neumind
Privacy Notice
How Neumind collects, uses, and protects personal data across our website, app, and professional dashboard.
Version 3.0 (2026-04-28) — This version supersedes the November 2025 baseline. It is currently under regulatory review by Orion MedTech as part of the CSO HIPS/25/14 engagement; we may issue revisions following their sight. Material changes will be published with a version log entry and notified inside the product where applicable.
Purpose
Neumind prioritises safeguarding personal information and adheres to the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and — where applicable — the EU General Data Protection Regulation (EU GDPR). This notice explains how we process personal data across our website, our app, and our professional dashboard (“our services”), and how you can exercise your rights.
Who we are
We are Neumind Ltd, a company registered in England and Wales (company number 12044517) with our registered office at 39 Leeway Avenue, Great Shelford, Cambridge, CB22 5AU, United Kingdom.
We are registered with the UK Information Commissioner’s Office (ICO) as a data controller under reference ZB038508 (registered 6 April 2021; current renewal expires 5 April 2027).
We have appointed an external Data Protection Officer (DPO) for independent oversight of our data-protection practices. You can contact our DPO at dpo@neumind.io. For general privacy queries, data-subject access requests (DSARs), or complaints, you can also write to us at privacy@neumind.io or team@neumind.io.
Our role — controller and processor
Our role under data-protection law depends on the context:
| Context | Our role | Example |
|---|---|---|
| Website visitors, direct-to-consumer app users, professional-dashboard users, and suppliers | Controller | You sign up directly; we decide how and why we process your data. |
| A professional’s client invited via their practice’s dashboard | Processor on behalf of the professional’s practice (the practice is controller) | Your clinician invites you; they determine why your data is processed. We process it only on their documented instructions. |
This notice explains our processing as controller. When we act as processor, our obligations are set out in our Data Processing Agreement (DPA) with the professional’s practice. If you are a professional’s client, please contact your clinician for their privacy notice.
Scope
This notice applies to:
- Users of our app and professional-dashboard services
- Suppliers providing products and services to us
- Visitors to our website at https://www.neumind.io
Services overview
Our subscription-based digital platform provides wellbeing and cognitive-support tools for people living with the effects of brain injury and stroke, and for their carers and clinicians. Features include:
- Expert and peer community forums
- Educational courses for survivors and carers
- Digital cognitive tools to support everyday routines and memory aids
- Personalised content and recommendations
Non-clinical use. Neumind provides wellbeing and cognitive-support tools. Neumind is not a medical device and does not provide medical advice, diagnosis, or treatment. We offer technology-based tools and perspectives only; clinical decisions remain the responsibility of qualified clinicians. Our Intended Purpose Statement sets out the regulatory frame in detail.
Types of personal data collected
We collect the following categories of personal data:
| Category | Examples |
|---|---|
| Identity data | Name, username, professional title |
| Contact data | Address, email address, phone number |
| Financial data | Bank and payment-card details (processed by our payment providers — see § Data sharing and sub-processors) |
| Transaction data | Payment records and service details |
| Technical data | IP address, browser information, device details |
| Profile data | Password (hashed), search history, preferences |
| Usage data | Interaction patterns across the website and services |
| Marketing and communications data | Marketing preferences and subscription status |
| Special category (health-adjacent) data | See § Special categories of data below |
Data collection methods
Direct collection. Registration forms, in-product inputs, feedback submissions, emails and phone calls, ratings, comments, and participation in promotions.
Website usage. Analytics gather aggregate visitor statistics through browsing behaviour and form interactions. On your first visit to our site, our cookie banner lets you accept or decline non-essential analytics cookies. A full list of the cookies we use, what each cookie does, and how long it persists is available at our Cookies Notice. You can change your cookie preferences at any time via the banner’s persistent settings link.
Third-party sources. Identity, contact, and financial information received from professionals who invite their clients into the platform, from our payment providers, and — for contract-recoverable engagements — from case managers and solicitors. We also receive data about professionals from their employers where the employer holds the subscription.
Data provision requirements
Where a legal obligation or contractual term requires specific personal data, failure to provide it may prevent us from delivering the service. We will let you know if this is the case.
How we use personal data
We rely on the following lawful bases under Article 6 UK GDPR:
- Contract performance — delivering the services you (or your professional’s practice) have subscribed to.
- Legal obligation — meeting regulatory and tax requirements.
- Legitimate interest — operating and improving our business in ways that benefit users, balanced against your rights.
- Consent — for specific processing where consent is the most appropriate basis (in particular, special-category data — see below).
Processing purposes
| Purpose | Data types | Legal basis |
|---|---|---|
| App installation for service delivery | Identity, Contact | Consent |
| User registration | Identity, Contact | Contract performance |
| Responding to enquiries | Identity, Contact | Contract / Legitimate interest |
| Payment processing and debt recovery | Identity, Contact, Financial, Transaction, Marketing | Contract / Legitimate interest |
| Service-relationship management | Identity, Contact, Profile, Marketing | Contract / Legal obligation / Legitimate interest |
| Business administration and security | Identity, Contact, Technical | Legitimate interest / Legal obligation |
| Content and communications delivery | Identity, Contact, Profile, Usage, Marketing, Technical | Legitimate interest |
| Analytics and product improvement | Technical, Usage | Legitimate interest |
| Personalised recommendations | Identity, Contact, Technical, Usage, Profile, Marketing | Legitimate interest |
Session recording and analytics
We use PostHog for analytics and session recording within the professional dashboard only (not on our marketing website and not inside our mobile apps).
- Analytics. Aggregate usage data — page views, feature use, and navigation patterns — helps us identify valuable features and improvement opportunities.
- Session recording. With your consent, we may record your screen interactions (mouse movements, clicks, and scrolling) within the dashboard. Sensitive data such as passwords and health data are automatically masked. Only authorised staff access recordings, and only for product-improvement purposes.
- User control. A cookie consent banner appears on your first dashboard visit and can be adjusted at any time through your profile settings.
Special categories of data
Users may provide health-related information such as:
- Injury or condition classification (for example, traumatic brain injury, stroke, brain tumour)
- Time since injury or diagnosis
- Duration of rehabilitation received
- Current focus areas (for example, memory, fatigue, planning)
- User-generated goals
Where you provide information of this kind, our lawful basis for processing is your explicit consent under Article 9(2)(a) UK GDPR. You can withdraw consent at any time (see § Your rights); withdrawal does not affect the lawfulness of processing before withdrawal.
Marketing communications
We send marketing messages only where you have actively opted in, either at signup or through your in-product preferences. You have the right to object to direct marketing at any time. You can unsubscribe using the link in any marketing email, adjust your preferences inside the product, or email privacy@neumind.io. Opting out of marketing does not affect transactional communications about your subscription or service.
Data sharing and sub-processors
We engage the following sub-processors to deliver our services. Each is bound by a written Data Processing Agreement (DPA). International transfers are safeguarded by the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs), except where a UK adequacy decision applies.
| Sub-processor | Purpose | Processing location | Transfer safeguard |
|---|---|---|---|
Amazon Web Services (RDS, Lightsail, S3 — eu-west-2) | Application hosting, primary database, backend compute, and file storage | UK / EU | UK adequacy (EU) |
| Auth0 (Okta) | Authentication and identity storage (name, email) | EU | UK adequacy (EU) |
| RevenueCat | In-app (mobile) subscription management | US | UK Addendum + SCCs |
| Stripe | Web card-payment processing | US | UK Addendum + SCCs (Stripe acts as our processor for transaction metadata and as an independent controller for card-network and PCI-DSS-mandated processing under its own privacy notice) |
| SendGrid (Twilio) | Transactional email (receipts, account notifications, password resets) | US | UK Addendum + SCCs |
| Firebase Cloud Messaging (Google) | Mobile push notifications | US | UK Addendum + SCCs |
| Firebase Analytics (Google) | Mobile app analytics | US | UK Addendum + SCCs |
| Typeform | Course and onboarding forms | US | UK Addendum + SCCs |
| PostHog | Product analytics and session recording (professional dashboard only) | EU | UK adequacy (EU) |
| ImageKit | Image processing and delivery | India / US | UK Addendum + SCCs |
Our current sub-processors register is published at www.neumind.io/legal/subprocessors. Where we act as processor for a professional’s practice, we provide at least 30 days’ prior notice before adding or replacing a sub-processor that processes the practice’s client data, and the practice has the right to object on reasonable data-protection grounds. For changes to sub-processors that affect controller-context users (website visitors, app users, professional-dashboard users), we will publish updates in the sub-processors register and reflect them in this notice at the next refresh; material changes will be notified inside the product.
Other recipients
In addition to the sub-processors above, we may share personal data with:
- Internal employees and contractors bound by confidentiality obligations and need-to-know access.
- Professional advisers (lawyers, auditors, insurers) bound by professional secrecy.
- Law-enforcement and regulatory authorities where we are lawfully compelled or where disclosure is necessary to protect life or rights.
- Acquirers in the event of a business transfer (merger, acquisition, or asset sale), with notice given where practicable.
International transfers
We transfer personal data outside the UK to service providers based in the European Economic Area (EEA), the United States, and — in the case of ImageKit — India and the US. In each case we rely on one of:
- Adequacy — transfers to the EEA under the UK adequacy regulations (2021).
- UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses — applied to transfers to US-based and India-based processors listed in our sub-processors table.
- Your explicit consent in limited circumstances where no other safeguard applies.
We assess each destination country and the processor’s safeguards before we begin any transfer. A copy of our transfer-mechanism documentation is available on request to privacy@neumind.io.
Data security
We protect personal data through layered technical and organisational measures:
Technical measures
- TLS 1.2 or higher for all data in transit
- Encryption at rest for databases and secrets, managed via AWS RDS and AWS Secrets Manager
- Role-based access control inside the application, with least-privilege defaults
- Multi-factor authentication (MFA) is required for professional-dashboard accounts. Authenticated sessions on a trusted device may persist for up to 30 days before re-authentication is required; we may shorten this window in response to security events.
- Automated monitoring and alerting on authentication and infrastructure events
- Regular dependency scanning and patching
Organisational measures
- Access is limited to staff with a documented business need-to-know, with an annual access review
- Documented incident-response procedures, including notification to the ICO within 72 hours of becoming aware of a notifiable personal-data breach, and to affected individuals without undue delay where required by law
- Confidentiality obligations on all employees and contractors
Despite these measures, no system is entirely secure and transmission over the internet carries inherent risk. If you suspect a breach affecting Neumind data, please report it to security@neumind.io.
Data retention
We retain personal data only as long as necessary for the purposes set out in this notice. Our current retention periods are:
| Category | Retention period | Basis |
|---|---|---|
| Account and contact data | While your account is active, plus 6 years after closure | Limitation Act 1980; HMRC record-keeping |
| Rehabilitation and profile data (special category) | While your account is active; deleted on closure, unless you elect to retain for continuity of care with a named professional | User choice; DPA 2018 Schedule 1 Part 1 |
| Payment and transaction data | 7 years | HMRC record-keeping; PCI-DSS |
| Usage analytics (identifiable) | Up to 26 months | Legitimate interest; ICO cookie guidance |
| Usage analytics (aggregated / anonymised) | Indefinite | Not personal data after anonymisation |
| Marketing-communications preferences | Until you unsubscribe, plus 3 years (opt-out record) | Legitimate interest; retention of consent evidence |
| Session recordings (professional dashboard, PostHog) | 30 days rolling | Legitimate interest |
| Support correspondence | 6 years | Limitation Act 1980 |
Where we have not received a subscription payment for six months and you have not contacted us, we will delete special-category and directly identifying data from your account — unless an active request to retain, legal obligation, or anticipated litigation requires extended retention.
We may anonymise personal data for research and statistical purposes. Anonymised data falls outside the scope of data-protection law and may be used indefinitely.
Children’s data
Our website and services are not intended for children. We currently do not knowingly process personal data of individuals under 16 years old. Where a user is a young person affected by brain injury or stroke and wishes to use Neumind with parent or carer mediation, please contact privacy@neumind.io so that we can discuss appropriate safeguards.
Your rights
You may exercise the following rights (with some limitations in law):
| Right | Description |
|---|---|
| Access | Obtain a copy of the personal data we hold about you (a “data-subject access request”, or DSAR). |
| Rectification | Have incomplete or inaccurate information corrected. |
| Erasure | Request deletion of your personal data, subject to legal exceptions. |
| Objection | Challenge processing based on legitimate interest, including direct marketing. |
| Restriction | Ask us to suspend processing in specified circumstances. |
| Portability | Receive your personal data in a structured, commonly used, machine-readable format. |
| Withdraw consent | Stop consent-based processing; this does not affect the lawfulness of processing before withdrawal. |
Automated decision-making. We do not make decisions about you based solely on automated processing that produce legal effects or similarly significant effects on you.
Exercising your rights
Exercising these rights is free of charge. We may ask you to confirm your identity using information already on file (for example, the email address linked to your account); we will not ask for new identifying documents unless there is genuine doubt about your identity. If we consider a request to be manifestly unfounded or excessive — for example, repetitive or vexatious — we may decline it or charge a reasonable administrative fee, and we will explain our reasoning. We will respond within one month of a valid request; complex or numerous requests may be extended by up to a further two months, and we will tell you if that is the case. Where we decline a request or extend the response time, you have the right to complain to the ICO and to seek a judicial remedy.
To exercise a right, contact us at privacy@neumind.io or dpo@neumind.io.
Keeping your information accurate
Please keep your personal data current. You can update most information directly in the product, or contact us at privacy@neumind.io.
Concerns and complaints
If you have a concern about how we process your data, please raise it with us first at privacy@neumind.io or dpo@neumind.io. If you remain unsatisfied, you have the right to complain to the UK Information Commissioner’s Office at https://www.ico.org.uk. Users outside the UK may contact their relevant supervisory authority.
Published cross-references
The following companion documents in our compliance stack are published and accessible:
- Cookies Notice — what cookies and similar technologies we set, the lawful basis, and how to manage them.
- Sub-processors register — canonical list of every third party that processes personal data on our behalf, with purposes, locations, and transfer mechanisms.
- Intended Purpose Statement — what Neumind is, who it’s for, and how it sits within the UK regulatory framework for digital health products.
- Data Processing Agreement (DPA) — processor terms governing how we process personal data on behalf of Customer organisations.
- App End User Licence Agreement and Platform End User Licence Agreement — the licence terms for the Neumind app and the professional dashboard respectively.
Notice updates
We may update this notice to reflect legal, technical, or operational changes. Material changes will be notified to you inside the product and at the URL where this notice is published. Where a change requires your consent, we will obtain it.
Contact
- General and support:
team@neumind.io - Privacy / DSARs:
privacy@neumind.io - Data Protection Officer:
dpo@neumind.io - Security / breach reports:
security@neumind.io - Legal:
legal@neumind.io - Website: https://www.neumind.io
- Postal: Neumind Ltd, 39 Leeway Avenue, Great Shelford, Cambridge, CB22 5AU, United Kingdom