SCC, DPF.

Anthropic, PBC — AI-based functionalities, generating notes and session summaries, processing transcriptions — USA; SCC.

Mapbox — maps, locations, and place search — USA; SCC.

PostHog, Inc. — product analytics, Service usage statistics, event analysis — EU or USA.

Sentry — error monitoring, diagnostics, security and stability of the Service — USA; SCC, DPF.

Data Processing Agreement (DPA) — RealHealers.com | RealHealers