Your patient is never named
You decide what to call them: 'P-014', 'Monday 6pm case', whatever you like. We never learn who that is — no name, no ID number, no phone. If an outsider ever got in, they couldn't identify a single one of your patients.
No technical jargon, no promises in the fine print. Here's plainly what we do so neither a regulator nor your professional obligations keep you up at night.
You decide what to call them: 'P-014', 'Monday 6pm case', whatever you like. We never learn who that is — no name, no ID number, no phone. If an outsider ever got in, they couldn't identify a single one of your patients.
Your practice's data lives apart from everyone else's. No other clinician using VRET can peek in — not by mistake, not out of curiosity, not even if the app failed. The separation isn't a pretty screen; it's row-level tenant isolation enforced in the database itself.
Session notes, exposure markers, and recordings are stored on EU-hosted servers (Ireland and Germany) and are not copied to the United States. Payment, authentication, and support tools may process non-clinical data under standard EU data-transfer safeguards; we spell it out, no fine print, in the privacy policy.
The four situations that keep a practice up at night, and exactly what happens in each.
If ...a regulator or auditor asks for your data-processing records
Then: We hand you a dossier within 48 hours: the signed agreement, exactly what data we process on your behalf, where it lives, and for how long. Your compliance lead presents it and the conversation is over.
If ...someone tries to break into our systems
Then: Even if they got in, they'd read nothing: what's stored is scrambled with a key that only your access unlocks. If any incident occurred, we notify you within the 72 hours GDPR requires and support you through whatever you need to report.
If ...you decide to cancel and take your data with you
Then: You have 30 days to export everything into a file that opens in a spreadsheet or any clinical system. After 60 days we delete it from our systems. If regulation requires you to retain records, we help you archive them properly.
If ...a patient asks to see, correct, or delete their data
Then: You handle the request from your dashboard in minutes — the button to export, edit, or delete any case is right there. You meet the patient's right of access without opening a single support ticket.
We don’t ask you to trust a marketing page. Every one of these lines is written into the data agreement we sign with you on day one.
Only you and the people you grant access from your dashboard. The VRET team doesn't open your notes day to day. If resolving an incident required access, we ask first and it's logged so you can see it.
Yes. We sign a GDPR-grade DPA, ready to review. It's the document that governs the relationship between your practice (which decides what happens with the data) and us (who only process it on your instructions).
30 days to export everything. 60 days and we delete it from our systems. If regulation requires you to retain clinical records, we help you keep them properly outside the platform.
No. Your notes, markers, recordings, and metrics are not used to train AI models — not ours, not a third party's. It's written into the contract.
What's stored is unreadable to anyone without your access. Even if someone forced their way in, they couldn't read anything useful. And if it happened, we notify you within 72 hours. For security reports, use the channel in the footer.
In its current supporting role, no. VRET is a professional tool for your work: it doesn't diagnose, doesn't prescribe, doesn't replace your judgment, and isn't used autonomously without your supervision. Clinical indication and supervision stay with you as the licensed clinician.
Only the ones essential for VRET to run (payments, secure authentication), always under the legal safeguards the EU requires for data to leave the European space. The full list, no marketing, is in the data agreement.
Yes. If you'd rather keep your notes elsewhere, VRET is still useful for launching scenarios, controlling exposure, and reviewing session metrics. You decide what stays inside and what doesn't.
The full technical detail (subprocessors, international-transfer safeguards, technical and organizational measures, breach procedures) is in the downloadable data agreement. If you need anything else for a risk assessment or an audit, email us at contacto [arroba] vret.es with the subject “Security documentation + your practice name” and we’ll send it within 48 business hours.
Vulnerability reports or security incidents: seguridad [arroba] vret.es.