By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Cookie Policy for more information.
PreferencesDenyAccept

Privacy Policy

We, MYNDUP Limited a company registered in England and Wales (Company Number: 12419200) having our registered office at 66 Paul Street, London, United Kingdom, EC2A 4NA (we or us) respect your privacy and are committed to protecting your personal data. This privacy policy aims to give you information on how we collect and process your personal data through your use of www.myndup.com, (Website), including any data you may provide through this Website and where you contact us by means other than through our Website, including where we provide services to you.

It is important that you read this privacy policy together with any other privacy policy or fair processing policy we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy policy supplements other notices we provide to you and is not intended to override them.

Please read this privacy policy carefully.

Scope of this privacy policy

  • This privacy policy applies only to the Website. It does not extend to any websites that can be accessed from the Website including, but not limited to, any links we may provide to social media websites.
  • We are the 'data controller' of the personal data we collect directly from you (such as your account details, booking information, and engagement communications). This means that we determine the purposes for which, and the manner in which, this personal data is processed. Approved Practitioners are independent data controllers of Session content (clinical notes, assessments, and information disclosed during Sessions), and process this data under their own privacy notices in accordance with Article 9(2)(h) of the UK GDPR.

Contact us

We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this privacy policy and processing activity. If you have any questions about this privacy policy or our processing activity, including any requests to exercise your legal rights, please contact the DPO using the details set out below.

Name: Ryan Teixeira (DPO)

Email address: data@myndup.com

Postal address: 66 Paul Street, London, United Kingdom, EC2A 4NA

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

The Data we collect

  • We may collect the following personal data about you:
    • Identity Data: including your name; date of birth/age; gender; username or similar identifier, job title and profession;
    • Contact Data: including your email addresses;
    • Demographic Data: such as your region, preferences and interests;
    • Feedback Data: information you provide about your experiences;
    • Technical Data: including internet protocol (IP) address, your login data, browser type and version, time zone setting and location, operating system and platform, and other technology on the devices you use to access this Website; and
    • Marketing and Communications Data: including information about your marketing preferences.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.

Other than where you have provided your express consent for us to use your feedback in relation to your use of the services and how this has impacted your health, we do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

This Website is not intended for children and we do not knowingly collect data relating to children.

If you fail to provide personal data

Where we need to collect personal data by law, or under the terms of a relationship we have with you, and you fail to provide that data when requested, we may not be able to perform the services we are to provide to you.

How we collect Data

  • When you register your account and provide your name, email address, and other account details;
  • When you book a Session, we collect information about your booking preferences and attendance;
  • When you interact with the Portal, we collect information about your usage (e.g. pages visited, features used);
  • When you provide feedback or respond to surveys;
  • Where your employer or another Customer has entered into an agreement with us to provide you with access to the Services, we collect limited HR data from the Customer (such as your name and work email address) for the purpose of enabling your access;
  • We use tools that allow us to visualise and map how users engage with our site with interactive heat-maps of users clicks and actions to better understand and improve the user experience;
  • We will collect your personal data automatically via cookies, in line with our cookies policy;
  • When you visit the Website. This information helps us to make improvements to Website content and navigation.

Our use of personal data

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

 
Purpose/Activity Type of data Lawful basis for processing including basis of legitimate interest
To register you as a new user (a) Identity (b) Contact Performance of a contract with you legitimate interests – to provide services to you to perform our contract with your employer
To send engagement and utilisation communications via email, SMS, WhatsApp or other messaging channels (e.g. reminders to book Sessions, tips on using the Portal, information about the benefits of the service) (a) Identity (b) Contact Legitimate interests – to promote the service and maximise your engagement, as authorised by your employer (where applicable under the B2B Agreement). You may opt out at any time.
To process and deliver our services to you, manage bookings of sessions or reply to your enquiry (a) Identity (b) Contact (c) Transaction legitimate interests – to provide services to you and to perform our contract with your employer
To manage our relationship with you which will include: (a) Notifying you about changes to our terms or privacy policy (b) Asking you to leave a review or take a survey (c) review your use of the Website (a) Identity (b) Contact (c) Demographic (d) Feedback (a) Necessary to comply with a legal obligation (b) Necessary for our legitimate interests (to keep our records updated and to study how our services are used)
To process your feedback (a) Feedback Data Legitimate interests – to improve our services and to provide aggregated, anonymised reports to our Customer (where applicable)
To administer and protect our business and the website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) (a) Identity (b) Contact (c) Technical (a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud) (b) Necessary to comply with a legal obligation
To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you (a) Identity (b) Contact (c) Demographic (d) Technical (e) Marketing Necessary for our legitimate interests (to study how our services are used, to develop them, to grow our business and to inform our marketing strategy)

Marketing

  • We distinguish between two types of email communications:
    • Service-related engagement communications: We rely on legitimate interests to send you engagement and utilisation communications (such as reminders to book Sessions, tips on using the Portal, or information about the benefits of the service). These communications are part of how we deliver and optimise the Services and are authorised by your employer (where applicable). You may opt out of these communications at any time by clicking the unsubscribe link in any email or by contacting us.
    • Other marketing communications: For marketing communications beyond the scope of the service, we will seek your explicit consent via an opt-in mechanism. You have the right to withdraw consent or object to marketing communications at any time. To find out how to withdraw your consent or object, see the section headed 'Your rights' below. If you prefer not to receive engagement and utilisation communications, you may opt out at any time by clicking the unsubscribe link in any email or by contacting us.

Data Roles and Processing

  • MYNDUP’s Processing: We process the following categories of personal data as an independent data controller:
    • Account and registration data (name, email address, username, password);
    • Booking data (dates, times, duration, attendance records);
    • Portal usage data (pages visited, features used, session duration);
    • Feedback and survey responses;
    • Engagement communications data (email opens, clicks, opt-outs).

We do not process special category data (health data). Session content is processed by the Approved Practitioner as an independent data controller and is not accessible to us.

  • Practitioners’ Processing:
    • Approved Practitioners process Session content (clinical notes, assessments, and information disclosed during Sessions) as independent data controllers under Article 9(2)(h) of the UK GDPR (provision of health or social care). Each Approved Practitioner maintains their own privacy notice, which will be made available to you before your first Session. For information about how practitioners process your Session data, please refer to the practitioner's privacy notice.
  • Your employer's processing (where applicable):
    • Where your employer has entered into a B2B Agreement with us, your employer is the data controller of your HR data (name, work email address, job title, department). We process this HR data as a data processor on your employer's behalf. For information about how your employer processes your personal data, please refer to your employer's privacy policy.

Who we share Data with

  • We may share your personal data with the following third parties:
    • approved practitioners who provide services on our behalf;
    • third party service providers, such as IT providers or third party resources ;
    • our professional advisers acting as processors or joint controllers including our DPO, lawyers, accountants and insurers;
    • third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets and therefore would require this information to continue the business. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice;
  • SMS/text messaging opt-in data and consent will not be shared with third parties for marketing or promotional purposes

Sub-Processors and International Data Transfers

  • Sub-Processors
    • A list of the sub-processors we use can be found here: https://www.myndup.com/legal/sub-processors-disclosure
    • We will notify you in advance of any changes to our sub-processor list. If you object to a new sub-processor, you may contact us within 10 business days of notification to raise your objection.
  • International Transfers
    • Your booking and administrative data may be transferred to, and stored in, countries outside the UK and EEA, including countries that may not have an equivalent level of data protection to the UK.
    • Where we make such transfers, we rely on appropriate safeguards such as Standard Contractual Clauses or adequacy decisions.
    • Session content is processed by the Approved Practitioner as an independent controller and may be transferred outside the UK and EEA in accordance with the practitioner's privacy notice and Article 9(2)(h). MYNDUP does not control or facilitate these transfers.

You can contact us at data@myndup.com if you have any questions about how your data is handled internationally.

Keeping Data secure

  • We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
  • We have the following technical and organisational measures in place to safeguard your personal data:
    • 2FA is used on all of our systems where applicable.
    • Our booking, scheduling and payment system is ISO 27001 compliant. Furthermore, the privacy of all internet communication between users and our customers and our system is secured by TLS 1.2.
    • access to your account is controlled by a password and a username that is unique to you.
    • we store your personal data on secure servers.
    • payment details are encrypted using SSL technology (typically you will see a lock icon or green address bar (or both) in your browser when we use this technology.
  • If you suspect any misuse or loss or unauthorised access to your personal data, please let us know immediately by contacting us via this email address: data@myndup.com.

.

Data retention

  • We retain your personal data for as long as necessary to provide the Services and to comply with our legal obligations. Specifically:
    • Account data: retained for the duration of your use of the service and for 12 months after termination, unless longer retention is required by law.
    • Booking and attendance data: retained for 7 years for accounting purposes.
    • Feedback and survey responses: retained for 2 years for service improvement purposes.
    • Portal usage data: retained for 13 months for analytics purposes.
    • Marketing and engagement data: retained for as long as you remain an active user; deleted within 30 days of account termination if you have not re-engaged.
    • Session content is retained by the Approved Practitioner in accordance with their own retention policy and professional obligations. MYNDUP does not retain Session content.

Following the expiry of the applicable retention periods, we may retain anonymised and aggregated information that no longer identifies individuals for analytics, historical reporting, service improvement, research, and business intelligence purposes

Your rights

  • Under UK GDPR, you have the following rights in relation to your personal data:
    • Right to access - You have the right to request a copy of the personal data we hold about you.
    • Right to rectification - You have the right to request that we correct any inaccurate or incomplete personal data.
    • Right to erasure (‘right to be forgotten’) - You have the right to request deletion of your personal data, subject to certain exceptions (e.g. where we need to retain it for legal compliance).
    • Right to request restriction of processing of your personal data - You have the right to request that we limit the processing of your personal data in certain circumstances.
    • Right to data portability - You have the right to request a copy of your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller
    • Right to object  - You have the right to object to processing of your personal data for marketing and engagement communications (see 'Opt-out' below). You may also have the right to object to other processing on grounds relating to your particular situation.
    • Right not to be subject to automated decision making - You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects.

How to exercise your rights: To exercise any of these rights, please contact us at data@myndup.com. We will respond to your request within 30 days (or such longer period as permitted by law).

Opt-out of engagement communications: You may opt out of engagement and utilisation communications at any time by clicking the unsubscribe link in any email or by contacting us at data@myndup.com. Opting out of these communications will not affect your ability to use the Services.

Complaints: If you are unhappy with how we are processing your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113. We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance by emailing data@myndup.com. We aim to acknowledge complaints within 30 days of receiving them.

Links to other websites

  • This Website may, from time to time, provide links to other websites. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We have no control over such websites and are not responsible for the content of these websites. This privacy policy does not extend to your use of such websites. You are encouraged to read the privacy policy or statement of other websites prior to using them.

Changes to this privacy policy and your information

  • We may update this privacy policy from time to time. Where we make a material change to how we process your personal data, we will notify you in advance and, where required by law, seek your consent. Your continued use of the Services following notification of a non-material update will constitute your acceptance of the updated privacy policy.
  • This privacy policy was last updated on 1 June 2026.
  • It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.