Privacy Policy
Mindwise App Pte. Ltd.
Singapore
Last updated: 2026-03-25
1. Introduction and Scope
Mindwise App Pte. Ltd. (“Mindwise”, “we”, “our”, “us”) operates the Mindwise app and website (collectively, the “Services”). We are incorporated in Singapore and are the data controller for the processing of your personal data.
This Privacy Policy applies to all users of the Services worldwide. We are committed to protecting your privacy in accordance with all applicable data protection laws, including but not limited to:
- Singapore: Personal Data Protection Act 2012 (PDPA)
- European Union: General Data Protection Regulation (GDPR)
- United Kingdom: UK GDPR and Data Protection Act 2018
- United States: FTC Act, FTC Health Breach Notification Rule, California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), and applicable state privacy laws
- Canada: Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial laws
- Australia: Privacy Act 1988 and Australian Privacy Principles (APPs)
- Brazil: Lei Geral de Proteção de Dados (LGPD)
- South Korea: Personal Information Protection Act (PIPA)
- Japan: Act on the Protection of Personal Information (APPI)
By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy.
2. Why Your Data Is Sensitive — A Note on Classification
The data you share with Mindwise — including descriptions of emotional states, stress responses, personal beliefs, mood patterns, and psychological reflections — is sensitive regardless of how we describe our product. Across all jurisdictions in which we operate, this data is classified as:
- Special category personal data (EU/UK GDPR Article 9 — data concerning health)
- Sensitive personal data (Singapore PDPA)
- Sensitive personal information (California CPRA)
- Health information (FTC Health Breach Notification Rule)
- Sensitive information (Australia Privacy Act Schedule 3)
- Sensitive data (Brazil LGPD Article 11)
- Sensitive personal data (South Korea PIPA)
The “personal development” positioning of our product does not reduce these classifications. We apply the highest standard of protection to all data you share with us and fully acknowledge all associated legal obligations.
3. Data We Collect
We collect only the data that is necessary to provide, operate, and improve the Services (data minimisation principle). The following categories of data may be collected:
- Account data: email address, password (hashed), display name, account creation date
- Session and conversation data processed by our AI response provider (Anthropic): your name, primary concern, conversation message history, logged situations, and goals
- Profile and preference data: goals, settings, notification preferences, language preference
- Behavioural and usage data: session duration, features used, app interactions, engagement patterns
- Device and technical data: device type, operating system, app version, IP address (anonymised where possible), crash logs, performance logs
- Support and communication data: support ticket content, feedback, survey responses
- Payment and subscription data: subscription status, purchase identifiers, transaction timestamps (full payment card data is handled by the app store or payment provider — we do not store it)
Voice data note: Voice input audio is processed by our transcription provider (AssemblyAI) and converted to text; voice responses are generated by our speech synthesis provider (OpenAI). Neither raw audio nor synthesised audio is stored by Mindwise.
4. Legal Basis for Processing
We only process your personal data where we have a valid legal basis under applicable law. For sensitive and special category data (emotional states, mood data, session content), we require separate, explicit, affirmative consent obtained through a dedicated consent screen before your first use of the Services. You must provide this consent to use Mindwise — it is a requirement for access to the core functionality of the app, not an optional enhancement.
The following describes our legal basis for each processing purpose:
- Core app functionality (AI responses, session continuity, personalisation): Explicit consent — EU/UK GDPR Art. 6(1)(a) + Art. 9(2)(a) | Singapore PDPA express consent | Consent (US, CA, AU, BR, KR, JP)
- Account creation and management: Contract performance — EU/UK GDPR Art. 6(1)(b) | Singapore PDPA deemed consent / contract | Contract (all other jurisdictions)
- Security monitoring, crash reporting, performance: Legitimate interests — EU/UK GDPR Art. 6(1)(f), LIA conducted | Singapore PDPA deemed consent | Legitimate interests (all other jurisdictions)
- Legal compliance and enforcement: Legal obligation — EU/UK GDPR Art. 6(1)(c) | Singapore PDPA legal obligation | Legal obligation (all other jurisdictions)
- Subscription billing and payment processing: Contract performance — EU/UK GDPR Art. 6(1)(b) | Singapore PDPA contract | Contract (all other jurisdictions)
How we obtain consent
At onboarding, before your first use of any session or voice features, we present a dedicated consent screen requiring your explicit confirmation. Consent to processing your sensitive personal data is required to use the Services. We maintain a timestamped, versioned record of the consent you gave and the version of this Privacy Policy in effect at the time.
Account deletion and your data
If you no longer wish for your data to be processed, you may delete your account at any time through Settings › Account › Delete Account, or by contacting support@mindwise.so. Upon account deletion, all your personal data will be deleted or irreversibly anonymised within 30 days.
Legitimate interests
Where we rely on legitimate interests, we have conducted a Legitimate Interests Assessment (LIA) confirming that our interests do not override your fundamental rights. You may request a summary of our LIA by contacting dpo@mindwise.so.
5. AI Model Training and Product Improvement
We may use certain data to develop, test, and improve our AI systems, subject to the following conditions:
- We use aggregated, anonymised, or pseudonymised data wherever possible for improvement purposes.
- Your individually identifiable session content is not used for AI training without a separate, explicit legal basis.
- Anthropic, Inc. (Claude) — Processes conversation messages, your name, stated concerns, goals, and logged session data solely to generate AI responses in real time. Bound by Zero-Data Retention agreement. API inputs and outputs are deleted immediately after each response is generated — nothing from your sessions is retained by the provider after the call completes. This is a contractual obligation we enforce.
The licence you grant us in the Terms of Service does not constitute a legal basis for processing your sensitive personal data for AI training — a separate legal basis is always required for this purpose. If you wish to delete your account and all associated data, you may do so at any time as described in Section 4. Upon account deletion, your personal data will be removed from our systems within 30 days.
6. Data Sharing and Third-Party Processors
We do not sell your personal data. We do not share your conversation data with third parties for their own marketing purposes. We share data only with the following categories of recipients, each bound by a Data Processing Agreement (DPA) or equivalent contractual instrument requiring them to process data only on our instructions and to apply appropriate security measures:
- Cloud infrastructure provider (Supabase, Inc.): Stores app data, user accounts, session transcripts, and progress data. Servers located in the United States. Bound by DPA including Standard Contractual Clauses for EU/UK data transfers.
- AI response provider (Anthropic, Inc. — Claude): Receives and processes your name, primary concern, conversation message history, logged situations, goals, and session progress data solely to generate AI responses in real time. Anthropic is bound by a Zero-Data Retention agreement — contractually prohibited from retaining your data or training their models on it after each response is generated.
- Voice synthesis provider (OpenAI, LLC): Receives the text of AI-generated responses in order to produce spoken audio output (text-to-speech). OpenAI does not receive your conversation history, name, or any other personal data beyond the response text being converted. Raw audio and input text are not retained by OpenAI after the audio stream is delivered.
- Voice transcription provider (AssemblyAI, Inc.): Receives audio recordings of your voice input in order to produce text transcripts in real time. Raw audio is not retained by Mindwise or AssemblyAI after transcription is complete; only the resulting text transcript is stored by Mindwise.
- Analytics provider: Receives pseudonymised, aggregated usage and crash data only. No session content, no mood data, no personally identifiable information.
- Customer support platform: Receives support ticket content and communication data only.
- Payment and subscription management: Receives subscription status and transaction identifiers. Full payment card data is handled directly by the app store (Apple/Google) or payment provider.
- Professional advisors (legal, accounting, security): Under strict confidentiality obligations.
- Authorities and regulators: Where required by applicable law, court order, or valid legal process.
- Acquirers or successors: In connection with a merger, acquisition, or asset sale, subject to equivalent privacy protections continuing to apply and prior notice to users where required by law.
A current list of our specific third-party processors is available on request by contacting dpo@mindwise.so. We will notify you of material changes to processors where required by applicable law.
7. International Data Transfers
Mindwise App Pte. Ltd. is incorporated in Singapore. Our service providers operate globally. Your data may be processed in Singapore, the United States, the European Economic Area, and other countries. Where we transfer personal data across borders, we apply the following safeguards:
- EU/UK: We rely on Standard Contractual Clauses (EU Commission Decision 2021/914, and UK IDTA as appropriate) for transfers to countries without an adequacy decision. All transfers to US-based processors are governed by SCCs. Copies are available on request from dpo@mindwise.so.
- Singapore (PDPA): We comply with PDPA Schedule 9 requirements and implement contractual protections ensuring a standard of protection comparable to the PDPA for all outbound transfers.
- Canada (PIPEDA): Transfers outside Canada are made under contractual arrangements ensuring equivalent protection to PIPEDA requirements.
- Australia (Privacy Act): We take reasonable steps to ensure overseas recipients handle personal data in a manner consistent with the Australian Privacy Principles (APP 8).
- Brazil (LGPD): International transfers are made only where permitted under LGPD Article 33, including to countries with adequate protection or under standard contractual clauses.
- South Korea (PIPA): International transfers comply with PIPA Article 28-8 requirements, including consent or contractual safeguards.
- Japan (APPI): Transfers to third countries comply with APPI requirements including the provision of equivalent protection measures.
8. Data Retention
We retain your personal data only as long as necessary for the purposes described in this policy and to comply with applicable legal obligations. Our retention periods are as follows:
- Account and profile data: Duration of active account + 90 days post-deletion
- Session and conversation data: Duration of active account + 30 days post-deletion
- Usage and behavioural data: 13 months from collection, then aggregated and anonymised
- Device and technical data (crash logs): 90 days
- Support and communication data: 3 years from last communication, or as required by law
- Payment and subscription metadata: 7 years (tax and accounting requirements)
- Consent records: Duration of account + 3 years after account deletion
- Anonymised and aggregated data: May be retained indefinitely — cannot identify you
Account deletion: Upon account deletion, we will delete or irreversibly anonymise all personal data within 30 days, subject to legal retention obligations. Anonymised data that cannot identify you may be retained for analytics and product improvement.
Inactive accounts: Accounts inactive for 24 consecutive months will receive a notification and, absent a response within 30 days, will be subject to data anonymisation.
9. Your Privacy Rights
Your rights vary depending on your location. We honour applicable rights for all users globally. To exercise any right, contact support@mindwise.so or use in-app privacy settings. We respond within 30 calendar days (or the applicable statutory deadline if shorter).
- Right of Access: Obtain confirmation of whether we hold your data and receive a copy. Available to all users.
- Right to Rectification / Correction: Request correction of inaccurate or incomplete data. Available to all users.
- Right to Erasure / Deletion: Delete your account at any time through Settings › Account › Delete Account. All personal data deleted within 30 days. Available to all users.
- Right to Restriction: Request that we pause processing while a dispute is resolved. EU/UK users.
- Right to Data Portability: Receive your data in a structured, machine-readable format (JSON). Contact support@mindwise.so with subject ‘Data Export Request’. EU/UK, Singapore, Canada — available to all on request.
- Right to Object: Object to processing based on legitimate interests or profiling. EU/UK users.
- Right re: Automated Decisions: Where automated processing produces significant effects on you, request human review, contest the decision, and obtain an explanation. Contact dpo@mindwise.so. EU/UK users — acknowledged for all users.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights. All users.
- Opt-Out of Sale or Sharing: We do not sell or share your personal data for advertising. California (CPRA) and applicable US states.
- Limit Use of Sensitive Personal Information: You may limit use of sensitive personal data to core service delivery only. Contact support@mindwise.so. California (CPRA) and applicable US states.
- Right to Lodge a Complaint: Lodge a complaint with your applicable supervisory authority. Key contacts listed in Section 23.
10. Data Security
We implement appropriate technical and organisational security measures to protect your personal data. Our measures include:
- Encryption in transit: TLS 1.3 for all data transmitted between your device and our servers and between our servers and third-party processors
- Encryption at rest: AES-256 encryption for all personal data stored on our servers, including session content, emotional data, and mood logs
- Pseudonymisation: Session content is stored using internal user identifiers; mapping to identifying information is stored separately under additional access controls
- Role-based access controls (RBAC): No default engineering access to production user data; all access requires documented justification and is logged
- Audit logging: All access to sensitive data is logged, timestamped, and subject to regular review
- Third-party security assessments: We conduct due diligence on service providers’ security practices prior to engagement
- Penetration testing: Scheduled annually
No internet transmission is 100% secure. You use the Services at your own risk and should protect your account credentials.
11. Data Breach Notification
In the event of a personal data breach, we will notify the relevant authorities and affected individuals as required by applicable law. We maintain a documented internal incident response plan and test it annually. Our notification obligations by jurisdiction are:
- Singapore (PDPA s.26D): Notify PDPC within 3 calendar days and affected individuals as soon as practicable where a breach is likely to cause significant harm or affects 500 or more individuals.
- EU/UK (GDPR Art. 33–34): Notify the relevant supervisory authority within 72 hours of becoming aware of a breach likely to result in risk to individual rights. All breaches involving conversation data, emotional data, or mood data are treated as high-risk by default — affected individuals will be notified without undue delay.
- United States (FTC HBNR 16 CFR Part 318): Where applicable, notify the FTC and affected users within 60 days of discovering a breach involving health-related personal data.
- Canada (PIPEDA): Notify the OPC and affected individuals as soon as feasible where there is a real risk of significant harm.
- Australia (NDB Scheme — Privacy Act s.26WH): Notify the OAIC and affected individuals as soon as practicable where a breach is likely to result in serious harm.
- Brazil (LGPD Art. 48): Notify ANPD and affected individuals within a reasonable timeframe (expected regulatory guidance: 2 business days for serious breaches).
- South Korea (PIPA Art. 34): Notify affected individuals within 72 hours and report to PIPC without delay for large-scale breaches.
- Japan (APPI Art. 26): Notify PPC and affected individuals promptly for reportable breaches affecting 1,000 or more individuals or involving sensitive data.
12. Automated Decision-Making, AI, and Profiling
Mindwise uses artificial intelligence models to generate personalised responses and insights based on your inputs and interaction history.
What our AI does: generates session responses, creates personalised coaching paths, calculates engagement metrics (e.g., Clarity Score), and identifies patterns in your data to personalise your experience.
What our AI does not do: make any decisions with legal or similarly significant effects on you without your ability to seek human review.
Profiling: We create a personalised profile of your experience patterns. This profiling is used solely to improve your experience within the Services.
EU/UK users: Where automated processing produces significant effects on you, you have the right to (a) obtain human review of the decision, (b) express your point of view, and (c) contest the decision. Contact dpo@mindwise.so to exercise these rights.
All AI-generated responses are intended to support reflection and personal development only. They do not constitute medical, psychological, or professional advice.
13. Human Oversight and AI Safeguards
Mindwise incorporates human-defined rules, safety constraints, and monitoring processes to reduce the risk of harmful, inappropriate, or misleading AI outputs. Key safeguards include:
- Predefined safety responses for certain categories of sensitive input
- Automatic redirection to external support resources for crisis-related content
- Human review of flagged outputs and user-reported concerns
- Continuous evaluation of AI behaviour to improve safety
You may report AI responses you consider inappropriate by contacting support@mindwise.so or using the in-app report function.
EU AI Act compliance: We have assessed our AI systems against the prohibited practices and high-risk AI categories defined in the EU AI Act. Mindwise is designed to avoid manipulative, coercive, or exploitative interactions and to support user autonomy and self-determination. We do not use subliminal techniques or exploit psychological vulnerabilities.
14. AI Risk Awareness and User Responsibility
Prolonged or intensive use of AI-based personal development tools may involve certain risks, including over-reliance on AI-generated feedback and reduced engagement with human support networks. Mindwise is intentionally designed to encourage user autonomy, critical thinking, and engagement with qualified professionals where appropriate.
You remain fully responsible for how you interpret and act upon AI-generated responses. The Services are a supplement to, not a substitute for, professional support.
15. Children’s Privacy
The Services are not intended for individuals under 18 years of age, or the age of majority in your jurisdiction if higher. We do not knowingly collect personal data from minors.
- United States (COPPA): We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided personal data, we will delete it immediately. Parents or guardians who believe a child has provided us with personal data should contact support@mindwise.so.
- EU/UK (GDPR Art. 8): We do not direct our Services to children under 16 and do not knowingly process their data without verifiable parental consent.
- All jurisdictions: If you believe a minor has used the Services, please contact support@mindwise.so.
16. Cookies and Tracking Technologies
We may use cookies and similar technologies on our website and app. A separate Cookie Policy (available at mindwise.so/legal/cookies) provides full details. Where required by applicable law — including EU ePrivacy Directive, UK PECR, Canada CASL, and Singapore PDPA — we obtain consent before placing non-essential cookies or tracking technologies.
Do Not Track: Some browsers transmit Do Not Track (DNT) signals. Our website currently does not respond differently to DNT signals. We will update this policy if our practices change.
17. California Privacy Rights (CCPA / CPRA)
If you are a California resident, you have the following rights in addition to those described in Section 9:
- Right to Know: Know what personal information we collect, use, disclose, and share
- Right to Delete: Request deletion of personal information we hold about you
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioural advertising
- Right to Limit Use of Sensitive PI: Your emotional, psychological, and session data is sensitive personal information under CPRA. You have the right to limit its use to providing the Services
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights
To exercise California rights: Contact support@mindwise.so with ‘California Privacy Request’ in the subject line. Response within 45 days, extendable by 45 days with notice.
Authorised Agent: You may designate an authorised agent to make requests on your behalf. The agent must provide written authorisation signed by you.
Additional US State Rights: Residents of Virginia, Colorado, Connecticut, Texas, and other states with enacted privacy laws have similar rights. We honour these rights for all US residents regardless of state. Contact support@mindwise.so to exercise any US state privacy right.
18. Canadian Privacy Rights (PIPEDA)
If you are a Canadian resident, you have the following rights under PIPEDA and applicable provincial privacy laws (PIPA in British Columbia and Alberta, Law 25 in Quebec):
- Right to Access: Request access to personal information we hold about you. Response within 30 days.
- Right to Correction: Request correction of inaccurate personal information.
- Right to Withdraw Consent: You may withdraw consent and delete your account at any time. Withdrawal will result in account deletion as consent is required for core service delivery. Contact support@mindwise.so.
- Right to Challenge Compliance: Contact our Privacy Officer at dpo@mindwise.so, or lodge a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca.
Quebec (Law 25): Quebec residents have additional rights including the right to data portability and enhanced consent rights.
Privacy Officer contact: dpo@mindwise.so
19. Australian Privacy Rights (Privacy Act 1988)
If you are an Australian resident, the Australian Privacy Principles (APPs) under the Privacy Act 1988 apply to our handling of your personal information.
- Right to Access: Request access to personal information we hold about you (APP 12).
- Right to Correction: Request correction of personal information that is inaccurate, out of date, incomplete, or misleading (APP 13).
- Right to Anonymity: Where practicable, you may interact with us anonymously or using a pseudonym.
- Overseas transfers: We comply with APP 8 requirements for cross-border disclosure.
To exercise your rights, contact support@mindwise.so. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
20. Brazil Privacy Rights (LGPD)
If you are a Brazilian resident, the Lei Geral de Proteção de Dados (LGPD) applies. You have the following rights under LGPD Article 18:
- Confirmation of processing and access to your data
- Correction of incomplete, inaccurate, or outdated data
- Anonymisation, blocking, or deletion of unnecessary or excessive data
- Portability to another service or product provider
- Deletion of data processed with your consent
- Information about third parties with whom we share data
- Information about the possibility of denying consent and consequences
- Withdrawal of consent at any time (note: withdrawal results in account deletion as consent is required for core service delivery)
- Opposition to processing not based on consent
- Review of automated decisions
Contact support@mindwise.so or the Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd.
21. Data Protection Officer and Representatives
The following contacts are responsible for data protection matters relating to Mindwise App Pte. Ltd.:
- Data Protection Officer (DPO): dpo@mindwise.so
- EU Representative (GDPR Art. 27): Data Protection Representative Limited (trading as DataRep), 77 Camden Street Lower, Dublin, D02 XE80, Ireland. Registered in Ireland (number 616588). Contact: info@datarep.com. EU data subjects and supervisory authorities may contact our EU Representative directly. DataRep maintains offices across all EU/EEA member states — full address list at datarep.com.
- UK Representative (UK GDPR Art. 27): Data Protection Representative Limited (trading as DataRep), 77 Camden Street Lower, Dublin, D02 XE80, Ireland. Registered in Ireland (number 616588). Contact: info@datarep.com. UK data subjects and the ICO may contact our UK Representative directly.
- Switzerland Representative (nFADP Art. 14): Data Protection Representative Limited (trading as DataRep), 77 Camden Street Lower, Dublin, D02 XE80, Ireland. Registered in Ireland (number 616588). Contact: info@datarep.com. Swiss data subjects and the FDPIC may contact our Swiss Representative directly.
- Singapore DPO: dpo@mindwise.so
- Canada Privacy Officer (PIPEDA): dpo@mindwise.so
- Australia Privacy Officer (Privacy Act): dpo@mindwise.so
22. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices, technologies, or legal requirements. When we make material changes, we will:
- Update the Effective Date at the top of this policy
- Provide notice in the app, by email, or through another appropriate channel
- Where required by law, obtain fresh consent before processing your data under the updated terms
- For material changes affecting EU/UK users, provide at least 30 days’ notice before changes take effect
Your continued use of the Services after the updated policy becomes effective constitutes acceptance, except where fresh consent is legally required.
23. Contact
For general privacy enquiries, contact Mindwise App Pte. Ltd. at support@mindwise.so. For data protection matters, contact our DPO at dpo@mindwise.so.
To exercise your rights or lodge a complaint, contact the relevant supervisory authority for your jurisdiction:
- Singapore: PDPC — pdpc.gov.sg
- EU: Your national DPA (list at edpb.europa.eu)
- UK: ICO — ico.org.uk
- USA (California): CPPA — cppa.ca.gov
- Canada: OPC — priv.gc.ca
- Australia: OAIC — oaic.gov.au
- Brazil: ANPD — gov.br/anpd
- South Korea: PIPC — pipc.go.kr
- Japan: PPC — ppc.go.jp