Privacy Policy
Effective May 1, 2026
At Mindset, your privacy isn't a checkbox — it's the foundation of trust we ask you to place in us. This policy explains what we collect, why we collect it, and the choices you have. We've tried to write it in plain language; the legal terms you'll find here are required by Indian data-protection law.
This policy is published in compliance with the Digital Personal Data Protection Act, 2023 (“DPDP Act”), the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”).
1. Who we are
“Mindset”, “we”, “us”, or “our” refers to the Mindset platform operated from India. We are the Data Fiduciary under the DPDP Act for personal data we collect from you (“Data Principal”).
2. What we collect
2.1 Information you give us
- Account information: name, email, phone number, password (hashed), date of birth, gender (optional).
- Health and well-being information: session notes, journal entries, mood check-ins, intake-form responses, and anything you share with a therapist on our platform. This is “sensitive personal data” under Indian law and we treat it accordingly.
- Payment information: Razorpay handles all card / UPI / net-banking data on its own PCI-DSS-compliant infrastructure. We only receive a transaction ID and status — we do not see or store your card details.
- Shipping information: for physical products, we collect your shipping address and pincode and share these with our logistics partner Shiprocket.
- Communications: messages you send through our contact forms, support emails, and any feedback you choose to share.
2.2 Information we collect automatically
- Device information (browser type, operating system, screen size).
- Usage data (pages visited, features used, approximate time spent).
- IP address and approximate location (city / region only).
- Cookies and similar technologies for authentication, preferences, and basic analytics. We do not use third-party advertising trackers.
3. Why we collect it
- To provide the service you signed up for — sessions, workshops, products, journals, library access.
- To process payments, fulfill orders, and ship physical products.
- To match you with appropriate therapists and to let your therapist see what you choose to share with them.
- To send transactional emails (booking confirmations, receipts, password resets).
- To prevent fraud and abuse, and to keep the platform safe.
- To comply with legal obligations (tax invoices, response to lawful requests).
4. The legal basis we rely on (DPDP Act)
We process your personal data on the basis of (a) the consent you give us when you sign up, book a session, or place an order, and (b) certain “legitimate uses” permitted under Section 7 of the DPDP Act — for example, fulfilling an obligation under law, or responding to a medical emergency.
Where we rely on consent, you can withdraw it at any time by writing to our Grievance Officer. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.
5. How we keep mental-health information confidential
What you tell a Mindset therapist in a session is confidential. It is not visible to our administrative team, our marketing team, or other users of the platform. Confidentiality may only be broken in narrow situations recognised by Rehabilitation Council of India (RCI) ethics — chiefly when there is a serious and imminent risk to your life or someone else's, or when we are compelled by a court order.
Therapists access only their own clients' records and are bound by professional confidentiality codes in addition to this policy.
6. Who we share your information with
We do not sell your personal data. We share specific data with specific partners only where it's necessary to deliver the service:
- Razorpay — payment processing.
- Shiprocket — shipping for physical products.
- Resend — transactional email delivery.
- Cloudinary — image and media hosting.
- Google Calendar — session scheduling for therapists who opt in.
- OpenRouter — certain AI-assisted features. Where we use AI, we do not send identifiable session content.
- Hosting and database providers who store the data on our behalf.
- Lawful authorities when we receive a valid legal request.
We require each partner to handle the data with security standards comparable to ours. Some of these partners may store data outside India; in that case we ensure the transfer is permitted under the DPDP Act and is governed by appropriate contractual safeguards.
7. How long we keep it
- Account data: while your account is active, plus a short retention window after deletion to handle disputes and comply with tax / regulatory requirements.
- Session and clinical notes: retained as required by RCI / professional record-keeping norms (typically 3 years from last interaction) unless you ask for earlier deletion and there is no legal bar to it.
- Payment and tax records: retained for the period required under Indian tax law.
- Marketing consent records: until you opt out.
8. Your rights
Under the DPDP Act, you have the right to:
- Access a summary of the personal data we process about you.
- Correct or update inaccurate or incomplete data.
- Erase your data, subject to lawful retention requirements.
- Nominate another individual to exercise your rights if you are unable to.
- Grievance redressal — lodge a complaint with us, and if unresolved, with the Data Protection Board of India.
To exercise any of these rights, write to our Grievance Officer (details below). We will respond within the timelines required by law.
9. Children
Our services are intended for users aged 18 and above. If you are between 13 and 18, you may use the platform only with the verifiable consent of a parent or legal guardian. We do not knowingly process the personal data of anyone below 18 without that consent. If you believe we have collected such data, please contact us and we will delete it.
10. Security
We use TLS encryption in transit, encryption at rest for sensitive fields, role-based access controls, and routine security reviews. No system is perfectly secure, but we treat any incident seriously and will notify affected users and the Data Protection Board where the law requires.
11. Cookies
We use a small number of essential cookies for sign-in and preferences, and we may use first-party analytics to understand how the site is used in aggregate. You can control cookies through your browser settings.
12. Changes to this policy
We may update this policy as the platform evolves or as the law changes. The “Effective” date at the top reflects the latest version. For material changes we will also notify registered users by email.
13. Grievance Officer
In accordance with the IT Act, the IT Rules, and the DPDP Act, our Grievance Officer receives and resolves complaints about how your data is handled.
- Name: [To be appointed before launch]
- Email: grievance@mindset.example
- Address: [Your registered office address]
We aim to acknowledge complaints within 48 hours and resolve them within 30 days.
14. Contact
For anything else — questions, requests, feedback — reach us at hello@mindset.example.
Important: This policy is provided as a starting point and reflects our good-faith reading of Indian data-protection law as of the effective date. Please have your appointed legal counsel review and tailor it before publishing it on the live domain — particularly the Grievance Officer details, registered office address, and any region-specific terms.