MindKonnect Privacy Policy

Effective Date: [13.10.2025] | Last Updated: [13.10.2025]

1. Who We Are

MindKonnect Ltd (“MindKonnect”, “we”, “us”, “our”) is a UK-registered digital mental health platform that enables adults to complete a self-assessment and, where appropriate, connect with a mental health professional of their choice for remote video consultation. We also offer interactive tools and a rich content library containing self-help guides.

We are committed to protecting your privacy and handling your personal data in a fair, transparent, and secure way. This Privacy Policy explains what data we collect, how we use it, and your rights under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and, where applicable, the EU GDPR.

We are the data controller for the personal data we collect and process through our platform, website, and related services.

Contact details:
MindKonnect Ltd
[Registered address]
Email: privacy@mindkonnect.com
Telephone: [Insert number]

If you have questions about this policy or how we handle your data, contact our Privacy Lead at the above email. If we appoint a Data Protection Officer (DPO), their details will be published here.

2. Scope

Our services are intended for adults aged 18 and over. We do not knowingly collect personal data from children. If we discover that we have inadvertently collected data from a child, we will delete it promptly.

3. What Data We Collect

We may collect and process the following personal data:

a) Account & Identity Data

  • Name, date of birth, gender, contact details.

b) Health & Assessment Data (special category data)

  • Relevant medical history (if inputted or sourced from approved repositories).
  • Responses to our two-stage mental health self-assessment.
  • Information provided during telehealth consultations.
  • Notes or summaries created by clinicians and the platform.
  • Triage information and severity scores.

c) Technical & Usage Data

  • Login and security credentials.
  • IP address, device information, browser, operating system.
  • App usage statistics, interaction logs, engagement data (including cookies).

d) Appointment Data

  • Specialist selection, schedules, feedback.

e) Payment Data

  • Billing address, payment method details (processed securely by our payment provider; we do not store full card details).

f) Communications

  • Messages sent via our platform, interactions with support, survey responses.

4. Lawful Basis for Processing

We process your data on one or more of the following lawful bases:

  • Consent (e.g., for accessing and using services, marketing).
  • Contract (e.g., delivering platform services).
  • Legal obligation (e.g., regulatory or safeguarding requirements).
  • Legitimate interests (e.g., platform improvement, user safety).
  • For special category health data, explicit consent or provision of healthcare under Article 9(2)(h) GDPR.

5. How Your Data Is Used

| Purpose | Lawful Basis (Art. 6 UK GDPR) | Special Category Condition (Art. 9 UK GDPR) |
|---|---|---|
| Create and manage your account, verify identity, communicate updates | Contract (6(1)(b)) | Explicit consent (9(2)(a)) |
| Provide self-assessment and telehealth services, connect with chosen professionals | Contract; Legitimate interests | Explicit consent; provision of health care (9(2)(h)) |
| Process payments | Contract; Legal obligation | N/A |
| Improve and personalise services, including AI-assisted features | Legitimate interests | Explicit consent |
| Conduct research and service evaluation | Legitimate interests; Consent | Explicit consent; public interest in public health (9(2)(i)) |
| Comply with legal/regulatory obligations | Legal obligation | Necessary for legal claims (9(2)(f)) |
| Safeguarding and risk prevention | Vital interests | Provision of health care; legal claims |
| Offer relevant self-help resources and wellbeing tools | Legitimate interests; Consent | Explicit consent; provision of health care (9(2)(h)) |

We will always explain when providing data is optional and the consequences of not providing it.

6. Sharing and Disclosure

We may share your personal data:

  • With authorised MindKonnect staff and approved suppliers (e.g., software developers, support staff) strictly as necessary for service delivery.
  • With healthcare professionals chosen by you.
  • With payment processors, cloud hosts, or regulatory advisors.
  • With regulators (e.g., ICO, CQC) where legally required.
  • If required by law, safeguarding, or public interest (e.g., NHS partners, Care Quality Commission).
  • With research partners (only with your explicit consent and in anonymised or pseudonymised form).

We do not sell personal data or use it for third-party marketing without explicit consent.

7. Data Security

We employ strong organisational and technical safeguards:

  • Encryption of personal data in transit and at rest.
  • Access control and role-based permissions.
  • Secure cloud hosting compliant with ISO 27001.
  • Regular security audits, penetration testing, and monitoring.
  • Incident and breach notification protocols.
  • Staff training on data protection and confidentiality.

8. International Transfers

Where data may be processed or stored outside the UK/EEA, we use robust contracts and safeguards to protect your rights, such as:

  • UK International Data Transfer Agreement (IDTA).
  • Adequacy decisions recognised by the UK or EU.

9. Data Retention

We keep your personal data only as long as necessary for the purposes described:

  • Account and health data: Mental health records and assessments are retained for 20 years after last contact, or 10 years after death in England & Wales, 8 years after death in Northern Ireland, or 3 years after death in Scotland.
  • Payment records: Retained for 6 years for tax and accounting compliance.
  • Anonymised data: May be retained indefinitely for research and statistical purposes.

(Source: BMA guidance on retention of health records)

10. Your Rights

You have rights under UK GDPR to:

  • Access your data (subject access request).
  • Rectify inaccurate information.
  • Request erasure (“right to be forgotten”) subject to lawful retention.
  • Restrict or object to processing (including withdrawal of consent).
  • Receive your data in a reusable format (data portability).
  • Withdraw consent at any time (without affecting prior lawful processing).
  • Raise complaints to MindKonnect’s appointed contact or the ICO.

To exercise your rights, contact us at privacy@mindkonnect.com. You also have the right to complain to the ICO: www.ico.org.uk.

11. Automated Decision-Making and Profiling

Some features may use AI or algorithmic processes to personalise your experience or triage severity. You have the right to request human intervention, express your point of view, and contest any automated decision.

Our platform may use automated processes to:

  • Provide triage scoring based on your self-assessment.
  • Suggest relevant mental health resources or professionals.

12. Cookies and Website Analytics

Our website/app uses cookies and similar technologies to operate our services, for analytics, and to optimise user experience. You will be asked to give consent via our cookie banner and can opt out at any time. See our Cookie Policy for details.

13. Children’s Data

Our platform is for adults aged 18+. We do not knowingly collect data from children.

14. DPO / Privacy Lead Statement

We have assessed our obligations under UK GDPR Article 37 and will appoint a Data Protection Officer when our processing meets the large-scale special category data threshold. In the meantime, we have designated a Privacy Lead to oversee compliance.

15. Changes to This Policy

We may update this policy from time to time. The latest version will always be available on our website, with the “last updated” date shown. Significant changes will be communicated via our platform.