Legal

Privacy

How MindsMelt handles your data. In a mental-health product, this is not boilerplate—it is the product.

Last updated: July 2026

What we collect

Only what a page needs to work: contact form fields, assessment answers you submit, and account data if you create one. The free self-assessment needs no account.

Health data

Longitudinal screening (a future, opt-in feature) is treated as GDPR Article 9 data: stored in an isolated schema, encrypted at the application layer, and never shared with your organisation. An organisation can, at most, see anonymised aggregates above a k-anonymity threshold, and only with your explicit consent.

Your rights

You may request access, correction, export, restriction or erasure where applicable through the contact route. Athlete-account self-service controls are planned, not yet released. You may also complain to the CNIL or another competent supervisory authority.

Controller and processors

The final controller identity and GDPR contact will be inserted after the legal entity is incorporated; this is a public-launch blocker. The current development stack uses Supabase and Vercel. Optional payment, email and monitoring processors will be listed only when activated and contracted.

Retention

Screening data: a future opt-in feature with a proposed rolling 24-month default. Security logs: proposed 12 months. Certification decision records: 10 years for award traceability. Formal assessment answers and audit evidence: award cycle plus 3 years. Legal holds or active disputes may require a documented exception.