Legal

Privacy Policy

Version 2.0 — 1 April 2026MyEntourage Sàrl

How MyEntourage Sàrl (SuperMe) collects, uses, and protects your personal data. GDPR, Swiss nLPD and UK GDPR compliant.

Contents

1

Data Controller

The entity responsible for processing your personal data (the “data controller”) is:

DetailValue
Company nameMyEntourage Sàrl
Legal formLimited liability company (Sàrl) under Swiss law
Company numberCHE-410.574.084
Registered officeRue Saint-Pierre 2, c/o Christophe Fischer, notaire, 1003 Lausanne, Switzerland
DirectorsMr Yan Delgado and Mr Stéphane Daniel Bezençon
Data protection contactsupport@mysuperme.com
HostingAmazon Web Services (AWS) — EU North 1 region, Stockholm, Sweden

We process personal data in accordance with the EU General Data Protection Regulation (GDPR), the Swiss Federal Act on Data Protection (nLPD/revFADP) and the UK GDPR. This policy explains what we collect, why, on what legal basis, and the rights available to you.

2

Data Collected

2.1 User data

CategoryExamples
Identity dataFull name, age, country of residence.
Account dataPhone number, email address, login credentials, preferences.
Profile dataGoals, service interests, assessment answers.
Health data ⚠Wellbeing goals, stress/sleep indicators and any health context you choose to share with an expert.
Transaction dataBookings, packages, subscriptions, coupons, payment status (no full card numbers).
Technical dataIP address, device and browser type, app interaction logs.
Communication dataMessages to support, session feedback, survey responses.

2.2 Expert data

CategoryExamples
Identity dataFull name, date of birth, photograph, contact details.
Professional dataTitle, specialisms, biography, languages, availability.
Qualification dataCertifications, diplomas, professional registrations and verification documents.
Financial dataPayout details and tax information for remuneration.
Performance dataRatings, reviews, completed sessions, response times.
Technical dataIP address, device information, platform activity logs.

2.3 Data we never collect

We do not collect or store:

Excluded data
✅ Full payment card numbers (handled solely by our PCI-DSS compliant payment providers).
✅ Biometric data of any kind.
✅ Data revealing political opinions, trade-union membership or religious beliefs.
✅ Data from minors (anyone under 18).
3

Legal Bases and Purposes

PurposeDataLegal basisRetention
Create and manage your accountIdentity, accountContract (Art. 6(1)(b))Account lifetime + 3 yrs
Match you with an expertProfile, assessmentContract / consentAccount lifetime
Deliver 1:1 and group sessionsAccount, transactionContract (Art. 6(1)(b))Account lifetime + 3 yrs
Process health context shared with experts ⚠Health dataExplicit consent (Art. 9(2)(a))Until consent withdrawn
Process paymentsTransactionContract / legal obligation10 yrs (accounting)
Provide customer supportCommunicationLegitimate interest (Art. 6(1)(f))3 yrs
Improve and secure the platformTechnicalLegitimate interest12 months
Send service notificationsAccountContractAccount lifetime
Marketing communicationsAccountConsent (Art. 6(1)(a))Until consent withdrawn
Comply with legal obligationsIdentity, transactionLegal obligation (Art. 6(1)(c))As required by law

SPECIFIC CONSENT — HEALTH DATA (ART. 9 GDPR)

Any health-related information you choose to share is special-category data. We process it only on the basis of your explicit consent, solely to enable your expert to support you. You may withdraw this consent at any time, after which we stop processing it and delete it unless retention is legally required.

4

Sub-processors and Recipients

ProviderRoleCountrySafeguards
Amazon Web ServicesHosting & storageSweden (EU)DPA, EU region
Stripe / PayPalPayment processingUSA / EUSCCs, DPF, PCI-DSS
Google AnalyticsUsage analyticsUSASCCs, consent
Google Tag ManagerTag managementUSASCCs, consent
IntercomCustomer supportUSA / EUSCCs, DPA
MailchimpEmail deliveryUSASCCs, DPA
SentryError monitoringUSASCCs, DPA
Keen IOEvent analyticsUSASCCs, DPA
CloudflareCDN & securityGlobalSCCs, DPA
SCCs are the European Commission’s Standard Contractual Clauses for international transfers. A DPA is a Data Processing Agreement that binds each provider to process data only on our instructions and to maintain appropriate security. We engage processors under written contracts and disclose data to public authorities only where legally required.
5

International Data Transfers

5.1 Transfers to the United States

Where data is transferred to providers in the USA, we rely on the EU Standard Contractual Clauses (SCCs), certification under the EU–US Data Privacy Framework (DPF) where available, and Transfer Impact Assessments (TIAs) to confirm an adequate level of protection.

5.2 Swiss users

For users in Switzerland, transfers comply with the revised Federal Act on Data Protection (revFADP), using the Swiss addendum to the SCCs where required.

5.3 UK users

For users in the United Kingdom, transfers are made under the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the SCCs, consistent with ICO guidance.

6

Retention Periods

Data categoryRetention period
Account & identity dataAccount lifetime + 3 years
Profile & assessment dataAccount lifetime
Health dataUntil consent is withdrawn
Booking & session recordsAccount lifetime + 3 years
Payment & accounting records10 years (legal obligation)
Support communications3 years
Technical & analytics logs12 months
Marketing consent recordsUntil withdrawn + 1 year
Expert verification documentsEngagement + 5 years
CookiesPer cookie table (Section 9)
When you close your account or a retention period expires, your personal data is deleted or irreversibly anonymised within 30 days, save where a longer period is required by law.
7

Your Rights

Subject to the conditions in applicable data protection law, you have the following rights over your personal data:

Right of access (Art. 15 GDPR)

Obtain confirmation of whether we process your data and a copy of it, together with information about the processing.

Right to rectification (Art. 16 GDPR)

Have inaccurate or incomplete personal data corrected without undue delay.

Right to erasure (Art. 17 GDPR)

Request deletion of your data where there is no overriding legal ground for us to keep it.

Right to restriction (Art. 18 GDPR)

Ask us to limit how we use your data while a request or objection is being resolved.

Right to portability (Art. 20 GDPR)

Receive the data you provided in a structured, machine-readable format, or have it sent to another controller.

Right to object (Art. 21 GDPR)

Object to processing based on our legitimate interests, including profiling, and to direct marketing at any time.

Right to withdraw consent (Art. 7 GDPR)

Withdraw any consent you have given (including for health data) at any time, without affecting prior lawful processing.

Rights re: automated decisions (Art. 22 GDPR)

Request human review of, express your view on, and contest any decision based solely on automated processing.

7.1 How to exercise your rights

Use the privacy controls in your account settings.
Write to us at our registered office (Section 1). We respond within one month.

7.2 Supervisory authorities

You may lodge a complaint with your local authority:

RegionAuthorityWebsite
SwitzerlandFDPICedoeb.admin.ch
EU / FranceCNILcnil.fr
United KingdomICOico.org.uk
8

Data Security

8.1 Technical measures

Encryption in transit (TLS) and at rest.
Strict access controls and least-privilege permissions.
Network firewalls and DDoS protection.
Continuous monitoring and error tracking.
Regular backups with tested recovery.
Pseudonymisation of data where practicable.
Periodic security testing and patching.

8.2 Organisational measures

Confidentiality obligations for staff and experts.
Data protection training for personnel.
Written agreements with all processors.
An internal incident-response procedure.

8.3 Breach notification

In the event of a personal data breach likely to result in a risk to your rights, we notify the competent supervisory authority within 72 hours and inform affected individuals without undue delay where the risk is high.

9

Cookies and Tracking

TypePurposeConsent
NecessaryEnable core functionality such as login and security.Not required
FunctionalRemember preferences and settings.Required
AnalyticalUnderstand usage to improve the service.Required
MarketingMeasure and personalise campaigns.Required
You can accept or reject non-essential cookies and change your choices at any time through the cookie banner or your browser settings.
10

Protection of Minors

SuperMe is intended for adults aged 18 and over. We do not knowingly collect data from minors. If we become aware that we have collected personal data from a person under 18, we delete it promptly. If you believe a minor has provided us data, please contact support@mysuperme.com.

11

Automated Decision-Making

We use an algorithm to suggest experts who best fit your goals, preferences and assessment answers. This matching supports — but does not replace — your choice: the suggested matches are recommendations, and you decide whom to book.

Matches are subject to human validation, and no decision producing legal or similarly significant effects is taken solely by automated means. You may request human review of, express your view on, and contest a match at any time.

12

Session Confidentiality

All experts are bound by strict confidentiality obligations regarding anything shared during a session. Sessions are never recorded without your explicit, prior consent. Information shared with an expert is used only to support you and is not disclosed to third parties except as described in this policy or required by law.

13

Changes to this Policy

We may update this policy from time to time. Where changes are material, we give at least 30 days’ notice by email or in-app before they take effect.

VersionDateStatus
2.01 April 2026Current
1.020 June 2025Previous
14

Contact and Complaints

SubjectDetail
Data protection contactsupport@mysuperme.com
Postal addressMyEntourage Sàrl, Rue Saint-Pierre 2, 1003 Lausanne, Switzerland
Response timeWithin one month of a verified request
Authority (Switzerland)FDPIC — edoeb.admin.ch
Authority (EU / France)CNIL — cnil.fr
Authority (UK)ICO — ico.org.uk
15

Expert-Specific Provisions

15.1 Expert-specific processing

PurposeDataLegal basis
Onboarding & verificationIdentity, qualificationContract / legal obligation
Public expert profileProfessional, photographContract / consent
Matching with usersProfessional, performanceContract
Remuneration & taxFinancialContract / legal obligation
Quality & performancePerformanceLegitimate interest
Platform securityTechnicalLegitimate interest

15.2 Public profile

An expert’s professional profile (name, title, biography, photograph, ratings) is displayed publicly to help users choose. Experts may request changes to their profile at any time.

15.3 Marketing use of name and image

We use an expert’s name and image to promote the platform only with their consent, which can be withdrawn for future use.

15.4 Performance data

Performance metrics and reviews are processed to maintain service quality. Experts may challenge inaccurate performance data and request correction.

15.5 KYC verification

We verify experts’ identity and qualifications (KYC) to protect users; verification documents are retained as set out in Section 6.

15.6 Termination data

Accounting and tax records are retained for 10 years.
Verification records are retained for 5 years after the engagement ends.
Public profile data is removed promptly on termination.

15.7 GDPR rights for experts

Experts hold the same data protection rights set out in Section 7 and may exercise them using the same methods.

Last updated: 1 April 2026 · Version 2.0
© 2026 MyEntourage Sàrl. All rights reserved.