Mindlight.ai ("we," "our," or "us") is committed to protecting the
privacy and confidentiality of our users ("you" or "your"). This
Privacy Policy describes how we collect, use, disclose, and
safeguard your information when you use our AI-powered mental health
tools and agents through our website, mobile applications, and
related services (collectively, the "Services").
IMPORTANT: Our Services are designed to provide AI-based tools and
support for mental health and wellness. We are not healthcare
providers, and our Services are not intended to replace professional
medical care, diagnosis, or treatment.
This Privacy Policy applies to all users of our Services, including
therapists, practitioners, and individual clients. By accessing or
using our Services, you acknowledge that you have read, understood,
and agree to be bound by this Privacy Policy.
2. Information We Collect
2.1 Personal Information You Provide
We collect information you voluntarily provide to us, including:
Account Information: Name, email address,
username, password, and profile information
Demographic Information: Age, gender, location
(country/state), and language preferences
Mental Health Information: Mood logs, journal
entries, responses to assessments, therapy goals, and other
wellness-related data you choose to share
Communication Data: Messages exchanged with AI
agents, chat logs, voice recordings (if applicable), and feedback
Professional Information (for practitioners): License
information, credentials, practice details, and
professional affiliations
Payment Information: Billing address and payment
method details (processed by third-party payment providers)
2.2 Information Automatically Collected
When you use our Services, we automatically collect certain
information:
Usage Data: Features accessed, time spent on the
platform, interaction patterns with AI agents
Device Information: Device type, operating
system, browser type, IP address, and device identifiers
Log Data: Access times, pages viewed, links
clicked, and system activity
Location Data: General geographic location based
on IP address (not precise geolocation)
2.3 Information from Third Parties
We may receive information about you from:
Healthcare providers or therapists (with your explicit consent)
Third-party authentication services (e.g., Google, Apple) if you
choose to use them
Payment processors for transaction verification
3. How We Use Your Information
3.1 Primary Purposes
We use your information to:
Provide Services: Deliver AI-powered mental
health tools, personalized recommendations, and support
Improve AI Performance: Train and enhance our
AI models to provide better, more personalized responses
Account Management: Create and maintain your
account, authenticate access, and provide customer support
Communication: Send service-related
notifications, updates, and respond to your inquiries
Safety and Security: Monitor for harmful
content, prevent abuse, and protect user safety
3.2 Legal Bases for Processing (GDPR)
Under the General Data Protection Regulation (GDPR), we process
your personal data based on:
Consent: For processing sensitive mental health
data and marketing communications
Contract Performance: To provide the Services
you've requested
Legitimate Interests: For service improvement,
security, and analytics (balanced against your rights)
Legal Obligation: To comply with applicable
laws and regulations
3.3 Sensitive Data Processing
Mental health information is considered sensitive personal data.
We process this information only:
With your explicit consent
When necessary for the provision of Services you've requested
Subject to appropriate safeguards and security measures
4. Data Sharing and Disclosure
4.1 No Sale of Personal Data
We do not sell, rent, or trade your personal information. We will
never share your mental health data with advertisers, data
brokers, or other commercial third parties for their marketing
purposes.
4.2 Limited Sharing Scenarios
We may share your information only in the following limited
circumstances:
With Your Consent:
With healthcare providers or therapists you designate
When you explicitly authorize specific data sharing
Service Providers:
Trusted third-party vendors who help us operate our Services
(cloud hosting, payment processing, analytics)
These providers are bound by strict confidentiality
obligations and can only use your data as instructed
Legal Requirements:
To comply with legal obligations, court orders, or government
requests
To protect our rights, property, or safety, or that of our
users
In connection with legal proceedings or investigations
Business Transfers:
In the event of a merger, acquisition, or sale of assets (with
continued privacy protections)
4.3 De-identified Data
We may use de-identified, aggregated data for research, analytics,
and service improvement. This data cannot be used to identify you
personally.
6. Your Privacy Rights
6.1 Access and Control
You have the right to:
Access: Request a copy of your personal data
Correction: Update or correct inaccurate
information
Deletion: Request deletion of your personal
data (subject to legal limitations)
Portability: Receive your data in a portable
format
Restriction: Limit how we process your data
Objection: Object to processing based on
legitimate interests
6.2 Consent Management
You can:
Withdraw consent for data processing at any time
Modify your privacy preferences in your account settings
Opt out of marketing communications
6.3 California Privacy Rights (CCPA)
California residents have additional rights:
Right to know what personal information is collected
Right to delete personal information
Right to opt out of sale (though we don't sell data)
Right to non-discrimination for exercising privacy rights
6.4 Exercising Your Rights
To exercise your privacy rights, contact us at
privacy@mindlight.ai or through your account settings. We will
respond within 30 days (or as required by applicable law).
7. Data Retention
7.1 Retention Periods
We retain your personal information only as long as necessary for:
Providing Services (duration of your account)
Legal compliance (varies by jurisdiction, typically 3–7 years)
Legitimate business purposes (security, fraud prevention)
7.2 Deletion Process
When you delete your account:
Personal data is permanently deleted within 30 days
Some information may be retained in de-identified form for
research
Legal and safety-related data may be retained as required by law
8. International Transfers
8.1 Global Services
Our Services are provided globally, which may require transferring
your data to countries outside your residence, including the
United States.
8.2 Transfer Protections
For international transfers, we implement appropriate safeguards:
Adequacy Decisions: Transfers to countries with
adequate protection levels
Standard Contractual Clauses: EU-approved
contract terms for data protection
Additional Safeguards: Technical and
organizational measures for extra protection
9. Children's Privacy
9.1 Age Restrictions
Our Services are not intended for children under 13 years of age.
We do not knowingly collect personal information from children
under 13.
9.2 Teen Users (13–17)
For users aged 13–17:
Parental consent may be required by local law
Additional privacy protections apply
Limited data collection and sharing
10. Third-Party Services
10.1 Integrations
Our Services may integrate with third-party platforms
(authentication, payment processing). These integrations are
governed by the third party's privacy policies.
10.2 Links
Our Services may contain links to external websites. We are not
responsible for the privacy practices of external sites.
11. Updates to This Policy
11.1 Changes
We may update this Privacy Policy to reflect changes in our
practices, technology, or legal requirements. Material changes
will be communicated through:
Email notification to registered users
Prominent notice in our Services
Updated effective date
11.2 Continued Use
Your continued use of our Services after changes constitutes
acceptance of the updated Privacy Policy.
You have the right to file complaints with data protection
authorities:
EU: Contact your local data protection
authority
California: California Privacy Protection
Agency
Other jurisdictions: Contact your local privacy
regulator
13. Specific Provisions by Jurisdiction
13.1 European Union (GDPR)
Legal basis for processing clearly identified
Enhanced rights for data subjects
Data Protection Impact Assessments conducted
Privacy by Design principles implemented
13.2 United States
CCPA compliance for California residents
HIPAA-inspired protections (though we're not a covered entity)
State-specific privacy law compliance
13.3 Other Jurisdictions
We comply with applicable data protection laws in all
jurisdictions where we operate, including but not limited to
Canada (PIPEDA), Australia (Privacy Act), and Brazil (LGPD).