Privacy Policy

Last updated: 10 October 2024

Introduction and scope

This Data Protection Policy sets out Mindbay Technologies’ (“we”, “us” or “our”) obligations when we process personal data. It also sets out what our employees and contractors must do when they handle personal data.

This Policy applies to our European operations and to others at Mindbay Technologies Ltd who receive data from our European operations – for example, European employee data. It also applies to our operations outside Europe if we monitor individuals in Europe (for example, for online advertising) or if we intend to provide goods or services to individuals in the EU.

What is Personal Data and what is a Data Subject?

  • Personal data is any information about an identifiable living individual. You may see documents which talk about “data subjects”: this is what data protection law calls individuals. An individual is identifiable where:

    a. An organisation holds clear direct identifiers – such as name or full postal address; and/or

    b. It is reasonably likely that an organisation can identify the individual by other reasonable means. For example, an employee ID number where HR can link this to employee name, or customer reference number, where customer support can link this to a name or address.
  • Sensitive personal data is any information about health, religion, sex life or orientation, racial or ethnic origin, political opinions, trade union membership, genetic data or biometric data used to uniquely identify a person (such as fingerprints or facial recognition).
  • We may collect personal data in a variety of ways, such as from our website, our application, and third parties (such as recruiters), via:

    Surveys and Questionnaires: These are structured tools used to collect quantitative and qualitative data directly from individuals.

    Interviews: Conducting one-on-one or group interviews to gather in-depth qualitative data about personal experiences, opinions, and behaviours.

    Observations: Monitoring and recording behaviours and interactions in natural or controlled environments to gather qualitative data.

    Focus Groups: Facilitating discussions among a group of people to collect qualitative data on their perceptions, opinions, and attitudes.

    Online Tracking: Using cookies, web beacons, and other tracking technologies to collect data on users’ online activities, preferences, and behaviours.

    Transactional Data: Collecting data from transactions, such as purchases, to understand consumer behaviour and preferences.

    Social Media Monitoring: Analysing data from social media platforms to gather insights into user interests, behaviours, and trends.

    Customer Relationship Management (CRM) Systems: Using CRM software to collect and manage customer data, including contact information, purchase history, and interactions.

    Public Records and Databases: Accessing publicly available information, such as government records, to gather data on individuals.

    Third-Party Data Providers: Purchasing data from companies that specialise in collecting and aggregating personal data from various sources.

What is Processing?

Processing is any use that an organisation makes of personal data. This includes obtaining or creating personal data, amending it, storing it, sharing it, or even accessing, anonymising or deleting it.

What are our obligations?

We must comply with the General Data Protection Regulation (“GDPR”) and laws such as the Data Protection Act 2018 and Privacy and Electronic Communications (EC Directive) Regulations 2003 in the UK. Our obligations under these laws are set out in this Policy.

Furthermore, all our employees and, where applicable, contractors must comply with this Data Protection Policy and any additional policies which we introduce. Failure to comply with this Policy may result in disciplinary action. The Annexes to this Policy contain specific information relating to the lawful purposes for each processing activity, as well as the details we are required to provide to individuals when we collect their personal data.

Core data protection principles

To guard your privacy lawfully in line with your individual reasonable expectations, when processing personal data we follow these data protection principles:

Lawfulness, Fairness and Transparency

  1. We provide all the information an individual needs to understand how their personal data will be collected and used, throughout their engagement with our services, including when a new product or activity that will involve personal data is being developed.
  2. We provide notice when we collect personal data directly from an individual at the time of collection.
  3. When we collect data from another source, we provide notice within a reasonable period, but no later than a month, after the data was obtained by us. If we intend to communicate with an individual, or disclose data to a third party, then the information is provided no later than the date of that communication or disclosure. Annex 1 outlines the information contained in the Privacy Notice.
  4. We ensure that privacy notices are: concise, intelligible, use clear and plain language, which is suitable for the audience; easily accessible; and provided in writing (which can include electronic means), unless the individual asks for the information to be provided orally.
  5. If the purposes for processing personal data change, we provide a further privacy notice before the new processing takes place – please contact us if you think that a purpose for which personal data is processed is not already covered by the applicable privacy notice. We take your data seriously and want to ensure that we take all reasonable steps to ensure that our data protection policies take your individual needs into consideration.

Justification

We only process personal data where we can meet one of the grounds for processing in the legislation. These include:

  1. The individual has given consent to the processing;
  2. The processing is necessary to perform a contract with the individual, or to take steps at the request of the individual before entering into a contract;
  3. The processing is necessary for compliance with a legal obligation to which we are subject; or
  4. The processing is necessary for legitimate interests or those of a third party, unless the interests of the individual override those interests.

We only process sensitive personal data if we can satisfy one of the additional sensitive data grounds. See the Annexes of this Privacy Policy for further guidance on the relevant grounds for each of our processing activities.

Purpose limitation

We only process personal data for purposes which are legitimate and which we have told the individual about, as part of the Transparency principle and in the Record of Processing. We do not process personal data for any incompatible purpose.

Data minimisation and accuracy

  1. We make sure that personal data is adequate and relevant for the purposes for which it is processed and limited to what is necessary for the purpose of processing. We do not collect more personal data than what is needed just because it may turn out to be useful later.
  2. We also make sure that personal data is accurate and, where necessary, kept up to date; and we take all reasonable steps to correct or delete inaccurate personal data.

Storage limitation

  1. We have determined specific time periods for how long personal data needs to be processed for a particular purpose, and we only keep personal data for these periods. At the end of these periods, we erase the personal data, or ensure that the data no longer allows individuals to be identified.
  2. Specific details about the retention periods that we have adopted for our different purposes and processing activities are set out in our Data Retention Policy. Some examples are:

    a. User Profiles: Retained for the duration of the user’s active account and for 6 years after account deactivation to comply with the statute of limitations for contractual claims.

    b. Interaction Logs: Retained for 2 years to support user experience improvements and for audit purposes.

    c. Anonymized Data: May be retained indefinitely for research and development purposes, provided it cannot be re-identified.  

Integrity and confidentiality

  1. We keep all the personal data we process secure, and protected against ‘unauthorised or unlawful processing and accidental loss, destruction or damage’. We do this by implementing the security measures listed in our terms and conditions, and by implementing the measures which we impose on our data processors (see “Sharing personal data with third parties and international transfers”).
  2. We also operate a data breach response programme so that we can log, remediate and report any data breaches as required by law. The process which we have implemented is described in our Data Breach Policy.

Accountability

Individuals have the following rights in relation to their personal data:

  1. Access: to obtain (i) confirmation whether we process their personal data; (ii) a copy of the personal data (in a commonly-used electronic form, if the request is made electronically); and (iii) provision of supporting explanatory information.
  2. Portability: to request that their personal data is “ported” (i.e. transferred) to a specified third party, or to the individual him or herself, in a machine-readable and structured format (e.g. CSV files). There are exemptions – for example, this only applies to personal data which has been provided by the individual or collected automatically from the individual, which is held in digital format, and which we process with the individual’s consent or to fulfil a contract with that individual.
  3. Rectification: to request correction of inaccurate personal data.
  4. Objection: to object to: (i) processing for direct marketing purposes; (ii) profiling based on direct marketing; and/or (iii) processing based on our legitimate interests.
  5. Erasure (a.k.a. the “right to be forgotten”): to request that personal data is erased in certain situations, for example, where: (i) the processing is based on consent and the consent is later withdrawn; or (ii) the individual has validly exercised a right to object and wishes the data to be erased.
  6. Restriction: to request that personal data is “restricted” (i.e. block/pause) whilst complaints (for example, about accuracy) are resolved, or if the processing is unlawful but the individual objects to erasure.

Individuals also have the right not to be subject to decisions taken solely on the basis of automated processing of their personal data (i.e. with no human involvement in the decision) which produce legal effects, or have similarly significant effects, unless taking such decisions is permitted by law. There are limited exceptions to this. We do not use automated individual decision-making technology.

We use Natural Language Models that rely on:

  • Understanding User Input: The ability to accurately interpret and respond to user queries in natural language.
  • Context Awareness: Maintaining context over multiple interactions to provide coherent and relevant responses.

Human intervention is limited to monitoring and improving the process, under assigned responsibilities and access rights.

Sharing personal data with third parties and international transfers

  1. Other than for accounting and transaction purposes, only employees of Mindbay Technologies Ltd control and process personal data. This is done through the use of cloud computing platforms and natural language models (specifically Azure and Google Analytics) that can only be accessed by authorised Mindbay Technologies employees, who adhere to the following policies:

    a. Data Ownership and Control: You retain ownership of your data. We process your data only with your agreement and do not share it with advertiser-supported services or mine it for marketing purposes.

    b. Data Processing: We process data to provide our services and to troubleshoot, maintain, and improve our offerings. This includes Customer Data, Personal Data, and Professional Services Data.

    c. Data Security: We focus on securing your data both at rest and in transit using state-of-the-art software and encryption methods, including 256-bit AES encryption for data at rest.

    d. Privacy Commitments: We ensure that we use third-party software that adheres to strict privacy policies and procedures, including third-party audits and certifications such as ISO 27018 and ISO 27701.

    Regardless, below is an outline of the process that we would follow in case we need to share personal data with a third party for legitimate interests and/or lawful purposes, of which you will be notified as per this Policy and our terms and conditions.
  2. When appointing any data processor to collect, store or use personal data on our behalf, we:

    a. Before Engagement: Ensure that the data processor provides satisfactory assurances about their data protection practices – We have drafted a Supplier Due Diligence Checklist which must be completed for every data processor contract; and

    b. On Engagement: Sign the data processor up to specified data processing terms – We have drafted template terms which must be entered into with all data processors; and

    c. Post Engagement: Confirm on an appropriate periodic basis (as determined by [IT]) that the assurances provided before engagement about their data protection practices remain valid – the Supplier Due Diligence Checklist is also sent out to all data processors on an annual basis.
  3. Where we transfer personal data to data processors or data controllers which are based outside the EEA (which includes data processors accessing the personal data from outside the EEA e.g. in order to provide IT support services), a data transfer mechanism is put in place unless that country has been deemed adequate by the European Commission.

Training

We provide training on this Policy and on other data protection-related policies, procedures and obligations to all employees and contractors when they join us, and then on an annual basis.

Audits and monitoring

We audit compliance with this Policy and other data protection-related policies; and will implement appropriate corrective actions to rectify any non-compliance. If you think that this Policy is not being complied with in any way, please bring this to our attention by contacting us at contact@mindbay.ai.

Updates of the policy

Any changes to this policy will be communicated to you based on our terms and conditions, which will also include a brief explanation of the reasons for any notified changes to this Policy.

Publication and final provisions

This Policy and any other amendments to it will be published on this website. Please ensure to review it on a periodic basis to stay up to date with our policies and procedures.

Effective date

This Policy takes effect as of 10 OCT 2024.  

You can raise any questions or concerns in relation to this Policy by contacting: contact@mindbay.ai.
You should also contact us if you think you need an exception to a rule in this Policy.  

Annex 1

  1. Information which must be provided to individuals when collecting their personal data directly from them and that are included in this Policy:

    a. The identity and the contact details of Mindbay Technologies Ltd;

    b. The purposes and the legal basis for the processing;

    c. The legitimate interests of Mindbay Technologies Ltd, where applicable;

    d. The recipients or categories of recipients of the personal data;

    e. Any international data transfers, including the location of any recipients and the methods used to ensure the adequate protection of those transfers (and how to obtain details of those methods);

    f. Data retention periods;

    g. Their rights under data protection rules;

    h. The process available to individuals to withdraw any consent;

    i. Whether the individual is obliged to provide the personal data and the possible consequences of failure to provide such data; and

    j. The existence of automated decision-making, including profiling, and the logic involved.
  2. Information which must be provided to individuals when collecting their personal data from another source:

    a. All of the information stated in paragraph 1 of this Annex 1 above;

    b. The categories of personal data obtained from the third party; and

    c. The sources of the personal data – information must be as precise as possible (e.g. identify whether this source is a private or public source; and the type of organisation/industry/sector).

Annex 2

Grounds for processing personal data

We collect and process personal data where it is necessary for the following purposes:

Type of data: Normal data, e.g. names, contact information, job title, bank details etc.

  • Ground for processing: Necessary to perform a contract
    Example: Full name, gender, age range, education level, occupation, relationship status, parental details, and living situation details are required to create a WellnessOne account. Identity details are necessary to provide our services and to respond to customer queries, to provide the information requested from us in relation to our products or services and to notify the customer of any service-related changes. Bank details are necessary to complete transactions for the provision of our services.

  • Ground for processing: Necessary to comply with a legal obligation and for exercising rights in the field of employment, social security and social protection law
    Example: Personal data necessary for processing payroll data, administering benefits and pensions, managing employee mobility, facilities management, disciplinary procedures and to ensure network and information security.

  • Ground for processing: Consent
    Example: To transfer data to third parties and to send promotional material related to our services, such as newsletters.

  • Ground for processing: Legitimate interest
    Example: Data relating to customer preferences, feedback, and behaviours, as well as data relating to business activity such as sales figures, trends, and patterns, for the purpose of creating tailored services to better meet customer needs.

Type of data: Essential, functional, and analytical cookies, e.g. user-input, authentication and user-centric cookies etc.

  • Ground for processing: Necessary to perform a contract
    Example: Strictly necessary cookies to provide you with services available through our Site and to use some of its features, such as access to secure areas.

  • Ground for processing: Legitimate interest
    Example: Analytics cookies are used in aggregate form to help us understand how our Site is being used or how effective marketing campaigns are, or to help us customise our Site for you. Functionality or performance cookies provide the performance and functionality of our Site and monitor system availability, stability, and error reporting.

Type of data: Sensitive data, e.g. medical information and disabilities and personal information relating to mental health, political and philosophical thoughts and beliefs.

  • Ground for processing: Necessary to comply with a legal obligation and for exercising rights in the field of employment, social security and social protection law
    Example: Sickness or disability information for administration purposes, background checks, administering benefits etc.

  • Ground for processing: Necessary to perform a contract
    Example: To provide Growth Coach, Growth Workshop, Let’s Talk and Mindfulness services that are tailored around individual customer needs.