IMHC — Privacy notice

i.

Data controller

The data controller for your personal information — the party that decides how and why your data is processed — is:

Controller: IMHC — International Mental Health Centre (in preparation)
Represented by Tatiana von Hanau, Founder
Legal entity: PENDING Operating GmbH (to be confirmed before launch)
Email: tatiana.vonhanau@imhc.at
Base: Vienna, Austria

You can reach us at any time about your data by emailing the address above. If you need a formal data-protection contact, please mark your email "data protection query."

ii.

Our principles

Before describing our processing in detail, a few commitments we will not break:

We collect only the personal data we need to do what we are doing — matching you, evaluating an application, or processing a gift.
We do not sell or rent personal data to third parties. Ever.
We do not use personal data for advertising or marketing beyond what you explicitly consent to.
Sensitive health-related information shared in the context of a matching request is treated with extra care — accessible only to those directly involved in making the match.
You can ask us to delete your data at any time, and we will — unless the law requires us to keep it (for example, for tax records after a donation).

iii.

What data we collect, and why

We collect personal data only when you give it to us through one of our forms. We do not use trackers, advertising cookies, or behavioural fingerprinting. Here is every category of data we currently collect during the pre-launch period:

Newsletter signup (home page)

What: Email address.
Why: To write to you once — when IMHC opens for operation. That is the only message we will send.
Legal basis: Your consent (GDPR Art. 6(1)(a)).
Retained: Until launch notification is sent, or until you ask us to remove you, whichever comes first.

Client matching request

What: First name, optionally last name, email, preferred language for correspondence, the person you are seeking therapy for (yourself, a family member, etc.), preferred language for therapy, session format (in-person / online / either), location, topics you would like to work on, optional preferences (therapist gender, age, urgency), and anything else you choose to share in free-text fields.
Why: To match you with a suitable mental health professional, and to write to you with the result.
Legal basis: Your consent (GDPR Art. 6(1)(a)), and — because topics you share may constitute health data (GDPR Art. 9) — your explicit consent to process special categories of data (Art. 9(2)(a)).
Retained: Up to 24 months after your matching request is completed, unless you ask us to delete it sooner. If no match is made, up to 12 months. You may withdraw consent at any time.

Professional application (centre-based or independent)

What: Full name, contact details, professional licensure details (issuing authority, licence number, year of issue), training and clinical experience, therapeutic modalities and specialisations, languages you work in clinically, practice logistics (location, rate, availability), professional indemnity and supervision information, disclosure of any past sanctions, and your motivation for joining IMHC.
Why: To evaluate your application, verify your credentials with the issuing authority, and — if accepted — match you with appropriate clients. If not accepted, to write to you with our decision.
Legal basis: Pre-contractual steps at your request (GDPR Art. 6(1)(b)) for evaluation; legitimate interest (Art. 6(1)(f)) for verification and network operations; your consent (Art. 6(1)(a)) for any processing beyond this.
Retained: Successful applicants — for the duration of your listing with IMHC and up to 24 months after you leave the network. Unsuccessful applicants — up to 12 months from the decision, so we can reconsider if circumstances change. Withdrawn applications — up to 3 months.

International waitlist registration

What: First and last name, email, country of licence, country of residence, profession, year qualified, languages you work in clinically, and an optional note.
Why: To contact you when IMHC opens its second phase to internationally-licensed professionals.
Legal basis: Your consent (GDPR Art. 6(1)(a)).
Retained: Up to 24 months, or until you ask us to delete you.

Donor notification

What: First name, optionally last name, email, intended gift amount, intended recipient group, whether you are giving personally or through an organisation, and optional free-text reason for giving.
Why: To notify you when IMHC opens, so you can complete your intended gift then. No payment is processed at this stage.
Legal basis: Your consent (GDPR Art. 6(1)(a)).
Retained: Up to 12 months, or until you ask us to delete you. Once a gift is actually made, separate retention rules apply under Austrian tax law (generally 7 years for financial records).

Direct email contact

What: Your email address, name, and whatever you write to us.
Why: To reply to you.
Legal basis: Your consent (Art. 6(1)(a)), or legitimate interest in handling correspondence (Art. 6(1)(f)).
Retained: As long as needed to handle your query, plus 12 months for reference. Longer retention applies if the correspondence relates to a contractual or legal matter.

What we do not collect

We do not use advertising or analytics cookies that track you across sites.
We do not collect browsing behaviour, click paths, or heat maps.
We do not enrich your data from third-party sources or data brokers.
We do not request documents or proof-of-identity during the waitlist or notification stages.

iv.

Legal basis for processing

Under GDPR Article 6, we process your personal data only on one of the following lawful bases:

Consent (Art. 6(1)(a)) — when you tick a box or submit a form knowing why we are asking.
Performance of a contract (Art. 6(1)(b)) — for professional applications and eventual service contracts, processing that is necessary to take steps at your request before entering into a contract.
Legitimate interest (Art. 6(1)(f)) — for verifying credentials of applicants, responding to correspondence, and operating the network responsibly. We balance this interest against your rights and will explain our reasoning on request.

Where information we collect may constitute special category data under GDPR Article 9 — such as health-related content you share in a matching request — we rely on your explicit consent (Art. 9(2)(a)).

v.

How long we keep your data

Retention periods for each data type are listed in section iii above. As a general principle:

We keep personal data only as long as needed for the purpose we collected it.
We review retention every 12 months and delete what is no longer needed.
Some records must be kept longer by law — particularly financial records (generally 7 years under Austrian tax law) and records relating to ongoing legal claims.
You can ask us to delete your data at any time (see section viii).

vi.

Who sees your data

Within IMHC during the pre-launch period, personal data is accessed only by the founder and — once the review team is assembled — designated reviewers on a need-to-know basis.

We use the following third-party processors, each bound by written data-processing agreements (GDPR Art. 28):

Website hosting: Netlify, Inc. (United States) — static website hosting. The website itself does not store personal data; data is submitted to separate backend services described below.
Email: Google LLC (Google Workspace) — for correspondence sent to and from @imhc.at addresses. Data processing agreement in place; transfer to the US governed by Standard Contractual Clauses (see section vii).
Form submissions: PENDING The backend that receives form submissions is in selection; we will confirm the provider, location, and data-processing agreement before forms actually save submissions. During the current pre-launch preview period, no form data is persistently stored.

Matched mental health professionals will see the matching information of clients they are matched with, under a separate professional confidentiality obligation. We will publish the final list of processors and their locations before IMHC opens for operation.

vii.

International transfers

Some of our processors are based outside the European Economic Area (EEA), primarily in the United States. Where this is the case, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission under GDPR Art. 46(2)(c) as the legal basis for transfer.

Specifically:

Netlify (US) — website hosting. Data transferred consists only of page requests and standard server logs; no form-submitted personal data is stored by Netlify.
Google Workspace (US) — email. All email correspondence to and from @imhc.at addresses is processed on Google's infrastructure. Google provides SCCs as part of its Workspace data-processing terms.

We will prefer EU-based providers for any processor that stores personal data from our forms. The selection of backend for form submissions (see section vi) is being made with EU data residency as a requirement.

viii.

Your rights

Under GDPR Articles 15–22, you have the following rights regarding your personal data:

Right of access (Art. 15) — you can ask us what data we hold about you, and receive a copy.
Right to rectification (Art. 16) — you can ask us to correct information that is wrong or incomplete.
Right to erasure (Art. 17) — you can ask us to delete your data, subject to limited exceptions.
Right to restriction (Art. 18) — you can ask us to stop processing your data temporarily in certain circumstances.
Right to data portability (Art. 20) — you can ask us to send your data to you, or to another controller, in a structured machine-readable format.
Right to object (Art. 21) — you can object to processing based on legitimate interest.
Right to withdraw consent — where our processing is based on your consent, you can withdraw that consent at any time, without affecting the lawfulness of processing before the withdrawal.

To exercise any of these rights, email tatiana.vonhanau@imhc.at with the subject "data rights request." We will respond within one month, as required by GDPR Art. 12(3).

ix.

Complaints

If you believe your rights have not been respected, you have the right to complain to a supervisory authority. In Austria, this is:

Authority: Österreichische Datenschutzbehörde (DSB)
Address: Barichgasse 40–42, 1030 Wien, Austria
Email: dsb@dsb.gv.at
Website: dsb.gv.at

We would prefer you contact us first so we can try to resolve the issue directly — but you do not have to, and your right to complain to the DSB is absolute.

x.

Changes to this notice

We will update this notice as IMHC evolves — particularly before launch, when the legal entity, backend processors, and retention schedules will be finalised. The "last reviewed" date at the top of this page will always show when the notice was most recently updated. We will notify anyone currently on our lists of material changes that affect how their data is processed.