Skip to content

English (primary)
Contact us
Contact us
  • home
  • chevron_right
  • Privacy and Data policy Psyray

Privacy and Data policy Psyray

At Psyray, we highly value care, transparency, and privacy when handling data. This privacy policy explains what data is processed when Psyray technology is used, why it is processed, and where you can go with questions about your rights.

Who we are

Psyray is a technology company that provides insights into mental well-being through measurements and analyses. Our technology is designed as a “plug & play” approach that can be used in different markets via contracted distribution partners.

In most cases, the process has two steps:

  1. Capturing data via a hardware-based scan using the Psyray app and scan device. The data is sent to Psyray’s cloud services (“the Engine”).
  2. Processing by the Engine into insights, usually structured in a report. The output is returned to the distribution partner’s platform (the platform that requested the analysis).

Psyray processes scan-related measurement data and technical identifiers needed to generate the requested insights and return them to the distribution partner.

Intended use of the software

Different Psyray software variants exist with distinct intended uses.

Consumer-facing use:

  • Intended solely for self-reflection and mental awareness.
  • It does not provide diagnoses or treatment decisions.
  • It does not qualify as a medical device.

Professional mental health use:

  • Intended solely as a decision-support tool.
  • Interpretation and responsibility remain with the professional.
  • Psyray is not part of the therapeutic relationship.

Psyray ensures the correct allocation of software variants to the appropriate user groups.

Legal basis for processing and our role

Psyray technology is accessible only via contracted distribution partners. Those partners have their own relationship with their users/clients and are responsible for arranging the appropriate legal basis (for example: consent or contractual necessity, depending on their service design).

Psyray processes data only at the request and instruction of a distribution partner. The Engine returns the results to the requesting partner’s platform.

In this setup:

  • The distribution partner is responsible for the identifiable user relationship and personal data administration.
  • For the Engine service, Psyray acts as a processor: we process data on instruction of the distribution partner and do not use it for our own independent purposes.

Non-identifying processing in the Psyray Engine

Psyray is designed to process scan data in a way that limits identifiability.

The scan process may use a person’s name locally in the distribution partner’s platform (for example, to guide the scan process and to present results), and the name can be essential in that local flow. However, the Psyray App and scan device do not transmit the client’s name to the Psyray Engine.

Data sent to the Engine is processed using technical identifiers. As a result, the client data in the Psyray Engine cannot be linked by Psyray to a specific natural person.

Retention periods

Psyray does not store the client’s name in the Psyray Engine and therefore cannot maintain an identifiable medical file. Any retention obligations that apply to identifiable client records are handled by the distribution partner in its own environment.

Psyray may retain non-identifying and aggregated data for as long as necessary to:

  • keep the service reliable (e.g., quality control and troubleshooting), and
  • improve the performance and accuracy of the Engine,
    in line with contractual arrangements.

Transparency and care

We aim to present insights in a careful and transparent way. Reports may be tailored to the context (consumer or professional), but the underlying approach remains the same: clear explanations, consistent reporting, and responsible communication of results.

Sharing data with third parties

Psyray only shares data with service providers we use to deliver the services (for example, secure cloud hosting or support tooling). Where required, we agree appropriate data protection arrangements with these parties.

Psyray does not sell personal data to third parties.

Security

We take appropriate technical and organisational measures to prevent misuse, loss, unauthorised access, or unwanted disclosure of data. This includes secure infrastructure, access controls, encryption in transit, and monitoring designed to protect data throughout processing.

Contact

If you have questions about this privacy policy or how data is processed in the Psyray Engine, please contact: privacy@psyray.com. We aim to respond within 30 days.

Note for end-users (privacy rights requests)

If you are an end-user and want to exercise your privacy rights (such as access, correction, deletion, restriction, or portability) under applicable law, please contact the distribution partner through which you used the Psyray technology. They manage the identifiable user relationship and are best positioned to identify you and act on your request. The distribution partner is responsible for verifying identity and handling requests within the timelines required by applicable law. If needed, the distribution partner may contact Psyray to support the request.