Security & GDPR

Security and GDPR: your patient never appears, and your practice stays walled off

No technical jargon, no promises in the fine print. Here's plainly what we do so neither a regulator nor your professional obligations keep you up at night.

Your patient is never named

You decide what to call them: 'P-014', 'Monday 6pm case', whatever you like. We never learn who that is — no name, no ID number, no phone. If an outsider ever got in, they couldn't identify a single one of your patients.

Your practice, a separate vault

Your practice's data lives apart from everyone else's. No other clinician using VRET can peek in — not by mistake, not out of curiosity, not even if the app failed. The separation isn't a pretty screen; it's row-level tenant isolation enforced in the database itself.

Your clinical data stays in the EU

Session notes, exposure markers, and recordings are stored on EU-hosted servers (Ireland and Germany) and are not copied to the United States. Payment, authentication, and support tools may process non-clinical data under standard EU data-transfer safeguards; we spell it out, no fine print, in the privacy policy.

What we don't do

Sometimes trust is earned by what you don't do.

  • We don't train AI on your notes. Ever. It's in the contract.
  • We don't sell data. We don't share it with marketing. We don't mine it 'to improve the product'.
  • We don't read what you write. If resolving an incident required access, we ask first and it's logged.
  • We don't force you to enter clinical data you don't want to. You can use VRET without writing a single note.
  • We don't hide behind jargon. If a clause isn't clear on the first read, it's badly written and we fix it.
What happens if...

What worries you, handled before it happens.

The four situations that keep a practice up at night, and exactly what happens in each.

If ...a regulator or auditor asks for your data-processing records

Then: We hand you a dossier within 48 hours: the signed agreement, exactly what data we process on your behalf, where it lives, and for how long. Your compliance lead presents it and the conversation is over.

If ...someone tries to break into our systems

Then: Even if they got in, they'd read nothing: what's stored is scrambled with a key that only your access unlocks. If any incident occurred, we notify you within the 72 hours GDPR requires and support you through whatever you need to report.

If ...you decide to cancel and take your data with you

Then: You have 30 days to export everything into a file that opens in a spreadsheet or any clinical system. After 60 days we delete it from our systems. If regulation requires you to retain records, we help you archive them properly.

If ...a patient asks to see, correct, or delete their data

Then: You handle the request from your dashboard in minutes — the button to export, edit, or delete any case is right there. You meet the patient's right of access without opening a single support ticket.

Our commitment

We say it on the site. We sign it in the contract.

We don’t ask you to trust a marketing page. Every one of these lines is written into the data agreement we sign with you on day one.

GDPR-grade DPA
We sign it with you, ready for your compliance lead.
Breach notice
Within 72 hours, as the law requires. In writing.
Audit support
A dossier within 48 business hours if you're audited.
Continuity
If VRET ever shuts down, 90 days' notice and your data in an open format.
FAQ

What we're asked before signing

Who can read my patients' notes?

Only you and the people you grant access from your dashboard. The VRET team doesn't open your notes day to day. If resolving an incident required access, we ask first and it's logged so you can see it.

Do you sign a data processing agreement for my compliance lead?

Yes. We sign a GDPR-grade DPA, ready to review. It's the document that governs the relationship between your practice (which decides what happens with the data) and us (who only process it on your instructions).

If I cancel, what happens to everything I have inside?

30 days to export everything. 60 days and we delete it from our systems. If regulation requires you to retain clinical records, we help you keep them properly outside the platform.

Do you use what I write to train AI?

No. Your notes, markers, recordings, and metrics are not used to train AI models — not ours, not a third party's. It's written into the contract.

What if you get hacked?

What's stored is unreadable to anyone without your access. Even if someone forced their way in, they couldn't read anything useful. And if it happened, we notify you within 72 hours. For security reports, use the channel in the footer.

Is VRET a certified medical device?

In its current supporting role, no. VRET is a professional tool for your work: it doesn't diagnose, doesn't prescribe, doesn't replace your judgment, and isn't used autonomously without your supervision. Clinical indication and supervision stay with you as the licensed clinician.

Do you work with vendors outside the EU?

Only the ones essential for VRET to run (payments, secure authentication), always under the legal safeguards the EU requires for data to leave the European space. The full list, no marketing, is in the data agreement.

Can I use VRET without entering clinical data?

Yes. If you'd rather keep your notes elsewhere, VRET is still useful for launching scenarios, controlling exposure, and reviewing session metrics. You decide what stays inside and what doesn't.

Compliance lead, counsel, or IT? Here’s the detail.

The full technical detail (subprocessors, international-transfer safeguards, technical and organizational measures, breach procedures) is in the downloadable data agreement. If you need anything else for a risk assessment or an audit, email us at contacto [arroba] vret.es with the subject “Security documentation + your practice name” and we’ll send it within 48 business hours.

Vulnerability reports or security incidents: seguridad [arroba] vret.es.