Updated on March 2nd, 2026

Patient Privacy Notice

Introduction

You are typically a patient of a healthcare provider or healthcare institution completing an intake via Mindoo, in preparation for your appointment with your healthcare provider or institution.

Mindoo collects and processes your personal data on behalf of your healthcare provider or institution. Mindoo acts as a data processor and has entered into a data processing agreement with the healthcare provider or institution for this purpose.

Your healthcare provider or institution acts as the data controller and determines the purpose and means of the processing of your personal data.

For more information about how your personal data is processed by your healthcare provider or institution, we refer you to their applicable privacy notice.

This privacy notice describes how we process your personal data on behalf of your healthcare provider or institution.

Who we are and how to reach us

Name: Mindoo AI BV, a company incorporated under Belgian law, with registered office at Moonsstraat 29 B302, 2018 Antwerpen.
Enterprise number: BE 1018.909.873
Court of jurisdiction: Antwerp, division Antwerp
Contact: dpo@mindoo.ai

What data we process and on what legal basis

Mindoo collects your personal data through a conversational system and uses artificial intelligence to analyse your answers and create a structured summary for your healthcare provider or institution.

This includes, among other things: file reference number, language, voice recordings, health data, medication, current symptoms, medical history, and other information you share with us.

The legal basis for this processing is determined by your healthcare provider or institution.

Why we need this

The purpose of the processing of your personal data is determined by the healthcare institution, but in general Mindoo processes your personal data on behalf of the institution to:

  • enable efficient communication ahead of your consultation;
  • improve the quality of the consultation by collecting structured and relevant information in advance;
  • optimise patient care by helping your healthcare provider or institution better prepare for your appointment; and
  • follow up after a healthcare contact, such as after surgery.

Security & Privacy

Mindoo takes appropriate technical and organizational measures to protect your personal data, including (but not limited to):

  • All personal data is encrypted during transmission and at rest.
  • Data is collected in pseudonymised form - only your healthcare provider or institution can identify you.
  • Data is stored in secure, GDPR-compliant facilities in the European Union.
  • No transfer of personal data outside the European Economic Area.

For more details on our security practices, visit our Trust Center.

Data controller & Recipients of your personal data

We share your personal data with the healthcare institution with which you have an appointment.

Where necessary for the performance of our agreement with the healthcare institution, we may also share your personal data with our employees and service providers (such as hosting providers, IT service providers, or security providers).

Our sub-processors always act under our responsibility. When we engage sub-processors, this is always in accordance with a data processing agreement that meets the requirements of the GDPR. We require all our sub-processors to take appropriate technical and organisational (including security) measures to protect your personal data in accordance with our policies. We do not allow our sub-processors to use your personal data for their own purposes.

Your healthcare provider is the data controller. They have a data processing agreement in place with Mindoo AI (Belgium).

Data retention

Data is stored for the duration determined by the healthcare institution.

For more information, we refer you to the privacy notice of your healthcare institution.

Your rights

Under the General Data Protection Regulation (GDPR), you have several rights, including the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right to object, the right to data portability, and the right to lodge a complaint with the competent supervisory authority.

Since we act as a processor on behalf of your healthcare provider or institution, we cannot directly respond to requests to exercise these rights. When you send us such a request, we will forward it to the relevant healthcare provider or institution, who is responsible for handling and responding to your request.

If you wish to exercise your rights, please contact your healthcare provider or institution directly. You can also reach us at dpo@mindoo.ai and we will ensure your request is forwarded.

You also have the right to lodge a complaint with the Belgian Data Protection Authority:

Gegevensbeschermingsautoriteit (GBA)
Drukpersstraat 35, 1000 Brussels, Belgium
Tel: +32 (0)2 274 48 00
https://www.gegevensbeschermingsautoriteit.be
contact@apd-gba.be

Liability

To the maximum extent permitted by applicable law, we do not accept liability in the following cases:

  • Where we have lawfully shared your personal data with a third party that is not our sub-processor (such as, but not limited to, the healthcare provider or institution), we are not liable for any subsequent unlawful processing or misuse of those personal data by that third party and any direct or indirect damage resulting therefrom.
  • Where third parties unlawfully process or use your personal data and we have taken appropriate technical and organisational measures to prevent such unlawful processing or use to the best of our ability (for example in the case of hacking or other cyberattacks).

In any event, we are only liable for damage caused by failure to comply with our specific obligations under the GDPR. We are in no event liable for special, incidental, indirect, or consequential damages or losses in this regard. To the extent permitted under applicable law, Mindoo's liability is in any event limited to the amount paid out by its insurer for the relevant damage event.

Applicable law and jurisdiction

This privacy notice is governed by, interpreted, and enforced in accordance with Belgian law.

The courts of Antwerp (division Antwerp) have exclusive jurisdiction over any dispute arising from the interpretation or performance of this privacy notice, without prejudice to the right of the consumer to bring a dispute before a competent court on the basis of a mandatory legal provision.

Changes

We may update this notice in response to changes in legislation, technology, or our practices. The most recent version will always be available on our website. Changes will be indicated on our website or the platform and, where required and depending on the significance of the changes, may be communicated to you by email or brought to your attention during your next visit to the website or platform (for example via a pop-up).

Where such changes involve new or significantly modified processing activities, we will inform the data subjects before these changes take effect. Where legally required, these changes will be submitted for approval.

Related documents

  • Privacy Policy — how Mindoo processes data as a controller (website visitors, healthcare professionals, business contacts)
  • Terms of Service — terms for patients and healthcare professionals using Mindoo
