PRIVACY POLICY

INTRODUCTION

This privacy and cookie policy (“Policy”) describes how MindLAB Neuroscience and its affiliated entities collect, use and share personal data when using the website (the “Site”), mobile applications (each, an “App”) and the services provided in connection in addition to (the “Services”). Please read the following information carefully to understand our views and practices regarding your data and how we will treat it.

By accessing our Site, an App, or using the Services, you consent to our collection, storage, transfer, use, or disclosure of your data, as described herein. If you do not accept the terms of this Policy, do not access the Site or an App and do not use the Services.

IMPORTANT INFORMATION

WHO WE ARE: For applicable data protection legislation, the data controller of your data is MindLAB Neuroscience, LLC.

MUST-READ SECTIONS: We draw your attention in particular to the sections entitled “International Data Transfer,” “Your Rights,” “Advertising Platform Disclosures,” and “Your California Privacy Rights (CCPA / CPRA).”

CHANGES TO THIS POLICY: We will post any modifications or changes to the Policy on our Sites/Apps/Services. We reserve the right to modify the Policy at any time, so we encourage you to review it frequently. The “Last Updated” legend above indicates when this Policy was last changed. If we make any material change(s) to the Policy, we will notify you via email or post a notice on our Sites/Apps/Services before such change(s) taking effect. Your continued use of the Site/Apps/Services indicates your acceptance of any changes to this Policy.

PURPOSES OF PROCESSING

What is personal data? We collect information about you in a range of forms, including personal data. As used in this Policy, “personal data” is as defined any information which, either alone or in combination with other information we hold about you, identifies you as an individual, including, for example, your name, postal address, email address and telephone number.

Why do we need your data? We will only process your data in accordance with applicable data protection and privacy laws. We need certain personal data to provide you with access to the Sites/Apps/Services.

COLLECTING YOUR PERSONAL DATA

We collect information about you in the following ways:

Information You Give Us. This includes:

• The personal data you provide when you register for an account, including your name and email;
• The personal data you provide when you book a coaching or therapy session, including your name, email and intake information related to the issue(s) you would like to discuss, as well as your background and medical history;
• The personal data you provide when you complete any clinical follow-up tasks using the App;
• The personal information you provide when you report a problem with our Sites/Apps/Services or when we provide you with customer support;
• The personal information you provide when you make payment through our Sites/Apps/Services; and
• The personal information you provide when you correspond with us by phone, email, or otherwise.
• The personal data you provide to support receiving payment for our services, including a credit card number or other payment information.

Information Automatically Collected. We automatically log information about you and your computer or mobile device when you access our Sites/Apps/Services. For example, when visiting our Sites/Apps/Services, we log your computer or mobile device operating system name and version, manufacturer and model, browser type, browser language, screen resolution, the website you visited before browsing to our Sites/Apps/Services, pages you viewed, how long you spent on a page, access times and information about your use of and actions on our Sites/Apps/Services. We collect this information about you using cookies, pixel tags, software development kits, and similar tracking technologies. Please refer to the sections on cookies, pixel tags, and Advertising Platform Disclosures for further detail.

Advertising and Conversion Tracking Tags. We deploy the following advertising-platform tracking technologies on our Sites:

• Google Ads conversion tracking tags and Google Analytics 4 (GA4) measurement tags, which collect device identifiers, IP address, page-view events, and conversion events (such as form submissions, scheduling actions, and outbound clicks) and transmit them to Google for advertising performance measurement and optimization.
• Microsoft Advertising Universal Event Tracking (UET) tag, which collects device identifiers, IP address, page-view events, and conversion events for Microsoft (Bing) Advertising performance measurement and optimization.
• Microsoft Clarity behavioral analytics, which captures behavioral metrics, heatmaps, and session replay to help us improve the Site and our services.

Each platform’s data handling is described in their respective privacy statements (linked in the Advertising Platform Disclosures section below).

COOKIES

We may collect information using “cookies.” Cookies are small data files stored on the hard drive of your computer or mobile device by a website. We may use both session cookies (which expire once you close your web browser) and persistent cookies (which stay on your computer or mobile device until you delete them) to provide you with a more personal and interactive experience on our Sites/Apps/Services.

We use two broad categories of cookies: (1) first-party cookies, served directly by us to your computer or mobile device, which are used only by us to recognize your computer or mobile device when it revisits our Sites/Apps/Services; and (2) third party cookies, which are served by service providers on our Sites/Apps/Services, and can be used by such service providers to recognize your computer or mobile device when it visits other websites.

Cookies we use

Our Sites/Apps/Services uses the following types of cookies for the purposes set out below:

Essential Cookies: These cookies are necessary to provide you with services available through our Sites/Apps/Services and to enable you to use some of its features. For example, they allow you to log in to secure areas of our Sites/Apps/Services and help the content of the pages you request load quickly. Without these cookies, the services that you have asked for cannot be provided, and we only use these cookies to provide you with those services.

Functionality Cookies: These cookies allow our Sites/Apps/Services to remember choices you make when you use our Sites/Apps/Services, such as remembering your language preferences, remembering your login details and remembering the changes you make to other parts of our Sites/Apps/Services which you can customize. The purpose of these cookies is to provide you with a more personal experience and to avoid you having to re-enter your preferences every time you visit our Sites/Apps/Services.

Analytics and Performance Cookies: These cookies are used to collect information about traffic to our Sites/Apps/Services and how users use our Sites/Apps/Services. The information gathered does not identify any individual visitor. It includes the number of visitors to our Sites/Apps/Services, the websites that referred them to our Sites/Apps/Services, the pages they visited on our Sites/Apps/Services, what time of day they visited our Sites/Apps/Services, whether they have visited our Sites/Apps/Services before, and other similar information. We use this information to help operate our Sites/Apps/Services more efficiently, to gather broad demographic data, and to monitor the level of activity on our Sites/Apps/Services. We use Google Analytics for this purpose. Google Analytics uses its own cookies. It is only used to improve how our Sites/Apps/Services work. You can find out more information about Google Analytics cookies at https://policies.google.com/technologies/cookies. You can find out more about how Google protects your data at https://policies.google.com/privacy. You can prevent the use of Google Analytics relating to your use of our Sites/Apps/Services by downloading and installing the browser plugin available at https://tools.google.com/dlpage/gaoptout.

Microsoft Clarity and Microsoft Advertising: We partner with Microsoft Clarity and Microsoft Advertising to capture how you use and interact with our website through behavioral metrics, heatmaps, session replay, and conversion tracking via the Microsoft Universal Event Tracking (UET) tag, to improve and market our products and services. Website usage data is captured using first and third-party cookies and other tracking technologies to determine the popularity of products and services and online activity. Additionally, we use this information for site optimization, fraud and security purposes, and advertising. For more information about how Microsoft collects and uses your data, please review the Microsoft Privacy Statement.

Targeted and Advertising Cookies: These cookies track your browsing habits to enable us to show advertising, which is more likely to be of interest to you. These cookies use information about your browsing history to group you with other users who have similar interests. Based on that information, and with our permission, third-party advertisers can place cookies to enable them to show adverts, which we think will be relevant to your interests while you are on third party websites. MindLAB Neuroscience may allow other companies (e.g., ad partners, ad servers and ad networks) to use cookies and other technology to collect information about your browsing activities over time and across different websites when you use our Sites/App/Services. For example, we may use advertising services provided by third-party ad partners (including Google Ads and Microsoft Advertising) to market our services to you on other websites and to determine what advertisements you click on. Through a process called “retargeting,” each service may place cookies on your browser when you visit our Site/App/Services so they can identify you and serve you ads on other sites around the web based on your browsing activity.

Disabling cookies

You can typically remove or reject cookies via your browser settings. To do this, follow the instructions provided by your browser (usually located within the “settings,” “help,” “tools,” or “edit” facility). Many browsers are set to accept cookies until you change your settings. Further information about cookies, including how to see what cookies have been set on your computer or mobile device and how to manage and delete them, visit allaboutcookies.org. If you do not accept our cookies, you may experience some inconvenience in your use of our Sites/Apps/Services. For example, we may not be able to recognize your computer or mobile device, and you may need to log in every time you visit our Sites/Apps/Services.

Industry opt-outs for advertising cookies

In addition to your browser controls, you may opt out of personalized advertising at the following industry-wide opt-out portals:

• Microsoft Ads Settings: https://account.microsoft.com/privacy/ad-settings
• Google Ads Settings: https://adssettings.google.com
• Digital Advertising Alliance (DAA): https://optout.aboutads.info/
• Network Advertising Initiative (NAI): https://optout.networkadvertising.org/
• European Interactive Digital Advertising Alliance (EDAA, for EEA users): https://www.youronlinechoices.eu/

PIXEL TAGS

We may also use pixel tags (which are also known as web beacons and clear GIFs) on our Sites/Apps/Services to track the actions of users on our Sites/Apps/Services. Unlike cookies, which are stored on the hard drive of your computer or mobile device by a website, pixel tags are embedded invisibly on webpages. Pixel tags measure the success of our marketing campaigns and compile statistics about usage of the Sites/Apps/Services so that we can manage our content more effectively. The information we collect using pixel tags may be combined with cookie-collected data to support advertising performance measurement and conversion attribution as described in the Advertising Platform Disclosures section below.

DO NOT TRACK AND GLOBAL PRIVACY CONTROL SIGNALS

Some Internet browsers may be configured to send “Do Not Track” (DNT) signals to the online services that you visit. We currently do not respond to DNT signals because there is no consistent industry standard for how DNT signals should be interpreted. To find out more about “Do Not Track,” please visit allaboutdnt.com.

Where the law applicable to you (such as the California Privacy Rights Act / CPRA) recognizes Global Privacy Control (GPC) as a valid opt-out mechanism and your browser sends a GPC signal (via the Sec-GPC HTTP header or globalPrivacyControl JavaScript property), we will treat that signal as a request to opt out of the sale or sharing of personal information for cross-context behavioral advertising purposes for that browser session and device.

USING YOUR PERSONAL DATA

We may use your personal data as follows:

• to operate, maintain, and improve our Sites/Apps/Services, products, and services;
• to respond to your comments and questions and to provide customer service;
• to send information including technical notices, updates, security alerts, and support and administrative messages;
• with your consent, to send you marketing emails about upcoming promotions, and other news, including information about products and services offered by us and our affiliates. You may opt-out of receiving such information at any time: such marketing emails tell you how to “opt-out.” Please note, even if you opt-out of receiving marketing emails, we may still send you non-marketing emails. Non-marketing emails include emails about your account with us (if you have one) and our business dealings with you;
• as we believe necessary or appropriate (a) to comply with applicable laws; (b) to comply with lawful requests and legal process, including to respond to requests from public and government authorities; (c) to enforce our Policy; and (d) to protect our rights, privacy, safety or property, or that of you or others; and
• as described in the “Sharing of your Personal Data” and “Advertising Platform Disclosures” sections below.

Health-data and Sensitive-data targeting commitment. Although our Services are not regulated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), all uses and disclosures of your data will comply with other applicable health information privacy and security laws and regulations. We do NOT use your intake information, medical history, mental-health-related disclosures, or any other Sensitive Personal Data (as defined under applicable Data Privacy Laws or the Microsoft Advertising Agreement) for advertising-platform targeting, retargeting, or audience-building purposes on Google Ads, Microsoft Advertising (Bing), or any other advertising network. Aggregated, non-identifying analytics may be used to measure overall site performance.

SHARING YOUR PERSONAL DATA

We may share your data as follows:

Third Parties Designated by You. We may share your data with third parties where you have provided your consent to do so.

Our Third-Party Service Providers. We may share your data with our third-party service providers who provide services such as data analysis, payment processing, information technology, and related infrastructure provision, customer service, email delivery, auditing, and other similar services. These third parties are only permitted to use your data to the extent necessary to enable them to provide their services to us. They are required to follow our express instructions and to comply with appropriate security measures to protect your data.

Third-Party Advertisers. We may share your data with our third-party ad partners — including Google (for Google Ads, Google Analytics 4, and Google Ads Customer Match if used) and Microsoft (for Microsoft Advertising / Bing UET, Microsoft Clarity, and the Microsoft Advertising Customer/Company Data feature if used) — so that we can determine what advertisements may be of interest to you and measure the effectiveness of our advertising. For example, we may share your name and email address with our third-party ad partners, so that they can match your information to information they may have collected from you on their or other websites, to identify the advertisement(s) you clicked on. The full list of advertising platforms in active use, the categories of data shared with each, and links to each platform’s privacy statement and opt-out portal are detailed in the Advertising Platform Disclosures section below.

Affiliates. We may share some or all of your data with our affiliates, in which case we will require our affiliates to comply with this Policy. In particular, we may share data with our affiliates as part of the management and administrative services that MindLAB Neuroscience, LLC provides to its affiliates that provide services to you. You also may let us share personal data with our affiliates where you wish to receive marketing communications from them.

Corporate Restructuring. We may share personal data when we do a business deal, or negotiate a business deal, involving the sale or transfer of all or a part of our business or assets. These deals can include any merger, financing, acquisition, or bankruptcy transaction or proceeding.

Other Disclosures. We may share personal data as we believe necessary or appropriate: (a) to comply with applicable laws; (b) to comply with lawful requests and legal process, including to respond to requests from public and government authorities to meet national security or law enforcement requirements; (c) to enforce our Policy; and (d) to protect our rights, privacy, safety or property, or that of you or others.

ANONYMOUS DATA

When we use the term “anonymous data,” we are referring to data and information that does not permit you to be identified or identifiable, either alone or when combined with any other information available to a third party. We may create anonymous data from the personal data we receive about you and other individuals whose personal data we collect. Anonymous data might include analytics information and information collected by us using cookies. We make personal data into anonymous data by excluding information (such as your name) that makes the data personally identifiable to you. We use this anonymous data to analyze usage patterns to make improvements to our Sites/Apps/Services.

USER GENERATED CONTENT

If you provide feedback to us, we may use and disclose such feedback on our Sites/Apps/Services, provided we do not associate such feedback with your data. If you have provided your consent to do so, we may post your first and last name along with your feedback on our Sites/Apps/Services. We will collect any information contained in such feedback and will treat the personal data in it in accordance with this Policy.

We have no control over, and no liability for, any third-party websites or materials, including social networking websites, or apps. We make no guarantees about the accuracy, currency, content, or quality of the information or services provided by any sites linked on our Site or an App, and we assume no responsibility for unintended, objectionable, inaccurate, misleading, or unlawful content that may reside on those sites. When linking to a third-party website, you should read the privacy policy stated on that website. Links to third-party websites do not imply our endorsement of such Site or such Site’s products or services.

INTERNATIONAL DATA TRANSFER

Your information, including personal data that we collect from you, may be transferred to, stored at and processed by us and our affiliates and other third parties outside the country in which you reside, including, but not limited to the United States, where data protection and privacy regulations may not offer the same level of protection as in other parts of the world. By using our Site/Application(s)/Services, you agree to this transfer, storing or processing. We will take reasonable steps designed to ensure that your data is treated securely and in accordance with this Policy.

Consent gating for EEA, UK, and Switzerland visitors

Where required by applicable law (including the EU General Data Protection Regulation (Regulation (EU) 2016/679), the ePrivacy Directive (Directive 2002/58/EC), the UK Data Protection Act 2018, and equivalent laws in any relevant jurisdiction), we will request your consent before activating advertising-platform tracking technologies (including the Microsoft Universal Event Tracking tag and Google Ads conversion tags) and before disclosing any personal data to those advertising platforms. You may grant or withdraw consent at any time via the cookie banner controls on the Site or by contacting us using the details in Section 17.

SECURITY

We seek to use reasonable organizational, technical and administrative measures to protect personal data within our organization. Unfortunately, no transmission or storage system can be guaranteed to be completely secure, and transmission of information via the internet is not completely secure. You agree and stipulate that use of the Site and Apps is at your own risk and you will not hold us responsible for any breach of security that is not solely caused by our negligence. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of any account you might have with us has been compromised), please immediately notify us of the problem by contacting us using the details in Section 17 below.

RETENTION

We will only retain your data as long reasonably required for you to use the Sites or to provide you with the Services unless a more extended retention period is required or permitted by law (for example, for regulatory purposes).

SENSITIVE PERSONAL DATA

If you send or disclose any sensitive personal data to us when you submit user-generated content to our Sites/Apps/Services, you consent to our processing and use of such sensitive personal data in accordance with this Policy. If you do not agree to our processing and use of such sensitive personal data, you must not submit such user-generated content to our Sites/Apps/Services.

Per the Microsoft Advertising Agreement and Google Ads policies, we do NOT use Sensitive Personal Data (including health, mental status, intake/medical-history disclosures, and any other categories defined as Sensitive Personal Data under applicable Data Privacy Laws) for advertising-platform targeting, retargeting, or audience-building.

CHILDREN’S PRIVACY

We do not knowingly solicit or collect personal information from, nor do the Sites/Apps provide content for children under the age of 18. If we are made aware that we are in possession of information from a child under 18, we will delete it. If you believe that we are in possession of any such information, please contact us through the means discussed in Section 17.

YOUR RIGHTS

Opt-out. You may contact us anytime to opt-out of (i) direct marketing communications; (ii) automated decision-making or profiling; (iii) our collection of sensitive personal data; (iv) any new processing of your data that we may carry out beyond the original purpose; and (v) personalized advertising via Google Ads, Microsoft Advertising, or any other advertising network we engage. Please note that your use of some of the Sites/Apps/Services may be ineffective upon opt-out.

Access. You may access the information we hold about you at any time via your profile/account or by contacting us directly.

Amend. You can also contact us to update or correct any inaccuracies in your data.

Move. Your data is portable — i.e., you have the flexibility to move your data to other service providers as you wish.

Erase and forget. In certain situations, for example, when the information we hold about you is no longer relevant or is incorrect, you can request that we erase your data.

If you wish to exercise any of these rights, please contact us using the details in Section 17 below. In your request, please make clear: (i) what personal data is concerned; and (ii) which of the above rights you would like to enforce. For your protection, we may only implement requests concerning the personal data associated with the particular email address that you use to send us your request, and we may need to verify your identity before implementing your request. We will try to comply with your request as soon as reasonably practicable and in any event within one month of your request. Please note that we may need to retain certain information for record keeping purposes or to complete any transactions that you began before requesting such change or deletion.

Your California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) gives you the following rights:

• Right to know what personal information we collect about you, the categories of sources, the business or commercial purposes, and the categories of third parties with whom we share it.
• Right to delete personal information we have collected about you, subject to certain exceptions.
• Right to correct inaccurate personal information.
• Right to opt-out of the sale or sharing of your personal information. “Sharing” under the CPRA includes cross-context behavioral advertising. To exercise this right, you may (a) submit a request via the “Do Not Sell or Share My Personal Information” link in the footer of our Site, (b) configure your browser to send a Global Privacy Control (GPC) signal which we will honor where required by applicable law, or (c) contact us using the details in Section 17.
• Right to limit the use and disclosure of Sensitive Personal Information (which we already commit not to use for advertising-platform targeting per the section above).
• Right to non-discrimination for exercising any of these rights.

We will not require you to create an account to submit a CCPA/CPRA request, and we do not discriminate against you for exercising your rights.

ADVERTISING PLATFORM DISCLOSURES

To support our marketing operations, we use the following advertising and analytics platforms. For each platform, we describe the data collected, the purpose, the platform’s privacy statement, and how you can opt out.

Google (Google Ads + Google Analytics 4)

• Data collected and shared: device identifiers, IP address, page-view events, conversion events (form submissions, scheduling actions, outbound clicks), referrer information, and (if you provide it) hashed email addresses for Customer Match audiences.
• Purpose: advertising performance measurement, audience optimization, and (where applicable) cross-device attribution.
• Privacy statement: https://policies.google.com/privacy
• Opt-out: https://adssettings.google.com (Google Ads personalization controls); https://tools.google.com/dlpage/gaoptout (Google Analytics opt-out browser add-on)

Microsoft (Microsoft Advertising / Bing + Microsoft Clarity)

• Data collected and shared: device identifiers, IP address, page-view events, conversion events captured via the Universal Event Tracking (UET) tag, behavioral metrics, heatmaps, and session-replay data captured via Microsoft Clarity, and (if you provide it) hashed email addresses for Microsoft Advertising’s Company Data / Customer Match feature if we elect to use it.
• Purpose: advertising performance measurement, audience optimization, retargeting, conversion attribution, and behavioral analytics for site improvement.
• Privacy statement: https://privacy.microsoft.com/en-us/privacystatement
• Opt-out: https://account.microsoft.com/privacy/ad-settings (Microsoft Ads Settings)

As Microsoft Advertising Agreement Section 9.a requires: Microsoft collects or receives Personal Data from users or from MindLAB (the advertiser) to provide Microsoft Advertising. The Universal Event Tracking (UET) feature is documented at https://help.ads.microsoft.com/apex/index/3/en-us/53056. Per our commitment in the “Sensitive Personal Data” section above, we do NOT share intake/medical-history or other Sensitive Personal Data with Microsoft for advertising-platform purposes.

Industry-wide opt-outs (apply to most advertising networks)

• Digital Advertising Alliance (DAA): https://optout.aboutads.info/
• Network Advertising Initiative (NAI): https://optout.networkadvertising.org/
• European Interactive Digital Advertising Alliance (EDAA, for EEA visitors): https://www.youronlinechoices.eu/

Consent gating (EEA / UK / Switzerland)

For visitors from the European Economic Area, the United Kingdom, or Switzerland, advertising-platform tracking is subject to consent as required by applicable law. See “Consent gating for EEA, UK, and Switzerland visitors” above.

COMPLAINTS

We are committed to resolve any complaints about our collection or use of your data. If you would like to make a complaint regarding this Policy or our practices concerning your data, please contact us using the details in Section 17 below. We will reply to your complaint as soon as we can and in any event, within 45 days. We hope to resolve any complaint brought to our attention; however, if you feel that your complaint has not been adequately resolved, you reserve the right to contact your local data protection supervisory authority.

SECTION 17 — CONTACT

For all data-protection inquiries, complaint submissions, or rights requests, please contact us at: legal@mindlabneuroscience.com