This privacy notice describes how personal data is processed in connection with the MindStim website and service, pursuant to Regulation (EU) 2016/679 («GDPR») and Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018.
1. Data controller
The data controller is MindStim Società a Responsabilità Limitata Semplificata, with registered office at Via Trento 27, 64014 Martinsicuro (TE), Tax ID/VAT number 02223570678.
Contact: certified email (PEC) mindstim@pec.it, email mindstimsrls@gmail.com.
2. Nature of the service and data minimisation
MindStim is designed to not require patient registration, not to maintain persistent clinical records, and not to load marketing tools on patient session pages. The operational state of a working session remains in memory on the realtime server and is deleted when the connection ends.
On the public pages of the site (marketing, registration, subscription), subject to user consent, Meta Pixel may be active to measure the effectiveness of promotional campaigns - see the dedicated section and the cookie policy.
Mental health professionals may voluntarily create an account to access the Pro plan (advanced features, dedicated link, saved preferences). In that case, email, authentication data and, if subscribed, billing data processed via Stripe are handled as described in the dedicated sections.
The invitation link contains a random session identifier, not permanently associated with a person identified by the Controller.
3. Roles in clinical data processing
For personal data processed in the context of the therapeutic relationship (including any health-related data concerning patients), the professional using MindStim acts as an independent data controller, in compliance with applicable law and their own professional obligations, including obtaining the patient's informed consent where required. MindStim provides only the technical stimulation and synchronisation tool and, by design, does not record or store session content.
MindStim SRLS is instead the data controller for the data described in this notice: technical browsing data, therapist account data and subscription data.
4. Data processed
In connection with use of the site and service, the following may be processed:
The Controller does not require the patient to create an account and does not, by design, manage clinical files or structured health data within the application.
- Technical browsing and connection data (e.g. IP address, date and time, browser type, system logs) necessary for operation, security and service diagnostics;
- Technical session data (session identifier, stimulation settings transmitted in real time) processed solely for synchronisation between therapist and patient;
- Language preference, stored via a technical cookie (see cookie policy);
- Contact data voluntarily sent by email or certified email (PEC) by the professional or third parties.
- Therapist account data (registered users only): email address, display name, user identifier, dedicated link slug, current active session identifier, non-clinical technical preferences;
- Record of acceptance (therapist account only): date, time and version of the privacy notice and terms accepted at registration, retained for accountability purposes (Art. 5(2) GDPR);
- Subscription data (Pro plan only): managed by Stripe (subscription status, customer/subscription identifiers, validity period). Payment card data does not pass through MindStim servers.
- Marketing measurement data (subject to consent only): browsing and conversion events (e.g. page view, checkout start, purchase, registration) sent to Meta via Meta Pixel (browser) and, for purchases, Conversions API (server). These may include Meta cookie identifiers (_fbp, _fbc), IP address, user agent and, server-side, hashed email (SHA-256) for advertising matching. Meta acts as an independent controller for processing on its platform.
5. Purposes and legal basis
The checkbox required at registration documents acknowledgement of this notice and acceptance of the legal notice; it does not constitute additional consent to processing, which is based on the legal grounds indicated above.
- Provision of the service - performance of pre-contractual or contractual measures and technical management of sessions (Art. 6(1)(b) GDPR);
- Security and abuse prevention - legitimate interest of the Controller in protecting infrastructure and users (Art. 6(1)(f) GDPR);
- Legal compliance - legal obligations, requests from the Authority (Art. 6(1)(c) GDPR);
- Service communications - response to requests sent to the contacts indicated (Art. 6(1)(b) or (f) GDPR);
- Marketing communications - informational and promotional emails about MindStim (news, guides, offers), subject to express consent at signup or via account preferences; withdrawable at any time (Art. 6(1)(a) GDPR). Marketing emails may include aggregated measurement of delivery, opens and clicks (technical estimates, without storing IP or user agent) via dedicated infrastructure on a separate subdomain; transactional authentication emails do not include tracking pixels;
- Therapist account and Pro subscription - performance of the contract or pre-contractual measures requested by the professional (Art. 6(1)(b) GDPR).
6. Nature of data provision
Simply browsing the site does not require voluntary provision of personal data, except for technical data necessary for operation. To create a therapist account, a valid email address, a password, confirmation of having read the privacy notice and acceptance of the legal notice are required: without these, registration cannot be completed. Display name is optional. Failure to provide payment data only prevents activation of the Pro plan, not use of free features.
7. Processing methods
Data is processed using IT and electronic means, with logic related to the stated purposes and appropriate security measures (access control, encrypted communications where applicable, minimisation of stored data).
8. Retention
- Realtime session data: retained in memory only for the duration of the active connection;
- Server/hosting technical logs: for the time strictly necessary for security and maintenance, within the limits set by the infrastructure provider;
- Language preference cookie: up to 12 months (see cookie policy);
- Email/PEC correspondence: for the time necessary to handle the request and comply with legal obligations;
- Therapist account and subscription data: for the duration of the contractual relationship and, where applicable, for statutory or accounting periods;
- Record of acceptance of privacy notice and terms: for the duration of the account and, after closure, for applicable limitation periods;
- Supabase/Stripe logs and technical data: according to the respective providers' policies and within the limits necessary for the service.
9. Recipients and processors
Data may be processed by authorised personnel of the Controller and by technology providers (e.g. hosting, CDN, network infrastructure) appointed as processors under Art. 28 GDPR, within the limits necessary to provide the service.
For therapist accounts and profile/subscription databases, the Controller uses Supabase (preferably EU region). For Pro plan payments, it uses Stripe as processor for payment and billing purposes.
There is no sale of personal data or transfer to third parties for marketing purposes.
10. Transfers outside the EU
Where infrastructure components are located outside the European Economic Area, the Controller adopts appropriate safeguards (e.g. adequacy decisions, Standard Contractual Clauses) compatible with the GDPR.
11. Data subject rights
Data subjects may exercise the rights of access, rectification, erasure, restriction, objection, portability (where applicable) and withdrawal of consent (if given) by writing to the Controller at the contacts indicated above.
They also have the right to lodge a complaint with the Italian Data Protection Authority (//www.garanteprivacy.it:www.garanteprivacy.it).
12. Changes
The Controller may update this notice to reflect regulatory or service changes. The date of the last update is shown at the top.
