Mindler’s Privacy Policy
Each week Mindler conducts thousands of meetings with patients from across the world. This entrusts Mindler with a great deal of responsibility – in protecting your data, but also towards the field of psychology and the world at large. We need to be able to understand this wealth of data and ensure that we use it to provide all of our patients with an ever-improving standard of care.
By sharing your data with Mindler, you play a vital role in our mission to make mental health treatment more effective. We will utilize your data to better understand what kind of treatment works the best. You will be part of the development of the most effective mental health treatment in the world.
In the future, we aim to share our anonymized and aggregated insights with governmental bodies, academic partners and the general public, making sure that Mindler – together with you – can help improve mental healthcare for all.
Introduction to our policy
At Mindler, your privacy and safety are of utmost importance to us. We strive to make our policies clear and understandable. We want you to feel secure about how we process your personal data.
All treatment is strictly confidential and never under any circumstances are your communications with a psychologist shared with an unauthorized party.
We may update this Privacy Policy from time to time in response to changing legal, technical or business developments. All information collected by us through the website or the application will be governed by our most recent Privacy Policy, posted on the website and the application. If you have any queries, please contact us at privacy@mindler.dk.
Mindler has appointed Bird & Bird DPO Services SRL as our Data Protection Officer (DPO). If you have any questions or complaints about our compliance with this Privacy Policy or how we process your personal data, please contact our DPO via email at: dpo@mindler.dk.
Our DPO may also be contacted at the following address: Bird & Bird DPO Services SRL, Avenue Louise 235 b 1, 1050 Brussels, Belgium.
The policy
This Privacy Policy outlines how Mindler collects and processes personal data when you access and use Mindler’s platform (the “Service”) via Android or iOS applications (the “Application”) or by visiting our websites https://mindler.se/ / https://mindlercare.com/uk/ / https://mindlercare.com/nl/ / https://mindlercare.com/dk/ (the “Website”).
This document also outlines your rights and how they can be asserted. The terms and conditions for use of the Service are set out in the current Terms of Use (the “Terms of Use”) and can be accessed here.
When using the Service, Mindler is the data controller for the processing of your personal data. Mindler is processing personal data according to the General Data Protection Regulation (EU) 2016/679 (GDPR) and other applicable data protection regulation.
Data controller details: Mindler AB (Corporate Identity Number: 559150-0722) Landgreven 3, st. th 1301 København Denmark
What information do we collect about you and how do we process it?
Mindler needs to have a legal basis to process your data, we provide our legal bases below. We only collect and process data which is relevant and necessary to properly fulfill l our purposes with such processing. In this section we describe our different purposes for processing your personal data. For each purpose we state the following information:
What personal data is collected (and processed);
The purpose(s) for processing the data;
The legal basis Mindler relies on to process this data.
1. Processing necessary for providing healthcare
1.1 Personal data
The following personal data is processed for the purpose of providing our Service.
Contact information
First name, last name and country collected upon registration
Phone number and email address collected upon registration
Date of birth
Home address collected upon registration
Health data
Information regarding your physical and mental health. This could include, for example, information relating to an illness, your medical history or mental state. Health data will be collected by your Psychologist through meetings, self-assessment forms, completion of Internet-based cognitive behavioral therapy (iCBT) programs in the Application and notes from Psychologists in your medical records (Mindler is using electronic health record (EHR)). The images, videos and sounds shared during the use of the Service are neither recorded nor stored.
1.2 Purpose of processing
Your contact information is processed for the following purposes:
To be able to identify you and verify that you are of the required age to receive care
To send help in case of an emergency
Your health data is processed for the following purposes:
To provide mental healthcare treatment
To evaluate the effectiveness of ongoing treatment
1.3 Legal basis
The legal basis for this processing is performance of contract (GDPR Art. 6.1.b) to fulfill our obligations of providing you with the agreed Service. The legal basis for processing your health data is your explicit consent (GDPR Art. 9.2.a).
2. Processing necessary for providing the Service
2.1 Personal data
The following personal data is processed for the purpose of providing the Service.
Contact information
First name and last name upon registration
Email address collected upon registration
Phone number collected upon registration
Home address collected upon registration
Country of residence collected upon registration
Spoken language collected upon registration
Demographic information
Age collected upon registration
Payment information
Payment details (e.g credit card number) collected through our payment service
Any promotional codes redeemed in the Application
Technical data
Time of booking and meeting status (canceled, unpaid, completed) collected through the Application or via customer service agents
Which device, IP address, language, operating system and screen resolution you are using
The date and time of your sessions
Which Psychologists you have identified as favorites in the Application
Your iCBT program progression in the Application
Health data
Your completion of iCBT programs in the Application
2.2 Purpose of processing
Your contact information is processed for the following purposes:
To be able to identify you in the Application
Email address and phone number to log into the Application with two factor authentication
Home address in order to accurately provide you with a receipt for our services
Your demographic information is processed for the following purposes:
To ensure that you are old enough to use our Service
Your payment information is processed for the following purposes:
To make it possible for you to pay for your treatments
To issue a refund in case of cancellation
Your technical data is processed for the following purposes:
To plan and conduct meetings with you
To optimize your experience depending on the device you are using
To keep track of your preferred Psychologist(s)
To track your iCBT program progression
Your health data is processed for the following purposes:
To track your completion of iCBT programs
2.3 Legal basis
The legal basis for this processing is performance of a contract (GDPR Art. 6.1.b) to fulfill l our obligations of providing you with the agreed Service.
3. Processing necessary for communication
3.1 Personal data
The following personal data is processed for the purpose of communicating with you in connection with the provision of the agreed services.
Contact information
First name and last name collected upon registration
Email address collected upon registration
Phone number collected upon registration
Technical data
Device identification
3.2 Purpose of processing
Your contact information is processed for the following purposes:
To contact your telephone number in the event your Psychologist is unable to reach you through the Application for a booked meeting.
To contact you with important information such as changes to our Privacy Policy or user agreement, for example.
Your technical data is processed for the following purpose:
To send notifications to the last phone you used to log in to the Service
3.3 Legal basis
The legal basis for this processing is performance of contract (GDPR Art. 6.1.b).
4. Processing necessary for marketing services and products to you
4.1 Personal data
The following personal data is processed for the purpose of marketing services and products to you.
Contact information
First name and last name collected upon registration or completion of forms on our Website
Company name collected upon completion of forms on our Website
Email address collected upon registration or completion of forms on our Website
User information collected through social media when you interact with Mindler’s content
Cookie data
Information regarding how you have been using our Website and what other websites you have visited
Health data
Information regarding your physical and mental health collected upon completion of forms on our Website
4.2 Purpose of processing
Your contact information is processed for the following purposes:
To inform you of our products or services via notification or email
To send you promotional marketing emails and marketing newsletters (you can unsubscribe from any mailing lists at any point)
Your cookie data is processed for the following purposes:
To show you targeted advertising
To measure the reach of our marketing campaigns
Your health data is processed for the following purposes:
To send you promotional marketing emails
You can read more about how we place cookies and how you can withdraw your cookie consent in our Cookie Policy.
4.3 Legal basis
The legal basis for processing your contact information for this purpose is our legitimate interest to provide you with customized product and service and to inform you about and market our offered Service (GDPR Art. 6.1.f) or your given consent (GDPR Art. 6.1.a) to inform you about and market our offered Service. Please contact us by using the contact details below should you like more information on how we have conducted our legitimate interest assessment. We only process your health information for targeted marketing if you have given your explicit consent (GDPR Art. 9.2.a). The legal basis for processing your cookie data for this purpose is your given consent (GDPR Art. 6.1.a).
You have the right to withdraw your consent (to “opt out”) of any marketing communications at any time. You can opt-out (e.g. email) by using the unsubscribe link available in every newsletter or in every commercial message you receive from us or in case of electronic direct marketing by following the instructions in the communication.
5. Processing necessary for evaluating and improving our Service
5.1 Personal data
The following personal data is processed for the purpose of evaluating and improving the Service that we provide.
Demographic information
Age collected upon registration
Technical data
Data collected through the Application or by customer service agents regarding time of booking and meeting status (canceled, unpaid, completed)
Data collected through the Application regarding which device you are using
Data collected through the Application regarding how and when you use different parts of the Application
Data collected through the Application regarding how you rate your meeting, the video meeting quality and any further feedback provided
The Psychologist(s) you have identified as favorites in the Application
The Psychologist(s) you have been meeting through the Application
Feedback such as answered polls or comments you have posted on social media in posts published by Mindler in Mindler’s official social media accounts
Health data
Self-assessment questionnaires you have submitted through the Application
iCBT programs you have completed in the Application
Customer service inquiry data
Text data collected upon filing an inquiry through our Website or application
In the case that a customer service inquiry holds medical information together with identifiable information, Mindler takes technical measures to ensure that the support ticket is rendered completely unidentifiable and therefore not linked to an individual.
5.2 Purpose of processing
Your demographic information, technical data, health data and customer inquiry data is processed for the following purposes:
To improve time-slot and Psychologist availability
To improve user flows by making it easier to navigate and find certain features in the Application
To detect bugs depending on device type
To improve our video service
To improve the general user experience in the Service
To analyze how your wellbeing may change during your treatment
To investigate how wellbeing differs between different demographics
To investigate how treatment outcomes differ for different demographics
To better understand how to treat you in an effective way
Any personal data processed for the purpose of evaluating and improving our Service is always handled and stored unidentifiable through pseudonymization. We will use the personal data to create statistics on a sufficiently aggregated level so that individual patients cannot be identified from the results. Aggregated statistics will be used for internal and external communication and for research.
5.3 Legal basis
The legal basis for this processing is our legitimate interest (GDPR Art. 6.1.f). We process your health data supported by your explicit consent (GDPR Art. 9.2 a).
6. Processing necessary for providing customer service
6.1 Personal data
The following personal data is processed for the purpose of providing customer service.
Contact information
First name and last name collected upon registration or filing an inquiry through our Website
Email address collected upon registration or filing an inquiry through our Website
Phone number collected upon registration
Payment information
Credit card information collected through our payment service
Any promotional codes redeemed in the Application
Technical data
Time of booking and meeting status (canceled, unpaid, completed) which is collected through the Application or customer service agents
Which device you are using, IP address, language, operating system and screen resolution as well as the date and time of your sessions, which is collected through the Application
What Psychologists you have identified as favorites in the Application
Your iCBT program progression in the Application
6.2 Purpose of processing
Your contact information is processed for the purpose of providing customer support by:
Identifying and contacting you for the sake of customer service updates (e.g. changes to booked meetings, cancellations)
To be able to offer customer service necessary to providing you healthcare
Your customer service ticket data, payment information and technical data is processed for the following purposes:
To be able to investigate, respond to and resolve complaints and problems with the Service (e.g. bugs)
6.3 Legal basis
The legal basis for this processing is performance of contract (GDPR Art. 6.1.b) to fulfill our obligations of providing you the agreed Service.
7. Processing necessary for providing our business to business service
7.1 Personal data
The following personal data is processed for the purpose of providing our business to business service.
Payment information
Any promotional codes redeemed in the Application (if applicable)
Technical data
Data collected through the Application or by customer service agents regarding time of booking and meeting status (canceled, unpaid, completed)
Health data
Self assessment questionnaires you have submitted through the Application
iCBT programs you have completed in the Application
7.2 Purpose of processing
Your technical and health data is processed for following purposes:
To provide our business to business customers with aggregated insights regarding their employees’ well-being, meeting statistics of employees, most common diagnoses and more. None of your personal data will be communicated or transferred to your employer. We only share aggregated statistics in which no special categories of personal or identifiable data are included. We will not provide our business to business customers with statistics and insights if they do not have a large enough user pool to protect individual anonymity (at least 10 users).
7.3 Legal basis
The legal basis for processing payment information, technical data and completed iCBT programs for the purpose of providing our business to business service is performance of contract (GDPR Art. 6.1.b) where you as an employee of a business to business customer have agreed on sharing your personal data on an aggregated level to your employer. We process your submitted self-assessment questionnaires with the support of our right to process such data based on your explicit consent (GDPR Art. 9.2.a).
8. Processing necessary for optimizing and analyzing ad campaigns
8.1 Personal data
Technical data
Data such as installation, registration, paid meetings, and completed meetings collected through our ad campaigns tracking providers.
Mobile identifier like IDFA or Google Play Services ID, and your pseudonymized (hashed) IP – and possibly MAC address collected through our ad campaigns tracking provider.
8.2 Purpose of processing
Your technical data is processed for the following purposes:
To help us understand how our users are interacting with our Applications and to optimize and analyze our mobile ad campaigns
8.3 Legal basis
The legal basis for processing technical data for the purpose of optimizing and analyzing ad campaigns is our legitimate interest (GDPR Art. 6.1.f) to run cost-efficient ad campaigns. iOS users can opt out of sharing this data with us through the settings menu and navigate to integrity and tracking in the iOS device to toggle off the tracking. Android users can opt out of sharing their Google advertising ID by toggling the “Opt out of Ads Personalization” setting on their device. Please contact us by using the contact details below should you like more information on how we have conducted our legitimate interest assessment.
The time for which your data is stored
Your personal data and contact details are saved in the Service for as long as you still have your account. If your account is inactive (i.e. you have not logged in for two (2) years, consecutively, your account will automatically be erased from the Service along with some of your personal data (see below). Some personal data may however need to be retained to meet legal obligation. How long your personal data is stored for depends on the type of data. Below we have listed how long different forms of personal data are stored.
Demographic data
Your demographic data is stored for as long as you have an account. It will be deleted or anonymized upon deletion of your account – either by you requesting deletion of the account or if the account has been inactive for two (2) years.
Payment information
Your payment information is saved for as long as you have an account or six (6) years from completed purchases to meet legal obligations such as keeping business records.
Technical data
Your technical data is stored for as long as you have an account. It will be deleted or anonymized upon deletion of your account – either by you requesting deletion of the account or if the account has been inactive for two (2) years.
In order to detect and fix errors, we save error logs in our systems. Since these logs may contain personal data, they are deleted after a maximum of 60 days. We always strive to minimize the storing of unnecessary data, therefore this storing period is often much shorter than 60 days.
Cookie data
If you have consented to third-party cookies being stored on your computer or mobile devices, the cookies will be removed when you remove them or when the cookie expires.
Customer service requests
If you have contacted our customer service team, the inquiry will be stored for 180 days before it is deleted.
Health data
All health data collected for the purpose of providing you with healthcare and the Service and evaluating and improving our Service, will be stored for as long as you have an account. It will be deleted or anonymized upon deletion of your account – either by you requesting deletion of the account or if the account has been inactive for two (2) years.
Your rights
Your personal data belongs to you. Therefore, you have a right to obtain information on and determine how your personal data is processed by Mindler.
These rights may be limited, for example if fulfill ling your request would reveal personal data about another person or otherwise would be harmful to disclose, or if you ask us to erase information which we are required by law or have compelling legitimate interests to keep. If you have unresolved concerns, you have the right to complain to a data protection authority, please see more information below.
Where we collect personal data to perform our contract with you or to comply with our legal obligations, this is necessary, and we will not be able to manage the customer and patient relationship without this information. In all other cases, provision of the requested personal data is optional, but this may affect your ability to participate in certain programs and limit your possibilities to use our Websites and other services, where the information is necessary for those purposes. There may be additional requirements or provisions that restrict or extend your rights. There can also be legal obligations that prevent us from issuing or moving parts of your data or from blocking or erasing your data. These obligations are derived from legislation in the areas of health and medical assistance, confidentiality, archiving and accounting and tax. If your data must be saved due to legal obligations, the data will only be used to fulfill those obligations and for no other purpose.
A brief summary of your rights is set out below:
The right to object to processing
You can object to the processing of your personal data in some circumstances (in particular, where we don’t have to process the data to meet a contractual or legal requirement).
You have a right to object to your personal data being processed for our legitimate interests including profiling and for direct marketing. In that case, Mindler will either show that there are compelling legitimate reasons for the processing that outweigh your interests, or else stop processing your data.
Where we have asked for your consent, you may withdraw consent at any time, e.g. by emailing us at the contact details below. If you ask to withdraw your consent to Mindler processing your data, this will not affect any processing which has already taken place at that time.
The right to access and move your data
At any time, you can request a copy of your personal data, as well as information on how it has been obtained and how it is being used or distributed. This also applies to information kept in your medical records. You also have a right to transfer your personal data to another personal data controller.
The right to receive extracts from logs
When someone accesses your electronic medical records, it is registered in a log. As a patient, you can receive an extract from the log to see who has looked at your medical records.
The right to erase data
You have a right to ask for your personal data to be erased if it is no longer necessary for the purpose for which it was collected or if there is no legal basis for processing the data.
The right to correct information
You have a right to correct inaccurate or incomplete data. If you consider that a detail in your medical records is inaccurate or misleading, you have a right to ask for a note to that effect to be entered in the records. You have a right to request a restriction on the processing of your personal data until inaccurate data has been corrected or an objection from you has been investigated.
The right to restriction
You may request us to restrict certain processing of your personal data. If you restrict certain processing of your personal data, this may lead to fewer possibilities to use our websites and other services.
Automated decision-making
We may in some cases use automated decision-making, if it is authorized by legislation, if you have provided an explicit consent or if it is necessary for the performance of a contract.
You can always express your opinion or contest a decision based solely on automated processing, including profiling, if such a decision would produce legal effects or otherwise similarly significantly affect you. You have the right to obtain human intervention to express your opinion or contest a decision.
When using automated decision-making we will provide you with further information about the logic involved, as well as the significance and the envisaged consequences to you.
How do I exercise my rights?
You may request to use these rights by sending a letter or email, including your name, address, phone number to the contact details set out below. When you exercise any of your rights, we may need to identify you in order to ensure that we are in contact with the correct person. Hence, we may request the provision of additional information necessary to confirm your identity.
We will respond to your request without undue delay, but at the latest within one (1) month of the request. If the requests are numerous or complex, we may extend the deadline to two (2) months, but we will still respond to the request within the first month and explain why the extension is necessary.
Disclosure of your personal data
Your personal data may need to be transferred to or shared with others whenever necessary or justified. Your personal data is shared with:
Authorized employees at Mindler
Your personal data may be shared under secrecy with Mindler employees who are involved in your treatment. Your personal data may also be shared with analysts at Mindler working with aggregated statistics or evaluating and improving the Service. Analysts only have access to pseudonymized, unidentifiable aggregated data.
Suppliers and subcontractors
Your personal data may be transferred to or shared with certain companies that supply various types of services to Mindler. These services could be medical journal systems, payment providers, marketing tracking providers, email automation providers or infrastructure platforms necessary for our services to run. Subcontractors are covered by the same confidentiality agreement as those which apply to Mindler, and may only process personal data in accordance with our instructions or in accordance with laws and regulations.
Medical referrals
If you and your Psychologist decide that you need a medical referral, they will write and send a referral to the appropriate medical provider.
Authorities
Mindler may also be required to provide necessary information to local healthcare authorities, the police or other authorities if required by law or if you have granted your approval.
Scientific Research
We may process information about your use of Services for research purposes which aim at e.g. increasing scientific knowledge in the field of medicine, health and nursing science. We will do this using only aggregated, non-personally identifiable data (anonymized data). Anonymized data can be shared to third parties for research purposes. Regulations on data privacy don’t apply to the anonymized data because registered persons are not identifiable.
Where your personal data is processed
Your medical record data will not be transferred to, or processed in, any country outside the EU/EEA. Other personal data may be processed in a country outside the EU/EEA. When transferring personal data to a country outside the EU/EEA, we take appropriate legal, technical and organizational security measures to ensure that the personal data is processed according to the same level of protection as within the EU/EEA. If your personal data is transferred outside the EU/EEA, then this is done on the basis of appropriate and adequate safeguards for data transfers to comply with the requirements set out in GDPR Chapter V.
A copy of the relevant mechanism can be obtained for your review on request by using the contact details below.
Information Security
We will take all reasonable, appropriate technical, security and organizational means and measures considering the nature and purposes of processing and the nature of personal data processed, to protect Mindler and our customers from unauthorized access to or unauthorized alteration, disclosure or destruction of personal data we hold. Measures include, where appropriate, encryption, firewalls, secure facilities and access rights systems.
Should, despite the security measures, a security breach occur that is likely to result in a high risk to your rights and freedoms, we will inform you about the breach without undue delay.
Third-party websites and services
Our Website or other parts of our services may contain links to third-party websites and services. If you decide to visit third-party websites and services, this Privacy Policy will no longer apply and you should consult the privacy policy of that third-party instead.
Changes to the Privacy Policy
This policy may occasionally need to be changed or updated, for example if functions are changed or added to the Service. Minor changes to our Privacy Policy will be communicated through our Website. Major changes regarding how your data is processed will be communicated through the Application, Website and email (if you have provided it to us). We will not make substantial changes to this Privacy Policy or reduce your rights under this Privacy Policy without providing you with a notice.
This policy was lastly updated at 2022-06-22.
You can contact us at any time
Mindler AB is registered with the Swedish Companies Registration Office under organization number 559150-0722. Our head office in Denmark is Landgreven 3, st. th 1301 København.
You can contact us at any time if you have questions about your personal data by sending an email to privacy@mindler.dk.
Complaints
In case you consider our processing activities of your personal data to be inconsistent with the applicable data protection laws, you may lodge a complaint with the local supervisory authority for data protection. You have a right to contact and file a complaint with The Danish Data Protection Agency for example by email dt@datatilsynet.dk or via phone +45 33 19 32 00, if you believe we have processed your personal data incorrectly. You can read more about how to lodge a complaint on The Danish Data Protection Agency’s website here: https://www.datatilsynet.dk/borger/klage/saadan-klager-du.