Legal
Privacy Policy
Effective date: 29 May 2026. Last updated: 29 May 2026.
MindLotus B.V. ("MindLotus", "we", "us" or "our") is committed to protecting your personal data. This Privacy Policy explains what information we collect when you visit our websites or use the MindLotus therapy platform, why we collect it, how we use and share it, how long we keep it, and the rights you have under the EU General Data Protection Regulation (GDPR), the Dutch Uitvoeringswet AVG and Dutch healthcare laws including the Wet op de geneeskundige behandelingsovereenkomst (WGBO).
We act as a data controller for the personal data we process about you when you visit our marketing websites and when you use the platform as a client, employee, psychologist, HR manager or administrator. Where psychologists keep clinical records of their patients on our platform, those clinical records are processed by us as a data processor on behalf of the treating psychologist, who remains the controller of the medical record.
1. Who we are
- Controller: MindLotus B.V.
- Chamber of Commerce (KVK): 42026262
- Registered office: Meerzand 36, 5658 LJ Eindhoven, the Netherlands
- Privacy contact: privacy@mindlotus.nl
- Data Protection Officer: dpo@mindlotus.nl
2. What personal data we collect
We collect only the personal data we need to operate MindLotus safely and to deliver the services you have requested. The exact data we hold about you depends on whether you visit the public site, create a client account, are sponsored by an employer or work with us as a psychologist.
Identification and account data
- Name, email address, phone number, profile picture, password (hashed).
- Role (client, employee, psychologist, HR manager, administrator) and onboarding status.
- Account, login and security event metadata, including IP address, device, browser and timestamps.
Health and therapy data (special category)
- Information you provide in intake questionnaires, including mental-health history, current symptoms, goals and cultural context.
- Therapy session metadata (date, duration, attendance, cancellations).
- Session notes prepared by the psychologist within the platform.
- Voluntary feedback, ratings and free-text comments after sessions.
Real-time communications
- Audio and video streams during sessions are routed via our video processor (Daily.co) and are not recorded by us unless you and your psychologist both explicitly opt in for a specific session.
- Text messages exchanged inside the platform are stored encrypted at rest.
Professional credentials (psychologists)
- Diplomas, registrations, CV, identity verification documents and qualifications uploaded during onboarding.
- Availability schedules and session-management preferences.
Organisation and employment data (HR / employees)
- Employer name, work email, department, and the scope of therapy benefits granted by your employer.
- Aggregate, de-identified usage statistics for the HR dashboard. We do not share individual therapy content with employers.
Payment and billing data
- Billing name and address, VAT number, invoice history.
- Card or SEPA tokens stored by Stripe — we never see or store your full card number.
Website usage data
- Pages viewed, referring URL, UTM campaign parameters, approximate region derived from your IP, and CTA interactions.
- Collected only after you grant analytics consent on the cookie banner.
3. Special category (health) data
Information about your mental health is treated as a special category of personal data under Article 9 of the GDPR and receives additional protection. We process this data:
- with your explicit consent, which you give when you create an account, complete an intake questionnaire or book a session (Article 9(2)(a) GDPR); and
- because it is necessary for the provision of healthcare and the management of healthcare systems and services, by health professionals subject to a duty of professional secrecy (Article 9(2)(h) GDPR, in conjunction with the WGBO and the Wet beroepen in de individuele gezondheidszorg).
You can withdraw your consent at any time by contacting privacy@mindlotus.nl. Withdrawal does not affect any processing that took place before withdrawal, and it does not override our obligation to retain medical records for the period prescribed by the WGBO.
4. Why we process your data, and our legal basis
The table below summarises each purpose we have for processing personal data, the legal basis we rely on and the data categories involved.
| Purpose | Legal basis | Data categories |
|---|---|---|
| Providing the MindLotus therapy platform, including matching, booking, session delivery and aftercare. | Performance of the contract with you (Art. 6(1)(b) GDPR). For health data, your explicit consent and the provision of healthcare (Art. 9(2)(a) and 9(2)(h) GDPR). | Account, health, communications, professional credentials, organisation. |
| Verifying psychologists' qualifications and maintaining a safe network of providers. | Legal obligation under Dutch healthcare law and our legitimate interest in platform safety (Art. 6(1)(c) and (f) GDPR). | Professional credentials, identity documents. |
| Charging for sessions, issuing invoices and meeting tax-record obligations. | Performance of the contract and legal obligation (Art. 6(1)(b) and (c) GDPR). | Payment, billing, account data. |
| Sending transactional emails (booking confirmations, reminders, password resets). | Performance of the contract (Art. 6(1)(b) GDPR). | Account data and session metadata. |
| Sending marketing newsletters and product updates where you have subscribed. | Your consent (Art. 6(1)(a) GDPR). You can withdraw at any time. | Email address, language preference, engagement metadata. |
| Operating the public marketing website and measuring aggregate usage. | Your consent for analytics and similar non-essential cookies (Art. 6(1)(a) GDPR and Art. 11.7a Telecommunicatiewet). Strictly necessary cookies rely on our legitimate interest. | Website usage data. |
| Detecting fraud, abuse and protecting the security of our users and systems. | Our legitimate interest (Art. 6(1)(f) GDPR). | Login and security event metadata, IP address, device data. |
| Aggregating de-identified usage data for employer reporting and product research. | Our legitimate interest (Art. 6(1)(f) GDPR). | Aggregate session, attendance and engagement counts. No identifiable health content. |
| Complying with legal requests, court orders and regulatory obligations. | Legal obligation (Art. 6(1)(c) GDPR). | Whatever the specific request lawfully requires. |
5. Cookies and similar technologies
We use a small number of strictly necessary cookies that make the site work (for example, to keep you signed in, to remember your language and to protect against cross-site request forgery). These cookies do not require your consent.
We also use optional analytics cookies set by Mixpanel to understand how visitors use our marketing website. These cookies are loaded only after you grant consent via the cookie banner. You can change your choice at any time from the "Cookie settings" link in our footer. If you decline, no analytics cookies are placed and no analytics events are sent.
We do not use third-party advertising cookies, cross-site tracking pixels or social-network "like" buttons that profile you.
6. Who receives your personal data
We do not sell personal data. We share personal data only with the following categories of recipients:
- Your treating psychologist or therapist on the platform, to enable care.
- Your employer's HR manager, if you accessed MindLotus through an employer programme, but only in the form of aggregate, de-identified usage statistics. We never share individual session content or clinical information with employers.
- Service providers (sub-processors) who help us run the platform under written processing agreements and on our documented instructions.
- Professional advisers (lawyers, auditors, accountants) under duties of confidentiality, where strictly necessary.
- Public authorities when we are required to do so by law, a binding court order or to defend legal claims.
- An acquirer or successor in the event of a merger, acquisition, reorganisation or sale of assets, subject to equivalent confidentiality and security protections.
Current sub-processors
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, file storage and backend services for the MindLotus platform. | European Union (Frankfurt region) | EU-hosted; Data Processing Addendum in place. |
| Daily.co (Pluot Communications, Inc.) | Real-time video and audio infrastructure for therapy sessions. | United States, with EU media routing where available | EU Standard Contractual Clauses (SCCs) and Data Processing Addendum. |
| Mixpanel, Inc. | Privacy-respecting product analytics for the MindLotus marketing website. Loaded only after you grant analytics consent. | European Union (Frankfurt — EU residency project) | EU data residency and Data Processing Addendum. |
| Stripe Payments Europe, Limited | Payment processing for sessions, subscriptions and invoices. | European Union (Ireland), with global card network routing | EU controller / processor agreements and SCCs for non-EEA transfers. |
| Resend, Inc. | Transactional and notification email delivery. | United States | EU SCCs and Data Processing Addendum. |
| Vercel Inc. | Hosting and content delivery for the MindLotus websites. | Global edge network, EU regions for primary compute | EU SCCs and Data Processing Addendum. |
7. International transfers
We host MindLotus' primary data systems in the European Union. Some of our sub-processors (for example Daily.co and Resend) are established in the United States. Where we transfer personal data outside the European Economic Area, we rely on European Commission adequacy decisions or on the European Commission's 2021 Standard Contractual Clauses, combined with technical and organisational measures appropriate to the data (such as encryption in transit and at rest, key separation and access controls). You may request a copy of the safeguards we use by writing to privacy@mindlotus.nl.
8. How long we keep your data
We keep personal data only as long as we need it for the purposes described in this policy, or as long as the law requires us to.
| Data | Retention period |
|---|---|
| Medical / therapy records (intake questionnaires, session notes) | 20 years from the end of treatment, in accordance with Article 7:454(3) of the Dutch Civil Code (WGBO). |
| Account and profile data | For the duration of your account, plus 12 months after deletion for safety, dispute resolution and back-up rotation. |
| Invoices and tax records | 7 years from the end of the financial year, as required by Dutch tax law (Algemene Wet inzake Rijksbelastingen). |
| Marketing consent and newsletter subscriptions | Until you unsubscribe, plus a minimum suppression record of the unsubscribe itself. |
| Cookie consent record | 12 months, after which we will ask you again. |
| Server, security and audit logs | Up to 12 months, except where a longer period is required to investigate or defend a legal claim. |
When the retention period ends, we either delete the data permanently from production systems and rolling backups, or anonymise it so that it can no longer be linked to you.
9. How we protect your data
We apply technical and organisational measures appropriate to the risk involved in processing health data, including:
- Encryption of data in transit (TLS 1.2+) and at rest.
- Role-based access controls and row-level security inside our database, so people on the platform can only see the data they are authorised to see.
- Single sign-on, strong password requirements and multi-factor authentication for staff with administrative access.
- Continuous logging, monitoring and alerting on production systems.
- Regular back-ups, vulnerability scanning and structured incident response procedures.
- Background checks, confidentiality undertakings and ongoing security and privacy training for staff.
- Sub-processors are reviewed before onboarding and bound by data processing agreements that meet GDPR requirements.
No system can be made perfectly secure. If we become aware of a personal-data breach that is likely to affect your rights and freedoms, we will notify the relevant supervisory authority within 72 hours where required by Article 33 GDPR, and we will notify you without undue delay when Article 34 GDPR requires us to do so.
10. Your rights
Subject to applicable conditions and limitations, you have the following rights in relation to your personal data:
Access
You may ask whether we process personal data about you and request a copy.
Rectification
You may ask us to correct inaccurate or incomplete data.
Erasure ('right to be forgotten')
You may ask us to delete personal data, subject to legal retention obligations such as the WGBO medical-records rule.
Restriction of processing
You may ask us to pause processing in specific circumstances.
Data portability
For data you provided to us based on consent or a contract, you may request a structured, machine-readable export.
Objection
You may object to processing based on our legitimate interests, including any profiling for analytics.
Withdraw consent
Where we rely on your consent (for example marketing or analytics cookies), you can withdraw it at any time without affecting prior lawful processing.
Lodge a complaint
You may lodge a complaint with the Autoriteit Persoonsgegevens or your local EU supervisory authority.
To exercise any of these rights, please email privacy@mindlotus.nl. We may need to verify your identity before we can act on your request. We will respond within one month of receiving a complete request, and may extend that period by up to two further months for complex requests, in line with Article 12 GDPR. We do not charge a fee unless your requests are manifestly unfounded or excessive.
You also have the right to lodge a complaint with the Autoriteit Persoonsgegevens (Dutch Data Protection Authority) or with the data protection authority in the EU country where you live or work.
11. Automated decision-making and profiling
We do not use solely automated processing, including profiling, to make decisions that produce legal or similarly significant effects on you within the meaning of Article 22 GDPR. We do use algorithmic matching to suggest psychologists who fit your stated preferences. The final choice is always yours, and a human psychologist is involved in delivering your care.
12. Children
The MindLotus platform is not directed at children under 16. If you believe a child has provided us with personal data without the consent of a parent or legal guardian, please contact us at privacy@mindlotus.nl so we can delete it.
13. Third-party websites and links
Our sites may link to websites we do not control. We are not responsible for the privacy practices of those sites, and we encourage you to read their privacy notices before sharing information with them.
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our services, our legal obligations or industry practice. When we make material changes, we will update the "Last updated" date at the top of the policy and, where appropriate, notify you by email or through the platform before the changes take effect.
15. How to contact us
If you have questions or concerns about this Privacy Policy or how we handle your personal data, please contact us at:
MindLotus B.V.Meerzand 36, 5658 LJ Eindhoven, the Netherlands
KVK: 42026262
Email: privacy@mindlotus.nl
DPO: dpo@mindlotus.nl
You can also update your cookie preferences at any time from the Cookie settings link in our footer.