Privacy Policy.
Last updated February 2026
01 // DATA CONTROLLER
Data Controller
Mindsetor B.V.
Brightlands Smart Services Campus, Smedestraat 2, 6411 CR Heerlen, Netherlands
KVK: 42042393
RSIN: 869442958
Email: support@mindsetor.com
02 // SERVICE SCOPE
What We Do
MINDSETOR is a B2B corporate well-being platform for proactive burnout prevention. We provide:
Tracking Dashboard — Activity (steps, calories) and sleep monitoring
Care Hub — Video sessions with psychologists and lifestyle coaches
Gamification — Leaderboards, season badges, and Mindsetor Points
Burnout Insights - Wellbeing pattern recognition with optional self-referred specialist sessions. Informational, not diagnostic.
03 // DATA COLLECTION
Data We Collect
Account Data: Name, email, employer (job title not collected)
Activity Data: Steps, calories, heart rate, Resting Heart Rate (via Apple HealthKit / Google Health Connect)
Stress Data: Heart Rate Variability (SDNN) for nervous system recovery analysis (via Apple HealthKit / Google Health Connect)
Sleep Data: Duration, consistency, and quality metrics (via Apple HealthKit / Google Health Connect)
Mood Data: Self-reported mood ratings (valence protection)
Well-being Insights: Burnout risk scores (Risk Velocity), weekly trends, and sleep risk analysis
Session Data: Booking details, session notes (Care Hub)
Usage Data: Features used, points earned (Device type/OS not collected)
04 // LEGAL BASIS
Why We Process Your Data
Platform services: Contract (Art. 6(1)(b))
Health data processing: Explicit consent (Art. 9(2)(a))
Care Hub sessions: Contract + Consent
Burnout risk scores: Consent + Legitimate interest
Session records: Legal obligation (Wkkgz/WGBO)
05 // EMPLOYER FIREWALL
The Employer Firewall
Your employer cannot see your individual data.
Employers only receive participation rates and anonymized, aggregated trends. A strict minimum of 10 active users is required to generate any team analytics. If fewer than 10 users are active, no data is shown to preserve anonymity. Individual scores, mood data, session notes, and health metrics are never shared.
06 // AUTOMATED DECISIONS
Automated Decision-Making
Our V3 Risk Engine analyzes the convergence of your mood valence, sleep consistency, activity capability, and heart rate variability (HRV) to calculate a burnout risk score ("Risk Velocity"). You have the right to:
Request human review of any automated assessment
Book a Care Hub session to discuss your results
Object to automated processing
07 // DATA RETENTION
Data Retention
Account data: Until account deletion or end of Service Agreement, plus 2 years for legal-claim defense
Activity & sleep data: 3 years after last activity
Specialist session notes: 20 years (Dutch WGBO Art. 7:454 BW, as amended effective 1 January 2020)
Gamification data: Duration of account
Upon account deletion, personal identifiers (name, email) are permanently erased. Anonymized, non-identifiable health metrics (steps, sleep duration, mood patterns) may be retained for research and product improvement purposes. This anonymized data cannot be linked back to you.
08 // THIRD-PARTY PROCESSORS
Third-Party Processors
Google Firebase: Database (Firestore), authentication, hosting - EU (europe-west1, Belgium). Google Firebase is SOC 2 Type II and ISO 27001 certified.
Google Cloud: Cloud Functions, infrastructure - EU (europe-west1, Belgium). Google Cloud is SOC 2 Type II and ISO 27001 certified.
Firebase Cloud Messaging: Push notification delivery — EU/USA. No health data in notification payloads.
Agora (Agora Lab, Inc.): Video calls for Care Hub sessions — USA, with Standard Contractual Clauses (SCCs). Only video/audio streams; no health data transmitted.
HealthKit and Health Connect data stays on your device. We request permission to read it, but it is not stored by Apple or Google on our behalf.
The full sub-processor register is maintained in our Data Processing Agreement.
09 // SECURITY
Security
All data encrypted in transit and at rest (Google Cloud infrastructure)
Firestore security rules enforce user-level data isolation
Firebase Auth with secure session management
Hosted on Google Cloud, which is SOC 2 Type II and ISO 27001 certified. Mindsetor itself is not certified to either standard.
10 // YOUR RIGHTS (GDPR)
Your Rights
Access: Request a copy of your data by emailing support@mindsetor.com; account-level data is also viewable in-app
Rectification: Correct inaccurate information via your profile settings or by contacting us
Erasure: Delete your account and all associated data via Settings → Privacy → Delete Account
Restriction: Limit how we use your data
Portability: Request your data in machine-readable JSON format by emailing support@mindsetor.com; data is delivered within 30 calendar days
Object: Object to processing based on legitimate interest
Withdraw Consent: Revoke consent at any time by deleting your account
Complaint: Lodge a complaint with the Dutch DPA (Autoriteit Persoonsgegevens)
Contact support@mindsetor.com — we respond within 30 days.
11 // COOKIES
Cookies
Strictly Necessary: Authentication, session security
Functional: Language preferences
Analytics: Anonymized usage statistics
We do not use marketing or third-party tracking cookies.
12 // AGE REQUIREMENT
Age Requirement
MINDSETOR is intended for employees of corporate clients. Users must be at least 16 years old.
13 // POLICY CHANGES
Changes to This Policy
We notify users of material changes via email or in-app notification at least 14 days before they take effect.
14 // MEDICAL DEVICE STATUS
Medical Device Status
Mindsetor is not a medical device under EU MDR (Regulation 2017/745). Per MDR Recital 19, software intended for lifestyle and wellbeing purposes is excluded from the medical-device definition. Mindsetor's risk indicators are informational, not diagnostic. Mindsetor does not predict, prevent, monitor, treat, or alleviate disease.
15 // OCCUPATIONAL HEALTH BOUNDARY
Bedrijfsarts and Arbowet
Mindsetor does not replace, modify, or interface with the relationship between an employee and the bedrijfsarts under the Dutch Arbowet. The bedrijfsarts remains the employer's occupational-health responsibility. Mindsetor is voluntary, individual-facing wellbeing support. Data does not flow to the bedrijfsarts unless the employee chooses to share it themselves.
16 // VOLUNTARY PARTICIPATION
Participation Is Voluntary
Participation in any Mindsetor pilot or deployment is voluntary. Employers may not condition employment, performance review, promotion, or remuneration on participation, non-participation, or any in-app engagement pattern. You may withdraw consent under Article 7(3) GDPR at any time, without explanation, and without consequence to your employment.
17 // CONTACT
Contact
Email: support@mindsetor.com
Address: Brightlands Smart Services Campus, Smedestraat 2, 6411 CR Heerlen, Netherlands