Privacy Policy

Last updated: May 2026

1. Who We Are

MycoMind ("we", "us", "our") operates a clinical platform for psychedelic-assisted therapy preparation. We act as a data controller for the personal data we collect and process.

Data Protection Officer: privacy@mycomind.io

2. What Data We Collect

We collect and process the following categories of personal data:

  • Identity data: Name, email address, date of birth, gender, pronouns
  • Contact data: Phone number, emergency contact information
  • Health data (Special Category): Medical history, psychological history, substance use history, therapy assessments, readiness scores, journal entries, session records, mood data
  • Technical data: IP address, browser type, login timestamps
  • Usage data: Content progress, platform interactions, assessment completions
  • Financial data: Billing information processed via Stripe (we do not store card numbers)

3. Lawful Basis for Processing

We process your data under the following legal bases (GDPR Article 6 & 9):

  • Explicit consent (Article 9(2)(a)): Processing of health data for therapy preparation, AI-powered assessments, and research data sharing
  • Contract performance (Article 6(1)(b)): Providing the platform services you signed up for
  • Legal obligation (Article 6(1)(c)): Audit log retention, regulatory compliance
  • Legitimate interest (Article 6(1)(f)): Platform security, fraud prevention, service improvement

4. How We Use Your Data

  • Providing personalized therapy preparation content via AI pipeline
  • Generating readiness assessments and risk analyses
  • Facilitating communication between patients and facilitators
  • Encrypted journal storage and AI-synthesized insights (facilitators never see raw entries)
  • Outcome tracking and progress monitoring
  • De-identified research data sharing (only with your explicit opt-in consent)
  • Platform security and abuse prevention

5. Data Sharing & Third Parties

We share data with the following categories of recipients:

  • Your assigned facilitator: AI-synthesized journal themes, readiness scores, session records (never raw journal text)
  • AI processing (Anthropic): Intake data processed for readiness assessment, content sequencing, and risk analysis. Covered by a Business Associate Agreement (BAA).
  • Payment processing (Stripe): Billing data only. Covered by a Data Processing Agreement (DPA).
  • Approved researchers: Only de-identified data, only with your explicit opt-in, with all 18 HIPAA Safe Harbor identifiers stripped.
  • Hosting infrastructure: Encrypted data at rest and in transit. Covered by BAA/DPA.

We do not sell your personal data. We do not use your data for advertising.

6. Your Rights (GDPR)

You have the following rights regarding your personal data:

  • Right of access (Article 15): Request a copy of your data
  • Right to rectification (Article 16): Correct inaccurate data
  • Right to erasure (Article 17): Delete your account and data
  • Right to data portability (Article 20): Download your data in machine-readable format
  • Right to restrict processing (Article 18): Limit how we use your data
  • Right to withdraw consent (Article 7): Withdraw consent at any time without affecting prior processing
  • Right to object (Article 21): Object to processing based on legitimate interest

To exercise these rights, visit Settings → Data & Privacy in your dashboard, or contact us at privacy@mycomind.io. We will respond within 30 days.

7. Data Security

  • All data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Journal entries encrypted with per-entry keys (AES-256-GCM)
  • Role-based access control with principle of least privilege
  • Multi-factor authentication available for all accounts
  • Comprehensive audit logging with 7-year retention
  • Regular security assessments and penetration testing
  • Automatic session timeout after 15 minutes of inactivity

8. Data Retention

  • Active accounts: Data retained while account is active
  • Deleted accounts: Soft-deleted for 90 days (recoverable), then permanently anonymized
  • Audit logs: Retained for 7 years (legal requirement)
  • Session records: Archived to cold storage after 2 years
  • Backups: Retained for 30 days, then securely destroyed

9. International Transfers

Your data may be processed in the United States. Where data is transferred outside the EEA, we ensure appropriate safeguards are in place (Standard Contractual Clauses or adequacy decisions).

10. Cookies & Local Storage

We use essential cookies and local storage only for authentication (JWT tokens) and user preferences. We do not use tracking cookies, analytics cookies, or advertising cookies. No third-party tracking scripts are loaded.

11. Children

Our platform is not intended for individuals under 18 years of age. We do not knowingly collect data from minors. If you believe a minor has provided us with personal data, please contact us immediately.

12. Breach Notification

In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify you without undue delay. We will also notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Article 33).

13. Contact & Complaints

For privacy inquiries: privacy@mycomind.io

You have the right to lodge a complaint with your local data protection supervisory authority if you believe your data protection rights have been violated.

14. Changes to This Policy

We will notify you of material changes to this policy via email and/or a prominent notice on the platform. Continued use after notification constitutes acceptance.