Mindstep U.S. Incorporated
Privacy Policy
Effective Date: 20 February 2024
Welcome to Mindstep. This privacy policy (the “Privacy Policy”) describes how Mindstep US Incorporated (collectively “Mindstep,” “we,” or “us”) collect, maintain, use, disclose, and process certain information about you as it relates to the following:
Mindstep’s digitally-based health care services (the “Mindstep Services”);
Mindstep’s mobile applications (the “Apps”);
the websites that Mindstep operates and directly link to this Privacy Policy (the “Sites”); and
all related services and features that Mindstep provides (collectively with Mindstep Services, Apps and Sites, the “Services”).
Any capitalized terms that are not defined in this Privacy Policy will have the meanings given to those terms in the Terms of Use.
What personal information do we collect?
We collect various Personal Information (as defined below) from you and certain devices that you may use. This includes information collected through applications, registrations, and your use of the Services. We also collect Personal Information in connection with your inquiries. Collection starts from the time that you initially access our Services.
Personal information definition
In this Privacy Policy, we use the term “Personal Information” to refer to information we gather that could be used to identify or contact you and any information we gather concerning your use or potential use of the Services. Your Personal Information that we receive may include “personal information” as that term is defined by relevant laws and regulations. Examples of Personal Information include your first and last name, your personal profile, your email address or other contact information, and all User Submissions.
Personal health information definition
In this Privacy Policy, we use the term “Personal Health Information” to refer to the subset of Personal Information that we create, receive, transmit, or maintain as part of your application for or participation in a Mindstep Services where that information relates to (a) your past, present, or future physical or mental health or condition or (b) the provision of healthcare to you.
Personal information that You provide to Us
We receive and store any information that you voluntarily provide to us. This may be when you provide such information by inputting it on our Site or through one of our Apps, information that you share with us by email, phone, or other direct communications, and any other information that you directly provide to us through the Services. The categories of Personal Information that we collect include the following:
Basic Identifying Information, including your full name, email, phone number, and address;
Demographic Information, including your gender and age;
Account Credentials, including your username and password, contact information (e.g., your phone number, your email address;
Personal Health Information, including weight, pre-existing medical conditions, information concerning your exercise, sleep, mental cognition information, emotional state, and other activities, and other past, present, or future physical or mental health or condition or the provision of healthcare to you;
User Submissions, including content you submit to us through the Services. More information about User Submissions is further described in our Terms of Use;
Payment information, including credit card and/or other payment information (where applicable for participants who pay for their own participation in the Services);
Inferences, such as inferences drawn from or created based on the information identified above; and
Voluntarily Provided Information, including any other information or data that you voluntarily and directly provide when using our Services or interacting with us.
Personal Information that We Receive From Third-Parties Data Sources
We also may enable you to share information with us from third parties who have received your information because you subscribe to or otherwise participate in their services or because you use their digital equipment. We refer to these sources as “Third-Party Data Sources.” Third-Party Data Sources may include any digital equipment, platforms, or services that you already possess or that you later acquire on your own and not from us (“Third-Party Health Devices”). We may receive your Personal Information from Third-Party Health Devices if you enter that information manually through the Apps or the Sites or if you enable the device to supply information to us automatically. In addition to Third-Party Health Devices, Third-Party Data Sources may also include other third-party sources of data that you authorize to deliver information to us, such as Apple HealthKit. Examples of Personal Information that we may receive from Third-Party Data Sources, including Third-Party Health Devices, may include various current and historic health information, including that concerning your exercise, sleep, and other activities. You can find more information about Third-Party Data Sources, including Third-Party Health Devices, in our Terms of Use.
We will use the Personal Information that you provide for the purposes described above (and any other purposes intrinsic to the Services that you use) and to provide you with an engaging and personalized experience in using the Services. You can choose not to provide us with certain information, but if you do make that choice, we may be unable to provide you with access to or use of many of our features.
Personal Information Collected Automatically
In addition to any information that you provide to us through the Services, we and our third-party service providers may use a variety of technologies that store or collect certain information from you automatically (or passively) when you visit or interact with the Site, the Apps, or other aspects of the Services (“Usage Information”). This Usage Information may be stored or accessed using technologies downloaded to your device whenever you visit or interact with the Services. The categories of Information we collect automatically include:
Device Identifiers and Other Unique Identifiers, including your IP address, other unique device identifiers assigned to your device that allow our computers to recognize you, details of your device’s characteristics and functionality (e.g., browser, and operating system)
Internet or Other Network Activity, including information such as your browsing or use history, mobile network information, access to areas within the Site, the Apps, or other aspects of the Services that you visit and your activities there;
Tracking Technologies, including cookies, embedded scripts and web beacons. For more information about tracking technologies, please see the subsection “Tracking Technologies” below.
Geolocation Data, including Information that permits us to determine your device’s location.
The following provides additional information related to circumstances in which we collect information automatically:
Information from Your Browser or the App. We automatically receive and record Usage Information from your browser on our server logs whenever you interact with the Site, the Apps, or other aspects of the Services. We may use this Usage Information to provide you with customer service and support. We also may use this Usage Information to recognize you when you arrive at the Site from an external link, such as a link appearing on a third-party site or in an email generated by us. We discuss this type of technology in more detail under “Tracking Technologies” below. Our Services also collect Usage Information to determine how often visitors use parts of the Site, the Apps, or other aspects of the Services so that we can improve our Services and strive to ensure that the Services appeal to as many users and customers as possible. Our Services collect this data in a manner similar to how TV ratings may indicate the number of people that watched a particular show. We may provide this de-identified, aggregate data to our partners and/or customers to identify how our users use our Services, but we only use this data in aggregate form as a statistical measure to monitor how the Services function and not in a manner that would permit us to identify you personally. You may set your browser to refuse or disable these data collection methods, but doing so may change your experience with the Site, the Apps, or other aspects of the Services, diminish certain aspects of the Services’ functionality, or render certain features inoperable. For example, the Site may not recognize or respond to your browser with “do not track” technologies employed.
Email Communications. We may receive a confirmation when you open an email from us if your device supports this type of program. We use this confirmation to make emails more interesting and helpful. When you receive an email from us, you can opt out of receiving further emails by following the included instructions to unsubscribe. If you would like assistance in unsubscribing from email communications, please contact us in any of the manners described at the end of this Privacy Policy. Please keep in mind that, by opting out of further email communications after you enroll in an Mindstep Services, you may limit program reminders and other valuable program content and components.
Tracking Technologies. We may use various tracking methods or technologies (“Tracking Technologies”) to store or collect your Usage Information, including information about your visits to or interactions with our Site, the Apps, and other aspects of the Services. We use Tracking Technologies for a variety of purposes we believe to be necessary or helpful in improving or assessing the performance of the Services (for example, as part of our analytic practices) or in offering you enhanced functionality (for example, to identify you when you sign in, to keep track of your specified preferences, or to help ensure that the security of your account has not been compromised). Tracking Technologies may include the following technologies and methods as well as any subsequent technologies and methods later developed to perform similar functions:
Cookies. Cookies are alphanumeric identifiers that we transfer to your device through your browser to enable our systems to recognize your browser and to tell us how and when you visit pages in our Site or other aspects of the Services. We use cookies to enhance visitors’ experiences by understanding how they engage with and navigate our Site and the Services. Regular cookies may be disabled or removed generally by adjusting certain settings available as part of most browsers. In some (but not all) cases, these tools can block those cookies in the future. Each browser that you use would need to be set separately, and different browsers offer different functionality and options in this regard. In addition, these tools may not be effective for certain types of cookies (e.g., Adobe Flash or HTML5 cookies). Your ability to limit cookies when you revisit our Site or Services is subject to your browser settings and limitations. Please note that, if you disable or remove cookies on your device, some parts of our Site or other aspects of our Services may not function properly.
Embedded Scripts. An embedded script is programming code designed to collect information about your interactions with the Site, the Apps, and other aspects of our Services, such as a link that you may click on. Embedded scripts are temporarily downloaded onto your device. Embedded scripts remain active only while you are connected to the Services and are then deactivated or deleted.
Web Beacons. The Services may also include small graphic images or other web programming code called “web beacons” (also known as “1×1 GIFs” or “clear GIFs”). Any electronic image or other web programming code inserted into a page or email can act as a web beacon, and web beacons may be invisible to you. Web beacons and similar technologies may be used for a number of purposes, including to count visitors to the Services, to count how many sent emails were opened, to count how many articles or links were viewed, or to monitor how users navigate the Services.
Third parties may use Tracking Technologies with our Sites as well. As an example, you will see social media widgets for Instagram, TikTok, and LinkedIn on our Sites. We do not control those Tracking Technologies, and we are not responsible for them. For example, if we serve ads on our Site or through other aspects of the Services, our advertising partners may set cookies in connection with those ads. These cookies may allow the advertising partner to recognize your device each time the partner sends you an online advertisement and may enable the partner to deliver targeted advertisements to you or otherwise compile information about you or others who use your device. This Privacy Policy refers only to the use of cookies and other Tracking Technologies by Mindstep and does not cover the use of any Tracking Technologies by advertisers or any other third parties. You consent to potentially encountering third-party Tracking Technologies in connection with your use of the Services and accept that this Privacy Policy does not apply to the Tracking Technologies or practices of those third parties. To confirm how any third party collects or uses your information, please refer to that third party’s website.
How do We use Your Personal Information?
Information that we gather enables us:
to administer your account,
to provide you with the Services,
to send you communications regarding the Services we offer,
to respond to your inquiries,
to obtain your feedback on our Services,
to understand who is using our Services and how the Services are performing,
to otherwise analyze user behavior and activity,
to personalize and improve our Services,
to conduct research activities,
to manage the security of the Services, and
to fulfill any requirements imposed on us by applicable laws and regulations.
From time to time, we may use or augment Personal Information about you with information obtained from third parties. For example, we may use third-party information to confirm contact or financial information, to verify your eligibility for Mindstep Services, or to better understand your interests by associating demographic information with the information that you have provided.
Who do we share Personal Information with?
The following sections describe certain circumstances when we may share your Personal Information:
Information Shared with our Affiliates
We share information with our related entities including our parent and sister companies for business purposes such as customer support, marketing, product development, and technical operations.
Information Shared with Our Service Providers
We employ other people and companies to perform tasks on our behalf, and we must share your information with them in order to provide products and/or Services to you. Such service providers include providers that assist us with payment processing, data analytics, marketing and advertising, website hosting, technical support, auditing, and debugging to identify and repair errors that impair existing intended functionality on our Services.
Information Available to App Providers
By downloading any of the Apps from an App Provider, such as the Apple App Store or Google Play, please note that the App Provider and its agents may be able to identify you as a user of our Services.
Information Shared with Other Business Partners
In order to provide you with the optimal user experience, we anticipate that we may work with a variety of third-party businesses. In certain situations, we may enable you to buy products or services of third-party businesses through the Services. In other situations, we may provide services or sell products jointly with affiliated businesses. You should be able to recognize when a business partner is associated with your transactions. Throughout the course of those transactions, we will share Personal Information that is related to those transactions with those affiliated business.
Referrals to Family, Colleagues, and Friends
From time to time, we may ask or invite you to refer our Services to family members, colleagues, or friends. We ask you to limit your invitations to people in your inner circle that may have an interest in our Services. In these cases, it is your responsibility to ensure that these persons are indeed family members (by marriage, common-law partnership, or parent-child relationship) or people with whom you have a personal relationship (based on frequency of communication, sharing of interests or opinions, etc.). If we refer one of these persons to the Services, we may inform them that you have suggested that they may be interested in trying our Services. If they request that we do not contact them again, we will not contact them again.
Our Business Transfers
We may disclose Personal Information in connection with or during negotiations of, any proposed or actual merger, purchase, sale, or any other type of acquisition, business combination of all or any portion of our business or assets, change of control or a transfer of all or a portion of our business or assets to another third party (including in the case of any bankruptcy.
For Legal Process and Protection
We may release your Personal Information when we believe in good faith that releasing that information is necessary to comply with applicable law, to enforce our conditions of use and other agreements, or to protect the rights, property, or safety of Mindstep, our employees, our users, or others. We may exchange information with other companies and organizations to detect, suppress, or protect against fraud and for credit risk reduction.
We may also disclose or share your information to satisfy any law, regulation, legal process, governmental request, or where we have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to enforce or apply our agreements or in connection with claims, disputes, or litigation.
De-identified Data
As described in our Terms of Use, we may de-identify the User Submissions that you share with us, including any Personal Information, or otherwise process them so that they are no longer attributable to you without additional information (“De-identified Data”). We may use that De-identified Data without restriction in any way allowed by law. For example, we might use De-identified Data to understand, evaluate, or modify the Services, to generate statistical information about the Services that we share with our customers and other third parties who are evaluating, analyzing, accrediting, or researching Mindstep’s programs, or for our other business purposes. When an applicable law requires that we use a particular method of de-identifying data or rendering it no longer attributable to you, we will comply with that law. Otherwise, we may use a method that is appropriate under the circumstances and would not reasonably identify you.
Promotional Offers
We will never disclose your Personal Information to other businesses for their marketing purposes, but we may send you offers that promote the products of other businesses. We intend these offers to benefit you, your health, or your experience with our Services.
Is my Personal Information secure?
We employ industry-standard administrative, physical, and technical measures designed to safeguard and protect information under our control from unauthorized access, use, and disclosure. In addition, when we collect, maintain, use, disclose, and process your Personal Information, we will do so using systems and processes consistent with the information privacy and security requirements of applicable federal and state laws.
No one can protect from all vulnerabilities, and many vulnerabilities exist as a result of uncontrollable circumstances to Mindstep, including user misuse. To help avoid unauthorized access to your account and Personal Information, we suggest that you safeguard your device appropriately, limit access to your devices and browsers, and sign off after you have finished accessing your account.
In addition, to the extent that you use one of the Apps and your device permits that App to send you push notifications, we may send you push notifications that include Personal Information and, in limited instances, Personal Health Information that is not encrypted. Depending on your device settings, push notifications may be visible to other people who encounter your device. Please see the section entitled “Your Choices” for more information about how to control push notifications.
Regardless of the measures we take, we cannot ensure the complete security or confidentiality of any Systems or Connections that you use to transmit information to us. For example, we cannot ensure that your email or your mobile phone or any other personal device is secure. In addition, communication lines used to transmit emails and text messages do not have the same security features that are built into our Services.
If you have reason to believe that your data or your interactions with us are no longer secure or if you have questions related to privacy or data security, you may contact us in any of the manners described at the end of this Privacy Policy.
Your Choices
The following explains your choices with respect to controls related to your personal information and aspects of our Services.
Account Information
If you have an account with us to receive one of the Mindstep Services, you can access certain information about you described below through the App or otherwise through the Mindstep Services in order to view, and in certain situations, update that information.
In order to help us maintain your information and ensure that it is accurate and up to date, please update your information if it changes or inform us promptly. You may access, update, or remove certain information that you have provided to us through your account by visiting your account settings or sending an email to the email address set out in the “How Can You Contact Us With Questions, Concerns, or Complaints?” section below.
Tracking Technologies
Cookies and Pixels. Most browsers accept cookies by default. You can instruct your browser, by changing its settings, to decline or delete cookies. If you use multiple browsers on your device, you will need to instruct each browser separately. Your ability to limit cookies is subject to your browser settings and limitations.
Do Not Track. Your browser settings may allow you to automatically transmit a “Do Not Track” signal to online services you visit. Note, however, there is no industry consensus as to what site and app operators should do with regard to these signals. Accordingly, unless and until the law is interpreted to require us to do so, we do not monitor or take action with respect to “Do Not Track” signals. For more information on “Do Not Track,” visit http://www.allaboutdnt.com.
App and Location Technologies. You can stop all collection of information via an app by uninstalling the app. You can also reset your device Ad Id at any time through your device settings, which is designed to allow you to limit the use of information collected about you. You can stop all collection of precise location data through an app by uninstalling the app or withdrawing your consent through your device settings.
Please be aware that if you disable or remove tracking technologies some parts of the Services may not function correctly.
Communications
E-mails. If you do not wish to receive promotional emails that we send, you may follow the instructions to unsubscribe contained within the emails or you may contact us in any of the manners described at the end of this Privacy Policy. We will process your request within the time required by law, if not faster, but you may receive additional offers as we process your request. Please note that you cannot opt-out of non-promotional emails, such as those about your account, transactions, servicing, or Mindstep’s ongoing business relations.
Push Notifications. If you have opted-in to receive push notification on your device, you can opt out of receiving push notifications by adjusting the settings on your device. To the extent that you do not opt out of receiving push notifications, you will continue to receive such push notifications and should be cautious about the security and confidentiality of any information displayed in push notifications on your devices.
Text Messages and Calls. You can opt-out of receiving text messages or calls to your phone number at any time by (i) for text messages, texting “STOP” in response to any text message you receive from us or contacting us as set out in the “How Can You Contact Us With Questions, Concerns, or Complaints?” section below and specifying you want to opt-out of text messages; and (ii) for calls, requesting opt-out during any call you receive from us or contacting us as set out in the “How Can You Contact Us With Questions, Concerns, or Complaints?” section below and specifying you want to opt-out of calls.
Please note that your opt out is limited to the email address, device, and phone number used and will not affect subsequent subscriptions.
Choosing Not to Disclose
You may choose not to disclose information to us, even though that information may be required to take advantage of certain features of the Services.
To request information from us or to obtain additional information and instructions for exercising your rights to obtain information, please contact us in any of the manners described at the end of this Privacy Policy.
Deleting Your Personal Information
We are required to maintain certain Personal Information, including any Personal Health Information, that we receive from you as a business record as required by applicable law. As a result, we cannot necessarily eliminate your User Submissions or other Personal Information from our records. However, even if you stop using our Services for any reason, we will protect your User Submissions and other Personal Information in accordance with our Terms of Use and this Privacy Policy, as if you were still using the Services.
Other Legal Rights in Certain Jurisdictions
If you are a data subject in the United Kingdom or Europe, you have the right to access, rectify, or erase any personal data we have collected about you. You also have the right to data portability and the right to restrict or object to our processing of personal data we have collected about you. In addition, you have the right to ask us not to process your personal data (or provide it to third parties to process) for marketing purposes or purposes materially different than for which it was originally collected or subsequently authorized by you.
You may exercise your rights by submitting a written request to us at the address set out in the “How Can You Contact Us With Questions, Concerns or Complaints?” section below. We will respond to your request within 30 days. We may request specific information from you to help us confirm your identity and process your request. Applicable law may require or permit us to decline your request. If we decline your request, we will tell you why, subject to legal restrictions.
Please note that we retain information as necessary to fulfil the purposes for which it was collected, and may continue to retain and use information even after a data subject request for purposes of our legitimate interests, including as necessary to comply with our legal obligations, resolve disputes, prevent fraud, and enforce our agreements.
Other Legal Rights in Certain Jurisdictions
Mindstep has operations in the United States and may process information in the United States. If you are accessing the Service from outside of the U.S., please be aware that information collected through the Service may be transferred to, processed, stored, and used in the U.S. and other jurisdictions.
Mindstep complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”) and the UK Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce. Mindstep has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. With respect to information transferred into the U.S., if there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. Mindstep’s commitments under the Data Privacy Framework are subject to the investigatory and enforcement powers of the United States Federal Trade Commission. To learn more about the Data Privacy Framework program, and to view our certification, please visit https://www.dataprivacyframework.gov/s/. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
If you are a resident in the United Kingdom (“UK”), Switzerland (“Swiss”) or European Economic Area (“EU”), we commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, should first contact Mindstep at: compliance@letsmindstep.com.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Mindstep commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, should contact as provided in the Section entitled, “How Can You Contact Us With Questions, Concerns or Complaints?” below. In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Mindstep commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.
If Mindstep does not resolve your complaint, you may have the possibility to engage in binding arbitration through the Data Privacy Framework Panel. For more information on this option, please see Annex I of the EU-U.S. Data Privacy Framework Principles.
As set out above in the Section entitled, “Who Do We Share Personal Information With?” above, Mindstep uses a limited number of third-party service providers to assist us in providing our services to our users and business customers. These third parties may access, process, or store personal data in the course of providing their services. Mindstep maintains contracts with these third parties restricting their access, use and disclosure of personal data in compliance with our Data Privacy Framework obligations, including the onward transfer provisions, and Mindstep remains liable if they fail to meet those obligations and Mindstep is responsible for the event giving rise to the damage.
How Do We Protect Children's Personal Information?
The Services are not directed to children, and we do not knowingly collect Personal Information from children. We do not knowingly allow or solicit anyone under the age of 18 to participate independently in any of the Services. If a parent or guardian becomes aware that a child has provided us with Personal Information, please contact us. If we become aware that a user of the Services under the age of 18 has provided us with Personal Information without verifiable parental consent, we will delete such Personal Information from our files.
Links to Third Party Websites
The Services may contain links to Third-Party Offerings (as further described in the Terms of Use). When you access any Third-Party Offerings, you do so at your own risk. We suggest that you read any applicable terms of use and/or privacy policies that apply to those Third-Party Offerings prior to using any Third-Party Offerings.
How Can We Change This Privacy Policy?
We may prospectively change or replace any terms of this Privacy Policy at any time and for any reason at our discretion. We will post the most recent version of this Privacy Policy on our Sites and in the Apps, and any changes to this Privacy Policy will become effective when posted. Use and disclosure of information that we collect is subject to the Privacy Policy in effect at the time the information is disclosed to us. You are responsible for checking this Privacy Policy periodically for changes. If we change or replace any terms of this Privacy Policy in a manner that meaningfully reduces your rights, we will notify you and designate a reasonable time period before the new terms will take effect.
How Can You Contact Us With Questions, Concerns, Or Complaints?
If you have any questions or concerns regarding this Privacy Policy or Mindstep’s privacy practices or if you would like to request to access or correct your Personal Information, please contact our support line at info@letsmindstep.com or our Privacy Officer, either by email at compliance@letsmindstep.com or at the following address:
Mindset Technologies Ltd
C/o CC Young & Co, Third Floor
The Bloomsbury Building, 10 Bloomsbury Way,
Holborn, London, England, WC1A 2SL
United Kingdom
We will make every effort to respond to your questions, concerns, and requests within a reasonable time.