Mind Haven Privacy Policy
Effective: July 17, 2025 | Last updated: July 17, 2025
Mind Haven Inc. ("Mind Haven," "we," "our," or "us") is a Delaware corporation with its principal business address at 410 Dunaway Dr, Valrico, FL 33594. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Mind Haven mobile application, website, and related services (collectively, the "Service"). If you have any questions, please contact us at company@mindhavenus.com.
Mind Haven is not a "covered entity" or "business associate" under the U.S. HIPAA statute because we do not submit insurance claims or perform other standard electronic transactions on behalf of health‑care providers or plans. Nevertheless, we recognise that many of the details you share with us—such as journal entries and mood ratings—are highly sensitive consumer health data. We protect that data with industry‑standard safeguards and in accordance with the U.S. federal and state laws described below.
1 · Information We Collect
Category | Examples | Purpose |
---|---|---|
Account Information | Name or alias, email address, password, age verification, subscription tier | Create and secure your account, communicate with you |
Self‑Reported Well‑Being Data (Consumer Health Data) | Mood check‑ins, activity reflections, journal entries, voice notes, images, chat transcripts | Provide personalised mental‑health support and track progress |
Usage Information | Time in app, feature clicks, session length | Improve and debug the Service |
Payment Information | Last 4 digits of card, billing ZIP/postal code (processed by Stripe or Apple/Google); we do not collect insurance information or CPT codes | Process cash‑pay subscriptions and purchases |
Device & Technical Data | Device type, OS version, IP address, app version, crash logs, cookies | Secure the Service, prevent fraud |
We do not knowingly collect government‑issued identifiers, insurance claim numbers, medical‑record numbers, or any data whose transmission would render Mind Haven subject to HIPAA.
2 · Consumer Health Data Notice & Consent
Certain U.S. states—including Washington (My Health My Data Act), Nevada (SB 370), Connecticut (Data Privacy Act), Colorado, Maryland, and Virginia—require opt‑in consent for the collection and use of consumer health data.
How we obtain consent.
On first sign‑in you will see an unticked check‑box labelled:
“I consent to Mind Haven collecting and using my mental‑health information as described in the Privacy Policy.”
If you decline, you may still browse generic content, but personalised features will be unavailable. You can withdraw consent at any time under Settings › Privacy › Data Consent.
Sale or sharing.
Mind Haven does not sell your consumer health data. Should we ever wish to do so, we will first obtain a signed, standalone authorization naming the specific buyer and purpose, as required by Washington MHMDA § 9 and Nevada SB 370 § 13. California residents may halt any future sale or sharing by clicking “Do Not Sell or Share My Personal Information” in the app footer or by sending a Global Privacy Control (GPC) signal from their browser.
A summary of your state‑specific rights appears in Appendix A.
3 · How We Use Information
- Provide & maintain the Service – personalise content, deliver sessions, process payments, and troubleshoot.
- Improve & develop new features – analyse aggregated usage trends, run A/B tests, and refine recommendations.
- AI Model Improvement (with consent) – Optional. With your explicit permission (collected via a separate checkbox and toggleable at any time), we may use de‑identified excerpts of your journals and chat transcripts to train and evaluate our machine‑learning algorithms. Opting out will not affect other features.
- Security & fraud prevention – monitor for suspicious activity, enforce our Terms of Service, and protect user safety.
- Legal compliance – comply with U.S. federal, state, or local laws, lawful requests, and court orders.
We never use consumer health data for targeted advertising.
4 · Security Measures
We employ administrative, technical, and organisational safeguards, including but not limited to:
- AES‑256 encryption at rest and TLS 1.3 in transit;
- Role‑based access control and mandatory multi‑factor authentication for staff;
- Annual third‑party penetration testing and risk assessments;
- SOC 2 Type II–compliant cloud infrastructure;
- 24/7 security monitoring and logging.
5 · Breach Notification (FTC Health‑Breach Notification Rule)
If we discover that your personal information or consumer health data has been accessed, acquired, or disclosed in a manner that violates this Privacy Policy or applicable law, we will:
- Notify you in writing without unreasonable delay and no later than sixty (60) days after discovery, and
- Submit the required notice to the U.S. Federal Trade Commission through its online portal.
The notice will describe the nature of the breach, the data involved, steps you can take to protect yourself, and the measures we have taken to mitigate harm.
6 · Your Rights & Choices
Depending on where you live, you may have the right to:
- Access the personal data we hold about you;
- Correct inaccurate or incomplete data;
- Delete your data;
- Export your data in a portable format;
- Withdraw consent to consumer health data processing or AI training;
- Opt out of any future sale or targeted advertising;
- Appeal an adverse decision.
You can exercise most rights by visiting Settings › Privacy. For other requests, email company@mindhavenus.com.
7 · Data Retention
We keep your personal data only as long as necessary for the purposes described in this Policy, unless a longer retention period is required by law. If you delete your account, we will erase or de‑identify your data within 30 days, except for (a) transaction records needed for accounting, (b) logs required for security or legal reasons, and (c) any content you consented to use for AI training, which we will purge from training corpora within 30 days of withdrawal.
8 · Children’s Privacy
Mind Haven is intended for users aged 18 and older. We do not knowingly collect personal information from anyone under 13. During sign‑up we request your date of birth; accounts indicating an age under 18 cannot enter mental‑health reflections and are directed to external crisis resources instead. If you believe a child has provided data to us, please email company@mindhavenus.com and we will delete it promptly.
9 · Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you via in‑app message or email at least 14 days before the new policy takes effect. Your continued use of the Service after the effective date constitutes acceptance of the revised Policy.
10 · Contact Us
If you have questions about this Privacy Policy or our data practices, please contact:
Mind Haven Inc.
410 Dunaway Dr
Valrico, FL 33594
Email: company@mindhavenus.com
Appendix A – State‑Specific Privacy Rights
A.1 Washington (My Health My Data Act)
You have the right to confirm, access, delete, or withdraw consent to the processing of your consumer health data. To exercise these rights, email company@mindhavenus.com or use the in‑app request form. We will respond within 45 days.
A.2 Nevada SB 370
You may request a list of consumer health data we have collected and ask us to delete it or stop processing it. Call our toll‑free number (listed in‑app) or email company@mindhavenus.com.
A.3 Connecticut Data Privacy Act (effective July 1 2025)
We require opt‑in consent before processing your consumer health data. You may withdraw consent at any time and request deletion.
A.4 California Consumer Privacy Rights Act (CPRA)
You may click “Do Not Sell or Share My Personal Information” to opt out of future sale or sharing. We honour Global Privacy Control signals.
A.5 Colorado Privacy Act
You may opt out of processing for targeted advertising and profiling. Appeals of denied requests can be submitted via email.
A.6 Virginia Consumer Data Protection Act
You have the right to access, correct, delete, and obtain a copy of your personal data, and to opt out of targeted advertising. We respond within 45 days.
A.7 Maryland Consumer Data Privacy Act
You may withdraw consent to processing of sensitive data at any time and request deletion or export.
End of Policy