Privacy Policy
Mindloom, based in Rhenen, is the data controller for personal data of app users (such as account details, contact information, and payment information). For personal data in the content of coaching sessions, such as audio recordings, transcriptions, and AI-generated insights, Mindloom acts as a processor on your behalf as a coach. In that context, you are the data controller.
This statement applies to the use of the mobile application “Prism” (hereinafter: the “App”).
1. Contact Details Mindloom
Email: [email protected]
Chamber of Commerce nr.: 97426628
2. Personal Data We Process
As data controller
We process personal data from you as a user of the App:
- First and last name
- Email address
- Username and password
- Payment information (via Google Play Store or Apple Store)
- Questions and answers via API calls with LLM providers
- IP address
- Device information
- Usage data
As processor
We process personal data in the content of coaching sessions on behalf of you as a coach:
- (Special) personal data in audio recordings of coaching sessions (e.g., health data)
- Transcriptions of audio recordings from coaching sessions
- AI-generated insights about coaching sessions, individual and compiled
3. Processor Relationship
When you use the App to make audio recordings, transcribe, or analyze them, we process personal data on your behalf as a coach. In these cases, you are the data controller under the General Data Protection Regulation (GDPR) and Mindloom acts as a processor. By agreeing to the terms of service, a processor agreement is concluded between you and us (see Appendix 2 of the Terms of Service).
Your responsibility as a coach
As a coach, you are responsible for:
- Having a valid legal basis for processing personal data in recorded coaching sessions
- Informing coachees about the processing
This responsibility also includes situations where special personal data is processed, such as data concerning:
- Health
- Religion or belief
- Other sensitive topics
Important: For processing such special personal data, explicit consent from each session participant is required under Article 9(2)(a) GDPR. The App may not be used for processing such data without prior consent.
Mindloom processes this data solely on behalf of you as a coach based on the agreed processor agreement.
4. Purposes and Legal Bases
Processing Purposes
We process personal data for the following purposes:
- Registration and authentication of users
- Recording, transcription, and analysis of coaching sessions
- Making transcriptions of coaching sessions searchable with API calls to LLM providers
- Sharing session information at the user’s request
- Processing payments
Service Improvement
We improve our services exclusively based on:
- Anonymized and aggregated data
- Data that is not traceable to individual persons
Privacy guarantee: This data is not used for AI model training purposes without separate and specific consent from you as a user. Personal data from recorded sessions is never used for improvement or model training based on legitimate interest.
Legal Bases
Legal bases:
- Performance of contract (Article 6(1)(b) GDPR)
- Legitimate interest (Article 6(1)(f) GDPR)
- User consent for sharing with third parties (Article 6(1)(a) GDPR)
For data we process on behalf of you as a coach, you are responsible for having a valid processing basis (such as coachee consent).
Note: For special personal data, explicit consent is required in accordance with Article 9(2)(a) GDPR.
5. Sharing Personal Data with Third Parties
We use external service providers (processors) who process personal data under our responsibility. These are described in Appendix 1 (Sub-processor List) of the Terms of Service.
Processor agreements have been concluded with these parties where required.
6. Transfer Outside the EU
When using OpenAI, personal data may be processed outside the European Economic Area (EEA). We ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses (SCCs) in accordance with Article 46 GDPR
- Physical hosting in a public cloud within the EU
7. Retention Periods
We retain personal data no longer than necessary.
Standard Periods
| Type of data | Retention period |
|---|---|
| Recording and transcription data | 12 months (unless you delete them earlier or terminate your account) |
Automatic deletion upon inactivity
| Inactivity period | Action |
|---|---|
| 18 months | You receive a reminder |
| 24 months (18+6) | Account and associated personal data are automatically deleted* |
*Unless legal retention obligations require otherwise.
8. Data Subject Rights
You as a user and (where relevant) third parties have the following rights:
Your Rights
| Right | Description |
|---|---|
| Right of access | You can request what data we process about you |
| Right to rectification | You can have incorrect data corrected |
| Right to erasure | You can request deletion of your data |
| Right to restriction | You can have processing restricted |
| Right to data portability | You can receive your data in a structured format |
| Right to object | You can object to certain processing |
| Right to complaint | You can file a complaint with the Data Protection Authority |
Submitting a Request
You can send a request to [email protected].
9. Data Security
We take appropriate technical and organizational measures to secure personal data, including:
Security Measures
- Encryption of data at rest and in transit
- Authentication via password
- Role-based access to sessions
In case of a security incident affecting personal data, affected individuals and supervisory authorities are informed in accordance with Articles 33 and 34 GDPR.
10. Changes
We reserve the right to modify this statement. The most recent version is always available in:
- The Prism app
- www.mindloom.eu