Privacy Policy
Thank you for using the services offered by Heart & Mind Technologies, Inc. (“Company,” “we,” “us,” or “our”). We are committed to protecting the privacy and security of the information entrusted to us by our business customers and their end users. This Privacy Policy explains how we collect, use, disclose, and safeguard information in connection with our software-as-a-service (“SaaS”) platform and related services (collectively, the “Services”).
Please read this Privacy Policy carefully. By accessing or using our Services, you agree to the collection and use of information in accordance with this policy. If you are accessing or using our Services on behalf of a business or other entity, you represent and warrant that you have the authority to bind that entity to this Privacy Policy.
IMPORTANT NOTICE REGARDING HEALTH INFORMATION: Our Services may process health and sensitive personal information. We take the protection of such information very seriously and implement additional safeguards as described in Section 5 of this Policy. If your organization is subject to the Health Insurance Portability and Accountability Act (“HIPAA”), please contact us to execute a Business Associate Agreement (“BAA”) before transmitting any Protected Health Information (“PHI”) through our Services.
1. Information We Collect
We collect information in the following categories:
1.1 Account and Contact Information
When you or your organization registers for our Services, we collect:
- Full name
- Job title
- Business email address
- Organization name and billing address
- Phone number (optional)
- Payment and billing information (processed securely via third-party payment processors)
1.2 Usage and Analytics Data
We automatically collect certain information about how you and your users interact with our Services, including:
- Log data (IP addresses, browser type, pages visited, timestamps, referring URLs)
- Device and system information (operating system, screen resolution, hardware identifiers)
- Feature usage patterns and clickstream data
- Performance metrics and error reports
- Session duration and frequency of use
1.3 Health and Sensitive Personal Information
Depending on how your organization configures and uses the Services, we may process health-related or otherwise sensitive personal information on your behalf, including:
- Mental health or behavioral health information
- Other categories of sensitive personal data as defined by applicable law
We process this information solely as a data processor acting on your instructions, under your organization’s privacy notice and applicable agreements with us, including any Business Associate Agreement. We do not use sensitive health information for our own commercial purposes.
1.4 Information You Provide Directly
You may provide us additional information when you:
- Submit support tickets or communicate with our team
- Participate in surveys, research, or feedback programs
- Upload files, documents, or data to the Services
2. How We Use Your Information
We use the information we collect for the following purposes:
2.1 Providing and Improving the Services
- To create, operate, and maintain your account and access to the Services
- To process transactions and deliver features you request
- To diagnose technical issues and improve performance and reliability
- To develop new features, products, and enhancements
- To conduct internal research and analytics on aggregate, de-identified data
2.2 Communication and Support
- To respond to your inquiries, support requests, and feedback
- To send transactional communications (e.g., account notices, security alerts)
- To send service-related updates, product announcements, and marketing communications (where permitted by law and subject to your opt-out rights)
2.3 Legal and Compliance
- To comply with applicable laws, regulations, and legal obligations
- To detect, prevent, and address fraud, abuse, or security incidents
- To enforce our Terms of Service and other agreements
- To protect the rights, safety, and property of our company, customers, and others
3. How We Share Your Information
We do not sell your personal information. We may share information in the following limited circumstances:
3.1 Service Providers
We share information with trusted third-party vendors who assist us in operating the Services, such as cloud hosting providers, analytics platforms, payment processors, email delivery services, and customer support tools. These vendors are contractually obligated to use your information only as directed by us and in accordance with this Policy.
3.2 Business Transfers
In connection with a merger, acquisition, financing, or sale of all or a portion of our business assets, your information may be transferred to the successor entity. We will provide notice of any such change and the choices available to you.
3.3 Legal Requirements
We may disclose your information if required to do so by law or in the good faith belief that such disclosure is necessary to: (a) comply with a legal obligation; (b) protect and defend our rights or property; (c) prevent or investigate possible wrongdoing in connection with the Services; or (d) protect the safety of users or the public.
3.4 With Your Consent
We may share your information with third parties when you give us explicit consent to do so.
4. Cookies and Tracking Technologies
We use cookies, web beacons, and similar tracking technologies to operate and improve the Services. Specifically, we use:
- Strictly necessary cookies: Required for the Services to function (e.g., authentication tokens, session management). These cannot be disabled.
- Analytics cookies: Help us understand how users interact with the Services (e.g., Google Analytics, Mixpanel, or similar). These may be disabled through your browser settings or our cookie preference center.
- Preference cookies: Store your settings and preferences for future visits.
You can control cookie settings through your browser or our cookie preference center. Please note that disabling certain cookies may affect the functionality of the Services.
5. Health Information and HIPAA Compliance
Heart & Mind Technologies, Inc. understands the sensitivity of health-related data and the legal obligations our customers may have under the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and analogous state and international health privacy laws.
5.1 Business Associate Obligations
If your organization is a HIPAA-covered entity or business associate and you use our Services to create, receive, maintain, or transmit Protected Health Information (“PHI”), you must execute a Business Associate Agreement (“BAA”) with us prior to using the Services for that purpose. Please contact us at privacy@heartmindtech.com to request a BAA. Without a signed BAA in place, you may not transmit PHI through our Services.
5.2 Security Measures for Health Data
For customers with a BAA in place, we implement additional administrative, physical, and technical safeguards for PHI, including:
- Encryption of PHI in transit and at rest using industry-standard protocols (TLS 1.2+ / AES-256)
- Access controls and audit logging for all access to PHI
- Regular security risk assessments and vulnerability management
- Employee training on HIPAA requirements and data handling obligations
- Breach notification procedures consistent with HIPAA requirements
5.3 Limited Use of Health Information
We will not use or disclose PHI for any purpose other than as permitted or required under the BAA, as required by law, or as authorized in writing by the covered entity. We do not use PHI to train machine learning models or for any advertising or marketing purposes.
6. Data Security
We implement a comprehensive information security program that includes administrative, technical, and physical safeguards designed to protect your information from unauthorized access, use, alteration, or destruction. Key measures include:
- Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256)
- Role-based access controls and the principle of least privilege
- Multi-factor authentication for access to production systems
- Regular penetration testing, vulnerability scanning, and security audits
- Incident response and breach notification procedures
- SOC 2 Type II audit program (or equivalent)
Despite our best efforts, no security measures are 100% infallible. In the event of a data breach affecting your information, we will notify you in accordance with applicable legal requirements.
7. Data Retention
We retain your information for as long as your account is active or as necessary to provide the Services. We also retain information as required to comply with legal obligations, resolve disputes, enforce agreements, and support our legitimate business operations.
Upon termination of your account or at your request, we will delete or de-identify your personal information within 90 days, subject to exceptions required by law or our standard backup and audit log retention schedules. Please contact us if you have specific retention requirements.
8. Your Rights and Choices
Depending on your jurisdiction and applicable law, you and the individuals whose data you manage through our Services may have certain rights regarding personal information. As a B2B customer (data controller), you are responsible for honoring data subject rights requests from your end users. We will cooperate with you to fulfill such requests as required by applicable law.
Rights that may be available include:
- Access: The right to request a copy of the personal information we hold about you.
- Correction: The right to request correction of inaccurate or incomplete data.
- Deletion: The right to request deletion of your personal information, subject to certain exceptions.
- Portability: The right to receive your data in a structured, machine-readable format.
- Restriction: The right to request that we restrict processing of your data in certain circumstances.
- Objection: The right to object to processing based on our legitimate interests.
- Opt-Out of Marketing: You may opt out of marketing communications at any time by clicking “unsubscribe” in any email or contacting us directly.
To exercise these rights, please contact us at privacy@heartmindtech.com. We will respond to your request within the timeframe required by applicable law (generally 30 days). We may need to verify your identity before processing certain requests.
9. International Data Transfers
Our Services are operated in the United States. If you or your users are located outside the United States, please be aware that information we collect may be transferred to, processed, and stored in the United States or other countries where our service providers operate. These countries may have data protection laws that differ from those in your jurisdiction.
Where required by applicable law (e.g., the EU General Data Protection Regulation (“GDPR”) or the UK GDPR), we implement appropriate safeguards for international transfers, such as Standard Contractual Clauses (“SCCs”), the UK International Data Transfer Agreement (“IDTA”), or other approved transfer mechanisms. Please contact us to request a copy of the relevant transfer safeguards. For additional information specific to European data transfers, please see Section 13.5 of this Policy.
10. Children’s Privacy
Our Services are designed for use by businesses and are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently received personal information from a minor, please contact us immediately at privacy@heartmindtech.com and we will promptly delete such information.
11. Third-Party Services and Links
Our Services may contain links to or integrations with third-party websites, platforms, or services (e.g., SSO providers, CRMs, or analytics tools). This Privacy Policy does not apply to the privacy practices of those third parties. We encourage you to review the privacy policies of any third-party services you connect to or use in conjunction with our Services.
We are not responsible for the privacy practices, content, or security of third-party services.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:
- Posting a notice on our website or within the Services; and/or
- Sending an email to the address of the Company Admin associated with your account.
Your continued use of the Services after the effective date of any update constitutes your acceptance of the revised Privacy Policy. We encourage you to review this Policy periodically.
13. European Privacy Rights (GDPR / UK GDPR)
This section applies to individuals located in the European Economic Area (“EEA”), the United Kingdom (“UK”), and Switzerland (collectively, “Europe”). If you are such an individual, or if your organization processes personal data on behalf of such individuals, the following additional terms apply in addition to the rest of this Privacy Policy.
13.1 Our Role as Controller and Processor
Heart & Mind Technologies, Inc. acts as a data controller when we collect and process information about your organization’s account representatives and contacts (e.g., names, email addresses, billing information). We act as a data processor when we process personal data on behalf of your organization as part of delivering the Services. In the latter case, your organization is the data controller and is responsible for ensuring a lawful basis exists for that processing.
13.2 Legal Bases for Processing
Where we act as a data controller, we rely on the following legal bases under Article 6 of the GDPR to process your personal data:
- Performance of a contract (Article 6(1)(b)): Processing necessary to provide the Services you have subscribed to, including account management, billing, and customer support.
- Legitimate interests (Article 6(1)(f)): Processing for purposes such as improving our Services, preventing fraud and abuse, conducting analytics, and communicating about relevant product updates. We conduct a Legitimate Interests Assessment (LIA) for each such purpose. You may request a copy by contacting us.
- Compliance with a legal obligation (Article 6(1)(c)): Processing necessary to comply with applicable laws and regulations, such as tax, financial reporting, and data breach notification obligations.
- Consent (Article 6(1)(a)): Where we rely on consent (e.g., for certain marketing communications or non-essential cookies), you may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
13.3 Special Categories of Personal Data
Where our Services are used to process special categories of personal data under Article 9 GDPR (including health data, mental health information, or other sensitive categories), we do so only:
- On the basis of your explicit consent (Article 9(2)(a)), where applicable; or
- For the purposes of preventive or occupational medicine, medical diagnosis, or the provision of health care (Article 9(2)(h)), where applicable; or
- As otherwise permitted under Article 9(2) or applicable Union or Member State law.
Your organization, as data controller, is responsible for identifying and documenting the appropriate legal basis for processing special category data through the Services.
13.4 Enhanced Data Subject Rights
In addition to the rights described in Section 8 of this Policy, individuals in Europe have the following rights under the GDPR and UK GDPR:
- Right of access (Article 15): You may request confirmation of whether we process your personal data and, if so, a copy of that data along with supplementary information about how it is used.
- Right to rectification (Article 16): You may request correction of inaccurate personal data without undue delay.
- Right to erasure / ‘right to be forgotten’ (Article 17): You may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where you have withdrawn consent and there is no other legal basis for processing.
- Right to restriction of processing (Article 18): You may request that we restrict processing of your data in certain circumstances, such as while a dispute over accuracy is resolved.
- Right to data portability (Article 20): You may receive your personal data in a structured, commonly used, machine-readable format, and transmit it to another controller, where the processing is based on consent or contract and carried out by automated means.
- Right to object (Article 21): You may object at any time to processing of your personal data based on our legitimate interests or for direct marketing purposes. We will cease such processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
- Rights related to automated decision-making (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects. We do not currently engage in solely automated decision-making of this nature, but will notify you if this changes.
To exercise any of the above rights, please contact us at privacy@heartmindtech.com. We will respond without undue delay and within one month of receipt of your request (extendable by a further two months in complex cases, with notice). We will not charge a fee for reasonable requests, but may charge a reasonable administrative fee for manifestly unfounded or excessive requests.
13.5 Data Transfers Outside of Europe
When we transfer personal data from the EEA, UK, or Switzerland to countries not recognized as providing an adequate level of data protection (including the United States), we rely on appropriate safeguards, which may include:
- Standard Contractual Clauses (SCCs) approved by the European Commission or, for UK transfers, the International Data Transfer Agreement (IDTA) or Addendum approved by the UK Information Commissioner’s Office (ICO);
- An adequacy decision issued by the European Commission or the UK Secretary of State; or
- Other approved transfer mechanisms as permitted under Chapter V of the GDPR.
You may request a copy of the applicable transfer safeguards by contacting us at privacy@heartmindtech.com. We also conduct Transfer Impact Assessments (TIAs) as required under applicable guidance to evaluate the risks of international transfers.
13.6 Data Protection Officer (DPO)
We have appointed a Data Protection Officer (DPO) as required under Article 37 of the GDPR. Our DPO can be contacted at:
Data Protection Officer
Email: privacy@heartmindtech.com
13.7 EU Representative
If Heart & Mind Technologies, Inc. is not established in the European Union but processes the personal data of individuals in the EU in a manner subject to Article 3(2) of the GDPR, we are required to designate an EU representative pursuant to Article 27 of the GDPR. Our EU representative is:
EU Representative Name and Contact Details — To Be Determined Shortly
Contact privacy@heartmindtech.com for updated information.
For UK GDPR purposes, our UK representative is:
UK Representative Name and Contact Details — To Be Determined Shortly
Contact privacy@heartmindtech.com for updated information.
13.8 Right to Lodge a Complaint
If you believe that our processing of your personal data violates applicable data protection law, you have the right to lodge a complaint with the competent supervisory authority in the EU Member State of your habitual residence, your place of work, or the place of the alleged infringement. In the UK, the competent authority is the Information Commissioner’s Office (ICO) at ico.org.uk. A list of EU supervisory authorities is available at edpb.europa.eu.
We encourage you to contact us first at privacy@heartmindtech.com so that we have the opportunity to address your concerns before you escalate to a supervisory authority.
13.9 Records of Processing Activities
In accordance with Article 30 of the GDPR, we maintain records of processing activities carried out on our own behalf (as controller) and, where required, on behalf of our customers (as processor). Customers subject to Article 30 obligations may request the relevant processing records applicable to their use of the Services.
13.10 Data Protection Impact Assessments (DPIAs)
Where processing is likely to result in a high risk to the rights and freedoms of natural persons (e.g., large-scale processing of special category data), we conduct Data Protection Impact Assessments (DPIAs) in accordance with Article 35 of the GDPR. We will cooperate with customers who need to conduct their own DPIAs relating to their use of our Services.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
For EU/EEA residents, you also have the right to lodge a complaint with your local supervisory authority.