Privacy Policy

Effective Date: 2025-04-01

1. Introduction

Welcome to www.anxiety-therapy.com (the “Website”), operated by Dr. Thomas Blank (“I”, “me”, “my”, “the Practice”). I am committed to protecting your privacy and handling your personal data transparently and securely. This Privacy Policy explains what personal information may be collected, how it is used and shared, and your rights regarding your data when you visit or interact with this Website.

Please read this policy carefully. By using this Website, you acknowledge you have understood the terms described herein. Your use of certain features (like analytics tracking or scheduling) may be subject to your consent as detailed below.

2. Data Controller

The data controller responsible for personal data collected directly through this Website is:

Dr. Thomas Blank
Email: office@anxiety-therapy.com

3. Information Collected

I may collect the following types of personal information:

  • Information You Provide Directly:

    • Contact Form: When you submit the contact form, I collect your Name, Email Address, Country, Message, and potentially a unique browser session identifier (UID) generated during your visit. This information is processed by the Website’s secure backend function and stored securely in a database hosted by Supabase, solely for the purpose of responding to your inquiry and managing communication. If you voluntarily include sensitive health information in your message, it is processed under professional secrecy obligations necessary for potentially providing healthcare services.
    • Scheduling: When you book an introductory call using the embedded Calendly widget, Calendly collects information necessary for scheduling (e.g., name, email address, potentially phone number) as requested by their booking form. This data is processed directly by Calendly according to their privacy policy; the Practice does not store this scheduling data directly outside of Calendly.
  • Information Collected Automatically:

    • Website Usage & Interaction Data: If you provide consent for analytics/tracking via the cookie consent banner, custom tracking events are sent via a secure Netlify Function to a Supabase database. Data collected may include: a unique session identifier (UID) stored temporarily in your browser’s sessionStorage (not used for cross-site tracking), event type (e.g., ‘page_view’, ‘page_hide’, clicks), URL visited, timestamp, general geographic location (derived from IP address processed by Netlify/Supabase), browser/device type. This data is used in aggregate to understand website usage patterns and improve the site, and is not combined with identifiable information from contact forms unless necessary for technical troubleshooting.
    • Website Analytics Data: If you consent to analytics cookies via the cookie consent banner, Google Analytics (deployed via GTM) collects information about your interaction with the website. This typically includes your IP address (often anonymized depending on settings), device/browser details, pages viewed, session duration, clicks, scroll depth, and general geographic location.
    • Server Log Data: Netlify, my hosting provider, automatically logs standard technical information necessary for operating and securing the website. This may include your IP address, browser type, operating system, referring URLs, access times, and pages visited.
    • Split Testing Data: If I run A/B tests via Netlify, a cookie may be used only with your consent via the cookie banner to ensure you consistently see the same page version during your visit. This contains anonymous test identifiers.

4. How Your Information is Used

  • To Respond to Your Inquiries: Using contact form data stored in Supabase to reply to your messages.
  • To Schedule Appointments: To facilitate booking introductory calls via the integrated Calendly service.
  • To Operate, Maintain, and Secure the Website: Using server logs and necessary service functions provided by Netlify.
  • To Analyze and Improve the Website: Using aggregated Supabase tracking data and (if consented) Google Analytics data to understand user behavior, optimize content, diagnose technical issues, and enhance user experience.
  • To Optimize Website Design: Using Netlify A/B testing data (if consented) to improve site effectiveness.
  • To Measure Advertising Effectiveness: If Google Ads are implemented, using associated data (if consented) to understand campaign performance.
  • To Comply with Legal Obligations: If required by law, regulation, or legal process.

5. Legal Basis for Processing (GDPR/Equivalent Frameworks)

  • Responding to Contact Form Inquiries: Processing based on my legitimate interest in responding to your requests (Art. 6(1)(f) GDPR) or taking steps at your request prior to potentially entering into a contract/therapeutic relationship (Art. 6(1)(b) GDPR). If sensitive health data is voluntarily provided, processing is based on necessity for healthcare provision/management under professional secrecy obligations (Art. 9(2)(h) GDPR), or potentially consent if specifically requested.
  • Scheduling Appointments (Calendly): Processing based on the necessity to perform a service requested by you (booking a call) (Art. 6(1)(b) GDPR).
  • Operating and Securing the Website (Server Logs): Processing based on my legitimate interest in maintaining website security and functionality (Art. 6(1)(f) GDPR).
  • Website Usage/Interaction Tracking (Supabase via Function), Analytics (Google Analytics), Split Testing (Netlify), Ad Tracking: Processing based solely on your freely given, specific, informed, and unambiguous consent (Art. 6(1)(a) GDPR), obtained via the cookie consent banner before non-essential cookies are set or tracking scripts (managed via GTM) are executed.

6. Cookies, Google Tag Manager, and Consent

This Website uses cookies (small text files stored on your device) and Google Tag Manager (GTM). GTM acts as a container to manage the deployment of other scripts/tags based on rules and your consent. This website does not use Google Fonts.

  • Essential Cookies: May be used by Netlify for core functionality (like load balancing or security features). These typically do not require consent under the ePrivacy Directive as they are strictly necessary.
  • Non-Essential Cookies/Tags:
    • Analytics: Sets cookies (e.g., _ga, _gid) to distinguish users and analyze traffic. Requires your consent.
    • Tracking: The firing of the tracking code sending data to Supabase (managed by GTM) is subject to your consent status. This specific tracking does not directly set cookies itself but relies on the UID in sessionStorage.
    • Split Testing: Sets a cookie to manage A/B test variations if tests are active. Requires your consent.
    • Scheduling: The embedded Calendly widget may set functional cookies necessary for its operation, subject to their policies and potentially banner consent depending on configuration.
    • Advertising: Google Ads cookies/pixels for conversion tracking/remarketing. Requires your consent.

Consent Management: I use a cookie consent banner/tool to request your opt-in consent before any non-essential cookies are placed or non-essential tracking/advertising tags (managed by GTM) are fired. You can review or change your consent preferences at any time, typically via a link or icon provided by the consent tool.

7. Data Sharing and Third-Party Processors

I do not sell your personal data. Information is shared only as necessary with the following third-party service providers acting as data processors or controllers under appropriate data protection agreements where applicable:

  • Netlify: Hosts the website, processes server logs, executes the custom tracking and form submission functions, and manages split tests. Netlify Privacy Policy
  • Supabase: Stores website usage/interaction data (pageuser, events tables) and contact form submissions (form_submissions) sent via Netlify Functions. Supabase acts as a data processor. Supabase Privacy Policy
  • Google: If consent is given, processes analytics data, manages tag deployment, and will process advertising data, subject to your consent and Google’s policies. Google typically acts as an independent controller for Analytics data. Google Privacy Policy, Google Analytics Data Processing Terms
  • Calendly: Processes information you provide when booking appointments via the embedded widget. Calendly acts as a data controller for the data you submit directly to them. Calendly Privacy Policy
  • Zoho: Processes notification emails sent upon form submission (both success notifications and fail-safe alerts), including sender (office@anxiety-therapy.com), recipient ([Your Notification Email]), and the submitted form data contained within the notification email content. Zoho acts as a data processor for this email sending task. Zoho Privacy Policy

8. Data Retention

  • Contact Form Submissions (in Supabase): Retained in the form_submissions table for 14 months as required by professional record-keeping guidelines or until no longer needed for the purpose of communication, whichever is later.
  • Supabase Tracking Data: Aggregated or pseudonymized tracking data in the pageuser and events tables is retained for 14 months for website analysis purposes.
  • Google Analytics Data: Retained according to the data retention settings configured in my Google Analytics account (typically 14 or 26 months), after which user/event-level data is automatically deleted by Google. Aggregated reports remain.
  • Calendly Data: Retained according to Calendly’s policies and your interactions with them.
  • Server Logs (Netlify): Retained according to Netlify’s standard policies, typically for short periods (e.g., 30 days) for security, debugging, and operational purposes.

9. Data Security

I implement reasonable technical and organizational security measures, including HTTPS encryption for the Website, to protect your data against unauthorized access, disclosure, alteration, or destruction. However, please be aware that no method of transmission over the Internet or electronic storage is 100% secure.

10. Your Data Protection Rights

Depending on your location and applicable data protection laws (e.g., GDPR for EU/EEA residents, UK GDPR, CCPA/CPRA for California residents), you may have certain rights regarding your personal data. These may include the right to:

  • Access: Request a copy of the personal data held about you.
  • Rectification: Request correction of inaccurate personal data.
  • Erasure (“Right to be Forgotten”): Request deletion of your personal data under certain conditions.
  • Restriction of Processing: Request limitation of how your personal data is processed under certain conditions.
  • Object to Processing: Object to processing based on legitimate interests under certain conditions.
  • Data Portability: Request your data in a structured, machine-readable format under certain conditions.
  • Withdraw Consent: Withdraw your consent at any time for processing based on consent (like analytics or non-essential cookies), without affecting the lawfulness of processing before withdrawal.

To exercise your rights regarding data processed directly by the Practice (specifically data stored in the Supabase form_submissions, pageuser, and events tables), please contact me using the details provided in Section 2.

For rights related to data controlled primarily by third parties (e.g., data you submitted directly to Calendly, data collected by Google Analytics based on your consent), please refer to their respective privacy policies or use the tools they provide (like Google Analytics opt-out mechanisms or Calendly account settings).

You also generally have the right to lodge a complaint with a relevant data protection supervisory authority if you believe your rights have been infringed.

11. International Data Transfers

As I utilize global service providers, your personal data may be processed by these third parties (Netlify, Supabase, Google, Calendly, Zoho) in countries outside of your country of residence, including the United States. These providers are responsible for ensuring that appropriate safeguards are in place for such transfers, often relying on mechanisms like Standard Contractual Clauses (SCCs) or Adequacy Decisions, as required by laws like the GDPR. Please consult the privacy policies of these providers for specific details on their data transfer practices.

12. Children’s Privacy

This Website and the services offered are not directed at individuals under the age of 18 (or the applicable age of majority for accessing mental health services independently in your jurisdiction). I do not knowingly collect personal data from children. If you believe a child has provided me with personal data without parental consent, please contact me immediately.

13. Changes to This Privacy Policy

I reserve the right to update this Privacy Policy from time to time to reflect changes in practices or legal requirements. Any changes will be posted on this page with an updated “Effective Date”. Your continued use of the Website after changes are posted constitutes your acknowledgment of the revised policy. Please review this policy periodically.

14. Contact Information

If you have any questions or concerns about this Privacy Policy or data protection practices, please contact:

Dr. Thomas Blank
Email: office@anxiety-therapy.com