LEGAL // PRIVACY PROTOCOL

Privacy Policy.

Last updated February 2026

01 // DATA CONTROLLER

Data Controller

MINDSETOR (David Chakrian)
Edmond Jasparstraat 48A, 6217HR, Maastricht, Netherlands
Email: support@mindsetor.com

02 // SERVICE SCOPE

What We Do

MINDSETOR is a B2B corporate well-being platform for proactive burnout prevention. We provide:

Tracking Dashboard — Activity (steps, calories) and sleep monitoring

Care Hub — Video sessions with psychologists, lifestyle coaches, and mindfulness experts

Gamification — Leaderboards, season badges, and Mindsetor Points

Burnout Insights — Algorithm-based risk detection with human specialist support

03 // DATA COLLECTION

Data We Collect

Account Data: Name, email, employer (job title not collected)

Activity Data: Steps, calories, heart rate, Resting Heart Rate (via Apple HealthKit / Google Health Connect)

Stress Data: Heart Rate Variability (SDNN) for nervous system recovery analysis (via Apple HealthKit / Google Health Connect)

Sleep Data: Duration, consistency, and quality metrics (via Apple HealthKit / Google Health Connect)

Mood Data: Self-reported mood ratings (valence protection)

Well-being Insights: Burnout risk scores (Risk Velocity), weekly trends, and sleep risk analysis

Session Data: Booking details, session notes (Care Hub)

Usage Data: Features used, points earned (Device type/OS not collected)

04 // LEGAL BASIS

Why We Process Your Data

Platform services: Contract (Art. 6(1)(b))

Health data processing: Explicit consent (Art. 9(2)(a))

Care Hub sessions: Contract + Consent

Burnout risk scores: Consent + Legitimate interest

Session records: Legal obligation (Wkkgz/WGBO)

05 // EMPLOYER FIREWALL

The Employer Firewall

Your employer cannot see your individual data.

Employers only receive participation rates and anonymized, aggregated trends. A strict minimum of 10 active users is required to generate any team analytics. If fewer than 10 users are active, no data is shown, in order to preserve anonymity. Individual scores, mood data, session notes, and health metrics are never shared.

06 // AUTOMATED DECISIONS

Automated Decision-Making

Our V3 Risk Engine analyzes the convergence of your mood valence, sleep consistency, activity capability, and heart rate variability (HRV) to calculate a burnout risk score ("Risk Velocity"). You have the right to:

Request human review of any automated assessment

Book a Care Hub session to discuss your results

Object to automated processing

07 // DATA RETENTION

Data Retention

Account data: Duration of employment + 2 years

Activity & sleep data: 3 years after last activity

Specialist session notes: 15 years (Dutch Wkkgz)

Gamification data: Duration of account

Upon account deletion, personal identifiers (name, email) are permanently erased. Anonymized, non-identifiable health metrics (steps, sleep duration, mood patterns) may be retained for research and product improvement purposes. This anonymized data cannot be linked back to you.

08 // THIRD-PARTY PROCESSORS

Third-Party Processors

Google Firebase: Database (Firestore), authentication, hosting — EU (europe-west1, Belgium). SOC 2, ISO 27001.

Google Cloud: Cloud Functions, infrastructure — EU (europe-west1, Belgium). SOC 2, ISO 27001.

Firebase Cloud Messaging: Push notification delivery — EU/USA. No health data in notification payloads.

Daily.co: Video calls for Care Hub sessions — USA, with Standard Contractual Clauses (SCCs). Only video/audio streams; no health data transmitted.

HealthKit and Health Connect data stays on your device. We request permission to read it, but it is not stored by Apple or Google on our behalf.

The full sub-processor register is maintained in our Data Processing Agreement.

09 // SECURITY

Security

All data encrypted in transit and at rest (Google Cloud infrastructure)

Firestore security rules enforce user-level data isolation

Firebase Auth with secure session management

Hosted on Google Cloud (SOC 2, ISO 27001 certified)

10 // YOUR RIGHTS (GDPR)

Your Rights

Access: Request a copy of your data via the in-app "Download My Data" feature or by emailing support@mindsetor.com

Rectification: Correct inaccurate information via your profile settings or by contacting us

Erasure: Delete your account and all associated data via Settings → Privacy → Delete Account

Restriction: Limit how we use your data

Portability: Export your data in machine-readable JSON format via the in-app "Download My Data" feature

Object: Object to processing based on legitimate interest

Withdraw Consent: Revoke consent at any time by deleting your account

Complaint: Lodge a complaint with the Dutch DPA (Autoriteit Persoonsgegevens)

Contact support@mindsetor.com — we respond within 30 days.

11 // COOKIES

Cookies

Strictly Necessary: Authentication, session security

Functional: Language preferences

Analytics: Anonymized usage statistics

We do not use marketing or third-party tracking cookies.

12 // AGE REQUIREMENT

Age Requirement

MINDSETOR is intended for employees of corporate clients. Users must be at least 16 years old.

13 // POLICY CHANGES

Changes to This Policy

We notify users of material changes via email or in-app notification at least 14 days before they take effect.

14 // CONTACT

Contact

Email: support@mindsetor.com
Address: Edmond Jasparstraat 48A, 6217HR, Maastricht, Netherlands