PRIVACY POLICY

Last Updated: February 13, 2026

This Privacy Policy explains how Sole Proprietor Oleksandra Dmytrivna Yusupova ("BeMyself," "we," "us") collects, uses, discloses, and protects personal data when using the BeMyself platform, including the website, applications, and related services ("Services"). We are committed to protecting personal data in accordance with the General Data Protection Regulation (GDPR) (EU) 2016/679, the Ukrainian Law "On Personal Data Protection," and other applicable data protection laws.

Data Controller: Sole Proprietor Oleksandra Dmytrivna Yusupova; Legal/Physical Address: Ukraine, 69118, Zaporizhzhia Oblast, Zaporizhzhia, Avtozavodska Street 40, Apartment 119.

Data Protection Officer (DPO): Email: dpo@bemyself.online — you may contact the DPO for any privacy-related inquiries.

Depending on the context, BeMyself acts as a Data Controller (the owner of personal data under the Ukrainian Law "On Personal Data Protection") or as a Data Processor.

BeMyself as Data Controller: BeMyself is an independent Data Controller for processing personal data related to user accounts, authentication, access management, billing, platform security, communications, marketing, and optional AI-based features.

BeMyself as Data Processor: When BeMyself processes personal data on behalf of corporate clients (e.g., employers providing access to Services for their employees), BeMyself acts as a Data Processor and processes such data strictly according to documented client instructions under a Data Processing Agreement (DPA). Corporate clients may request the DPA by contacting dpo@bemyself.online.

Professionals (Therapists): Professionals using the BeMyself platform act as independent Data Controllers with respect to therapeutic content, clinical decisions, and professional obligations to their clients. BeMyself does not determine the purposes or means of such processing.

Client Account: Name, email, phone, app ID. Purpose: account registration, matching with a professional, scheduling sessions, billing. Legal basis: Performance of a contract (Art. 6(1)(b) GDPR). Retention: account active period + 5 years.

Professional Registration: Name, contacts, licenses/degrees, CV, photo. Purpose: qualification verification, public profile creation. Legal basis: Performance of a contract (Art. 6(1)(b) GDPR). Retention: active profile + 5 years.

Real-time Video/Audio: Audio/video streams. Purpose: providing online therapy sessions. Legal basis: Performance of a contract (Art. 6(1)(b) GDPR). Retention: Not stored.

Platform Logs and Security: IP, device, browser, cookie ID, event logs. Purpose: fraud detection, integrity, usage statistics. Legal basis: Legitimate interest (Art. 6(1)(f) GDPR). Retention: 12 months.

Marketing (optional): Email, device ID. Purpose: sending product news and offers. Legal basis: Consent (Art. 6(1)(a) GDPR). Retention: until unsubscribed.

We never process health-related data without your explicit, separate consent.

We process personal data only when at least one of the following legal bases applies:

Performance of a Contract (Art. 6(1)(b) GDPR): processing necessary to provide the Services according to our Terms of Use.

Consent (Art. 6(1)(a) GDPR): processing based on your freely given consent, including marketing communications and optional cookies.

Explicit Consent (Art. 6(1)(a) and Art. 9(2)(a) GDPR): processing special categories of personal data.

Legitimate Interest (Art. 6(1)(f) GDPR): processing to ensure security, prevent fraud, and improve Services, provided these interests do not override your rights.

Legal Obligation (Art. 6(1)(c) GDPR): processing to comply with applicable Ukrainian and EU laws, including tax and accounting requirements.

We use cookies and similar technologies to operate and improve the Services. Cookies are small text files stored on your device that provide essential functionality, enhance user experience, and — with your consent — support analytics and marketing activities.

Types of Cookies: Strictly Necessary (authentication, session management); Functional (language, time zone); Analytical (Google Analytics, Mixpanel, Microsoft Clarity); Marketing (Google Ads, Meta/Facebook).

You can manage or withdraw your cookie consent at any time via the cookie banner or your browser settings. Blocking non-essential cookies may affect some features but will not prevent basic platform functionality.

Google Data: BeMyself uses and transfers information obtained from Google APIs in accordance with Google API Services User Data Policy, including limited use requirements.

Professionals on BeMyself: to provide therapeutic services. Guarantees: processors act according to our DPA; access is limited to sessions you book.

Cloud Hosting (EU): infrastructure provider, ISO 27001 certified, data encrypted at rest.

Payment Processor: to process payments. WayForPay LLC, licensed by the National Bank of Ukraine for financial payment services without opening an account (license No. 21/1064-rk, reissued 24.05.2024) and included in the Payment Infrastructure Registry; PCI-DSS Level 1 certified.

All production systems and personal data are stored and processed within the European Economic Area (EEA). Limited administrative or auxiliary access may occur from Ukraine under appropriate technical and organizational safeguards. We do not transfer or process personal data in the United States or other third countries outside the EEA.

Under the Ukrainian Law "On Personal Data Protection," cross-border transfers are allowed only to countries with an adequate level of data protection or with appropriate safeguards.

We implement technical and organizational measures to protect personal data, including:

Encryption: TLS 1.3 in transit, AES-256 at rest.

Access Control: role-based access (RBAC), multi-factor authentication (MFA) for employee login.

Monitoring: tamper-resistant audit logs, annual security audits.

Infrastructure: ISO 27001-certified hosting providers, regular backups.

In case of a personal data breach, we will: Notify the competent supervisory authority within 72 hours; Notify the Ukrainian Parliament Commissioner for Human Rights where required by law; Notify affected users without undue delay, if legally required; Document all breaches in our internal registry.

Contact for breach notifications: dpo@bemyself.online

Under GDPR and Ukrainian Law "On Personal Data Protection," you have the following rights: Access your personal data (Art. 15 GDPR); Rectify inaccurate personal data (Art. 16 GDPR); Delete your personal data ("right to be forgotten") (Art. 17 GDPR); Restrict processing of your personal data (Art. 18 GDPR); Object to processing (Art. 21 GDPR); Data portability — export your data (Art. 20 GDPR); Withdraw consent at any time (Art. 7 GDPR); Lodge a complaint with a supervisory authority.

To exercise your rights, email: dpo@bemyself.online

Our Services are intended for users aged 14 and older. We do not knowingly process data of children under 14 without verified parental or guardian consent. If we become aware that we have collected personal data of a child under 14 without consent, we will delete it.

Significant changes to this Privacy Policy will be communicated via email and a banner in the Services at least 15 days prior to taking effect. We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. Check the "Last Updated" date at the top to determine the current version.

The current version is always available at: https://bemyself.online/app/privacy-policy

Data Protection Officer (DPO): Email: dpo@bemyself.online

Postal Address: Sole Proprietor Oleksandra Dmytrivna Yusupova; Ukraine, 69118, Zaporizhzhia Oblast, Zaporizhzhia, Avtozavodska Street 40, Apartment 119

Supervisory Authorities: For complaints under the GDPR — Slovak Data Protection Authority; For complaints under Ukrainian law — Ukrainian Parliament Commissioner for Human Rights

This Privacy Policy is provided in the English language. A Ukrainian version is available on the website bemyself.online. In the event of any discrepancies between language versions, the English version shall prevail.