Privacy Policy

Mindset Health Pty Ltd (ABN: 11 617 368 957) ("Mindset Health", "we", or "us") is committed to protecting and respecting your privacy. We build clinically validated digital therapeutics for chronic conditions, delivered through our family of programs (Nerva, Relio, Evia, Claria) and our website, mindsethealth.com.

This Privacy Policy describes how we handle the personal information we collect in connection with our websites, apps, and related services (collectively, the "Services"). Unless specified below, "you" refers to users of our programs, website visitors, and anyone else who uses our Services. Our policy is written to be compliant with numerous national and international laws and frameworks, including HIPAA, the EU and UK GDPR, the Australian Privacy Act 1988 (Cth), and the EU-US Data Privacy Framework.

1. Purpose of this policy

We provide users with access to online and mobile services that deliver personalised, evidence-based programs for the self-management of chronic conditions, including (but not limited to) disorders of gut-brain interaction, menopausal symptoms, chronic pain, anxiety, and related conditions. The Services include the Mindset Health website, our product websites, and the mobile apps for each of our programs.

We collect and process your data in order to provide these programs, and to improve and support their delivery. We require consent from all users before processing their data. This consent can be withdrawn at any time. To request deletion of data, please send an email to hello@mindsethealth.com from the email associated with the data you wish to delete.

2. Personal information we collect

Information you provide

• Contact details, such as your name, phone number, and email and mailing address.
• Product usage information, such as the information you provide when you interact with our Services.
• Health information that you may choose to provide through your use of the Services. This may include self-reported symptoms or difficulties associated with the condition each program addresses, such as IBS and other gut-brain disorders, menopausal symptoms, chronic pain, smoking, mood, sleep, worry, anxiety, and stress. This information is used to personalise your program.
• Payment information needed to complete any purchases made through the Services (including name, payment card information, and billing information), and your transaction history. Payment information is processed by our third-party payment processor Stripe, in accordance with Stripe’s privacy policy and terms of service. We do not have access to payment card numbers.
• Communications that we exchange with you, including when you contact us with questions, feedback, or otherwise.
• Marketing preferences, such as your preferences for receiving communications about our Services and publications, and details about how you engage with our communications.

Information received from referring providers

We may receive limited personal information about you from a healthcare provider or clinic when they refer you to one of our programs. This information typically includes your name and email address, and may optionally include your date of birth and phone number. Your referring provider is responsible for obtaining your consent before sharing this information with us. We use this information solely to facilitate your enrolment in the relevant program and to contact you with onboarding instructions. We require our referring partners to confirm that they have obtained appropriate patient consent before submitting a referral.

Information we obtain from other sources

• Social media information. We maintain pages on social media platforms such as Facebook, Instagram, X, and LinkedIn. When you visit or interact with our pages on those platforms, you or the platforms may provide us with information through the platform.
• Third-party logins. When you link, connect, or log in to the Services with a third-party service (e.g. Auth0), you direct the service to send us information as controlled by that service or as authorised by you via your privacy settings at that service.
• Partner materials. We may receive de-identified materials from our partner clinics in order to improve the quality of our services. We require our partners to ensure that such material is de-identified before being provided to us. If we inadvertently receive personal or health information from a partner, we will treat this information in accordance with this Privacy Policy and applicable laws.

Automatically collected data

We and our service providers may automatically log information about you, your computer or mobile device, and your interaction over time with our Services, such as:

• Device data, such as your computer’s or mobile device’s operating system, manufacturer and model, browser type, IP address, unique identifiers, language settings, mobile device carrier, and general location information such as city, state or geographic area.
• Usage data, such as pages or screens you viewed, how long you spent on a page, browsing history, and access times.

We collect this information using cookies and similar technologies. Cookies are text files that websites store on a visitor’s device or in the browser to help you navigate between pages, remember your preferences, enable functionality, and help us understand user activity and patterns. For information about how to control cookies, see Your privacy rights and choices below or our website data protection policy.

Non-identifiable information

We may include your data in aggregated data sets shared with our research partners. In these sets, your data is not personally identifiable, and is used to support generalised statements (for example, "women aged 35–40 working in non-office jobs report the highest levels of worry").

3. How we use personal information

To provide the Services

• Enabling users to create an account in our apps and websites.
• Administering, hosting, and operating the Services.
• Communicating with you and responding to any inquiries you may have.
• Analysing your use of the Services to allow us to evaluate and improve them.

Research, development, benchmarking, and improvement

We may use personal information to analyse and improve the Services, identify trends, and operate and expand our business activities. We may also create aggregated, anonymised, or other de-identified statistics, which we may use for lawful business purposes including analytics, forecasting, and strategic planning.

Marketing and advertising

• Direct marketing. We may send direct marketing communications, including newsletters and publications, and notify you of promotions, offers and events via postal mail, email, telephone, text message, and other means.
• Interest-based advertising. We engage advertising partners, including third-party advertising companies and social media companies, to advertise our Services. See Your privacy rights and choices below.

Compliance and protection

We use personal information to enforce any applicable terms and conditions, comply with legal obligations, defend against legal claims or disputes, protect the security and integrity of our Services, and identify and investigate fraudulent, harmful, unauthorised, unethical or illegal activity.

4. AI and personalisation

We use artificial intelligence ("AI") services to personalise the coaching and educational experience within our programs. Specifically, we may process your symptom data, preferences, and program interactions through third-party AI services to tailor content, recommendations, and coaching to your individual needs.

Our AI service providers operate under data protection agreements and, where applicable, Business Associate Agreements that include obligations to protect the confidentiality and security of your information. Your data processed through AI services is used solely to personalise your experience within our programs and is not used by the AI service provider to train or improve their general-purpose AI models.

AI-generated content within our programs is designed to support your self-management and wellbeing. It does not constitute medical advice, diagnosis, or treatment. If you have concerns about your health, please consult a qualified healthcare professional. You may contact us if you wish to opt out of AI-personalised content. Please note that opting out may reduce the personalisation of your program experience.

5. How we share personal information

Mindset Health does not sell or rent your personal or health information. We follow a Minimum Necessary Access Policy so any required disclosure of your personal information is minimised. The following describe the ways in which we use your personal information and the rare instances that require us to disclose it to persons and entities outside of Mindset Health.

• Clinicians. We may share a user’s personal information with the user’s designated clinician at the user’s direction, including a log of events and other relevant personal information, to allow the clinician to provide appropriate assistance. A user can stop sharing information with a clinician at any time by deleting that clinician on the app.
• Service providers. We share personal information with companies and individuals that provide services on our behalf or help us operate our Services or our business (such as hosting, communications, data and cyber security, billing and payment processing, fraud detection and prevention, web and mobile analytics, email distribution, and customer relationship management).
• Advertising partners. We may share personal information that we collect on our website with third-party advertising companies (including for the interest-based advertising purposes described above), lead generation partners, and channel partners, resellers, and distributors.
• Professional advisors. We share personal information with professional advisors, such as lawyers, auditors, bankers and insurers, where necessary in the course of the professional services that they render to us.
• Authorities and others. We may share personal information with law enforcement, government authorities, and private parties, as we believe in good faith to be necessary or appropriate.
• Business transferees. We may share personal information with acquirers and other relevant participants in business transactions (or negotiations for such transactions) involving a corporate divestiture, merger, consolidation, acquisition, reorganisation, sale or other disposition of all or any portion of the business or assets of, or equity interests in, Mindset Health or our affiliates (including in connection with a bankruptcy or similar proceeding). We will ensure that information transferred to third parties will only be used in a way that is compliant with the EU-US Data Privacy Framework and the Privacy Act, and will remain liable in cases of onward transfers to third parties.
• Threat to health or safety. We may use and disclose your personal information when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure would only be to someone able to help prevent the threat.
• Personal representatives or persons involved with your care. We may use and disclose your personal information to anyone who has the legal right to act for you (your personal representative) or to a person involved in your care or who helps pay for your care, such as a family member, when you are incapacitated, in an emergency, or when you agree or fail to object when given the opportunity.
• Overseas disclosures. In some cases, we may disclose your personal information to third parties who are located in other jurisdictions, for example the United States. In such cases, we will take reasonable steps to ensure that such recipients do not use or disclose your personal information in a way that is inconsistent with our obligations under applicable privacy laws.

6. Your privacy rights and choices

Unsubscribe from direct marketing communications

You may opt out of marketing-related communications by following the opt-out or unsubscribe instructions contained in the marketing communication we send you. You may continue to receive service-related and other non-marketing communications.

Opt out of push notifications

If you opt in to receive push notifications within an app, we may send push notifications or alerts to your mobile device from time to time. You can deactivate push notifications and alerts at any time by changing your device settings, changing the push notification settings within the application, or deleting the app.

Access, correction, and deletion

Depending on where you reside, you may have the right to obtain information about how we collect, use, and share your personal information; to request access to your personal information; to correct personal information that is out of date or inaccurate; and to delete personal information that is no longer needed for a permitted purpose. Where these rights apply, you are entitled to exercise them free from discrimination. To exercise these rights, please contact us as provided in Contact us below.

Sharing of personal information and targeted advertising

We use cookies on our website to help us advertise our Services on other websites you might visit. We may share information we collect, such as information about the pages you visit on our website and your purchases, with our advertising and channel partners to support our interest-based advertising, which may qualify as a sale or sharing of personal information, or targeted advertising, under applicable law. See Opt out of interest-based advertising below.

Limitations

Your rights may be limited under applicable laws, such as where fulfilling your request would impair the rights of others, our ability to provide a service you have requested, or our ability to comply with our legal obligations and enforce our legal rights.

Opt out of interest-based advertising

You may limit online tracking by:

• Blocking cookies in your browser. Most browsers let you remove or reject third-party cookies, including cookies used for interest-based advertising. To do this, follow the instructions in your browser settings. For more information, visit allaboutcookies.org.
• Blocking advertising ID use in your mobile settings. Your mobile device settings may provide functionality to limit use of the advertising ID associated with your mobile device for interest-based advertising purposes.
• Using privacy plug-ins or browsers. You can block our websites from setting cookies used for interest-based ads by using a browser with privacy features, like Brave, or installing browser plug-ins like Privacy Badger, Ghostery, or uBlock Origin, and configuring them to block third-party cookies and trackers. You can also opt out of Google Analytics at tools.google.com/dlpage/gaoptout.
• Platform opt-outs. The following advertising partners offer opt-out features:
  • Google: adssettings.google.com
  • Meta: facebook.com/about/ads
• Advertising industry opt-out tools:
  • Digital Advertising Alliance for Websites: optout.aboutads.info
  • Digital Advertising Alliance for Mobile Apps: youradchoices.com/appchoices
  • Network Advertising Initiative: optout.networkadvertising.org

Note that because these opt-out mechanisms are specific to the device or browser on which they are exercised, you will need to opt out on every browser and device that you use.

Do Not Track

Some internet browsers may be configured to send "Do Not Track" signals to the online services that you visit. We currently do not respond to "Do Not Track" or similar signals. To find out more, please visit allaboutdnt.com.

7. Additional rights for users in specific jurisdictions

Users in Canada

If you are located in Canada, we process your personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. In addition to the rights described above, you have the right to withdraw your consent to the collection, use, or disclosure of your personal information at any time, subject to legal or contractual restrictions. You may access and request correction of your personal information held by us. We will respond to your request within 30 days. If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada at priv.gc.ca.

Users in the United Kingdom

If you are located in the United Kingdom, we process your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Our lawful basis for processing your personal data is your consent, which you may withdraw at any time. In addition to the rights described above, you have the right to: request data portability; object to processing of your personal data in certain circumstances; request restriction of processing; and lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk if you believe your data protection rights have been violated.

Users in the European Economic Area (EEA)

If you are located in the EEA, we process your personal data in accordance with the General Data Protection Regulation (EU GDPR). You have the same rights as UK users described above. For cross-border data transfers from the EEA, we rely on the EU-US Data Privacy Framework and/or Standard Contractual Clauses approved by the European Commission. You may lodge a complaint with your local supervisory authority.

Automated decision-making and profiling

We use automated systems, including artificial intelligence, to personalise the content and coaching you receive within our programs. These systems analyse your symptom data, preferences, and interactions to tailor your experience. This processing does not produce legal effects or similarly significant effects on you. It is used solely to customise educational and coaching content. You have the right to request human review of any AI-personalised recommendations, to express your point of view, and to contest the outcome. To exercise these rights, please contact us at privacy@mindsethealth.com.

8. Research participation

We may engage in clinical research and trials that use only aggregated and de-identified data we have collected. If you would not like your information used in our studies, please contact us at hello@mindsethealth.com.

9. Data security

We employ a number of technical, organisational and physical safeguards designed to protect the personal information we collect. We may also store personal information with third-party storage providers such as Google Cloud Platform. Where this is done, we require the provider to enter into written agreements under which they commit to protecting the security of personal information stored on our behalf. However, no security measures are failsafe, and we cannot guarantee the security of your personal information.

10. Data retention

We may retain your personal data for as long as it is reasonably needed in order to maintain and expand our relationship and provide you with our Services; in order to comply with our legal and contractual obligations; or to protect ourselves from any potential disputes. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of such data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process it, and the applicable legal requirements. We may retain de-identified or aggregated data for a longer period to the extent it is reasonably required for us to deliver or improve our services.

11. Children

Our Services are not intended for use by children without the consent of their parents or guardians. If we learn that we have collected personal information through our Services from a child under 13 without the consent of the child’s parent or guardian as required by law, we will delete it.

12. HIPAA

If we are subject to the Health Insurance Portability and Accountability Act ("HIPAA"), you may also contact the Secretary of the U.S. Department of Health and Human Services. Under no circumstances will we take any retaliation against you for filing a complaint.

13. Changes to this privacy policy

We reserve the right to modify this Privacy Policy at any time. If we make material changes to this Privacy Policy, we will notify you by updating the date of this Privacy Policy. We may also provide notification of changes in another way that we believe is reasonably likely to reach you, such as via email (if you have an account where we have your contact information) or another manner.

14. Complaints and enquiries

If you have any queries or complaints about our Privacy Policy, please contact us via the details below. We will acknowledge your complaint within 7 days of receipt and we will endeavour to resolve it within 30 days, unless we notify you otherwise in writing.

Following receipt of your complaint, we will commence an investigation and may require you to provide additional details. To the extent lawful and practicable, we will deal with any complaints in a confidential manner. If you are dissatisfied with the outcome, you may refer the complaint to the Office of the Australian Information Commissioner or, if you are located outside Australia, your local supervisory authority.

15. Contact us

Security, Privacy, and Compliance Officer: Alexander Naoumidis

Address: Level 2, 620 Church Street, Cremorne VIC 3121, Australia

Email: privacy@mindsethealth.com

© 2026 Mindset Health Pty Ltd