1. Controller Information

The Reach application (MVP 1 – Test Version) is currently in its prototype phase and is being developed by a small independent team:

Data Controllers:
Thomas Crols and Vincent Troisfontaine
Email: contact@reach-mentalhealth.com

No legal entity has been formally incorporated at this stage. However, for the purposes of data protection legislation, the individuals named above act as joint controllers under Article 26 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

Any queries relating to the collection, use or protection of personal data in connection with this prototype may be addressed to the contact email above.

---

2. Categories of Personal Data We Collect

We may collect and process the following categories of personal data when you use the Reach test application:

2.1 Identification and Account Data

• Email address

• Chosen display name, username or nickname

• Age or date of birth

• Gender

2.2 Preference and Profile Data

• Whether you wish to receive or offer peer support

• Selected emotional or thematic labels (“problem tags”)

• Gender preferences

• Desired traits in matched users

• Mood status or emotional indicators

• Personal interests and user traits voluntarily entered

2.3 Images and Media

• Profile photographs or any other media uploaded voluntarily

2.4 Communications and Chat Content

• Messages sent or received in one-to-one conversations within the app

• Message metadata (e.g. timestamps)

2.5 Technical and Device Data

• IP address

• Type of device and operating system

• Language settings

• Approximate regional location (not GPS-based, and not stored permanently)

We do not collect biometric identifiers, financial information, or location data beyond basic regional inference.

---

3. Purpose of Processing and Legal Basis

The personal data listed above is processed for the following purposes, in accordance with GDPR:

3.1 Matching and Chat Functionality
To enable matching with other users and to provide basic peer conversation services.
Legal basis: Article 6(1)(b) GDPR – processing is necessary for the performance of a contract or service the user has actively engaged with.

3.2 Stability and Technical Support
To maintain system integrity, debug errors, and improve usability during the test phase.
Legal basis: Article 6(1)(f) GDPR – legitimate interests pursued by the controller in maintaining platform functionality and user experience.

3.3 Evaluation and Feedback
To collect insights on prototype performance and user interaction patterns for refinement.
Legal basis: Article 6(1)(f) GDPR – legitimate interest in product development.

3.4 Sensitive Personal Data (Special Categories)
Certain information, such as emotional states or mental well-being indicators, may be considered special category data under Article 9 GDPR.
Legal basis: Article 9(2)(a) GDPR – explicit consent provided voluntarily by the user during onboarding.

Users are never required to provide sensitive data, and all processing in this category is entirely optional.

---

4. Consent for Special Category Data

During onboarding and/or in user profile configuration, you may be asked to indicate emotional states or problem tags (e.g. loneliness, anxiety, burnout). Where such information may fall under Article 9 of GDPR as special category data, your explicit consent is required and will be obtained through a clear, informed action (e.g. opt-in checkbox).

You may withdraw your consent at any time, either by deleting your account or by contacting us at the email listed above. Upon withdrawal, any associated sensitive data will be permanently deleted.

---

5. Data Access and Third Parties

5.1 Internal Access
Access to your data is strictly limited to the development team, currently comprising the two joint controllers named above. Access is role-based and restricted to the minimum necessary for testing and functionality.

5.2 Hosting and Subprocessors
Data is hosted on secure cloud infrastructure provided by Google Cloud Platform (GCP). Where data is stored or processed outside the European Economic Area (EEA), such transfers are protected by:

• A signed Data Processing Agreement (DPA) with Google

• Standard Contractual Clauses (SCCs) in accordance with Articles 44–46 GDPR

No data is sold, shared, or otherwise disclosed to third parties for advertising or marketing purposes.

---

6. Data Retention

Your personal data is retained only for as long as is necessary to support the prototype’s functions. In most cases, this will be for a period of 30 days following your last activity or the deletion of your account, whichever occurs first.

Thereafter:

• Personal data will be permanently deleted

• Non-identifiable (anonymised) technical logs may be retained for crash diagnostics or aggregated analysis

---

7. Your Rights Under GDPR

As a user within the European Union, and in accordance with the GDPR and Belgian Data Protection Law (Loi du 30 juillet 2018), you are entitled to the following rights:

• Right of access – to know what data is held about you

• Right of rectification – to correct inaccurate or incomplete data

• Right to erasure (“right to be forgotten”)

• Right to restrict processing – in certain legal circumstances

• Right to object – to processing based on legitimate interest

• Right to data portability – where applicable

• Right to withdraw consent – at any time, without affecting prior lawful processing

To exercise these rights, please email us at contact@reach-mentalhealth.com. We will respond within one month of receipt of your request, in accordance with Article 12 GDPR.

You also have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données).

---

8. Data Security

We apply appropriate technical and organisational measures to ensure the protection of your data against accidental loss, misuse, unauthorised access, alteration or destruction. Measures include:

• Role-based access controls

• Communications over TLS

• Limited access to infrastructure

• Password hashing and secure data storage practices

However, as this is a non-commercial prototype still in development, users are advised to use the app with discretion and to avoid sharing sensitive or identifiable information in chats.

---

9. Changes to This Policy

This Privacy Policy may be amended or updated as the application evolves or as regulatory requirements change. The most recent version of the policy will always be available within the app interface or may be sent directly to test participants via email.

All updates will include a change in the “last updated” date and, where appropriate, will be accompanied by a summary of key changes.

---

10. Disclaimer

Reach is an experimental tool, not a clinical or crisis intervention service. It is not regulated as a healthcare application and has not undergone formal medical evaluation.

By using this prototype, you acknowledge that:

• You are solely responsible for your interactions and the information you choose to share

• There is no content moderation, medical supervision or emergency assistance

• The developers are not liable for emotional harm, inappropriate behaviour of other users, or the outcome of any interaction initiated through the application

If you feel unsafe or require immediate support, you are strongly advised to cease using the app and contact an appropriate professional or emergency service.