Legal
Privacy
How MindsMelt handles your data. In a mental-health product, this is not boilerplate—it is the product.
Last updated: July 2026
What we collect
Only what a page needs to work: contact form fields, assessment answers you submit, and account data if you create one. The free self-assessment needs no account.
Health data
Longitudinal screening (a future, opt-in feature) is treated as GDPR Article 9 data: stored in an isolated schema, encrypted at the application layer, and never shared with your organisation. An organisation can, at most, see anonymised aggregates above a k-anonymity threshold, and only with your explicit consent.
Your rights
You may request access, correction, export, restriction or erasure where applicable through the contact route. Athlete-account self-service controls are planned, not yet released. You may also complain to the CNIL or another competent supervisory authority.
Controller and processors
The final controller identity and GDPR contact will be inserted after the legal entity is incorporated; this is a public-launch blocker. The current development stack uses Supabase and Vercel. Optional payment, email and monitoring processors will be listed only when activated and contracted.
Retention
Screening data: a future opt-in feature with a proposed rolling 24-month default. Security logs: proposed 12 months. Certification decision records: 10 years for award traceability. Formal assessment answers and audit evidence: award cycle plus 3 years. Legal holds or active disputes may require a documented exception.