Updated on March 2nd, 2026

Privacy Policy

Privacy Policy – Mindoo AI

Last Update: May 2026

INTRODUCTION – WHO WE ARE AND WHAT THIS POLICY COVERS

Mindoo AI BV ("Mindoo", "we", "us") is a Belgian company that develops and operates AI-based software-as-a-service (SaaS) solutions and related services enabling organisations to deploy conversational AI agents that handle routine administrative and operational tasks.

This Privacy Policy informs you about the conditions under which Mindoo processes personal data and the principles governing the use of its services.

This Privacy Policy covers two distinct situations:

(i) When Mindoo is your data controller — meaning we decide why and how your personal data is processed. This applies to our website, service accounts, business contacts, marketing, and recruitment. This Privacy Policy is your primary reference for those activities.

(ii) When Mindoo acts as a data processor — meaning we process personal data solely on the documented instructions of a client organisation (the data controller) that has subscribed to and deployed our services to interact with its own end users. In that case, the client organisation's privacy notice governs. See Part II.

Throughout this Privacy Policy, terms such as personal data, processing, data controller, data processor, data subject, special categories of data, sub-processor and data processing agreement have the meanings assigned to them under Regulation (EU) 2016/679 on the protection of personal data ("GDPR") and any other applicable data protection legislation.

Mindoo AI is committed to implementing appropriate security measures and to processing personal data in accordance with the GDPR as well as any other applicable data protection laws.

We comply with the GDPR, the Belgian Data Protection Act of 30 July 2018, and the Belgian Electronic Communications Act of 13 June 2005 (for cookies and similar technologies).

Questions? Contact us at dpo@mindoo.ai

Are you a patient or end user who has interacted with a Mindoo agent?
If you have spoken or chatted with a Mindoo agent — for example as part of a scheduling call — your data is processed under the responsibility of the organisation that subscribed to those services (your hospital, clinic, or other service provider), not by Mindoo as an independent controller. The services provided by Mindoo do not perform, and are not intended to perform, any function of medical diagnosis, clinical triage, prognosis, or treatment recommendation. They support administrative and documentation processes only. Please refer to that organisation's privacy notice or contact them directly. If you are unsure who to contact, write to us at dpo@mindoo.ai and we will try to direct your request without delay.


PART I – MINDOO AS A DATA CONTROLLER

This Part applies when Mindoo determines the purposes and means of processing your personal data — in particular for our website, service accounts, business contacts, marketing, and recruitment.

Identity of the Data Controller

For processing activities described in this Part I, Mindoo is the data controller:

  • Registered office: Moonsstraat 29 B302, 2018 Antwerpen, Belgium
  • Enterprise number: BE1018909873
  • Data protection contact: dpo@mindoo.ai

What Data Do We Collect?

In the course of its business activities, Mindoo acts as data controller for the activities described below and processes the following categories of personal data:

Website Visitors

During your visit to the website, Mindoo may collect the following data:

  • Technical data: IP address, browser type and version, operating system, device information, visit duration, pages visited, referrer URL — collected via server logs and security tools.
  • Cookie and similar data: device or browser identifiers, session identifiers, and language preferences necessary for the website to function correctly. See Section 10 for full details on the cookies we use. Strictly necessary and functional cookies are placed automatically as they are essential for the website to operate. No consent is required for these. All other cookies — including analytics cookies that help us understand how visitors use our website, and marketing cookies used to deliver relevant content and measure campaign effectiveness — are placed only if you have given your consent through our cookie banner, displayed on your first visit to the website. If no cookie banner is displayed: no analytics, marketing, or other non-essential cookies are placed, and no corresponding personal data is collected for those purposes. You can review and change your cookie preferences at any time by clicking the cookie settings link available on the website.
  • Contact and demo request data: name, email address, organisation, and message content when you contact us or book a demo.

Professional Users of the Services

If you access Mindoo's SaaS services as a healthcare professional, administrator, or other professional user — through your organisation's subscription or directly — Mindoo processes data relating to your use of the services. Mindoo does not act in a single capacity for all of that data: depending on the category of data and the purpose for which it is processed, Mindoo acts either as a data controller in its own right, or as a data processor on behalf of your organisation.

Mindoo processes the following data for its own purposes — to manage your access to the services, administer the contractual relationship, and ensure the security of the services:

  • Account data: name, professional email address, role or function, and affiliated organisation — used to create and manage your user account.
  • Authentication and access data: login credentials (hashed), user IDs, and access rights and permissions — used to authenticate you and control access to the services.
  • Support data: information provided when contacting Mindoo's support team (descriptions of issues, screenshots, logs, helpdesk communications).
  • Billing data (where you subscribe directly): invoicing details and transaction records.

Business Contacts & Prospects

When an individual interacts with Mindoo in a professional context (events, emails, partners), Mindoo may process the following data:

  • Last name, first name, job title, company, email address, and phone number.
  • Records of communications and meetings.

Where we obtain your contact details from a third party (e.g. a conference organiser or a mutual business partner), we will inform you of the source at or before the first time we contact you, in accordance with Art. 14 GDPR.

Job Applicant Management and Professional References

When an individual applies for a position at Mindoo, the data provided in the application may be processed, including resume, first and last name, contact information, cover letter, or any other information shared by the applicant.

In the context of its recruitment process, Mindoo may contact professional references provided by job applicants. In that case, Mindoo processes the referee's name, professional contact details, and the content of the reference provided.

Anonymized and Aggregated Data

Mindoo may derive anonymized and aggregated insights from the use of the platform for the purpose of improving its services and/or products. Such data shall be processed in a manner that ensures it cannot be attributed, directly or indirectly, to any identified or identifiable natural person, and therefore does not constitute personal data within the meaning of the GDPR.

Human Resources and Staff Data

Mindoo processes personal data relating to its own staff, contractors, and interns (including data relating to recruitment, onboarding, employment or engagement, performance, payroll, benefits, and offboarding) in its capacity as data controller and employer. This processing is not covered by this Privacy Policy. It is governed by Mindoo's internal policies and processes.

Platform Trial and Demo Users

Where Mindoo provides access to its SaaS services on a trial or pilot basis — including through demo environments, proof-of-concept deployments, or limited free-access periods — Mindoo processes the following data in its capacity as data controller:

  • Account and access data: name, professional email address, role or function, and affiliated organisation.
  • Usage data: actions taken within the trial environment, features tested, session duration.
  • Communications: correspondence relating to the trial or pilot, including feedback provided.

The legal basis is Mindoo's legitimate interest in evaluating the fit of its services with prospective clients and improving its commercial offering (Art. 6(1)(f) GDPR), and where applicable pre-contractual measures at the request of the prospective client (Art. 6(1)(b) GDPR).

Important: Any data entered into a trial or demo environment by the prospective client — including any patient or end-user data — is processed by Mindoo as data processor on behalf of that organisation, under a trial-specific DPA or equivalent data protection terms accepted at the point of access. Prospective clients are strongly advised not to use real patient data in trial environments unless appropriate data protection terms are in place.

Event and Webinar Participants

Where Mindoo organises or co-organises events, webinars, product demonstrations, or training sessions — whether in person or online — Mindoo may process the following data about participants in its capacity as data controller:

  • Registration data: name, professional email address, job title, and organisation.
  • Participation data: attendance records, questions submitted, and engagement during the session.
  • Recording data: where sessions are recorded, the recording may capture participants' names, voices, or video images, subject to prior notice and, where required, consent.

The legal basis is Mindoo's legitimate interest in organising and improving its events and in following up with participants (Art. 6(1)(f) GDPR), and consent where recordings are made and shared (Art. 6(1)(a) GDPR). Where events are organised jointly with a partner, that partner may act as a separate data controller for its own follow-up activities.

Suppliers, Partners and Service Providers

In the context of managing its own supplier and partner relationships, Mindoo processes personal data relating to contact persons at its suppliers, sub-processors, technology partners, and other service providers in its capacity as data controller. This may include:

  • Name, job title, professional email address, and phone number.
  • Contractual correspondence and records of interactions.
  • Information necessary for due diligence, compliance checks, or sub-processor assessments.

The legal basis is the performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR) and Mindoo's legitimate interest in managing its supplier and partner relationships and meeting its own compliance obligations (Art. 6(1)(f) GDPR).

Why We Process Your Data and on What Legal Basis?

The tables below cover processing activities for which Mindoo acts as data controller only. Processing carried out by Mindoo as data processor on behalf of client organisations is described in Part II and is governed by the applicable Data Processing Agreement ("DPA").

Website Visitors

| Purpose | Data categories | Legal basis (GDPR) |
|---|---|---|
| Ensuring the website functions correctly and securely | Technical data, session identifiers | Legitimate interest (Art. 6(1)(f)) |
| Understanding how visitors use the website and improving its performance | Technical data, analytics cookie data | Consent (Art. 6(1)(a)) |
| Responding to contact and demo requests | Contact and demo request data | Pre-contractual measures (Art. 6(1)(b)); legitimate interest (Art. 6(1)(f)) |
| Delivering relevant content and measuring marketing campaign effectiveness | Marketing cookie data | Consent (Art. 6(1)(a)) |
| Security monitoring and fraud prevention | Technical data, server logs | Legitimate interest (Art. 6(1)(f)) |

Professional Users of the Services

| Purpose | Data categories | Legal basis (GDPR) | Capacity |
|---|---|---|---|
| Creating and managing user accounts | Account data, authentication and access data | Performance of contract (Art. 6(1)(b)) | Controller |
| Authenticating users and controlling access to the services | Authentication and access data | Performance of contract (Art. 6(1)(b)); legitimate interest (Art. 6(1)(f)) | Controller |
| Invoicing and financial record-keeping (direct subscribers) | Billing data | Performance of contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) | Controller |
| Providing technical support to users | Support data | Performance of contract (Art. 6(1)(b)); legitimate interest (Art. 6(1)(f)) | Controller / Processor* |
| Monitoring usage, ensuring service security and performance | Usage and activity data, audit logs | Performance of contract (Art. 6(1)(b)); legitimate interest (Art. 6(1)(f)) | Controller / Processor* |
| Sending essential service notifications and product updates | Account data | Performance of contract (Art. 6(1)(b)) | Controller |

*As explained above, usage and activity data and support communications are processed by Mindoo both in its own right (for security and service management purposes) and as data processor on behalf of the client organisation (for audit, traceability, and service delivery purposes). The applicable DPA governs the processor dimension of this processing.

Business Contacts and Prospects

| Purpose | Data categories | Legal basis (GDPR) |
|---|---|---|
| Managing business relationships and following up on interactions | Name, job title, company, email, phone, communication records | Legitimate interest (Art. 6(1)(f)) |
| Commercial follow-up and business development | Name, job title, company, email, phone | Legitimate interest (Art. 6(1)(f)) |
| Sending marketing communications (newsletters, product updates) | Contact data, marketing preferences | Consent (Art. 6(1)(a)); legitimate interest for B2B communications where permitted (Art. 6(1)(f)) |
| Informing contacts of the source of their data where obtained from a third party | Contact data | Legal obligation (Art. 6(1)(c)); legitimate interest (Art. 6(1)(f)), in accordance with Art. 14 GDPR |

Recruitment and Professional References

| Purpose | Data categories | Legal basis (GDPR) |
|---|---|---|
| Receiving and processing job applications | Name, contact details, CV, cover letter, application correspondence | Pre-contractual measures (Art. 6(1)(b)); legitimate interest (Art. 6(1)(f)) |
| Assessing candidates and conducting interviews | Application data, interview notes, assessment records | Pre-contractual measures (Art. 6(1)(b)); legitimate interest (Art. 6(1)(f)) |
| Verifying the professional background of candidates via references | Referee name, contact details, content of reference | Legitimate interest (Art. 6(1)(f)) |
| Retaining applications for future opportunities (beyond current process) | Application data | Consent (Art. 6(1)(a)) |
| Complying with employment-related legal obligations | Any relevant data | Legal obligation (Art. 6(1)(c)) |

Trial and Demo Users

| Purpose | Data categories | Legal basis (GDPR) |
|---|---|---|
| Providing access to trial or demo environments | Account and access data | Pre-contractual measures (Art. 6(1)(b)); legitimate interest (Art. 6(1)(f)) |
| Evaluating fit of services with prospective clients and improving commercial offering | Usage data, communications, feedback | Legitimate interest (Art. 6(1)(f)) |
| Following up on trial outcomes and converting to subscription | Account data, communications | Legitimate interest (Art. 6(1)(f)) or Consent (Art. 6(1)(a)) where relevant |

Any personal data entered into a trial or demo environment by the prospective client is processed by Mindoo as data processor on behalf of that organisation, under trial-specific data protection terms. This processing is not covered by this table.

Event and Webinar Participants

| Purpose | Data categories | Legal basis (GDPR) |
|---|---|---|
| Organising and managing events, webinars, and training sessions | Registration data (name, email, job title, organisation) | Legitimate interest (Art. 6(1)(f)) unless provided for otherwise in the forms |
| Tracking attendance and engagement for event improvement | Participation data (attendance records, questions submitted) | Legitimate interest (Art. 6(1)(f)) |
| Recording and sharing sessions | Recording data (names, voices, video images) | Consent (Art. 6(1)(a)) |
| Following up with participants after events | Registration data, participation data | Legitimate interest (Art. 6(1)(f)) |
| Sending marketing communications following events | Contact data | Consent (Art. 6(1)(a)); legitimate interest for B2B communications where permitted (Art. 6(1)(f)) |

Suppliers, Partners, and Service Providers

| Purpose | Data categories | Legal basis (GDPR) |
|---|---|---|
| Managing contractual relationships with suppliers and partners | Name, job title, email, phone, contractual correspondence | Performance of contract or pre-contractual measures (Art. 6(1)(b)) |
| Conducting due diligence and compliance checks (including sub-processor assessments) | Name, role, compliance information | Legitimate interest (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)) |
| Managing interactions and maintaining records of communications | Communication records | Legitimate interest (Art. 6(1)(f)) |

All Processing Activities — General Remarks

Legal obligations. In addition to the purposes listed above, Mindoo may process personal data where required to comply with a legal obligation under Belgian or EU law (Art. 6(1)(c) GDPR) — for example in response to a lawful request from a public authority, a court order, or applicable regulatory requirements.

Security across all activities. Regardless of the category of data subject or the primary purpose of processing, Mindoo processes technical and log data for security monitoring, fraud prevention, and incident response purposes on the basis of its legitimate interest in protecting its systems, services, and the data of its users and clients (Art. 6(1)(f) GDPR).

HR data. Personal data relating to Mindoo's own staff, contractors, and interns is not covered by this table. It is governed by Mindoo's internal policies.

Who We Share Data With?

We do not sell your personal data. We may share data with the following categories of recipients:

  • Cloud infrastructure providers hosting our platform and website.
  • AI model providers for platform functionality — these providers process data under strict contractual obligations and do not retain personal data after processing.
  • Analytics providers for website usage statistics.
  • Email and communication tools for support and marketing communications.
  • Professional advisors (legal, accounting) under professional secrecy obligations.
  • Public authorities where required by Belgian or EU law.

We maintain a list of our sub-processors. You can consult the current version at https://trust.mindoo.ai/subprocessors

Rights of Data Subjects

In connection with processing operations for which Mindoo is the Controller, every data subject has the following rights:

  • Right of access to their data (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)
  • Right to withdraw consent at any time

These rights may be exercised by contacting: dpo@mindoo.ai. Mindoo undertakes to respond within one month of receiving the request. If your request is complex, Mindoo may extend this period by a further two months, in which case we will inform you.

If you are not satisfied with our response, you have the right to file a complaint with the Belgian Data Protection Authority.

International Data Transfers

Our primary infrastructure is hosted within the European Economic Area (EEA). Where personal data is transferred outside the EEA — for example to AI model providers based in the United States — we ensure appropriate safeguards are in place:

  • EU Standard Contractual Clauses (SCCs) adopted by the European Commission
  • An adequacy decision by the European Commission (e.g. the EU-US Data Privacy Framework, where the recipient is certified)
  • Additional technical measures where required following the CJEU Schrems II ruling

You may request a copy of the relevant safeguards by contacting dpo@mindoo.ai.

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to comply with legal, regulatory, contractual, accounting, or reporting obligations. Retention periods may vary depending on the nature of the data, the context in which it was collected, and applicable legal requirements.

In certain circumstances, we may retain data for a longer period where:

  • required or permitted by applicable law;
  • necessary for the establishment, exercise, or defence of legal claims;
  • required for audit, compliance, fraud prevention, or security purposes;
  • a dispute, investigation, or litigation is ongoing;
  • the data has been validly anonymised for statistical or analytical purposes.

Where technically and operationally feasible, personal data will be deleted, anonymised or securely archived once the applicable retention period has expired. Retention periods may be reviewed and adjusted from time to time to reflect legal, regulatory, operational, or technical developments.

Automated Decision-Making and Artificial Intelligence

The Mindoo platform is powered by artificial intelligence. As part of its role as data controller (Part I), Mindoo ensures transparency regarding the use of such technologies.

  • Platform analytics and improvement: we may use automated processing techniques to generate aggregated usage insights for the purpose of improving our products and services. These analyses are statistical in nature and do not affect individual users.
  • No automated decision-making: we do not use personal data to make decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect individuals within the meaning of Article 22 of the GDPR.

Security Measures

Mindoo implements the following technical and organizational measures to protect the data it processes:

  • Encryption of data in transit (TLS) and at rest;
  • Strong authentication (MFA) for platform access;
  • Role-based access control (RBAC);
  • Logging of access and sensitive operations;
  • Regular security testing (audits, penetration tests);
  • Business continuity and disaster recovery plan;
  • Regular training for Mindoo teams on data protection.

Mindoo regularly evaluates the effectiveness of these measures and updates them in line with evolving risks.

Cookies

The website of Mindoo uses cookies and similar technologies. We distinguish between the following categories of cookies:

| Cookie category | Purpose | Consent required |
|---|---|---|
| Strictly necessary cookies | Essential for the proper functioning of the website (e.g. session management, security, load balancing). | NO |
| Analytics cookies | Help us understand how visitors use our website and improve its performance. | YES |
| Marketing cookies | Used to deliver relevant content and measure the effectiveness of marketing campaigns. | YES |

You can manage your cookie preferences at any time through the cookie settings on our website. You can also configure your browser to block or delete cookies, though this may affect website functionality.

For a detailed overview of the specific cookies we use, their purposes, and retention periods, please refer to our cookie settings panel.


PART II – MINDOO AS DATA PROCESSOR

This Part applies when Mindoo processes personal data on behalf of a client organisation that has subscribed to and deployed Mindoo's SaaS services to interact with its own end users. In those cases, the client organisation is the data controller and Mindoo acts solely as its data processor, on the basis of a written Data Processing Agreement ("DPA") in accordance with Art. 28 GDPR. The DPA, together with the applicable main service agreement (which may take the form of an Order Form, Statement of Work, Pilot Proposal, or online subscription), governs the relationship between Mindoo and each client organisation.

If you are an end user whose data has been processed through a Mindoo agent, your GDPR rights are exercisable against the organisation that subscribed to and deployed those services — not against Mindoo directly. Please refer to that organisation's privacy notice. If you need help identifying the right contact, write to us at dpo@mindoo.ai and we will direct your request without delay.

Mindoo's Role as Data Processor — General Framework

When a client organisation subscribes to and deploys Mindoo's SaaS services, it acts as data controller and is solely responsible for: determining the purposes and means of processing; establishing and maintaining a valid legal basis for each processing activity; fulfilling information obligations towards data subjects (Arts. 13–14 GDPR); compliance with applicable sector-specific law (including, where relevant, the Belgian Patient Rights Act of 22 August 2002 and the deontological rules of the National Order of Physicians); and handling data subject rights requests.

Mindoo processes personal data solely on the controller's documented instructions as set out in the DPA, the main service agreement, and Schedules to the DPA. Mindoo does not process personal data for its own purposes.

Important limitation of scope. The SaaS services are administrative and documentation-support tools only. They do not perform, and are not intended to perform, any function of medical diagnosis, clinical triage, prevention, monitoring, prediction, prognosis, treatment, or treatment recommendation.

Categories of Personal Data Processed on Behalf of Controllers

The table below describes the potential scope of personal data processed under the services. The specific data actually processed depends on the services ordered by the data controller and their configuration and may additionally include any personal data voluntarily provided by data subjects during interactions.

| Data Categories | Examples |
|---|---|
| User identification information | Name, date of birth, national ID number, gender (e.g. ITSME details where relevant, national identification number where applicable) |
| Health data | Where relevant: diagnoses, medical history, treatment plans & prescriptions, test results, consultation notes & reports, audio recording of consultation, transcriptions and structured clinical summaries generated by AI, information on the use of alcohol, drugs, or medications, allergies, symptoms |
| User administrative data & contact data | Appointments, billing information, health insurance or mutuality details (where applicable), contact data (address, phone number, email address) |
| Professional user data | Name of healthcare professionals and staff, professional identifiers (e.g. INAMI/RIZIV number where applicable), role/function |
| Account & access data | User IDs, login credentials (hashed where applicable), access rights and permissions |
| Technical and usage data | IP addresses, device and browser information, system logs, usage data and interaction logs with the services |
| Communication data | Content of communication data and recordings |

Categories of data subjects covered include: end users or clients of the controller; healthcare professionals where relevant (physicians, nurses, allied health staff); administrative and support staff of the controller; and other users of the services authorised by the controller.

Purpose of the Processing of Personal Data

Mindoo processes personal data solely on the documented instructions of the client organisation, as set out in the DPA and the main service agreement concluded between the parties. The client organisation — acting as data controller — determines the purposes for which personal data is processed, the categories of data collected, and the legal bases applicable to that processing. Mindoo has no discretion over those purposes and does not process personal data beyond what is necessary to deliver the contracted services.

In practice, Mindoo's SaaS services give client organisations the ability to configure and deploy AI agent workflows tailored to their operational needs. Each of those workflows involves the processing of personal data strictly on behalf of, and under the responsibility of, the deploying organisation. The main workflows currently available are described below, together with the categories of personal data typically processed in each case. The specific data actually processed in any given deployment depends on the services ordered, the configuration chosen by the client organisation, and — for conversational and transcription services — any personal data voluntarily provided by data subjects during their interactions with the agent.

This includes collecting, organising, transcribing, and transmitting information provided by or on behalf of end users or healthcare professionals, for the following administrative purposes: scheduling and booking management, registration and file preparation, administrative follow-up and communication, and the formatting and organisation of documentation as directed by the healthcare organisation.

Legal Basis for Processing Special Categories of Data

Health data, biometric data (including voice data processed by the scribe service), and data on substance use constitute special categories of personal data under Art. 9 GDPR. Their processing requires an explicit legal basis, which is determined exclusively by the client organisation as data controller. Applicable bases may include:

  • Art. 9(2)(h) GDPR — provision of healthcare or social care, typically combined with the Belgian Patient Rights Act of 22 August 2002;
  • Art. 9(2)(a) GDPR — explicit consent of the data subject;
  • Any other legal ground applicable and relevant.

Mindoo does not determine the legal basis for the processing of special categories of data. This is the sole responsibility of the data controller.

Your Rights as an End User

When Mindoo acts as data processor, your rights under the GDPR and applicable data protection law are exercisable against the client organisation acting as data controller — not against Mindoo directly. Those rights include:

  • the right to access your personal data;
  • the right to rectification of inaccurate or incomplete data;
  • the right to erasure ("right to be forgotten") where the applicable conditions are met;
  • the right to restriction of processing;
  • the right to data portability;
  • the right to object to processing;
  • the right to withdraw consent at any time, where processing is based on consent, without affecting the lawfulness of processing prior to withdrawal; and
  • the right to lodge a complaint with a competent supervisory authority, including the Belgian Data Protection Authority (Autorité de protection des données / Gegevensbeschermingsautoriteit) at www.dataprotectionauthority.be.

To exercise these rights, please consult the privacy notice of the organisation whose services you are using, or contact them directly.

Mindoo's Obligations as a Data Processor

As a data processor, Mindoo:

  • processes personal data only on documented instructions from the controller, as set out in the DPA, and does not process personal data for any purpose other than delivering the contracted services or complying with applicable legal obligations;
  • ensures all persons authorised to process personal data are bound by contractual confidentiality obligations and complete mandatory annual data protection and security training;
  • implements the technical and organisational security measures described in its trust center and the DPA;
  • assists the controller in responding to data subject rights requests and in meeting its GDPR obligations, to the extent technically and organisationally feasible and within the scope of the services;
  • engages sub-processors under contracts imposing equivalent data protection obligations;
  • does not use health data or any other personal data processed under the DPA — in any form, including transcriptions, structured notes, intake data, or derived features — to train, fine-tune, benchmark, or evaluate any AI or machine learning model without prior explicit written consent; and
  • at the end of the services, returns or deletes personal data in accordance with the controller's instructions (see Section on Data Retention below).

Authorised Sub-Processors

Mindoo may engage sub-processors to carry out specific processing activities on its behalf in connection with the delivery of the services. All sub-processors are bound by data protection obligations equivalent to those in the DPA, in accordance with Art. 28(4) GDPR. Sub-processors act solely on Mindoo's documented instructions, may not use personal data for their own purposes, and are subject to zero-data-retention terms for AI inference services — meaning no personal data is retained by AI model providers between separate API calls, and inference calls are logically separated per request.

An up-to-date sub-processor list is maintained at https://trust.mindoo.ai/subprocessors

For the framework governing international transfers to sub-processors outside the EEA, the same transfer mechanisms and obligations apply in the processor context.

Data Retention and Post-Termination Obligations

Retention during the service relationship: personal data is retained for the duration and in accordance with the retention parameters configured by the client organisation within the SaaS platform of Mindoo. The client organisation, acting as data controller, is solely responsible for configuring retention settings in compliance with the principles of data minimisation and storage limitation under Art. 5(1)(e) GDPR. The specific retention periods therefore depend on the settings chosen by the controller, which may vary by agent type, data category, or use case.

Post-termination obligations: At the end of the service agreement, and in accordance with Art. 28(3)(g) GDPR, Mindoo will — at the controller's election and within 30 days of termination:

  • delete all personal data processed on behalf of the controller, with permanent deletion of any restricted-access copies retained for statutory compliance upon expiry of the applicable retention period; or
  • return all personal data in a standard, commonly used, machine-readable format as part of a structured off-boarding process, at no additional cost for standard export formats.

Where a controller requires data in a non-standard or bespoke format, or requests additional data transformation or export assistance beyond standard service functionality, reasonable fees may be charged as agreed in advance.

Where the controller requires Mindoo to retain data beyond termination — for statutory retention, audit, or litigation defense purposes — this must be expressly agreed in writing, specifying the retention period, the legal basis, and the applicable security measures. Such retained copies are held in a restricted environment with access controls and permanently deleted upon expiry of the agreed retention period.


PART III – GENERAL PROVISIONS

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our services, technologies, or legal requirements. Material changes will be communicated via a notice on our website. Where changes significantly affect how we process your data, we will seek your renewed consent where required. The "Last updated" date at the top reflects the most recent revision.

Children

Under Belgian law implementing Art. 8 GDPR, the age of digital consent is 13 years. Our services are not directed at individuals under 13 years of age. We do not knowingly collect personal data from children under 13. If you believe we have inadvertently collected such data, please contact us at dpo@mindoo.ai.

Contact Us

If you have any questions, requests or concerns about Mindoo's services, please contact us using one of the following channels:

  • Email: dpo@mindoo.ai
  • Postal Address: Moonsstraat 29 B302, 2018 Antwerpen, Belgium

If you are dissatisfied with our services or with the way we have handled a request or concern, you may first submit a complaint to us using the contact details above and clearly indicating that your message is a "Complaint". We will investigate your complaint and aim to provide you with a substantive response within a reasonable period, taking into account the nature and complexity of your complaint.

Without prejudice to any other administrative or judicial remedy available to you, you also have the right to lodge a complaint with a data protection supervisory authority if you consider that the processing of personal data relating to you infringes the EU General Data Protection Regulation 2016/679.

In particular, you may lodge a complaint with the supervisory authority in the Member State of your habitual residence, your place of work or the place of the alleged infringement.

For processing operations falling under Belgian law, the competent supervisory authority is:

Data Protection Authority – Autorité de protection des données / Gegevensbeschermingsautoriteit
Rue de la Presse 35, 1000 Brussels, Belgium
Website: https://www.autoriteprotectiondonnees.be
Email: contact@apd-gba.be

You may also have the right to bring an effective judicial remedy before the competent courts if the supervisory authority does not deal with your complaint or does not inform you within three months of the progress or outcome of your complaint.

Please bear in mind, however, that in most cases Mindoo acts as a "processor" within the meaning of the EU General Data Protection Regulation 2016/679, processing personal data on behalf of its customers who act as "controllers". This means that, for the majority of processing activities, Mindoo does not determine the purposes and essential means of the processing, but follows the documented instructions of the relevant controller. As a consequence, if you are an end-user, customer, employee or any other individual whose personal data are processed through Mindoo's services on behalf of one of our business customers, and you wish to exercise your rights under applicable data protection law — including the rights of access, rectification, erasure, restriction, objection, data portability or to withdraw consent — you should in principle address your request directly to the relevant controller (for example, the company or organisation that has engaged Mindoo to provide services). That controller remains primarily responsible for handling your request and for ensuring compliance with data protection law.
