Privacy Policy for MindResets

Privacy Policy
[Image: a padlock marked "UK GDPR 2026 COMPLIANT" on a shield, with Arthur's Seat in Edinburgh blurred in the background]

Privacy Policy: The Convergence of Behavioral Intervention and Data Stewardship

The emergence of sophisticated mobile applications in the mental health sector has necessitated a rigorous re-evaluation of privacy frameworks and data protection strategies. Platforms such as MindResets, operated by Mind Help LTD, represent a significant advancement in behavioral technology, utilizing the Split-second Unlearning (SSU) model to address emotional memories and trauma.

However, the efficacy of these digital interventions is fundamentally dependent on the integrity of the data processing mechanisms and the transparency of the privacy communications provided to the user. As the digital health industry moves into 2025 and 2026, the regulatory requirements in the United Kingdom are undergoing a transformative shift, driven by the implementation of the Data (Use and Access) Act 2025 (DUAA) and the evolving oversight of the Information Commissioner’s Office (ICO).

The therapeutic model employed by MindResets involves complex interactions between the user and the mobile device, including the use of eye-tracking technology to interrupt subconscious connections. This technological implementation creates a unique data footprint that must be managed within the strictures of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The sensitivity of mental health data, classified as special category data, demands a higher standard of care than typical consumer applications. This report provides an exhaustive analysis of the privacy considerations for MindResets, integrating the required statutory disclosures with a deep examination of technical and regulatory compliance.

Technical Architecture of MindResets and Privacy Implications

The MindResets platform is designed to facilitate mental wellness in as little as two minutes per day. The application targets conditions such as stress, anxiety, trauma, and depression through a unique therapeutic approach that combines behavioral change work with advanced mobile hardware capabilities. Understanding the technical flow of information is essential for establishing a compliant privacy architecture.

The Split-Second Unlearning (SSU) Model and Data Flow

The SSU model, developed over 25 years, relies on interrupting the neurological connection between the mind and emotional memories. Within the application this is achieved through eye-tracking. The privacy-preserving feature of this design is local execution: the front-facing camera tracks eye movements, and the resulting video or image data is processed entirely on the user's device and is never transmitted to external servers. This "edge processing" strategy is a cornerstone of privacy-by-design because it removes the risk that comes with centralized storage of biometric or facial data. It does not remove every risk: the camera permission, any frames or derived metrics cached on the device, and any third-party SDKs bundled into the app still belong in the data-flow map and should be covered by the platform's periodic audits.

| Technical Feature | Mechanism | Data Privacy Status | Regulatory Relevance |
| Eye-Tracking | Front-facing camera interface | Local processing; no server transmission | Data minimization (Article 5(1)(c)) |
| SSU Algorithm | Behavioral interruption logic | Executed on-device | Technical security measures (Article 32) |
| Passive Collection | Cookies and IP tracking | Collected for security and functionality | PECR compliance |
| Billing Interface | Third-party payment processing | Transactional data only; no health data linked | PCI DSS and UK GDPR |

Despite the local processing of therapeutic data, the application still engages in “Passive Data Collection,” which includes IP addresses, location information, and browser data. This information is utilized for security purposes, such as preventing fraudulent activity and ensuring site functionality. The tension between the platform’s “Privacy-focused” marketing and the actual technical necessity of data collection requires a clear and comprehensive disclosure in the privacy policy to avoid “uninformed choice” among users.

The Regulatory Framework: UK GDPR and the Data (Use and Access) Act 2025

Mind Help LTD, as a private limited company incorporated in the United Kingdom, must navigate a dual-layer regulatory environment. The UK GDPR remains the primary baseline, but the DUAA 2025 introduces significant refinements intended to promote innovation and economic growth while maintaining high privacy standards.

The Data (Use and Access) Act 2025: Key Changes

The DUAA 2025 modifies the UK GDPR in several critical areas that affect mental health platforms. One of the most impactful changes is the introduction of "recognised legitimate interests". This new lawful basis allows organizations to process data for specific listed purposes, including crime prevention and detection, safeguarding vulnerable individuals, national security and responding to emergencies, without the need for the traditional three-part balancing test. For a platform like MindResets, this could facilitate more streamlined safeguarding procedures when user interactions indicate a risk of self-harm or public danger. It is an Article 6 basis only: where the disclosure involves special category data such as mental health information, an Article 9 condition is still required on top of it.

Furthermore, the Act relaxes the restrictions on automated decision-making (ADM) for non-sensitive data. However, because MindResets handles mental health information, any ADM that results in a significant effect on the user still requires high levels of human intervention and transparent safeguarding. The Act also codifies the “reasonable and proportionate” standard for responding to Subject Access Requests (DSARs), reducing the administrative burden on small organizations like Mind Help LTD.

Transparency and the Right to be Informed

Under Articles 13 and 14 of the UK GDPR, and reinforced by the DUAA, the right to be informed is a mandatory transparency requirement. This requires the platform to provide information that is concise, transparent, intelligible, and easily accessible. The ICO has highlighted four key concerns for 2025: deceptive choice, uninformed choice, undermined choice, and irrevocable choice. To address these, the MindResets privacy policy must clearly articulate not only what data is collected but why it is necessary and how the user can exercise control.

Privacy Policy

This privacy policy describes how MindResets collects and uses the personal data that we receive about you, as well as your privacy rights in relation to that personal data, when you visit our website or use the service through our mobile application. At MindResets, we are committed to compliance with the UK GDPR, the Data Protection Act 2018, and the Data (Use and Access) Act 2025. This policy describes our commitment to protect your personal information and to ensure data protection across all our operations.

We use your personal data to provide and improve the service. By accessing or using the service, you agree to the collection and use of information in accordance with this privacy policy. If you do not agree with the terms set out in this privacy policy, you should immediately cease use of the service.

Information We Collect

While using our service, we may collect certain personal information that can be used to contact or identify you. The information we collect is categorized according to how you interact with the platform.

Personal Data

When you create an account or register for our services, we may ask you to provide certain personal data, including your name and email address. This personal information is necessary for the purposes set out in this policy and allows us to provide a personalized experience. We may also collect personal information when you register voluntarily or when you contact us for support.

Usage Data

We collect certain information automatically when you browse our website or access the service. This usage data may include your internet protocol (IP) address, browser type and version, browser settings, operating system, mobile device and operating system details, and the pages of our service that you visit. This data is collected to ensure the technical stability of the application and to improve the service.

Cookies

We use cookies and similar technologies, such as web beacons and other tracking technologies, to track activity on our service and collect information. A cookie is a small file placed on your device. You can instruct your browser to accept cookies or to refuse all cookies through your browser settings. However, if you do not accept cookies, you may not be able to use some parts of our service. We only use beacons and similar technologies for legitimate purposes, such as analyzing usage data and maintaining the security of the service.

Use of Your Information

We use the information we collect for several purposes:

  • To provide and maintain the service, including monitoring usage data.
  • To manage your user account and provide access to specific functionalities.
  • For the performance of a contract, such as the processing of purchases.
  • To contact you: we may use your personal data to send you notifications about updates or other service-related communications.
  • For data analysis and to aggregate statistics to improve the service.

Sharing Your Information

We may share your information in limited circumstances:

  • With third-party service providers to monitor and analyze the use of our service.
  • In the event of a merger, acquisition, or asset sale, your personal information may be transferred. We will notify you before your personal data is transferred and becomes subject to a different privacy policy.
  • To comply with the law and protect rights: we may disclose your personal information where necessary to comply with a legal obligation or to respond to valid requests by public authorities.

Third-Party Links

Our service may contain links to other websites that are not operated by us. If you click on a third-party link, you will be directed to that third party's site. We strongly advise you to review the privacy policy of every site you visit. We have no control over, and assume no responsibility for, the content or privacy practices of any third-party sites or services.

Data Retention

We will retain your personal data only for the period reasonably necessary for the purposes set out in this privacy policy. We will retain and use your personal data to the extent necessary to comply with our legal obligations. Information that is kept for legitimate business purposes or to comply with the law will be stored securely for as long as it is needed.

Your Rights

You have the right to access, update, or request deletion of your personal data. You may also object to the processing of your personal information or request that we restrict the processing. To exercise your privacy rights, please contact us. We will respond to all valid requests in accordance with the law.

Security

We implement technical and organizational measures to protect your personal data. However, please remember that no method of transmission over the internet is 100% secure. We strive to use commercially acceptable means to protect your information, but we cannot guarantee its absolute security.

Changes to This Privacy Policy

We may update our privacy policy from time to time. We will notify you of any changes by posting the updated policy on this page and revising the date at the top of it. You are advised to review this privacy policy from time to time for any changes.

Special Category Data and Mental Health Considerations

As a health-focused application, MindResets inherently processes data that may reveal insights into a user's mental state. This is categorized as "Special Category Data" under Article 9 of the UK GDPR. The processing of such data is prohibited unless, in addition to an Article 6 lawful basis, one of the conditions in Article 9(2) is met; for a consumer wellness app the most common is the explicit consent of the data subject (Article 9(2)(a)). For MindResets, this consent is obtained at the point of interaction, where users are informed that their engagement with targeted programs (e.g., Trauma, Anxiety, Depression) involves the processing of sensitive information to facilitate the SSU model.

Lawful Basis for Processing

The determination of a lawful basis is a central pillar of the accountability principle. Mind Help LTD relies on several bases depending on the nature of the data:

  1. Consent: Applied for eye-tracking metrics and participation in mental wellness programs.
  2. Contractual Necessity: Required for managing user accounts and processing billing for premium features.
  3. Legitimate Interests: Used for improving application performance and security, where such interests are not overridden by the user's fundamental rights.
  4. Legal Obligation: Necessary for financial reporting and compliance with warrants or court orders.

| Data Type | Purpose | Lawful Basis | Sensitive? |
| Eye-tracking output | SSU therapeutic effect | Explicit consent (Art. 9(2)(a)) | Yes |
| Email address | Account management | Contractual necessity | No |
| Billing information | Premium subscription | Contractual necessity | No (financial) |
| IP address | Anti-fraud / security | Legitimate interests | No (online identifier) |
| Anonymous usage | Service optimization | Legitimate interests | No |

Data Minimization and Storage Limitation

The principle of data minimization requires that an organization only collects the information necessary for its specific purposes. MindResets practices this by not requiring a login or personal information for basic use. When data is collected, it is subject to strict “Storage Limitation” protocols.

Retention Standards in Mental Health

In the UK, therapeutic records are often subject to professional standards that mandate retention for specific periods. Commonly cited figures are that records of minors are retained until the individual reaches the age of 25, while adult records are kept for six to seven years post-discharge to protect against legal claims. While MindResets is a wellness app and not a formal clinical practice, adhering to these standards where applicable enhances its "Accountability" and protects both the company and the user in the event of future disputes.

The DUAA 2025 clarifies the retention of information in connection with the death of a child, introducing specific requirements for internet service providers. This reflects a broader trend toward “Children’s Higher Protection Matters,” requiring platforms to be more diligent in how they manage the data of younger users.

Subject Access Requests and the Right to Erasure

The "Right of Access" allows individuals to obtain a copy of their personal data and understand how it is being used. The DUAA 2025 has refined this by codifying that organizations only need to conduct "reasonable and proportionate" searches. This is particularly relevant for MindResets, as the data generated by the eye-tracking SSU model is transient and processed locally. A user requesting their "eye-tracking data" would be informed that such raw data is never stored on the platform's servers, which satisfies the request while emphasizing the platform's privacy-preserving architecture. Any account-linked records that are retained server-side (for example programme history, if stored) remain within the scope of the request and must be disclosed.

The “Right to Erasure” (Right to be Forgotten) is also fundamental. When a user deletes their account, MindResets must ensure that all identifiable data is removed or anonymized. Anonymization must be robust enough that the data can no longer be linked to a natural person, even with the addition of external datasets.

The Role of the ICO and Compliance Fees

Every organization in the UK that processes personal data as a controller is required to pay a data protection fee to the ICO unless they are exempt. Mind Help LTD is registered with the ICO, reflecting its commitment to regulatory oversight.

ICO Fee Tiers

The fee tier for an organization depends on its size and turnover. For a company like Mind Help LTD, which operates as a small enterprise, the fee is generally £40 or £60 annually, with a £5 reduction for payment by direct debit. Failure to pay this fee can result in a fine of up to £4,000. The figures below are those in force when this page was written; the ICO periodically revises them, so the current amount should be confirmed with the ICO's fee self-assessment tool.

| Tier | Organization Profile | Annual Fee (Direct Debit) |
| Tier 1 | Turnover ≤ £632,000 or ≤ 10 staff | £35 |
| Tier 2 | Turnover ≤ £36m or ≤ 250 staff | £55 |
| Tier 3 | Turnover > £36m and > 250 staff | £2,895 |

Registration is a matter of public record, and the ICO publishes a register of all data controllers who have paid the fee. This transparency is intended to build public trust in the digital economy.

International Data Transfers and the US-UK Bridge

MindResets may utilize cloud infrastructure or third-party service providers located outside the UK, specifically in the United States. Under the UK GDPR, transfers of personal data to a “third country” are restricted unless adequate protections are in place.

The DUAA 2025 introduces a "data protection test", which moves away from the requirement for "essential equivalence" and instead allows transfers if the level of protection in the destination is "not materially lower" than that in the UK. This provides a more flexible pathway for health-tech startups to leverage global infrastructure while maintaining safety standards. MindResets ensures compliance by using the UK forms of the Standard Contractual Clauses (the ICO's International Data Transfer Agreement or the UK Addendum to the EU SCCs) or, for US providers certified under it, the UK Extension to the EU-US Data Privacy Framework (the "UK-US data bridge"), where applicable.

Security and Technical-Organizational Measures

Security is not merely a technical requirement but a core principle of data protection. Article 32 of the UK GDPR requires controllers to implement “appropriate technical and organisational measures” to ensure a level of security appropriate to the risk.

Measures Implemented by MindResets

The application employs several layers of security to protect user information:

  1. Encryption: Sensitive data is encrypted both at rest and in transit.
  2. Access Controls: Role-based access ensures that only authorized personnel can access user data, and only when necessary for service delivery.
  3. Local Processing: By keeping eye-tracking video data on the device, the platform eliminates the largest potential vector for a sensitive data breach.
  4. Regular Audits: The platform periodically reviews its data handling practices to identify and mitigate new security risks.

Despite these measures, the platform acknowledges that “absolute security” is unattainable in the digital realm. This realistic disclosure is required under the transparency principle to manage user expectations and maintain trust.

Children’s Higher Protection Matters and Age Assurance

The ICO has placed a significant emphasis on “Age Appropriate Design” for online services likely to be accessed by children. MindResets, by offering an “Exam Anxiety” program, may attract users under the age of 18.

Implementing the Children’s Code

Under the DUAA 2025, the “children’s higher protection matters” duty requires MindResets to:

  • Understand that children merit specific protection as they may be less aware of the risks of data processing.
  • Design services to be age-appropriate, considering different needs at different developmental stages.
  • Ensure that default settings are high-privacy for child users.

In the UK, the age of digital consent is 13. If the platform knowingly collects data from a child under 13, it must obtain parental or guardian consent and use “reasonable efforts” to verify that the person giving consent holds parental responsibility.

Online Tracking and the ICO 2025 Strategy

The ICO’s 2025 strategy for online tracking focuses on ensuring that users have “meaningful control” over how they are tracked online. This includes a crackdown on “Consent or Pay” models and the use of cookies for personalized advertising without explicit, informed consent.

MindResets must ensure that its cookie consent mechanism is not deceptive. The "Reject All" option must be as prominent and easy to access as the "Accept All" option. The DUAA 2025 offers some relief for "low-risk" cookies, such as those used for first-party analytics or security, which may no longer require prior consent provided the user is told about them and can opt out. However, for a mental health platform the bar for treating tracking as "low-risk" is higher, because even analytics events can reveal which programs (Trauma, Anxiety, Depression) a user engages with, and the safest approach remains obtaining clear consent for any non-essential tracking.

Complaints and Redress Mechanisms

The DUAA 2025 creates a statutory right for individuals to raise data privacy-related complaints directly with organizations. Organizations are now required to facilitate a formal complaints mechanism, acknowledge receipt within 30 days, and investigate without undue delay.

If a user is unsatisfied with the company’s response, they have the right to lodge a complaint with the ICO. This tiered approach to redress ensures that minor issues can be resolved quickly at the organizational level, while serious or systemic breaches are escalated to the national regulator.

The Future of Digital Wellness and Privacy Compliance

As we look toward 2026, the intersection of AI and mental health will likely present new privacy challenges. The DUAA 2025 has already begun to pave the way for a more streamlined regulatory approach to AI and automated decision-making, but the underlying principles of fairness, transparency, and accountability remain unchanged.

For MindResets, maintaining a competitive edge in the health-tech market requires a proactive approach to privacy engineering. This involves not only meeting the current legal requirements but anticipating future trends in data protection and user expectations. By prioritizing edge processing, robust encryption, and transparent communication, Mind Help LTD can ensure that MindResets remains a trusted tool for mental wellness in an increasingly data-conscious world.

Conclusion

The analysis of MindResets within the context of the UK’s evolving privacy laws reveals a platform that has successfully integrated privacy-by-design into its core therapeutic offering. The use of the SSU model and eye-tracking technology, while complex from a data processing perspective, is mitigated by the strategic decision to process sensitive behavioral data locally on the user’s device. This significantly lowers the platform’s risk profile under the UK GDPR and the Data (Use and Access) Act 2025.

However, the requirement for transparency remains paramount. The detailed privacy policy, as analyzed in this report, must continue to evolve alongside the platform’s features and the ICO’s regulatory strategies. As the digital mental health sector grows, the organizations that prioritize user privacy and regulatory compliance will be the ones that succeed in building long-term trust and delivering meaningful wellness outcomes. The integration of the DUAA 2025 provides a clearer, more proportionate framework for small businesses like Mind Help LTD to thrive while ensuring that the “Special Category” nature of mental health data is never compromised.

Through continuous auditing, adherence to the principles of data minimization, and a commitment to children’s higher protection matters, MindResets can serve as a benchmark for how behavioral technology can coexist with the highest standards of data stewardship. The ongoing oversight of the ICO, combined with the refined statutory protections of the DUAA, ensures a robust ecosystem where innovation in mental health is supported by an uncompromising commitment to the privacy rights of the individual.

If you have any questions, please visit our Contact Page.
