LEGAL

Privacy Policy

Effective Date: December 3rd, 2025 | Last Updated: March 2, 2026

Introduction

Welcome to Mindscape Health, a platform operated by Mindscape Health LLC Kenya ("Company," "we," "our," or "us"). We are committed to protecting your privacy and handling your personal data with the highest standards of security and integrity. This Privacy Policy explains how we collect, use, disclose, store, and protect your information when you use our platform, including the website, mobile application, and related services (collectively, "the Platform").

Mindscape Health operates across multiple jurisdictions, including Kenya, the United States, and East and Southern African countries. Depending on your country of residence, different data protection laws may apply to how we handle your personal data. Please refer to Section 6 for jurisdiction-specific information.

By using the Platform, you consent to the practices outlined in this Privacy Policy. If you do not agree with any part of this policy, please do not use our services.

1. Information We Collect

We collect personal information that you provide to us directly, as well as information automatically collected from your use of the Platform.

1.1 Personal Information

This includes any information that can be used to identify you. The types of personal information we collect include, but are not limited to:

  • Full name
  • Email address
  • Phone number
  • Date of birth
  • Gender
  • Profile photo (optional)
  • Emergency contact details
  • Payment information (for corporate clients and therapy services)

1.2 Health and Demographic Data

Given the nature of our services, we also collect sensitive health-related data, including but not limited to:

  • Therapy session notes and treatment history
  • Mental health status, self-reported conditions, and diagnosis (if provided)
  • Symptom tracking and mood assessments
  • Medication tracking
  • Health history provided by you during your use of the Platform

1.3 AI-Generated Data

When using the AI matching algorithm or our AI assistant (Nuru), we collect information regarding your preferences, responses, and mental health needs. This data includes:

  • Type of therapy requested (e.g., Cognitive Behavioral Therapy)
  • Responses to intake forms and questionnaires
  • AI-generated recommendations or matches with therapists
  • Conversation logs with the Nuru AI assistant

Important Note on AI Data Processing: Conversations with our AI assistant (Nuru) may be processed by third-party AI service providers (such as Anthropic or OpenAI). By using Nuru, you consent to your conversation data being processed by these providers in accordance with their respective privacy policies. We take steps to minimize sensitive data shared with these providers and require them to maintain appropriate confidentiality standards.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • To provide our services: Facilitate the connection between users and licensed therapists; deliver therapy services (including AI matching); enable corporate clients to track employee wellbeing.
  • To improve the Platform: We continuously work to enhance functionality and user experience, including personalized therapy recommendations and improvements in AI matching.
  • To communicate with you: Send notifications, updates about your therapy progress, account-related messages, and promotional information (you can opt out of marketing emails).
  • For legal compliance: To comply with applicable laws, regulations, and requests from regulatory bodies across all jurisdictions in which we operate.

3. Sharing and Disclosure of Information

We do not sell your personal data. However, we may share your data with third parties in the following scenarios:

3.1 With Therapists

When you connect with a therapist, your data, including health information and responses to intake forms, will be shared with the relevant therapist for the purpose of providing therapy services. Therapists are bound by confidentiality and must adhere to all applicable laws and ethical standards in their respective jurisdictions.

3.2 Third-Party Service Providers

We may engage third-party service providers to assist us with various services, including hosting, analytics, payment processing, AI processing, and customer support. These providers will have access to your data solely for the purposes of providing their services and will not use your data for any other purposes. This includes AI service providers who process data for the Nuru assistant.

3.3 Legal Requirements

We may disclose your information to law enforcement or government authorities if required by applicable law, to comply with a legal obligation, or in response to a subpoena or other legal process. This may include sharing your data with regulatory bodies in any jurisdiction where we operate, including but not limited to the Data Protection Commissioner of Kenya, relevant US state and federal authorities, and other applicable regulatory bodies in East and Southern African countries.

3.4 Corporate Clients and EAP Partners

If you are an employee participating through a corporate or Employee Assistance Program (EAP) partnership, we may share anonymized and aggregated data regarding employee wellbeing with your employer. The data shared with employers will not include personal information that could identify you individually. For clarity:

  • Individual session content and identifiable health data are never shared with employers
  • Only aggregated, anonymized insights and trends are provided on employer dashboards
  • Session billing data shared with corporate clients contains no personal health information

4. Data Security Measures

We take the security of your personal data seriously. To protect your information, we use the following measures:

  • Encryption: All sensitive data is encrypted using industry-standard encryption protocols both in transit and at rest.
  • Access Control: We implement strict access controls to ensure that only authorized personnel can access your data.
  • Data Retention: We store personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy or as required by applicable law in relevant jurisdictions.
  • Backup: We regularly back up your data to prevent loss.

Despite these measures, no system is completely secure. We cannot guarantee the absolute security of your data, but we will take all reasonable steps to protect it.

5. User Rights and Choices

As a user of the Platform, you have rights regarding your personal data. The specific rights available to you may vary based on your jurisdiction (see Section 6 for jurisdiction-specific rights), but generally include:

  • Access and Correction: You have the right to request access to the personal data we hold about you and to request corrections of inaccurate or incomplete information.
  • Deletion: You can request the deletion of your account and personal data by contacting our support team. We may need to retain certain information for legal reasons or to comply with regulatory requirements.
  • Opting Out of Marketing Communications: You may opt out of receiving promotional emails or other marketing communications at any time by clicking the "unsubscribe" link in our emails.
  • Consent Withdrawal: Where we rely on your consent to process your data, you may withdraw your consent at any time. This may affect your ability to access certain features of the Platform.
  • Data Portability: Where applicable law requires, you may request a copy of your personal data in a portable format.
  • Objection to Processing: Where applicable law permits, you may object to certain types of data processing.

6. Compliance with Applicable Data Protection Laws

Mindscape Health is committed to complying with applicable data protection and privacy laws across all jurisdictions where we operate. These include, but are not limited to:

6.1 Kenya

We comply with the Kenyan Data Protection Act, 2019, and the regulations promulgated thereunder. Mental health and medical data is treated as sensitive personal data subject to stricter safeguards, consistent with the Act.

6.2 United States

For users based in the United States, we comply with applicable US federal and state privacy laws, including:

  • California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) for California residents
  • Applicable state mental health privacy laws
  • Children's Online Privacy Protection Act (COPPA) for users under 13
  • Other applicable state and federal data protection requirements

California residents have additional rights, including the right to know what personal information is collected, the right to delete personal information, the right to opt out of the sale of personal information (we do not sell personal information), and the right to non-discrimination for exercising privacy rights.

6.3 East and Southern Africa

For users in other jurisdictions across East and Central/Southern Africa, we comply with applicable local data protection laws, including but not limited to:

  • Uganda: Data Protection and Privacy Act, 2019
  • Rwanda: Law No. 058/2021 on the Protection of Personal Data and Privacy
  • Tanzania: Electronic and Postal Communications Act and related data protection regulations
  • South Africa: Protection of Personal Information Act (POPIA), where applicable
  • Other applicable national data protection frameworks

6.4 General

Where specific local legislation exists in any jurisdiction where we operate, we will comply with the applicable data protection and privacy laws of that jurisdiction, in addition to the above. We maintain a general commitment to processing personal data lawfully, fairly, and transparently, collecting data only for specified and legitimate purposes, and implementing appropriate technical and organizational measures to protect personal data.

6.5 Google Play Health Apps Policy

We comply with all applicable policies and guidelines regarding the handling of health data as set forth by app stores and third-party platforms, including Google Play's Health Apps Policy.

7. International Data Transfers

Mindscape Health operates across multiple countries, and your personal data may be transferred to, stored in, or processed in countries other than your country of residence. This includes:

  • Data from users in East and Southern Africa may be stored or processed in Kenya or on servers operated by our third-party service providers in other countries.
  • Data from US users may be transferred to and stored in Kenya or other countries where our service providers operate.
  • Data may flow between any countries in which we operate as part of providing our services.

Whenever we transfer your data internationally, we take all necessary measures to ensure that your data is protected in accordance with this Privacy Policy and applicable laws. These measures may include relying on adequacy decisions, standard contractual clauses, or other lawful transfer mechanisms as required by applicable law in your jurisdiction.

By using the Platform, you acknowledge and consent to the transfer of your data to countries that may have different data protection standards than your country of residence.

8. Cookies and Tracking Technologies

The Platform uses cookies and similar tracking technologies to improve user experience, analyze trends, and provide personalized content. By using the Platform, you consent to the use of these technologies as described in this Privacy Policy.

You can control the use of cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of the Platform.

9. Children's Privacy

The minimum age to use the Platform varies by jurisdiction:

  • United States: Users must be at least 13 years of age. Users under 13 are not permitted to use the Platform. For health data purposes, some US states may require users to be 16 or older; we will comply with applicable state-specific age requirements.
  • Kenya and other African jurisdictions: Users must be at least 13 years of age. Users under 18 must obtain consent from a parent or legal guardian.

We do not knowingly collect personal data from children below the applicable minimum age in their jurisdiction. If you believe we have inadvertently collected such data, please contact us immediately so we can take appropriate steps.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal obligations, or services. Any updates will be posted on this page, and we will indicate the updated "Last Updated" date. We encourage you to review this Privacy Policy periodically. For material changes, we will provide more prominent notice.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, or to exercise any of your rights under applicable data protection law, please contact us at:

Conclusion

By using Mindscape Health's Platform, you acknowledge that you have read, understood, and agree to the terms outlined in this Privacy Policy. If you do not agree with any part of this Privacy Policy, you must cease using our services.