Mindler’s Privacy Policy

Each week Mindler conducts thousands of meetings with patients from across the world. This entrusts Mindler with a great deal of responsibility – in protecting your data, but also towards the field of psychology and the world at large. We need to be able to understand this wealth of data and ensure that we use it to provide all of our patients with an ever-improving standard of care.

By sharing your data with Mindler, you play a vital role in our mission to make mental health treatment more effective. We will utilize your data to better understand what kind of treatment works the best. You will be part of the development of the most effective mental health treatment in the world.

In the future, we aim to share our anonymized and aggregated insights with governmental bodies, academic partners and the general public, making sure that Mindler – together with you – can help improve mental healthcare for all.

Introduction to our policy

At Mindler, your privacy and safety are of utmost importance to us. We strive to make our policies clear and understandable. We want you to feel secure about how we process your personal data.

All treatment is strictly confidential and never under any circumstances are your communications with a psychologist shared with an unauthorized party.

We may update this Privacy Policy from time to time in response to changing legal, technical or business developments. All information collected by us through the website or the application will be governed by our most recent Privacy Policy, posted on the website and the application. If you have any queries, please contact us at privacy@mindler.se.

Mindler has appointed Bird & Bird DPO Services SRL as our Data Protection Officer (DPO). If you have any questions or complaints about our compliance with this Privacy Policy or how we process your personal data, please contact our DPO via email at: dpo@mindler.se.

Our DPO may also be contacted at the following address: Bird & Bird DPO Services SRL, Avenue Louise 235 b 1, 1050 Brussels, Belgium. 

The policy

This Privacy Policy outlines how Mindler collects and processes personal data when you access and use Mindler’s platform (the “Service”) via Android or iOS applications (the “Application”) or by visiting our website https://mindler.se/ (the “Website”).

This document also outlines your rights and how they can be asserted. The terms and conditions for use of the Service are set out in the current Terms of Use (the “Terms of Use”) and can be accessed here.

Mindler is a registered care provider under the Swedish Health and Social Care Inspectorate (IVO)’s supervision and works exclusively with established, licensed psychologists (“Psychologists”) whose care provider responsibility follows from applicable legislation such as the Health Care Act (2017:30), the Patient Act (2014:821), the Patient Safety Act (2010:659) and the Patient Data Act (2008:355). The health care that you as a patient receive via the Application is provided by a health center to which Mindler is a subcontractor. Your care is registered with the following health centers; Kungsholmen General Practitioner, Stockholm; Beckomberga Vårdcentral, Stockholm; District doctors Mölndal, Västra Götaland. In connection with contact with a Psychologist, the care visit is therefore registered in your medical record as a visit to Mindler or a relevant health center.

When using the Service, Mindler is the data controller for the processing of your personal data. Mindler is processing personal data according to the General Data Protection Regulation (EU) 2016/679 (GDPR) and other applicable data protection regulation.

Data controller details:
Mindler AB (Corporate Identity Number: 559150-0722)
Hovslagargatan 3
111 48 Stockholm
Sweden

What information do we collect about you and how do we process it?

Mindler needs to have a legal basis to process your data, we provide our legal bases below. We only collect and process data which is relevant and necessary to properly fulfil our purposes with such processing. In this section we describe our different purposes for processing your personal data. For each purpose we state the following information:

  •  What personal data is collected (and processed);
  •  The purpose(s) for processing the data;
  • The legal basis Mindler relies on to process this data.

1. Processing necessary for providing healthcare

1.1 Personal data

The following personal data is processed for the purpose of providing our Service.

Contact information

  • First name, last name and country collected upon registration
  • Social security number collected upon registration
  • Phone number and email address collected upon registration

Demographic information 

  • County code (länskod) collected through third party service
  • Information regarding if you are listed at a Mindler contracted clinic

Health data

  • Information regarding your physical and mental health. This could include, for example, information relating to an illness, your medical history or mental state. Health data will be collected by your Psychologist through meetings, self-assessment forms, completion of Internet-based cognitive behavioural therapy (iCBT) programs in the Application and notes from Psychologists in your medical records (Mindler is using electronic health record (EHR)). ​​The images, videos and sounds shared during the use of the Service are neither recorded nor stored.

1.2 Purpose of processing

Your contact information is processed for the following purposes:

  • To be able to identify you and verify that you are of the required age to receive care
  • To send help in case of an emergency

Your demographic information is processed for the following purposes:

  • To register your healthcare in the correct region and clinic
  • To provide you with the correct patient fee

Your health data is processed for the following purposes:

  • To provide mental healthcare treatment
  • To evaluate the effectiveness of ongoing treatment

The legal basis for this processing is our legal obligation (GDPR Art. 6.1.c) under mandatory health care legislation, we are processing health data supported by GDPR Art. 9.2 h and the Patient Data Act (2008: 355).

2. Processing necessary for providing the Service

2.1 Personal data

The following personal data is processed for the purpose of providing the Service.

Contact information

  • First name and last name upon registration
  • Email address collected upon registration
  • Phone number collected upon registration
  • Social security number collected upon registration
  • Home address collected upon registration
  • Country of residence collected upon registration
  • Spoken language collected upon registration

Demographic information

  • Age from social security number collected upon registration

Payment information

  • Payment details (e.g credit card number) collected through our payment service
  • Free card (frikort) number collected through the eFrikort service, providing your region is connected to the eFrikort service
  • Any promotional codes redeemed in the Application

Technical data

  • Time of booking and meeting status (canceled, unpaid, completed) collected through the Application or via customer service agents
  • Which device, IP address, language, operating system and screen resolution you are using 
  • The date and time of your sessions
  • Which Psychologists you have identified as favourites in the Application
  • Your iCBT program progression in the Application

Health data

  • Your completion of iCBT programs in the Application

2.2 Purpose of processing

Your contact information is processed for the following purposes:

  • To be able to identify you in the Application 
  • To accurately provide you with an invoice for our Services to your home address

Your demographic information is processed for the following purposes:

  • To ensure that you are old enough to use our Service

Your payment information is processed for the following purposes:

  • To make it possible for you to pay for your treatments 
  • To issue a refund in case of cancellation

Your technical data is processed for the following purposes:

  • To plan and conduct meetings with you
  • To optimize your experience depending on the device you are using
  • To keep track of your preferred Psychologist(s)
  • To track your iCBT program progression

Your health data is processed for the following purposes:

  • To track your completion of iCBT programs

The legal basis for this processing is performance of a contract (GDPR Art. 6.1.b) to fulfil our obligations of providing you with the agreed Service.

3. Processing necessary for communication 

3.1 Personal data 

The following personal data is processed for the purpose of communicating with you in connection with the provision of the agreed services.

Contact information

  • First name and last name collected upon registration
  • Email address collected upon registration
  • Phone number collected upon registration

Technical data

  • Device identification

3.2 Purpose of processing

Your contact information is processed for the following purposes:

  • To contact your telephone number in the event your Psychologist is unable to reach you through the Application for a booked meeting.
  • To contact you with important information such as changes to our Privacy Policy or user agreement, for example.

Your technical data is processed for the following purpose:

  • To send notifications to the last phone you used to log in to the Service

The legal basis for this processing is performance of contract (GDPR Art. 6.1.b).

4. Processing necessary for marketing services and products to you

4.1 Personal data 

The following personal data is processed for the purpose of marketing services and products to you.

Contact information

  • First name and last name collected upon registration or completion of forms on our Website
  • Company name collected upon completion of forms on our Website
  • Email address collected upon registration or completion of forms on our Website
  • User information collected through social media when you interact with Mindler’s content
  • Information regarding how you have been using our Website and what other websites you have visited

Health data

  • Information regarding your physical and mental health collected upon completion of forms on our Website

4.2 Purpose of processing

Your contact information is processed for the following purposes:

  • To inform you of our products or services via notification or email
  • To send you promotional marketing emails and marketing newsletters (you can unsubscribe from any mailing lists at any point)

Your cookie data is processed for the following purposes:

  • To show you targeted advertising
  • To measure the reach of our marketing campaigns

Your health data is processed for the following purposes:

  • To send you promotional marketing emails

You can read more about how we place cookies and how you can withdraw your cookie consent in our Cookie Policy.

The legal basis for processing your contact information for this purpose is our legitimate interest to provide you with customised product and service and to inform you about and market our offered Service (GDPR Art. 6.1.f) or your given consent (GDPR Art. 6.1.a) to inform you about and market our offered Service. Please contact us by using the contact details below should you like more information on how we have conducted our legitimate interest assessment. We only process your health information for targeted marketing if you have given your explicit consent (GDPR Art. 9.2.a). The legal basis for processing your cookie data for this purpose is your given consent (GDPR Art. 6.1.a).

You have the right to withdraw your consent (to “opt out”) of any marketing communications at any time. You can opt-out (e.g. email) by using the unsubscribe link available in every newsletter or in every commercial message you receive from us or in case of electronic direct marketing by following the instructions in the communication.

5. Processing necessary for evaluating and improving our Service

5.1 Personal data 

The following personal data is processed for the purpose of evaluating and improving the Services that we provide.

Please notice that this processing activity differs from the quality assurance Mindler is obligated to perform in certain jurisdictions. For Mindler’s processing for the purpose of quality assurance, please see section 9.

Demographic information

  • Age and sex collected from social security number upon registration
  • City, postal code and county code collected through third party

Technical data

  • Data collected through the Application or by customer service agents regarding time of booking and meeting status (canceled, unpaid, completed)
  • Data collected through the Application regarding which device you are using
  • Data collected through the Application regarding how and when you use different parts of the Application
  • Data collected through the Application regarding how you rate your meeting, the video meeting quality and any further feedback provided
  • The Psychologist(s) you have identified as favourites in the Application
  • The Psychologist(s) you have been meeting through the Application
  • Feedback such as answered polls or comments you have posted on social media in posts published by Mindler in Mindler’s official social media accounts

Health data

  • Self-assessment questionnaires you have submitted through the Application 
  • iCBT programs you have completed in the Application

Customer service inquiry data

  • Text data collected through upon filing an inquiry through our Website or application

In the case that a customer service inquiry holds medical information together with identifiable information, Mindler takes technical measures to ensure that the support ticket is rendered completely unidentifiable and therefore not linked to an individual.

5.2 Purpose of processing

Your demographic information, technical data, health data and customer inquiry data is processed for the following purposes:

  • To improve time-slot and Psychologist availability
  • To improve user flows by making it easier to navigate and find certain features in the Application
  • To detect bugs depending on device type
  • To improve our video service
  • To improve the general user experience in the Service
  • To analyse how your wellbeing may change during your treatment
  • To investigate how wellbeing differs between different demographics
  • To investigate how treatment outcomes differ for different demographics
  • To better understand how to treat you in an effective way

Any personal data processed for the purpose of evaluating and improving our Service is always handled and stored unidentifiable through pseudonymization. We will use the personal data to create statistics on a sufficiently aggregated level so that individual patients cannot be identified from the results. Aggregated statistics will be used for internal and external communication and for research.

The legal basis for this processing is our legitimate interest (GDPR Art. 6.1.f). We process your health data supported by your explicit consent (GDPR Art. 9.2 a).

6. Processing necessary for providing customer service

6.1 Personal data

The following personal data is processed for the purpose of providing customer service.

Contact information

  • First name and last name collected upon registration or filing an inquiry through our Website
  • Email address collected upon registration or filing an inquiry through our Website
  • Phone number collected upon registration

Payment information

  • Credit card information collected through our payment service
  • Free card (frikort) number collected through our Application
  • Any promotional codes redeemed in the Application

Technical data

  • Time of booking and meeting status (canceled, unpaid, completed) which is collected through the Application or customer service agents
  • Which device you are using, IP address, language, operating system and screen resolution as well as the date and time of your sessions, which is collected through the Application
  • What Psychologists you have identified as favourites in the Application
  • Your iCBT program progression in the Application

6.2 Purpose of processing

Your contact information is processed for the purpose of providing customer support by:

  • Identifying and contacting you for the sake of customer service updates (e.g. changes to booked meetings, cancellations)
  • To be able to offer customer service necessary to providing you healthcare

Your payment information and technical data is processed for the following purposes:

  • To be able to investigate, respond to and resolve complaints and problems with the Service (e.g. bugs)

The legal basis for this processing is performance of contract (GDPR Art. 6.1.b) to fulfil our obligations of giving you the agreed Service.

To the extent that the customer services are related to care or processing of health data, the processing takes place with the support of our right to process personal data in connection with the administration of care activities (GDPR Art. 9.2 h) and Patient Data Act (2008: 355).

7. Processing necessary for providing our business to business service

7.1 Personal data 

The following personal data is processed for the purpose of providing our business to business service.

Payment information

  • Any promotional codes redeemed in the Application (if applicable)

Technical data

  • Data collected through the Application or by customer service agents regarding time of booking and meeting status (canceled, unpaid, completed) 

Health data

  • Self assessment questionnaires you have submitted through the Application 
  • iCBT programs you have completed in the Application

7.2 Purpose of processing

Your technical and health data is processed for following purposes:

  • To provide our business to business customers with aggregated insights regarding their employees’ well-being, meeting statistics of employees, most common diagnoses and more. None of your personal data will be communicated or transferred to your employer. We only share aggregated statistics in which no special categories of personal or identifiable data are included. We will not provide our business to business customers with statistics and insights if they do not have a large enough user pool to protect individual anonymity (at least 10 users).

The legal basis for processing payment information, technical data and completed iCBT programs for the purpose of providing our business to business service is performance of contract (GDPR Art. 6.1.b) where you as an employee of a business to business customer have agreed on sharing your personal data on an aggregated level to your employer. We process your submitted self-assessment questionnaires with the support of our right to process such data based on your explicit consent  (GDPR Art. 9.2.a).

8. Processing necessary for optimizing and analyzing ad campaigns

8 .1 Personal data

Technical data

  • Data such as installation, registration, paid meetings, and completed meetings collected through our ad campaigns tracking providers. 
  • Mobile identifier like IDFA or Google Play Services ID, and your pseudonymized (hashed) IP – and possibly MAC address collected through our ad campaigns tracking provider.

8.2 Purpose of processing

Your technical data is processed for the following purposes:

  • To help us understand how our users are interacting with our Applications and to optimize and analyze our mobile ad campaigns

The legal basis for processing technical data for the purpose of optimizing and analyzing ad campaigns is our legitimate interest (GDPR Art. 6.1.f) to run cost-efficient ad campaigns. iOS users can opt out of sharing this data with us through the settings menu and navigate to integrity and tracking in the iOS device to toggle off the tracking. Android users can opt out of sharing their Google advertising ID by toggling the “Opt out of Ads Personalization” setting on their device. Please contact us by using the contact details below should you like more information on how we have conducted our legitimate interest assessment.

9. Processing necessary for quality assurance 

9.1 Personal data

The following personal data is processed for the purpose of doing quality assurance of the healthcare provided by Mindler.

Health data

  • Information regarding your physical and mental health. This could include, for example, information relating to an illness, your medical history or mental state. Health data will be collected by your Psychologist through meetings, self-assessment forms, completion of Internet-based cognitive behavioural therapy (iCBT) programs in the Application and notes from Psychologists in your medical records (Mindler is using electronic health record (EHR)). ​​The images, videos and sounds shared during the use of the Service are neither recorded nor stored. 

9.2 Purpose of processing

Your  personal data is processed for the following purpose:

  • To follow up on the quality of the healthcare provided by Mindler and take measures to improve the quality of our healthcare and prevent medical injuries
  • To draft patient safety reports annually.

The legal basis for this processing is our legal obligation (GDPR Art. 6.1.c), we are processing your health data supported by GDPR Art. 9.2 h and the Patient Data Act (2008: 355).

The time for which your data is stored

Your personal data and contact details are saved in the Service for as long as you still have your account. If your account is inactive i.e. you have not logged in for two (2) years, consecutively, your account will automatically be erased from the Service along with some of your personal data (see below). Some personal data may however need to be retained to meet legal obligations. How long your personal data is stored for depends on the type of data. Below we have listed how long different forms of personal data are stored.

Demographic data

Your demographic data is stored for as long as you have an account. It will be deleted or anonymized upon deletion of your account – either by you requesting deletion of the account or if the account has been inactive for two (2) years.

Payment information

Your payment information is saved for as long as you have an account or at least seven (7) years from completed purchases to meet legal obligations such as keeping business records.

Technical data

Your technical data is stored for as long as you have an account. It will be deleted or anonymized upon deletion of your account – either by you requesting deletion of the account or if the account has been inactive for two (2) years.

In order to detect and fix errors, we save error logs in our systems. Since these logs may contain personal data, they are deleted after a maximum of 60 days. We always strive to minimize the storing of unnecessary data, therefore this storing period is often much shorter than 60 days.

If you have consented to third-party cookies being stored on your computer or mobile devices, the cookies will be removed when you uninstall them or when the cookie expires.

Customer service requests 

If you have contacted our customer service team, the inquiry will be stored for 180 days before it is deleted.

Health data

All health data, that is collected for the purpose of providing you with healthcare and the Service and evaluating and improving our Service, will be stored for as long as you have an account. It will be deleted or anonymized upon deletion of your account – either by you requesting deletion of the account or if the account has been inactive for two (2) years. 

Health data that is stored in the medical journal will be saved for ten (10) years in order to comply with legal obligations. You can however contact IVO and request to have your health data erased (https://www.ivo.se/privatpersoner/missnojd-med-halso-sjukvard/ansokan-om-journalforstoring/).

Your rights

Your personal data belongs to you. Therefore, you have a right to obtain information on and determine how your personal data is processed by Mindler. 

These rights may be limited, for example if fulfilling your request would reveal personal data about another person, or if you ask us to erase information which we are required by law or have compelling legitimate interests to keep. If you have unresolved concerns, you have the right to complain to a data protection authority, please see more information below.

Where we collect personal data to administer our contract with you or to comply with our legal obligations, this is necessary, and we will not be able to manage the customer and patient relationship without this information. In all other cases, provision of the requested personal data is optional, but this may affect your ability to participate in certain programs and limit your possibilities to use our Websites and other services, where the information is necessary for those purposes.

There may be additional requirements or provisions that restrict or extend your rights. There can also be legal obligations that prevent us from issuing or moving parts of your data or from blocking or erasing your data. These obligations derive from legislation in the areas of health and medical assistance, confidentiality, archiving and accounting and tax. If your data must be saved due to legal obligations, the data will only be used to fulfil those obligations and for no other purpose.

A brief summary of your rights is set out below:

The right to object to processing

You can object to the processing of your personal data in some circumstances (in particular, where we don’t have to process the data to meet a contractual or legal requirement). 

You have a right to object to your personal data being processed for our legitimate interests. In that case, Mindler will either show that there are compelling legitimate reasons for the processing that outweigh your interests, or else stop processing your data. 

Where we have asked for your consent, you may withdraw consent at any time, e.g. by emailing us at the contact details below. If you ask to withdraw your consent to Mindler processing your data, this will not affect any processing which has already taken place at that time.

The right to access and move your data

At any time, you can request a copy of your personal data, as well as information on how it has been obtained and how it is being used or distributed. This also applies to information kept in your medical records. You also have a right to transfer your personal data to another personal data controller.

The right to receive extracts from logs

When someone accesses your electronic medical records, it is registered in a log. As a patient, you can receive an extract from the log to see who has looked at your medical records.

The right to erase data

You have a right to ask for your personal data to be erased if it is no longer necessary for the purpose for which it was collected or if there is no legal basis for processing the data. 

Health data that is stored in the medical journal will be saved for ten (10) years in order to comply with legal obligations. As previously mentioned, you can however contact IVO and request to have your health data erased https://www.ivo.se/privatpersoner/ansokan-om-journalforstoring/.

The right to correct information

You have a right to correct inaccurate or incomplete data. If you consider that a detail in your medical records is inaccurate or misleading, you have a right to ask for a note to that effect to be entered in the records. You have a right to request a restriction on the processing of your personal data until inaccurate data has been corrected or an objection from you has been investigated. 

The right to restriction

You may request us to restrict certain processing of your personal data. If you restrict certain processing of your personal data, this may lead to fewer possibilities to use our websites and other services.

Automated decision-making 

We may in some cases use automated decision-making, if it is authorized by legislation, if you have provided an explicit consent or if it is necessary for the performance of a contract. 

You can always express your opinion or contest a decision based solely on automated processing, including profiling, if such a decision would produce legal effects or otherwise similarly significantly affect you. You have the right to obtain human intervention to express your opinion or contest a decision.

When using automated decision-making we will provide you with further information about the logic involved, as well as the significance and the envisaged consequences to you.

How do I exercise my rights?

You may request to use these rights by sending a letter or email, including your name, address, phone number to the contact details set out below. When you exercise any of your rights, we may need to identify you in order to ensure that we are in contact with the correct person. Hence, we may request the provision of additional information necessary to confirm your identity. 

We will respond to your request without undue delay, but at the latest within one (1) month of the request. If the requests are numerous or complex, we may extend the deadline to two (2) months, but we will still respond to the request within the first month and explain why the extension is necessary.

Disclosure of your personal data

Your personal data may need to be transferred to or shared with others whenever necessary or justified. Your personal data is shared with:

Authorized employees at Mindler

Your personal data may be shared under secrecy with Mindler employees who are involved in your treatment. Your personal data may also be shared with analysts at Mindler working with aggregated statistics or evaluating and improving the Service. Analysts only have access to pseudonymized, unidentifiable aggregated data.

Suppliers and subcontractors

Your personal data may be transferred to or shared with certain companies that supply various types of services to Mindler. These services, for example, could be medical journal systems, payment providers, marketing tracking providers, email automation providers or infrastructure platforms necessary for our services to run. Subcontractors are covered by the same confidentiality agreement as those which apply to Mindler, and may only process personal data in accordance with our instructions or in accordance with laws and regulations.

Medical referrals

If you and your Psychologist decide that you need a medical referral, they will write and send a referral to the appropriate medical provider.

Authorities

Mindler may also be required to provide necessary information to local healthcare authorities, the police or other authorities if required by law or if you have granted your approval.

Scientific Research

We may process information about your use of Services for research purposes which aim at e.g. increasing scientific knowledge in the field of medicine, health and nursing science. We will do this using only aggregated, non-personally identifiable data (anonymized data). Anonymized data can be shared to third parties in research purposes. Regulations on data privacy don’t apply to the anonymized data because registered persons are not identifiable.

Where your personal data is processed

Your medical record data will not be transferred to, or processed in, any country outside the EU/EEA. Other personal data may be processed in a country outside the EU / EEA. When transferring personal data to a country outside the EU/EEA, we take appropriate legal, technical and organizational security measures to ensure that the personal data is processed according to the same level of protection as within the EU/EEA. If your personal data is transferred outside the EU/EEA, then this is done on the basis of appropriate and adequate safeguards for data transfers to comply with the requirements set out in GDPR Chapter V.

A copy of the relevant mechanism can be obtained for your review on request by using the contact details below.

Information Security

We will take all reasonable, appropriate technical, security and organizational means and measures appropriate considering the nature and purposes of processing and the nature of personal data processed, to protect Mindler and our customers from unauthorized access to or unauthorized alteration, disclosure or destruction of personal data we hold. Measures include, where appropriate, encryption, firewalls, secure facilities and access rights systems.

Should, despite the security measures, a security breach occur that is likely to result in a high risk to your rights and freedoms, we will inform you about the breach without undue delay.

Third-party websites and services 

Our Website or other parts of our Services may contain links to third-party websites and services. If you decide to visit third-party websites and services, this Privacy Policy will no longer apply and you should consult the privacy policy of that third-party instead. 

Changes to the privacy policy

This policy may occasionally need to be changed or updated, for example if functions are changed or added to the Service. Minor changes to our Privacy Policy will be communicated through our Website. Major changes regarding how your data is processed will be communicated through the Application, Website and email (if you have provided it to us). We will not make substantial changes to this Privacy Policy or reduce your rights under this Privacy Policy without providing you with a notice.

This policy was lastly updated at 2022-05-30. 

You can contact us at any time

Mindler AB is registered with the Swedish Companies Registration Office under organization number 559150-0722. Our head office is at Hovslagargatan 3 111 48 Stockholm.

Mindler AB is the personal data controller for the processing of your personal data as described above. Mindler AB complies with Swedish data protection legislation, including the Data Protection Regulation (GDPR).

You can contact us at any time if you have questions about your personal data by sending an email to privacy@mindler.se.

Complaints

In case you consider our processing activities of your personal data to be inconsistent with the applicable data protection laws, you may lodge a complaint with the local supervisory authority for data protection.

You have a right to contact and file a complaint with the Swedish Authority for Privacy Protection, if you believe we have processed your personal data incorrectly.

Swedish Authority for Privacy Protection (Swe. Integritetsskyddsmyndigheten)
Box 8114
104 20, Stockholm