Privacy Policy

1. Important information and who we are

MINDSET TECHNOLOGIES LTD respects your privacy and is committed to protecting your personal data. This privacy policy will inform you as to how we look after your personal data when you visit the Mindset Application ("our app") (regardless of where you visit it from) and tell you about your privacy rights and how the law protects you.

Please also use the Glossary to understand the meaning of some of the terms used in this privacy policy.

2. Purpose of this privacy policy

This privacy policy aims to give you information on how we collect and process your personal data through your use of our app, including any data you may provide through our app, from time to time, when you access our app and our website at

We do not intend to collect your personal data when you use the app and/or the website; however, it is possible that personal and non-personal data combined from several measurements can be aggregated and lead to you as an identifiable individual. When you use our app and/or the website, you may be associated with online identifiers, and other information received by the servers may be used to identify you and create your profile. If we collect any of your personal data, it will be stored and processed in accordance with this privacy policy.

It is important that you read this privacy policy together with any other privacy policy or fair processing policy we may provide from time to time when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy policy supplements other notices and privacy policies and is not intended to override them.

3. Controller

MINDSET TECHNOLOGIES LTD, a private limited company registered in England and Wales under company number 11092048 with its registered office at Minster House 42 Mincing Lane, 7th Floor, London, United Kingdom, EC3R 7AE, is the controller and responsible for your personal data (the "Company", "we", "us" or "our" in this privacy policy).

4. Information Commissioner's Office (ICO)

We are registered with the ICO in the Register of fee payers. Our data protection registration number is ZA501157. The Register is available here

5. Contact details

If you have any questions about this privacy policy or our privacy practices, please contact:

Name: Mindset Technologies LTD Email address

You have the right to make a complaint at any time to the ICO, the UK supervisory authority for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

6. Security of personal data

Appropriate technical and organisational measures

We have implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, among others:

  • the pseudonymisation and encryption of personal data;
  • ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.


The application of pseudonymisation to personal data is implemented with a view to reducing the risk to your personal data and helping us to meet our data protection obligations.

7. Changes to the privacy policy and your duty to inform us of changes

We keep our privacy policy under regular review.

This version of the privacy policy was last updated on June 6 2020.

8. Third-party links

9. The data we may collect about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

  • "Identity" includes your name, surname, e-mail address, and voice.
  • "Technical Data" includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our app and/or the website.
  • "Profile Data" includes your username and password, your interests and preferences.
  • "Usage Data" includes information about how you use our app and the website.

We also collect, use and share "Aggregated Data" such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.

We do not collect any "Special Categories of Personal Data" about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

Mindset uses TrueDepth API to automatically collect information to track the facial expressions of the user for a period of approximately 20 seconds. Mindset uses this data to attempt to determine the emotions displayed by a user in response to a stimulus provided by the app. No personal data is collected during the test. Data is sent over HTTPS to a secure access-controlled database in our AWS account, which is encrypted at rest, and is not shared with any third parties. Mindset will require access to your microphone and/or camera to be able to use TrueDepth API.

TrueDepth API does not capture or store any personally identifiable information through the app, nor does it record any unique facial features. TrueDepth API only provides to Mindset a set of numbers that relate to movement areas of the user’s face (such as “left eyebrow raised”). TrueDepth API is not used in any clinical setting and does not specifically target individuals with dementia or any other health conditions.

If you provide to us personal information belonging to someone else

If you provide personal information about other people then you must:

  • seek their prior consent; and/or
  • provide a copy of this privacy policy to those persons and ensure that they are aware of and understand its contents,

when providing information about other people, ensure that you have all relevant permissions and authority to make all necessary disclosures.

10. How is your personal data collected?

We use different methods to collect data from and about you including through:

  • Direct interactions. You may give us your Identity, Contact and Financial Data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:

    • conduct neurodiagnostic tests;
    • create an account on our app;
    • sign up on our website for the purposes of enquiry; early access to the app and the Diagnostics; to join our team; or for any media enquiries; and
    • give us feedback or contact us.

    We strongly advise you not to provide any sensitive personal data on our website, as the “Sign-Up” option is for general enquiries only.

  • Automated technologies or interactions. As you interact with our app and/or the website, we will automatically collect Technical Data about your equipment, browsing actions and patterns. Cookies and similar technologies may be used to collect this information.

11. How we use your personal data

We will use your personal data only when necessary and strictly when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • Where we need to comply with a legal obligation.

12. Purposes for which we may use your personal data

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

Purpose/Activity: to manage our relationship with you which may include:

  1. notifying you about changes to our terms or privacy policy;
  2. contacting you with regards to any enquiry you may have submitted via the website;
  3. notifying you of changes to our app and/or the website;
  4. to ask you to leave feedback or take a survey; and
  5. to carry out analysis, market research and testing.

Type of data: Profile and Identity

Lawful basis for processing including basis of legitimate interest:

  1. Necessary to comply with a legal obligation; and
  2. necessary for our legitimate interests (to keep our records updated; to study how patients use our services; and to aggregate test data).

Purpose/Activity:

  1. to administer the operation of our app and the website (including but not limited to troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data);
  2. to update the records we hold about you from time to time;
  3. to deliver relevant app and website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you;
  4. to develop and improve our services, products and business, including data collected and our customer service offering;
  5. to provide and administer the marketplace and our related services; and
  6. to use data analytics to improve our app and the website, services, marketing, customer relationships and experiences.

Type of data: Technical Data and Usage Data

Lawful basis for processing including basis of legitimate interest: Necessary for our legitimate interests (to study the test outcomes to develop the algorithm; for the purpose of running our app; to provide administration and IT services, network security)

Purpose/Activity: to carry out analysis, market research and testing

Type of data: Identity

Lawful basis for processing including basis of legitimate interest: Necessary for our legitimate interests (necessary to conduct the neurological tests)

13. Who we disclose your personal information to as part of our services

We may only disclose your personal data if we are required to do so by applicable law and regulation.

14. Change of purpose

We will use your personal data exclusively for the purposes for which we collect it, unless we identify that any new purpose is compatible with the existing processing purpose.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

15. Disclosures of your personal data

We may share your personal information with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.

16. Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so within 72 hours upon becoming aware of the breach.

17. Data retention

We will not keep your personal information for longer than is necessary, for the purposes for which it was collected and is processed and for the purposes of satisfying our legal, accounting or regulatory reporting requirements.

To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

In some circumstances you can ask us to delete your data by contacting us at

In some circumstances we will anonymise your personal information (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

18. Where we store your personal information

The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area ("EEA"). It may also be processed by staff operating outside the EEA who work for us or for one of our service providers.

Amazon Cloud

We use Amazon Cloud for the purpose of storing personal data. Amazon Cloud servers may be located in the US or anywhere else in the world. Amazon Cloud (Amazon AWS) privacy policy is available at

Amazon is responsible for security of its Cloud Server. Amazon implements security measures that we will implement and operate. At all times we remain responsible for security of the personal data stored in the Cloud Server.

Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
  • Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
  • Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US. For further details, see European Commission: EU-US Privacy Shield. Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
  • The Privacy Shield allows your personal data to be transferred from the EU to a company in the United States, provided that the company there processes your personal data according to a strong set of data protection rules and safeguards. The protection given to your data applies regardless of whether you are an EU citizen or not.
  • In order to be able to certify, companies in the US must have a privacy policy in line with the relevant privacy principles. They must renew their “membership” to the Privacy Shield on an annual basis. If they do not, they can no longer receive and use personal data from the EU. In this case, we will use the standard contractual clauses prescribed by the relevant data protection legislation in the EU for the purpose of transfers to the countries outside the EEA.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.

19. Your legal rights

Under certain circumstances, you have rights under the relevant data protection laws in relation to your personal information.

  • right to rectification

    If your personal information is incorrect or incomplete in any way, you may notify a person dealing with your matter and, where inaccurate or incomplete, we will correct it without delay.

  • right of access

    You have a right to:

    • request a confirmation from us that we are processing your personal information;
    • access your personal information held by us and request a copy (unless providing a copy adversely affects the rights and freedoms of others);
    • obtain certain information about how we process your personal information, categories of personal information processed, recipients or categories of recipients who receive personal information from us; and
    • request how long we store your personal information for and the criteria we use to determine retention periods.
  • right to be informed

    You have a right to be informed:

    • how your personal information is being processed;
    • how long it will be stored for;
    • the legal basis for processing;
    • recipients (or categories of recipients) of your personal information; and
    • whether personal information must be provided under statute or for another reason and the consequences of not providing the personal information to ensure the fair and transparent processing of your personal information.
  • right to restrict processing under certain circumstances

    You have a right to restrict processing under certain circumstances:

    • if you contest the accuracy of your personal information, we may restrict its processing, until we can verify its accuracy;
    • if the processing is unlawful;
    • if we no longer need to process your personal information, unless we still need your personal information for the establishment, exercise, or defence of legal claims; and
    • if you object to processing that relies on public interest or our (or third party’s) legitimate interest as the lawful processing ground.
  • right to data portability

    • You have a right to receive from us a copy of your personal information in a commonly used and machine-readable format and store it for further use on a private device.
    • You have a right to transmit personal information to another third party; or have your personal information transmitted directly from one third party to another where technically possible.
  • right not to be subject to automated processing

    You have a right not to be subject to automated decision-making, including profiling, which has legal or other significant effects on you. This does not apply when the automated decision is necessary for entering into or performing a contract with you; or it is authorised by EU or member state law applicable to us if the law requires suitable measures to safeguard your rights and freedoms and legitimate interests; or based on your explicit consent.

  • the right to object to processing

    You may object to direct marketing, including profiling related to direct marketing. We will stop processing your personal information once notified by you, except if we can demonstrate a compelling legitimate ground for processing the personal information that overrides your request; or processing is necessary to exercise or defend legal claims.

If you wish to exercise any of the rights set out above, please contact

No fee usually required

You will not have to pay a fee to access your personal data (or to exercise any of the other rights).

20. Glossary

"Comply with a legal obligation" means processing your personal data where it is necessary for compliance with a legal obligation that we are subject to.

"Legitimate Interest" means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us at