Data Protection Impact Assessment

1. Project Overview

Organization: Mindsetor B.V., Brightlands Smart Services Campus, Smedestraat 2, 6411 CR Heerlen, Netherlands. KVK: 42042393. RSIN: 869442958.

Platform: MINDSETOR — AI-driven employee well-being platform for proactive burnout prevention.

Assessment Date: February 2026

Review Schedule: Annually, or upon significant changes to processing activities.

2. Description of Processing

2.1 Nature of Processing

MINDSETOR collects, stores, analyzes, and visualizes employee health and behavioral data to detect early signs of burnout and facilitate timely professional intervention. MINDSETOR acts as the sole data controller (Art. 4(7) GDPR) for all personal data processed through the Platform. Employers purchase access to the service but do not determine the purposes or means of processing individual health data; they receive only aggregated reports as described in Section 3.

2.2 Purposes of Processing

Track individual well-being metrics (sleep, activity, mood, HRV) for personal insight
Detect elevated burnout risk through multi-signal convergence analysis
Facilitate 1:1 sessions with psychologists and coaches
Provide gamified engagement to sustain healthy routines
Generate aggregated, anonymized team reports for employers
Provide opt-in Team Wellbeing aggregate scores visible to team members (not employers)

2.3 Data Flow

The data follows this path:

Collection: User voluntarily inputs mood data and grants permission to read health metrics from Apple HealthKit or Google Health Connect on their device
Transfer: Data is transmitted via TLS 1.2+ to Google Cloud Firestore (EU region: europe-west1, Belgium)
Processing: Cloud Functions compute risk scores, trends, and gamification points. The V4 Risk Engine uses Normalized Z-Score Aggregation across 4 signals
Storage: Data stored in Firestore with user-level isolation via security rules. Encrypted at rest (AES-256)
Output: Individual insights displayed only to the user. Employer dashboards show only aggregated data satisfying a k=10 minimum-cell-size threshold with complementary sparse-cell suppression (CBS methodology) to prevent re-identification via differencing
Care Sessions: Video calls via Agora (Agora Lab, Inc., USA, with SCCs). Session notes stored in Firestore, accessible only to the specialist and user

2.4 Scope

Dimension	Detail
Data Subjects	Employees of subscribing organizations (+ family members)
Data Volume	Daily health metrics per user; mood check-ins 1-3x/week
Geographic Scope	Netherlands (pilot), expanding EU
Processing Duration	Continuous during service agreement

3. Necessity and Proportionality

3.1 Legal Basis

Processing Activity	Legal Basis	GDPR Article
Platform services (account, gamification)	Performance of contract	Art. 6(1)(b)
Health data processing (sleep, HRV, activity)	Explicit consent	Art. 9(2)(a)
Mood self-reports	Explicit consent	Art. 9(2)(a)
Burnout risk scoring	Explicit consent + Legitimate interest	Art. 9(2)(a), Art. 6(1)(f)
Care Hub sessions	Contract + Explicit consent	Art. 6(1)(b), Art. 9(2)(a)
Session clinical notes	Legal obligation (Dutch Wkkgz/WGBO)	Art. 6(1)(c), Art. 9(2)(h)
Aggregated employer reports (non-personal, k=10 + sparse-cell suppression)	Legitimate interest of MINDSETOR as controller (B2B service delivery)	Art. 6(1)(f)
Team Wellbeing aggregate (opt-in)	Explicit consent (separate toggle)	Art. 9(2)(a)

3.2 Data Minimization Measures

Only first name collected (no full name, address, or direct identifiers beyond email)
Year of birth collected instead of full date of birth
Health data read from on-device health stores — MINDSETOR does not collect raw sensor data
Employer dashboards aggregated with k=10 minimum-cell-size threshold plus complementary sparse-cell suppression (CBS methodology) to block differencing attacks on adjacent breakdowns
Team Wellbeing requires 30% proportional opt-in (floor of 3); employer has zero access to this data
Team Wellbeing history auto-deleted after 90 days
Leaderboard anonymization (nicknames) available by default

3.3 Consent Mechanism

Explicit consent is collected during onboarding via a two-checkbox consent step:

Checkbox 1: "I agree to the Terms of Service" (with link to full text)
Checkbox 2: "I consent to the processing of my health data as described in the Privacy Policy" (with link to full text)

Both checkboxes must be actively checked before account creation proceeds. Consent can be withdrawn at any time by deleting the account.

4. Risk Assessment

Risk	Likelihood	Impact	Residual Risk	Mitigation
Unauthorized access to health data	Low	High	Low	Firestore security rules enforce user-level isolation. Firebase Auth with secure sessions. Google Cloud SOC 2 / ISO 27001.
Employer access to individual health data	Low	Very High	Low	"Employer Firewall": k=10 minimum-cell-size plus complementary sparse-cell suppression (CBS methodology) for any aggregated data. Individual data never exposed to employer dashboard. Enforced at database security rule level.
Re-identification from aggregated data	Low	High	Low	k=10 minimum-cell-size with complementary sparse-cell suppression (CBS methodology) prevents small-group identification and blocks differencing across adjacent breakdowns. Leaderboard nicknames enabled by default. No demographic breakdowns in employer reports.
Re-identification from Team Wellbeing aggregate	Low	High	Low	30% proportional threshold (floor of 3). Employer has zero visibility. Only team members see aggregate. Individual opt-in/out not visible to others. Server-side aggregation; no individual scores in team collection.
Automated profiling leads to adverse employment decisions	Low	Very High	Low	Risk scores never shared with employers. Human-in-the-loop: users can request specialist review. Scores are informational only, no automated decisions.
International data transfer (Agora, USA)	Medium	Medium	Medium	Standard Contractual Clauses (SCCs) in place. Only video session data transferred. No health metrics transmitted to Agora.
Data breach / exfiltration	Low	Very High	Low	AES-256 encryption at rest. TLS 1.2+ in transit. Google Cloud infrastructure with automated threat detection. 72-hour breach notification.
Excessive data retention	Low	Medium	Low	Defined retention periods per data type. Account deletion permanently erases identifiers. Anonymized data retained only for research.
Coerced participation by employer	Medium	High	Medium	Service Agreement requires employers to communicate voluntary nature. Platform requires individual consent. Users can delete account at any time.

5. Mitigation Measures Summary

5.1 Technical Measures

Encryption at rest (AES-256) and in transit (TLS 1.2+)
Firestore security rules with user-level data isolation
Role-based access control (employee, specialist, employer, admin)
Firebase Authentication with secure session management
Google Cloud infrastructure (SOC 2, ISO 27001, ISO 27017)
EU-based processing (europe-west1, Belgium)
Automated backups with point-in-time recovery
Employer analytics applied k=10 aggregation plus complementary sparse-cell suppression (CBS methodology) enforced server-side

5.2 Organizational Measures

Privacy Policy accessible in-app and on website
Explicit consent required during onboarding (two separate checkboxes) - Art. 9(2)(a) GDPR
B2B Service Agreement with each subscribing organization, including a Data Handling Schedule that documents the employer firewall and confirms MINDSETOR's sole-controller role
Sub-processor contracts (MINDSETOR appointing processors on its own behalf) with equivalent data protection obligations
Specialist confidentiality (NIP professional code, Wkkgz)
72-hour breach notification procedure to Autoriteit Persoonsgegevens (Art. 33 GDPR)
Annual DPIA review schedule

5.3 Data Subject Rights Implementation

Access & Portability: Email request to support@mindsetor.com (machine-readable JSON, delivered within 30 calendar days)
Erasure: In-app "Delete Account" with permanent data removal
Rectification: Profile editing in-app
Objection: Contact via support@mindsetor.com
Automated decisions: Human review via Care Hub specialist booking

6. Conclusion

The overall residual risk of the MINDSETOR platform is assessed as LOW.

The combination of technical safeguards (encryption, isolation, EU hosting), organizational measures (consent, DPA, professional confidentiality), and the "Employer Firewall" design principle effectively mitigates the identified risks associated with processing health data.

The primary residual risk relates to international data transfer for video sessions (Agora, USA), which is mitigated through Standard Contractual Clauses. This risk will be reassessed if the EU-US Data Privacy Framework status changes.

No prior consultation with the supervisory authority (Autoriteit Persoonsgegevens) is deemed necessary at this time, as residual risks have been mitigated to an acceptable level.

7. Review Schedule

This DPIA will be reviewed:

Annually (next review: February 2027)
Upon introduction of new data processing activities
Upon significant changes to the Platform architecture or sub-processors
Upon changes to the regulatory environment (e.g., EHDS, AI Act)

8. Sign-off

Assessed by: David Chakrian, Founder & Sole Data Controller
Date: February 7, 2026
Contact: support@mindsetor.com