Valid from 1.4.2024

Mindpax Privacy Policy

 

Privacy and protection of personal data is very important to Mindpax. This Privacy Policy will tell you how we handle and protect your personal data and comply with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) when you use the Mindpax M2 Medical Device consisting of our mobile applications Miu.me or Sigma.me (the “App”), the wristband for collecting activity data (the “Mindpax Sensor”), and our analytical system and data sharing with your clinician (“Virtual Clinic”) (together the “Medical Device”) in connection with using our service (the “Service”).

  1. Who we are

This Privacy Policy applies to personal data processed by Mindpax s.r.o., Branická 26/43, 147 00 – Prague, Czech Republic, ID No.: 04153359 (further referred to as “Mindpax”, “we”, or “us”) as the data controller in connection with the use of the Medical Device by you (the “user”).

Questions, comments, and requests regarding this Privacy Policy are welcome and should be addressed through the Data Protection Officer at dpo@mindpax.me.

  1. App Data Processing at a Glance

When you register to use our App and Services, you have to confirm that you have read our Privacy Policy, and to consent to Mindpax collecting and analyzing your health data to provide you with the Service. You will also be invited to provide your consent to voluntary processing options, such as participation in research activities and app development. You must be 18 years or older to use the App.

When you use the App, we process information that you input during the set-up process and further supply during the use of the App through self-report questionnaires and, in the case of Miu.me app, information about your activity collected through the Mindpax Sensor. The user data is sent to Mindpax and analyzed to provide you with the Service.

Our analytical system includes automatic decision making. Data that you entered in the App and data gathered by the Mindpax Sensor are processed and evaluated by our analytical system. As a result of this analysis, the system provides targeted feedback tailored to your state. These automatic functions are used to deliver the Mindpax Services to you.

You may decide to share data from the App with your clinician. In such a case, the clinician will gain access to the data collected by your use of the Medical Device and use such information for monitoring your health condition and/or clinical decision-making support.

We also process information related to your user account, subscription, and when you report a problem with our Service. We are under a legal obligation to conduct monitoring of the quality and safety of the Medical Device, for which purpose processing of your personal data may be necessary.

The App uses access to your location for proper functioning of Bluetooth communication between the App and the Mindpax Sensor. Location is in use only when you use the App. The location data is not stored or further processed by us. If you do not use the Mindpax Sensor with the App, the App will not use your location.

Generally, we process your data for the purpose of provision of the Service until you request deletion of your account or when you delete your account. Your account and data will be deleted or irreversibly anonymized within 6 months. During these 6 months, your account will be frozen for your protection, and you will still be able to restore your account.

  1. Data about your Health

To deliver the Service, the App collects and processes data about you and your health. This includes general information about you, your diagnosis, medication, symptoms, life patterns, events, feelings, and activities.

Your data is further processed and analyzed to give you visualization and feedback on symptoms of your medical condition based on your diagnosis in order to support your management of the disease.

The processing involves automatic decision-making based on your health data to deliver feedback on your symptoms and personalized content.

It is not possible to use the App without your consent to processing your health data as they are necessary for the provision of the service.

You may also give us consent to use information collected during your use of the App for research purposes or for developing the App. In such a case, your consent is voluntary and can be withdrawn anytime without any impact on our Service.

  1. Automatic Decision Making and Profiling

Data that you input in the App and data collected from your use of the Mindpax Sensor may be used for automatic decision making within the meaning of Art. 22 of GDPR. Mindpax uses algorithms to evaluate data inputted in the App (including data from the Mindpax Sensor, when used) to deliver personalized content to you.

For affective disorders (Miu.me), the App creates a baseline from data collected during the first months of use; this usually takes around 3 months. Then the App displays personalized psychoeducational suggestions depending on deviations from the baseline to help you manage your condition. The App also provides a calculated state of your symptoms.

For psychotic disorders (Sigma.me), the App uses data from early warning signs questionnaires to alert you about a possible risk of relapse and to adjust the questionnaire period during the alert period.

  1. Details of Data Processing

In this section, you will find details about what data we process, why, and how we process them. The range of data collected through the App depends on your diagnosis, i.e., whether you use the App to manage an affective disorder or a psychotic disorder. Your height, weight, and general information about your activity patterns such as employment or traveling between time zones are only processed if you use the App for affective disorders. Actigraphy data and data about the Mindpax Sensor are collected only if you are using the Mindpax Sensor.

If you use the App as a participant in scientific research or a study, there might be modifications to the processing of your personal data. Please review the documents you received regarding your participation from the organization conducting the research.

      • When you register a user account
        • Types of data: Email address and password, account ID, device ID, name, username, consents, gender, date of birth, height, weight, general information about your activity patterns such as employment or traveling between time zones.
        • Purpose: To provide you with a user account and access to our Medical Device. We use general health data for basic analysis. We will not be able to provide our Services without your input of non-optional data.
        • Legal grounds: Contract performance, consent for the processing of your health data.
        • Storage duration: Until you request deletion of your account plus 6 months.
      • Provision of the Service by the Medical Device
        • Types of data: user data (email, user name, name, age, gender, height, weight, work and travel information), actigraphy data (sleep, activity), information about feelings and mood, information from questionnaires, events, medication data, technical information about the Mindpax Sensor, results of evaluation algorithms.
        • Purpose of processing: To provide you the Services, data collected through the App are processed and analyzed by the Mindpax analytical system in order to provide you and/or your clinician with visualizations of the data, alerts, and personalized education content to support self-management of your medical condition and clinical decision making by your clinician.
        • Legal grounds: Contract performance, consent for the processing of your health data. Proper functioning of the Medical Device requires processing of these data. If you do not give consent to our processing of these data or you withdraw your consent, you will not be able to use the Medical Device.
        • Storage duration: Until you request deletion of your account plus 6 months.
      • Participation in scientific and clinical research
        • Types of data: user data (age, gender, height, weight, work and travel information), actigraphy data (sleep, activity), information about feelings and mood, information from questionnaires, events, medication data, and results of evaluation algorithms.
        • Purpose of processing: We use the above data to assess your suitability for scientific or clinical research and to contact you in order to invite you to participate in clinical research with one of our clinical research partners that may be of interest to you. We do not pass any personal data to our research partners without your consent, and any participation in such clinical research is subject to your prior consent.
        • Use justification: You may withdraw your consent at any time by rejecting the option in your App.
        • Storage duration: Until you request deletion of your account.
      • Participation in app development
        • Types of data: user data (age, gender, height, weight, work and travel information), actigraphy data (sleep, activity), information about feelings and mood, information from questionnaires, events, medication data, technical information about the Mindpax Sensor, and results of evaluation algorithms.
        • Purpose of processing: We further develop the App and our Medical Device to provide enhanced services to our users. We use only pseudonymised data for this purpose.
        • Use justification: You may withdraw your consent at any time by rejecting the option in your App.
        • Storage duration: Until you request deletion of your account.
      • Post-market surveillance and quality management
        • Types of data: user data (email, user name, name, age, gender, height, weight, work and travel information), actigraphy data (sleep, activity), information about feelings and mood, information from questionnaires, events, medication data, technical information about the Mindpax Sensor, results of evaluation algorithms, data about complaint reports, customer feedback surveys.
        • Purpose of processing: To guarantee high quality and safety standards of the Medical Device, we are required to conduct post-market surveillance and employ a quality management system, for which purposes we are required to monitor and analyze data. Health data are not processed for quality management. We may also ask you to fill in surveys. The aim is to determine if any improvement is needed in order for our Medical Device to meet the highest quality and safety standards.
        • Use justification: Legal obligation under medical device regulations of the European Union and the Czech Republic.
        • Storage duration: We process your data no longer than necessary for the purposes specified above.
      • Security and safety
        • Types of data: log information (user ID, time, type of event)
        • Purpose of processing: We use the data for security of Mindpax Services. We do not use your health data for this purpose.
        • Use justification: Legitimate interest
        • Storage duration: We keep logs no longer than necessary for the purposes specified above, and in any case no longer than 3 months.
      • Customer support
        • Types of data: name, email, phone number, requests and complaints handling, subscription information.
        • Purpose of processing: When you contact us with a question, request or complaint, we process your personal data to handle the issue and communicate with you. We will further retain the data for defense against legal claims.
        • Use justification: Performance of contract, legitimate interest
        • Storage duration: Until expiry of statutory limitation periods.
    1. Sharing personal data with your clinician

    If your clinic, doctor or psychotherapist (the “Clinician”) is signed up with Mindpax, you may decide to share your personal data with them. For the purpose of patient treatment by Clinicians, the Medical Device comprises a monitoring system that provides the Clinician with continuous monitoring information of the user for long-term disease management and treatment.

    Data will be shared only with your approval. Each Clinician has a unique code. Ask your Clinician for the code and submit the code in your App. You will be required to verify the name of the clinic / Clinician before the sharing resumes.

    When you decide to share your data with your Clinician, all data collected through the App and Mindpax Sensor will be made accessible to them.

    Your Clinician is a separate data controller independent of Mindpax, and their processing of your personal data is subject to the control and responsibility of the Clinician.

    You may stop sharing your data with the Clinician anytime. If you do so, the Clinician’s access to your data in Mindpax systems will be discontinued and their access to data that has already been shared will be blocked. Review your Clinician’s privacy information or ask your Clinician about the way they process your personal data.

    1. What happens after expiry of subscription

    If your subscription expires, the processing of your personal data will be limited. You will have access to your historic data and you will still be able to input some new data manually; however, the data will not be analyzed for the purpose of provision of the Service by the Medical Device.

    If you renew your subscription, the full range of processing activities will resume from the first day of the subscription period.

    1. Location of your personal data

    The personal data that we process about you is stored in the European Union on cloud servers of Amazon Web Services EMEA S.A.R.L. (“AWS”) with a business seat in Luxembourg.

    1. Access to your personal data

    We may engage reliable and trustworthy processors to process your personal data. You can find a full list of our processors at www.mindpax.me. All processors are bound by data processing agreements and the processing is conducted under our control.

    Otherwise, we share your personal data with third parties only with your prior explicit consent. Such third parties may include, based on your consent, your clinic or clinician or our research partners.

    We may further disclose your personal data in the event that we are required to do so by EU or member states’ legal regulations.

    1. How long do we retain your personal data

    Generally, we process your data for the purposes of provision of the Service until you request deletion of your account or when you delete your account. If your account is inactive for more than 36 months, we will contact you to check whether you wish to continue using our Medical Device. If you then leave your user account unused for another 3 months, we will delete your account. In this case, your account and data will be deleted or irreversibly anonymized within 1 month. During this 1 month, you may still request restoration of your account.

    Otherwise, we will hold your personal data for as long as it is necessary or required by law or by any relevant regulatory body, and always in compliance with the data minimization principle. Specific storage periods for the respective processing activities are detailed in section 3 above.

    If your personal data is used for more than one purpose, we will retain them until the purpose with the longest period expires, but we will stop using it for the purpose with the shorter period as soon as the shorter period expires. We restrict access to your personal data to the persons who need to use it for the relevant purpose(s).

    We may retain data (incl. health data) in relation to your use of our Services for three or ten years in accordance with our business needs for the purposes of establishing, exercising or defending against legal claims.

    If the processing of your personal data is no longer necessary for any purpose it is either irreversibly anonymized (and the anonymized data may be retained), or securely deleted.

    1. Your rights

    Under GDPR you have various rights in relation to your personal data. All of these rights can be exercised by contacting us via our contact form (see www.mindpax.me) or by contacting the Data Protection Officer at dpo@mindpax.me. Some rights can also be exercised directly through the App.

          • Right to withdraw consent: Where the processing of your data relies on your prior consent, you have the right to withdraw such consent. You can do this by canceling your consent directly in the App. By withdrawing your consent, the lawfulness of the processing based on consent up until the point of withdrawal will not be affected.
          • Right to erasure: You have the right to erasure (“right to be forgotten”). This means generally that based on your request we are obliged to erase your personal data when one of the reasons listed in Article 17(1) GDPR applies. You can make the request for erasure by deleting your account in the App. When applicable we are also obliged to take reasonable steps to inform other controllers which are processing the relevant personal data that you have requested the erasure by such controllers of any links to, or copy or replication of those personal data, taking account of available technology and costs. There are exceptions to the right to erasure, e.g. if the processing is necessary for compliance with a legal obligation or for the establishment, exercise or defense of legal claims.
          • Right to object: You have the right to object under the conditions of Article 21 GDPR, especially when the processing is based on legitimate interests. You have the right to object on the grounds relating to your particular situation. We will no longer process your personal data, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims.
          • Right to access: You have the right to obtain access and information under the conditions provided in Article 15 GDPR. This means in particular that you have the right to obtain confirmation from us as to whether we are processing your personal data or not. If so, you also have the right to obtain access to the personal data and the information listed in Article 15(1) GDPR. This includes information regarding the purposes of the processing, the categories of personal data that are being processed, and the recipients or categories of recipients to whom the personal data have been or will be disclosed.
          • Right to restriction of processing: You have the right to restriction of processing under the conditions provided in Article 18 GDPR. This means that you have the right to obtain from us the restriction of processing if one of the conditions provided in Article 18(1) GDPR applies. This can be the case, for example, if you contest the accuracy of the personal data. In such a case, the restriction of processing lasts for a period that enables us to verify the accuracy of the personal data.
          • Right to data portability: You have the right to data portability under Article 20 GDPR in cases when we process your personal data based on consent or for the purpose of fulfilment of our contract, and where the processing is carried out by automated means. This means that you generally have the right to receive the personal data which you have provided to us in a structured, commonly used and machine-readable format, and to transmit those data to you or another controller designated by you. In exercising your right to data portability, you also generally have the right to have your personal data transmitted directly from us to another controller where technically feasible.
          • Right to Rectification: You have the right to rectification under the conditions provided in Article 16 GDPR. This means in particular that you may require us to rectify inaccuracies in your personal data and completion of incomplete personal data.
          • Rights related to Automatic Decision Making: To the extent the App provides you with automatic decision making functions, you may request human intervention, express your point of view, and contest the decision.
          • Right to complain: You have the right to lodge a complaint with a supervisory authority under the conditions provided in Article 77 GDPR. The supervisory authority responsible for us is the Personal Data Protection Office of the Czech Republic (uoou.cz).

    Asking us to stop processing your personal data or deleting your personal data will likely mean that you are no longer able to use our Services, or at least those aspects of the Services which require the processing of the types of personal data you have asked us to delete.

    1. Changes to this policy

    Any changes we make to our Privacy Policy will be posted on the Mindpax website and made accessible in the App. Where appropriate, we will notify you of the changes by email, in-App notification, or by any other available means.
