Mindler’s Privacy Policy
Key updates
We’ve updated the storage period for customer service inquiries to improve the quality and effectiveness of our customer support.
We’ve included more detailed information about the technical data we process to evaluate and improve our Service.
Each week Mindler conducts thousands of meetings with patients from across the world. This entrusts Mindler with a great deal of responsibility - in protecting your data, but also towards the field of psychology and the world at large. We need to be able to understand this wealth of data and ensure that we use it to provide all of our patients with an ever-improving standard of care.
By sharing your data with Mindler, you play a vital role in our mission to make mental health treatment more effective. We will utilise your data to better understand what kind of treatment works the best. You will be part of the development of the most effective mental health treatment in the world.
We aim to share our anonymized and aggregated insights with governmental bodies, academic partners and the general public, making sure that Mindler - together with you - can help improve mental healthcare for all.
Introduction to our policy
At Mindler, your privacy and safety are of utmost importance to us. We strive to make our policies clear and understandable. We want you to feel secure about how we process your personal data.
All treatment is strictly confidential and never under any circumstances are your communications with a therapist shared with an unauthorised party.
We may update this Privacy Policy from time to time in response to changing legal, technical or business developments. All information collected by us through the website or the application will be governed by our most recent Privacy Policy, posted on the website and the application. If you have any queries, please contact us at privacy@mindler.co.uk.
Mindler has appointed Bird & Bird DPO Services SRL as our Data Protection Officer (DPO). If you have any questions or complaints about our compliance with this Privacy Policy or how we process your personal data, please contact our DPO via email at: dpo@mindler.co.uk.
Our DPO may also be contacted at the following address: Bird & Bird DPO Services SRL, Avenue Louise 235 b 1, 1050 Brussels, Belgium.
The policy
This Privacy Policy outlines how Mindler collects and processes personal data when you access and use Mindler’s platform (the "Service") via Android or iOS applications (the “Application”) or by visiting our Website https://mindlercare.com/uk/ (the “Website”).
This document also outlines your rights and how they can be asserted. The terms and conditions for use of the Service are set out in the current General Terms and Conditions (the "Terms and Conditions") and can be accessed here: https://mindlercare.com/uk/terms/. When using the service, Mindler is the data controller for the processing of your personal data. Mindler is processing personal data according to the General Data Protection Regulation (EU) 2016/679 (GDPR) as incorporated into domestic law of the United Kingdom, Data Protection Act 2018 and other applicable data protection regulation.
Data controller details:
Mindler Ltd (Corporate Identity Number: 12232933) 1 Chapel Street Warwick CV34 4HL United Kingdom
What information do we collect about you and how do we process it?
Mindler needs to have a legal basis to process your data, we provide our legal bases below. We only collect and process data which is relevant and necessary to properly fulfil our purposes with such processing. In this section we describe our different purposes for processing your personal data. For each purpose we state the following information:
What personal data is collected (and processed);
The purpose(s) for processing the data;
The legal basis Mindler relies on to process this data.
1. Processing necessary for providing healthcare
1.1 Personal data
The following personal data is processed for the purpose of providing our Service.
Contact information
First name, last name and country collected upon registration
Phone number and email address collected upon registration
Date of birth
Home address collected upon registration
Health data
Information regarding your physical and mental health. This could include, for example, information relating to an illness, your medical history or mental state. Health data will be collected by your Therapist through meetings, registration forms, self-assessment forms, completion of Internet-based cognitive behavioural therapy (iCBT) programs in the Application and notes from Therapists in your medical records (Mindler is using electronic health record (EHR)). The images, videos and sounds shared during the use of the Service are neither recorded nor stored.
1.2 Purpose of processing
Your contact information is processed for the following purposes:
To be able to identify you and verify that you are of the required age to receive care
To send help in case of an emergency
Your health data is processed for the following purposes:
To provide mental healthcare treatment
To evaluate the effectiveness of ongoing treatment
1.3 Legal basis
The legal basis for this processing is legal obligation (UK GDPR Art. 6.1.c). We are processing health data supported by UK GDPR Art. 9.2.h and Data protection Act 2018. Health data collected through self-assessment forms is processed with support of your explicit consent (UK GDPR Art. 9.2.a).
2. Processing necessary for providing the Service
2.1 Personal data
The following personal data is processed for the purpose of providing the Service.
Contact information
First name and last name upon registration
Email address collected upon registration
Phone number collected upon registration
Home address collected upon registration
Country of residence collected upon registration
Spoken language collected upon registration
Demographic information
Age collected upon registration
Payment information
Payment details (e.g. credit card number) collected through our payment service
Any promotional codes redeemed in the Application
Technical data
Time of booking and meeting status (cancelled, unpaid, completed) collected through the Application or via customer service agents
Which device, IP address, language, operating system and screen resolution you are using
The date and time of your sessions
Which Therapists you have identified as favourites in the Application
Your iCBT program progression in the Application
2.2 Purpose of processing
Your contact information is processed for the following purposes:
To be able to identify you in the Application
Email address and phone number to log into the Application with two factor authentication
Home address in order to accurately provide you with a receipt for our services
Your demographic information is processed for the following purposes:
To ensure that you are old enough to use our Service
Your payment information is processed for the following purposes:
To make it possible for you to pay for your treatments
To issue a refund in case of cancellation
Your technical data is processed for the following purposes:
To plan and conduct meetings with you
To optimise your experience depending on the device you are using
To keep track of your preferred Therapist(s)
To track your iCBT program progression
2.3 Legal basis
The legal basis for this processing is the performance of a contract (UK GDPR Art. 6.1.b) to fulfil our obligations of providing you with the agreed Service.
3. Processing necessary for communication
3.1 Personal data
The following personal data is processed for the purpose of communicating with you in connection with the provision of the agreed services.
Contact information
First name and last name collected upon registration
Email address collected upon registration
Phone number collected upon registration
Technical data
Device identification
3.2 Purpose of processing
Your contact information is processed for the following purposes:
To contact your telephone number in the event your Therapist is unable to reach you through the Application for a booked meeting.
To contact you with important information such as changes to our Privacy Policy or user agreement, for example.
Your technical data is processed for the following purpose:
To send notifications to the last phone you used to log in to the Service
3.3 Legal basis
The legal basis for this processing is the performance of a contract (UK GDPR Art. 6.1.b).
4. Processing necessary for marketing services and products to you
4.1 Personal data
The following personal data is processed for the purpose of marketing services and products to you.
Contact information
First name and last name collected upon registration or completion of forms on our Website
Company name collected upon completion of forms on our Website
Email address collected upon registration or completion of forms on our Website
Phone number collected upon registration or completion of forms on our Website
User information collected through social media when you interact with Mindler’s content
Cookie data
Information regarding how you have been using our Website and what other websites you have visited
Health data
Information regarding your physical and mental health collected upon completion of forms on our Website
4.2 Purpose of processing
Your contact information is processed for the following purposes:
To inform you of our products or services via notification or email
To send you promotional marketing emails and marketing newsletters (you can unsubscribe from any mailing lists at any point)
Your cookie data is processed for the following purposes:
To show you targeted advertising
To measure the reach of our marketing campaigns
Your health data is processed for the following purposes:
To send you promotional marketing emails
You can read more about how we place cookies and how you can withdraw your cookie consent in our Cookie Policy.
4.3 Legal basis
The legal basis for processing your contact information is the performance of a contract (UK GDPR Art. 6.1.b) or your given consent (UK GDPR Art. 6.1.a) to provide you with customized products and services and to inform you about and market our offered Service. We only process your health information for targeted marketing if you have given your explicit consent (UK GDPR Art. 9.2.a). The legal basis for processing your cookie data for this purpose is your given consent (UK GDPR Art. 6.1.a).
You have the right to withdraw your consent (to “opt out”) of any marketing communications at any time. You can opt-out (e.g. email) by using the unsubscribe link available in every newsletter or in every commercial message you receive from us or in case of electronic direct marketing by following the instructions in the communication.
5. Processing necessary for evaluating and improving our Service
5.1 Personal data
The following personal data is processed for the purpose of evaluating and improving the Services that we provide.
Demographic information
Age collected upon registration
Technical data
Data collected through the Application or by customer service agents regarding time of booking and meeting status (cancelled, unpaid, completed)
Data collected through the Application regarding which device you are using
Data collected through the Application regarding how and when you use different parts of the Application
Data collected through the Application regarding how you rate your meeting, the video meeting quality and any further feedback provided
Data collected from reviews and ratings provided by third-party systems, such as application stores
Data collected through user surveys, including scoring metrics like NPS, CSAT, and free-text responses
The Therapist(s) you have identified as favourites in the Application
The Therapist(s) you have been meeting through the Application
Feedback such as answered polls or comments you have posted on social media in posts published by Mindler in Mindler’s official social media accounts
iCBT programs you have completed in the Application
iCBT program progress within the Application, including completion rate, and time spent on completing a program
The completion rate of iCBT program feedback
Data collected through app stores regarding application downloads and installations per market and date, including additional device-specific information such as language settings, OS version, carrier, country, user ratings, and reported issues.
Health data
Self-assessment questionnaires you have submitted through the Application
Customer service inquiry data
Text data collected through upon filing an inquiry through our Website or application
In the case that a customer service inquiry holds medical information together with identifiable information, Mindler takes technical measures to ensure that the support ticket is rendered completely unidentifiable and therefore not linked to an individual.
5.2 Purpose of processing
Your demographic information, technical data, health data and customer inquiry data is processed for the following purposes:
To improve time-slot and Therapist availability
To improve user flows by making it easier to navigate and find certain features in the Application
To detect bugs depending on device type
To improve our video service
To improve the general user experience in the Service
To analyse how your wellbeing may change during your treatment
To investigate how wellbeing differs between different demographics
To investigate how treatment outcomes differ for different demographics
To better understand how to treat you in an effective way
Any personal data processed for the purpose of evaluating and improving our Service is always handled and stored unidentifiable through pseudonymization. We will use the personal data to create statistics on a sufficiently aggregated level so that individual patients cannot be identified from the results. Aggregated statistics will be used for internal and external communication and for research.
5.3 Legal basis
The legal basis for this processing is our legitimate interest (UK GDPR Art. 6.1.f). We process your health data supported by your explicit consent (UK GDPR Art. 9.2.a).
6. Processing necessary for providing customer service
6.1 Personal data
The following personal data is processed for the purpose of providing customer service.
Contact information
First name and last name collected upon registration or filing an inquiry through our Website
Email address collected upon registration or filing an inquiry through our Website
Phone number collected upon registration
Payment information
Credit card information collected through our payment service
Any promotional codes redeemed in the Application
Technical data
Time of booking and meeting status (cancelled, unpaid, completed) which is collected through the Application or customer service agents
Which device you are using, IP address, language, operating system and screen resolution as well as the date and time of your sessions, which is collected through the Application
What Therapists you have identified as favourites in the Application
Your iCBT program progression in the Application
Health data
Information regarding your physical and mental health. This could include, for example, information relating to an illness, your medical history, or mental state.
6.2 Purpose of processing
Your contact information is processed for the purpose of providing customer support by:
Identifying and contacting you for the sake of customer service updates (e.g. changes to booked meetings, cancellations)
To be able to offer customer service necessary to providing you healthcare
Your payment information, technical data, and health data is processed for the following purposes:
To be able to investigate, respond to and resolve complaints and problems with the Service (e.g. bugs)
6.3 Legal basis
The legal basis for this processing is the performance of a contract (UK GDPR Art. 6.1.b) to fulfil our obligations of giving you the agreed service. To the extent that the customer services are related to care or processing of health data, the processing takes place with the support of our right to process personal data in connection with the administration of care activities (UK GDPR Art. 9.2 h) and Data Protection Act 2018.
7. Processing necessary for providing our business to business service
7.1 Personal data
The following personal data is processed for the purpose of providing our business to business service.
Payment information
Any promotional codes redeemed in the Application
Technical data
Data collected through the Application or by customer service agents regarding time of booking and meeting status (cancelled, unpaid, completed)
iCBT programs you have completed in the Application
Health data
Self assessment questionnaires you have submitted through the Application
7.2 Purpose of processing
Your payment information, technical data, and health data is processed for following purposes:
To provide our business to business customers with aggregated insights regarding their employees’ well-being, meeting statistics of employees, most common problem areas and more. None of your personal data will be communicated or transferred to your employer. We only share aggregated statistics in which no special categories of personal or identifiable data are included. We will not provide our business to business customers with statistics and insights if they do not have a large enough user pool to protect individual anonymity (at least 15 users).
7.3 Legal basis
The legal basis for processing payment information, technical data and iCBT program completion data for the purpose of providing our business to business service is the performance of a contract (UK GDPR Art. 6.1.b) where you as an employee of a business to business customer have agreed on sharing your personal data on an aggregated level to your employer. We process your submitted self-assessment questionnaires with the support of our right to process such data based on your explicit consent (UK GDPR Art. 6.1.a and UK GDPR Art. 9.2.a).
8. Processing necessary for in-app tracking and optimizing ad campaigns
8.1 Personal data
Technical data
Data on events such as installation of the Application, registration in the Application and, booked, paid and/or completed meetings or iCBT programs in the Application
Mobile identifier like IDFA or Google Play Services ID, and your pseudonymized (hashed) IP - and possibly MAC address
8.2 Purpose of processing
Your technical data is processed for the following purposes:
To help us understand how our users are interacting with our Applications
To measure the performance of and optimize our ad campaigns
8.3 Legal basis
The legal basis for processing is our legitimate interest (UK GDPR Art. 6.1.f) or your given consent (UK GDPR Art. 6.1.a). You are free to withdraw your consent at any time. Such withdrawal will not affect the lawfulness of our processing based on your consent before your withdrawal. iOS users can opt out of sharing this data with us through the settings menu and navigate to integrity and tracking in the iOS device to toggle off the tracking. Android users can opt out of sharing their Google advertising ID by toggling the "Opt out of Ads Personalization" setting on their device. Please contact us by using the contact details below should you like more information on how we have conducted our legitimate interest assessment.
9. Processing for research purposes
9.1 Personal data
The following personal data is processed for the purpose of doing research based on the data collected by Mindler.
Demographic information
Age and sex collected from social security number upon registration.
City, postal code and county code collected through third party.
Technical data
Time of booking and meeting status (canceled, unpaid, completed) collected through the Application or via customer service agents
The date and time of your sessions
iCBT program progression in the Application
Health data
Information regarding physical and mental health. This could include, for example, information relating to an illness, medical history or mental state. Health data will be collected by the Therapist through meetings, registration forms, self-assessment forms, completion of Internet-based cognitive behavioural therapy (iCBT) programs in the Application and notes from Therapists in the medical records (Mindler is using electronic health record (EHR)).
Self-assessment questionnaire answers submitted through the Application.
9.2 Purpose of processing
Your personal data is processed for the following purpose:
To conduct research alone and/or in collaboration with a research institute, government agency, healthcare provider or other legal entity in order to advance knowledge relating to the healthcare provided by Mindler and take measures to improve the healthcare provided by Mindler as a result of such research.
To provide data to a research institute, government agency, healthcare provider or other legal entity in order for such research institute, government agency, healthcare provider or other legal entity to advance knowledge relating to the healthcare provided by Mindler and take measures to improve the healthcare provided by Mindler as a result of such research.
9.3 Legal basis
The legal basis for this processing is for the performance of a task carried out in the public interest (UK GDPR Art. 6.1.e) and we are processing your health data supported by UK GDPR Art. 9.2 h and the Data protection Act 2018.
The time for which your data is stored
Your personal data and contact details are saved in the Service for as long as you still have your account. If your account is inactive i.e. you have not logged in for two (2) years, consecutively, your account will automatically be erased from the Service along with some of your personal data (see below). Some personal data may however need to be retained to meet legal obligation. How long your personal data is stored for depends on the type of data. Below we have listed how long different forms of personal data are stored.
Demographic data
Your demographic data is stored for as long as you have an account. It will be deleted or anonymized upon deletion of your account - either by you requesting deletion of the account or if the account has been inactive for two (2) years.
Payment information
Your payment information is saved for as long as you have an account or six (6) years from the date of completed purchases to meet legal obligations such as keeping business records.
Technical data
Your technical data is stored for as long as you have an account. It will be deleted or rendered completely unidentifiable upon deletion of your account - either by you requesting deletion of the account or if the account has been inactive for two (2) years.
In order to detect and fix errors, we save error logs in our systems. Since these logs may contain personal data, they are deleted after a maximum of 60 days. We always strive to minimise the storing of unnecessary data, therefore this storing period is often much shorter than 60 days.
Cookie data
If you have consented to third-party cookies being stored on your computer or mobile devices, the cookies will be removed when you uninstall them or when the cookie expires.
Customer service requests
If you have contacted our customer service team, the inquiry will be stored for 365 days before it is deleted. Some conversations may be relevant and recored to your medical file, in which case the following ‘Health data’ terms apply.
Health data
All health data that is collected for the purpose of providing you with healthcare and the Service and evaluating and improving our Service, will be stored for as long as you have an account. It will be deleted or anonymized upon deletion of your account - either by you requesting deletion of the account or if the account has been inactive for two (2) years.
Health data that is stored in the journal will be saved for seven (7) years in order to comply with legal obligations.
Your rights
Your personal data belongs to you. Therefore, you have a right to obtain information on and determine how your personal data is processed by Mindler.
These rights may be limited, for example if fulfilling your request would reveal personal data about another person or otherwise would be harmful to disclose, or if you ask us to erase information which we are required by law or have compelling legitimate interests to keep. If you have unresolved concerns, you have the right to complain to a data protection authority, please see more information below.
Where we collect personal data to administer our contract with you or to comply with our legal obligations, this is necessary, and we will not be able to manage the customer and patient relationship without this information. In all other cases, provision of the requested personal data is optional, but this may affect your ability to participate in certain programs and limit your possibilities to use our Websites and other services, where the information is necessary for those purposes. There may be additional requirements or provisions that restrict or extend your rights. There can also be legal obligations that prevent us from issuing or moving parts of your data or from blocking or erasing your data. These obligations are derived from legislation in the areas of health and medical assistance, confidentiality, archiving and accounting and tax. If your data must be saved due to legal obligations, the data will only be used to fulfil those obligations and for no other purpose.
A brief summary of your rights is set out below:
The right to object to processing
You can object to the processing of your personal data in some circumstances (in particular, where we don’t have to process the data to meet a contractual or legal requirement).
You have a right to object to your personal data being processed for our legitimate interests including profiling and for direct marketing. In that case, Mindler will either show that there are compelling legitimate reasons for the processing that outweigh your interests, or else stop processing your data.
Where we have asked for your consent, you may withdraw consent at any time, e.g. by emailing us at the contact details below. If you ask to withdraw your consent to Mindler processing your data, this will not affect any processing which has already taken place at that time.
The right to access and data portability
At any time, you can request a copy of your personal data, as well as information on how it has been obtained and how it is being used or distributed. This also applies to information kept in your medical records. You also have a right to transfer your personal data to another personal data controller.
The right to receive extracts from logs
When someone accesses your electronic medical records, it is registered in a log. As a patient, you can receive an extract from the log to see who has looked at your medical records.
The right to erase data
You have a right to ask for your personal data to be erased if it is no longer necessary for the purpose for which it was collected or if there is no legal basis for processing the data.
The right to correct information
You have a right to correct inaccurate or incomplete data. If you consider that a detail in your medical records is inaccurate or misleading, you have a right to ask for a note to that effect to be entered in the records. You have a right to request a restriction on the processing of your personal data until inaccurate data has been corrected or an objection from you has been investigated.
The right to restriction
You may request us to restrict certain processing of your personal data. If you restrict certain processing of your personal data, this may lead to fewer possibilities to use our websites and other services.
Automated decision-making
We may in some cases use automated decision-making, if it is authorised by legislation, if you have provided an explicit consent or if it is necessary for the performance of a contract.
You can always express your opinion or contest a decision based solely on automated processing, including profiling, if such a decision would produce legal effects or otherwise similarly significantly affect you. You have the right to obtain human intervention to express your opinion or contest a decision.
When using automated decision-making we will provide you with further information about the logic involved, as well as the significance and the envisaged consequences to you.
How do I exercise my rights?
You may request to use these rights by sending a letter or e-mail, including your name, address, phone number to the contact details set out below. When you exercise any of your rights, we may need to identify you in order to ensure that we are in contact with the correct person. Hence, we may request the provision of additional information necessary to confirm your identity.
We will respond to your request without undue delay, but at the latest within one (1) month of the request. If the requests are numerous or complex, we may extend the deadline to two (2) months, but we will still respond to the request within the first month and explain why the extension is necessary.
Disclosure of your personal data
Your personal data may need to be transferred to or shared with others whenever necessary or justified. Your personal data is shared with:
Authorised employees at Mindler
Your personal data may be shared under secrecy with Mindler employees who are involved in your treatment and/or providing the Service. Your personal data may also be shared with analysts and software developers at Mindler working with statistics, evaluating and improving the Service, or solving inquiries and issues. Analysts only have access to pseudonymized data.
Suppliers and subcontractors
Your personal data may be transferred to or shared with certain companies that supply various types of services to Mindler. These services could be medical journal systems, video and operator service providers, payment providers, marketing tracking providers, advertising and analytics service providers, chat or email automation providers and infrastructure platforms necessary for our services to run.
Subcontractors are covered by the same confidentiality agreement as those which apply to Mindler, and may only process personal data in accordance with our instructions or in accordance with laws and regulations.
The list of subcontractors is available at Mindler’s website (https://mindlercare.com/legal-information/sub-processors/).
Medical referrals
If you and your Therapist decide that you need a medical referral, they will write and send a referral to the appropriate medical provider.
Authorities
Mindler may also be required to provide necessary information to local healthcare authorities, the police or other authorities if required by law or if you have granted your approval.
Scientific Research
We may process information about your use of Services for research purposes which aim at e.g. increasing scientific knowledge in the field of medicine, health and nursing science. Such analysis is only made on a group level, and therefore results cannot be linked to you as an individual. We will only present aggregated results, non-personally identifiable data (anonymized data). Anonymized data can be shared to third parties for research purposes. Regulations on data privacy don’t apply to the anonymized data because registered persons are not identifiable.
Where your personal data is processed
Your medical record data will not be transferred to, or processed in, any country outside the EU/EEA or the UK. Other personal data may be processed in a country outside the EU/EEA or the UK. When transferring personal data to a country outside the EU/EEA or the UK to a country which is not subject to an adequacy decision by the European Commission or the UK Secretary of State, or considered adequate as determined by applicable data protection laws such as UK Privacy Framework, we take appropriate legal, technical and organisational security measures to ensure that the personal data is adequately protected according to the same level of protection as within the EU/EEA and the UK. If your personal data is transferred outside the EU/EEA or the UK, then this is done on the basis of appropriate and adequate safeguards for data transfers to comply with the requirements set out in UK GDPR Chapter V.
A copy of the relevant mechanism can be obtained for your review on request by using the contact details below.
The European Commission has determined that the United Kingdom offers an adequate level of protection – you can find out more in the adequacy decision available here https://ec.europa.eu/commission/presscorner/detail/ro/ip_21_3183. We rely on this decision for EU/EEA-UK transfers and explain below what happens when there is not an adequacy decision covering a transfer.
Information Security
We will take all reasonable, appropriate technical, security and organisational means and measures considering the nature and purposes of processing and the nature of personal data processed, to protect Mindler and our customers from unauthorised access to or unauthorised alteration, disclosure or destruction of personal data we hold. Measures include, where appropriate, encryption, firewalls, secure facilities and access rights systems.
Should, despite the security measures, a security breach occur that is likely to result in a high risk to your rights and freedoms, we will inform you about the breach without undue delay.
Third-party websites and services
Our Website or other parts of our services may contain links to third-party websites and services. If you decide to visit third-party websites and services, this Privacy Policy will no longer apply and you should consult the privacy policy of that third-party instead.
Changes to the Privacy Policy
This policy may occasionally need to be changed or updated, for example if functions are changed or added to the Service. Minor changes to our Privacy Policy will be communicated through our webpage. Major changes regarding how your data is processed will be communicated through the Application, Website and email (if you have provided it to us). We will not make substantial changes to this Privacy Policy or reduce your rights under this Privacy Policy without providing you with a notice. This policy was last updated at 2024-11-20.
You can contact us at any time
Mindler Ltd is registered with the Registrar of Companies for England and Wales under organisation number 12232933. Our head office is 24 Old Queen Street London SW1H 9HP London.
You can contact us at any time if you have questions about your personal data by sending an email to privacy@mindler.co.uk.
Complaints
In case you consider our processing activities of your personal data to be inconsistent with the applicable data protection laws, you may lodge a complaint with the local supervisory authority for data protection.
You have a right to contact and file a complaint with the Information Commissioner’s Office (https://ico.org.uk/) if you believe we have processed your personal data incorrectly.