Mendi Innovation AB (hereinafter also referred to as “us”, “we”, “our” and “Mendi”) respects your privacy and is committed to protecting your personal data. “Personal data” means any information relating to an identified or identifiable natural person.
This privacy notice aims to give you information on how we collect and process your personal data when you visit or use our mobile app (the “App”) and through the usage of Mendi’s headset sensor, including any data you may provide through any of the mentioned means, and to inform you about your privacy rights and how the law protects you.
Users under the age of 16 years may not create, register or use a Mendi account without a parent's or guardian’s permission and supervision.
The information provided does not concern third-party websites, pages or services that can be accessed via hyperlinks on the App. Clicking on those hyperlinks may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy policies.
Who we are
Scope of the processing
We process personal data only to the extent necessary to provide a functional App. As a rule, the processing of personal data takes place only with the consent of the data subject or based on other legal provisions that permit data processing (for more information see the section “Purpose/Activities and Legal Basis”).
Personal data may be integrated into the App either manually or automatically by you, or directly collected by us through the Mendi headset sensor. Personal data also includes personal data of a special category (health data) in accordance with Art. 9 GDPR.
What data we process
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data for which it is no longer possible to trace the data subject to whom this data relates (anonymous data).
Whenever you access or use our Services, we may process (e.g. collect, use, store, transfer) different kinds of personal data about you which we have grouped together as follows:
Identification Data and Personal Characteristics
When you use our Services, we process certain of your: Identification Data (Email, Username, Phone Number, Country, City, Date of birth, User ID, IP addresses); Personal Characteristics (weight, height, and gender).
Mendi Headset Collected Data
When you use the Mendi headset, we mainly collect data on the levels of blood oxygenation in a specific part of your brain called the prefrontal cortex. In order to get a high quality and reliable signal, we also collect data such as your head movements, heart rate variability and calibrate the signal based on the brightness of your skin (technically speaking, the light that reflects back into the receptor of the Mendi device) during a Mendi session.
Wellness Data and Measurements
Mendi Headset Collected Data is used to determine the level of blood oxygenation in your prefrontal cortex (PFC), necessary to provide you with profiled neurofeedback brain training with lifestyle recommendations. This data is the output data generated from providing the Services as opposed to what we collect.
When you use the Mendi App, we occasionally ask you to provide us with feedback about your general wellness, based largely on the WHO-5 survey format, in order to monitor how Mendi is improving your overall brain health and well-being. This user feedback is completely optional.
When you use our Services, our servers automatically record certain information about how a person uses our Services, whether through the use of log files or scripts, including without limitation device carrier-related information, configuration information, information about your interaction with our Services and your usage patterns, and device information (e.g. phone model, phone version, phone OS, phone brightness, battery level).
Aggregated and anonymous Data
We also collect, use and share Aggregated Data such as statistical or demographic data.
Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website feature.
How we use your personal data
We use the Personal Data you provide or which we collect mainly for the following purposes:
PROVIDE THE SERVICE
- Purpose: provide you the service as described in our terms and conditions (i.e. Creation of User Account; Provision of exercises and lifestyle recommendations based on your brain activity Measurements; Creation of potential wellness status measurements based on the analysis of the levels of your brain’s blood oxygenation).
- Types of data: Identification Data (Email, Username, Phone Number, Country, City, Date of birth, IP addresses), Personal Characteristics (weight, height, and gender); Sensitive data - Health data (Levels of blood oxygenation in the brain, Head movements during the session, Heart rate variability and skin colour, Measurements of your potential wellness status based on the analysis of the levels of blood oxygenation);
- Legal Basis (relevant to the GDPR): The processing of personal data is based on Art. 6 (1) (a) GDPR (your consent) and Art. 6 (1) (b) GDPR (the necessity of the processing for the performance of the contract). The legal basis for the processing of sensitive data (Mendi Headset Collected Data, Wellness Data and Measurements) is Art. 9 (2) (a) GDPR, i.e. your explicit consent.
- Retention Period: Your personal data is stored for this purpose for 60 days after your user account is deleted or the termination of the service provision (it could be extended to 3 months in case of justified necessity).
Safety and Security
If necessary, we may use your personal data to promote the safety and security of our services and our users. We may use your personal data to monitor operations, authenticate users, detect and protect against fraud and other criminal activity and enforce our Terms and Conditions and other policies. We will rely on our legitimate interests when processing personal data in detecting and preventing fraud and illegal conduct or, if necessary, for complying with a legal obligation to which we are subject.
Manage and Defend Legal Claims
If necessary, we may use your personal data to manage and defend legal claims, e.g. in connection with a dispute or a court proceeding. We will in such case process the personal data collected which is necessary in order to manage and defend the legal claim in question. The processing is based on our legitimate interest in managing and defending legal claims. Your personal data is stored for this purpose for such a period as is necessary in order to manage or defend the legal claim.
For this purpose, we may also share certain information with other parties; please see below.
Fulfill Legal Obligations
Finally, we may use your personal data to fulfill legal obligations that we have, e.g. accounting requirements or obligations under data protection laws. We will in such case process the personal data collected which is necessary in order to fulfill the legal obligation in question. Your personal data is stored for such a period as is necessary in order to fulfill the respective legal obligations.
For this purpose, we may share your personal data with other parties, see below.
How we collect your data
We use different methods to collect data from and about you including through:
- Direct interactions: You may give us your personal data (sensitive data included) by filling in forms or by corresponding with us by post, email or otherwise. This includes personal data you provide when you:
  - use our products or Services - When you use our Services, we may receive or collect information or data about you or relating to you such as product reviews, comments, etc.
  - create an account on our App - Depending on the jurisdiction in which you are based, you may be required to provide log-in information to use our Services and create an account to access the full features of our Services, which may include your Email, Username, Phone Number, Country.
  - give us feedback or contact us - Any information that you provide to our customer support team from the correspondence that you send to us, any conversations you have with us and any feedback that you give us.
- Third parties: We may receive personal data about you from third parties.
How we share your data
We will only share your personal data in connection with providing you with the service as agreed per our Terms and Conditions.
In general, we do not disclose the personal data about you to third parties without your consent or otherwise as specified in this policy.
The circumstances in which we may disclose or share your personal data under this policy, include as follows:
- Lawful requests: we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
- Third party service providers: we may use third party service providers to provide certain data processing services for us (acting as our authorized data processors), such as:
  - analytics service providers;
  - contact, financial and transaction data from providers of technical, payment and support or delivery services (if applicable); and
  - data hosting service providers.
When acting as our authorized data processors, they are required to only process data in accordance with our instructions and are subject to appropriate legal, confidentiality and security obligations.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. Our third-party service providers may only process your personal data for specified purposes and in accordance with our instructions and are not permitted to use your personal data for their own purposes.
We do not transfer your personal data outside the European Economic Area (EEA).
Processing of personal data outside the EU or the EEA will only take place on the basis of an adequacy decision of the European Commission or, where no adequacy decision is in place (e.g. the US), in accordance with standard contractual clauses approved by the European Commission and appropriate safeguards.
How we protect your data
We keep your data safe by adopting best practices and the highest standards of security. All data handling is GDPR (General Data Protection Regulation) compliant.
All required technical and organisational security measures have been adopted.
We take various steps to protect your Personal Data from unauthorized access, use or modification and unlawful destruction and disclosure, for example:
- we adopt encryption technology (such as SSL) to transfer and store your Personal Data;
- we limit the access to your Personal Data on a strict need-to-know basis;
- we put in place physical, electronic, and procedural safeguards in line with industry standards.
Please be aware that, despite our efforts, we do not warrant or guarantee that unauthorized access will never occur as no method of transmitting or storing information is completely secure.
We have adopted appropriate procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
DATA RETENTION AND STORAGE
In principle, unless otherwise stated, your personal data will only be stored until the purpose of the collection and storage no longer applies. In accordance with your consent, data may also be stored for longer, as long as you do not withdraw your consent.
Furthermore, data may be stored if this has been provided for by the competent legislator in laws, regulations or other rules to which we are subject. Data will also be blocked or deleted if a storage period prescribed by the aforementioned rules expires, unless there is a need to continue storing the data for the purpose of concluding or fulfilling a contract.
In the event of termination - for whatever reason - of the agreement between the user and the provider, the provider shall keep all content, information and (personal) data uploaded by the user available for retrieval by the user for a further 60 days (it could be extended to 3 months in case of justified necessity) after termination. After expiry of this period, the aforementioned content will be irrevocably deleted or anonymized in accordance with data protection regulations.
We will retain your Personal Data for as long as is reasonably necessary for the various purposes mentioned above or to otherwise comply with any applicable laws and regulations concerning the mandatory retention of specific types of Personal Data.
All personal data processed and collected to provide our Services outside of the device in which the App is installed is stored in cloud service providers managed by us.
All personal data is stored in cloud service providers located in the European Economic Area (EEA).
Under certain circumstances, you have certain rights under data protection laws in relation to your personal data:
TO BE INFORMED
TO ACCESS YOUR PERSONAL DATA
You have the right to request access to your personal data and request a copy of your personal data that we store. If you have created a user account, you can view certain information directly from our Services on your user interface or by sending us a specific request.
TO UPDATE YOUR PERSONAL DATA
You have the right to request that personal data that is incorrect or incomplete is corrected or completed. If you have created a user account, you can update certain information directly in your account or by sending us a specific request.
TO WITHDRAW CONSENT
If we rely on your consent to the use of your personal data you have the right to, at any time, withdraw your consent. The consent withdrawal does not affect the legality of the processing carried out previously on the basis of the consent.
TO DELETE YOUR PERSONAL DATA (RIGHT TO BE FORGOTTEN)
You can at any time request that your user account is deleted. Moreover, under certain circumstances, you have the right to request that your personal data shall be deleted.
Please note that if you request us to remove your Personal Data, you may not be able to use our Services.
We may, however, still need to keep your personal data if we are obligated to keep certain data in order to fulfill legal obligations or to manage or defend legal claims.
TO RESTRICT THE USE OF YOUR PERSONAL DATA
You have, under certain circumstances, the right to request that the use of your personal data is restricted. If you have requested restriction of the use of your personal data, please note that you cannot use the platform during the time that the use of your personal data is restricted.
TO OBJECT TO THE USE OF YOUR PERSONAL DATA
Certain use of your personal data may be based on our or others’ legitimate interest. You have the right to object to the use of your personal data based on a legitimate interest for reasons which concern your particular situation. In such a situation, we will stop using your personal data where the use is based on a legitimate interest, unless we can show that the interest overrides your privacy interest or that the use of your personal data is necessary in order to manage or defend legal claims.
NOT TO BE SUBJECT TO A DECISION BASED SOLELY ON AUTOMATED DECISION-MAKING
You may have the right not to be subject to such automated decision-making about you, unless: (a) you gave us your explicit consent to use your personal data to make our decision; (b) we are allowed by law to make our decision; or (c) our automated decision was necessary to enable us to enter into a contract with you.
TO TRANSFER YOUR PERSONAL DATA (DATA PORTABILITY)
You have the right to obtain a copy of certain information that you have provided to us in a structured machine-readable format which allows you to transfer the data to another recipient.
How to complain
If you have any concerns about our use of your personal information, you can make a complaint to us at the email address below.
As a data subject, you have a right to lodge a complaint with the competent supervisory authority under the conditions provided in Article 77 GDPR or seek a remedy in the national courts if you think that your rights in relation to your personal data have been breached. However, we would be grateful if you could give us the opportunity to address your complaint in the first instance by using the contact details provided at the end of this policy.
If you have questions, suggestions, or concerns about this Policy, or about our use of your Personal Data, please contact us at firstname.lastname@example.org.
Mendi Innovation AB
Birger Jarlsgatan 57
113 56 Stockholm
Responding to Your Requests
Subject to applicable law, we reserve the right to charge a fee for requests that are duplicative or require excessive technical means (for example, developing new systems or fundamentally changing current practices).
In certain situations, we may not be able to respond to your request. These situations may include, without limitation, situations:
- relating to national security and national defense security;
- relating to public safety, public health, and major public interests;
- relating to criminal investigation, prosecution and trial;
- where there is sufficient evidence that you do not have good faith intentions or you may abuse rights; and
- where a response will result in serious damages to the legitimate rights and interests of you or other individuals and organizations.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Updates to this policy
This version was last updated on March 9, 2021.