Last updated · 26 May 2026

Privacy Policy

Data Controller: MindReset AI self-help platform, operated by MindReset AI Ltd, a company registered in England & Wales, based in London, United Kingdom — support@mindreset.ai

[NOTE: ICO Registration to be obtained at ico.org.uk before public launch. Annual fee ~£40-60. Register before any marketing or public availability.]

1. What This Policy Covers

This Privacy Policy explains what personal data we collect about you when you use the Service, why we collect it, how we secure it, with whom we share it, how long we keep it, and what rights you have under UK GDPR and (where applicable) EU GDPR.

2. Data We Collect

| Category | Examples | Purpose | Lawful basis |
| --- | --- | --- | --- |
| Account data | email address, hashed password, country (inferred from IP), preferred language | create and manage your account; deliver the Service | Contract |
| Screening data | your responses to the Readiness Check, resulting classification (Green / Yellow / Red), reason summary | classify whether the Service is appropriate for you; protect users from potential harm | Explicit consent (Art 9 §2 a UK GDPR) |
| Conversation data (special category) | the messages you send to MiniMind or modules; reflections and answers in exercises; mood and energy check-ins | AI analysis to suggest practices; personalised wellbeing support; tracking your progress | Explicit consent (Art 9 §2 a UK GDPR) |
| Wellbeing profile | derived patterns (e.g., "elevated anxiety", "recent stable period"), state and theme observations | personalisation; smart routing to appropriate practices and modules | Explicit consent (Art 9 §2 a UK GDPR) |
| Safety events | flagged conversation moments that triggered our safety protocol, our automated response, optional manual review notes | safety protocol audit; compliance with Online Safety Act 2023 priority offences obligations | Legitimate interest (audit trail for safety) / Legal obligation |
| Usage data | device type, browser, IP address, cookies, timestamps, page views | security, anti-abuse, service improvement, anonymous analytics | Legitimate interest |
| Payment data | last 4 digits of card, transaction ID, billing email (full card data is held by the payment processor, not us) | billing, fraud prevention, financial record-keeping | Contract / Legal obligation (tax law) |
| Support messages | emails you send to support@mindreset.ai or our other addresses | responding to inquiries; resolving issues | Legitimate interest |

We do not request your real name, physical address, date of birth, or government identifiers. Please avoid sharing personally identifying details about yourself or others inside conversations with the AI.

3. How We Use AI

Your conversation data is processed by our AI engine to generate responses and suggest practices.

  • The AI creates non-medical wellbeing observations (e.g., "the user describes physical tension when discussing work") to better personalise practices
  • The AI does not make medical diagnoses
  • The AI does not make decisions that have legal effects on you
  • You may contact us at support@mindreset.ai if you believe an automated response is incorrect or harmful; a human will review

Under Article 22 of UK GDPR, you have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. The wellbeing observations and practice suggestions made by our AI do not constitute such decisions.

4. With Whom We Share Data

We never sell or rent your personal data. We share it only with categories of service providers necessary to deliver the Service:

  • Cloud hosting and database services
  • AI infrastructure (for the conversational and analytical features)
  • Speech-to-text transcription (for voice input)
  • Authentication and account management
  • Payment processing
  • Transactional email delivery
  • Website hosting

Voice input. If you choose to use voice input on MiniMind, your recorded audio is securely transmitted to our speech-to-text provider for transcription. We have enabled zero data retention with this provider — audio is not stored after transcription on either MindReset infrastructure or the provider's. Only the resulting text is saved as part of your conversation history. You may use the Service entirely by typing if you prefer.

Specific providers may change over time. A current list of the service providers we use is available on request — email support@mindreset.ai.

We may also disclose your data when legally compelled by a court order or similar legal process.

We use Standard Contractual Clauses (or equivalent UK IDTA mechanisms) for any international data transfers, supplemented where necessary by additional safeguards including encryption in transit and at rest.

5. International Transfers

Your data may be processed outside the UK and EU, primarily in the United States. Where this happens we rely on either:

  • An adequacy decision by the UK or EU (where one exists)
  • Standard Contractual Clauses approved by the European Commission or the UK ICO
  • Other appropriate safeguards permitted under UK GDPR or EU GDPR

You may request details of the specific safeguards in place for any transfer by emailing support@mindreset.ai.

6. Security

We implement appropriate technical and organisational measures to protect your data:

  • TLS 1.2 or higher for all data in transit
  • AES-256 encryption at rest for stored data (provided by Supabase)
  • Hashed passwords using industry-standard algorithms (managed by Clerk)
  • Role-based access to our backend systems; access logged and audited
  • Confidentiality obligations for anyone with access to data
  • Regular security reviews and dependency vulnerability monitoring
  • Encrypted backups with limited retention

No security system is 100% impenetrable. In the event of a data breach affecting your rights and freedoms, we will notify the ICO within 72 hours and, where required, notify affected users without undue delay.

7. Retention

| Data category | Retention period |
| --- | --- |
| Account data | Active account: until you delete it. Inactive account: deleted 12 months after last sign-in. |
| Screening data | 12 months after last sign-in, or immediately upon account deletion |
| Conversation data | 12 months after last sign-in, or immediately upon account deletion |
| Wellbeing profile | Same as Conversation data |
| Safety events | 7 years (legal audit trail obligation) — depersonalised after account deletion |
| Payment records | 6 years (UK tax law requirement) |
| Backups | Maximum 30 days |
| Support messages | 24 months from last contact |

You may request earlier deletion of any data, except where we have a legal obligation to retain it (e.g., financial records under tax law, safety events under the Online Safety Act).

8. Your Rights

Under UK GDPR (and EU GDPR where applicable), you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — correct inaccurate data
  • Erasure — request deletion of your data ("right to be forgotten"), subject to legal retention obligations
  • Restriction — request that we limit how we process your data
  • Objection — object to processing based on legitimate interests
  • Portability — receive your data in a structured, commonly-used, machine-readable format
  • Withdraw consent — for any processing based on consent

To exercise any of these rights:

  • Use the "Data" section in your account settings (when available), or
  • Email support@mindreset.ai with your request

We will respond within one month, or notify you within one month if we need additional time (up to a further two months) due to complexity.

If you are unsatisfied with our handling of your data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk, or with your local data protection authority in the EU.

9. Cookies

We use:

  • Strictly necessary cookies — for authentication (Clerk session), security, and basic site function. These cannot be disabled
  • Optional analytics cookies — for understanding usage patterns and improving the Service. You will be asked to accept or decline these on your first visit

We do not use advertising cookies, tracking pixels for marketing, or third-party trackers.

10. Children's Data

The Service is for adults aged 18 and over. We do not knowingly collect personal data from individuals under 18. If you believe a child under 18 has provided us with personal data, please contact us at support@mindreset.ai and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or in applicable law. Material changes will be announced by email and/or in-app at least 30 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

12. Contact

For privacy-related questions or to exercise your rights:

  • Email: support@mindreset.ai
  • Postal address: [NOTE: To be added when a registered business address is available.]