We never sell your data
Your clinical information is private and is never shared with third-party advertisers.
No human listeners
Processing is fully automated. No Mind Flash staff can access or listen to your recordings.
SUMMARY
Mind Flash is a mobile application designed for psychotherapists to manage documentation from therapy sessions. The application enables creation of text and voice notes, which are automatically transcribed. Upon user request, the system can generate summaries from selected notes.
Personal data of users is processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR), the Polish Personal Data Protection Act, and other applicable laws. Patient data is processed by us solely as a data processor on behalf of the user who remains the data controller.
Application servers are located within the European Union (Frankfurt, Germany). Data transfers to third countries occur only to the extent necessary for service provision and are secured by appropriate legal mechanisms.
1. DATA CONTROLLER
The data controller for Mind Flash application users' personal data is:
Gabinet Psychologiczny i Psychoterapii Jakub Litwin
ul. Jarosława Dąbrowskiego 14
35-036 Rzeszów, Poland
Tax ID (NIP): 8172038116
Email: office@mind-flash.com
2. CATEGORIES OF PROCESSED DATA
2.1. Personal Data of Application Users
In connection with service provision, we process the following categories of user data:
- Identification data: first name, last name, email address
- Billing data: payment and subscription information
- Technical data: system logs, IP address, device identifiers
- Analytics data: information about application usage
2.2. Patient Data Entrusted by Users
Users may enter the following patient data into the application:
- Patient identifiers (names, initials, or pseudonyms)
- Therapy session notes
- Voice recordings and their transcriptions
- Session dates and times
- Health information contained in notes
Patient data constitutes a special category of personal data within the meaning of Article 9 GDPR.
3. PURPOSES AND LEGAL BASES FOR PROCESSING
3.1. Processing of User Data
| Purpose of Processing | Legal Basis | Retention Period |
|---|---|---|
| Service provision | Art. 6(1)(b) GDPR - performance of contract | Until account deletion |
| Payment processing | Art. 6(1)(b) GDPR - performance of contract | 5 years from end of tax year |
| Communication with users | Art. 6(1)(f) GDPR - legitimate interest | Until objection is raised |
| Analytics and service development | Art. 6(1)(f) GDPR - legitimate interest | 14 months |
| Fulfillment of legal obligations | Art. 6(1)(c) GDPR - legal obligation | As required by law |
3.2. Processing of Patient Data
Patient data is processed on the basis of an entrustment of processing by the user, who remains the data controller for their patients. The legal basis for processing is Article 28 GDPR in conjunction with Article 9(2)(h) GDPR (processing necessary for the purposes of preventive or occupational medicine, medical diagnosis, or the provision of health care).
4. DATA PROCESSING AGREEMENT
The application user remains the data controller of their patients' personal data. Mind Flash acts solely as a data processor based on the concluded data processing agreement.
Within the scope of processing, we commit to:
- Processing data only on documented instructions from the controller
- Ensuring that persons authorized to process data have committed to confidentiality
- Taking all measures required pursuant to Article 32 GDPR
- Respecting the conditions for engaging another processor
- Assisting the controller in fulfilling obligations under Articles 32-36 GDPR
- Deleting or returning data after the end of service provision
- Making available all information necessary to demonstrate compliance with obligations
5. DATA RECIPIENTS
5.1. Data Processors
To provide services, we use the following data processors:
| Entity | Scope of Cooperation | Location | Security Measures |
|---|---|---|---|
| Amazon Web Services | Infrastructure hosting | EU (Germany) | ISO 27001, SOC 2 |
| Supabase Inc. | Database | EU (Germany) | SOC 2 Type II |
| OpenAI LLC | Audio transcription | USA | Model training on data disabled |
| Google LLC | Summary generation | USA | Model training on data disabled |
| RevenueCat Inc. | Payment processing | USA | PCI DSS Level 1 |
| Google Analytics | Analytics | USA | IP anonymization |
5.2. Transfers to Third Countries
Personal data transfers to the United States are based on:
- Standard contractual clauses adopted by the European Commission
- Additional technical and organizational safeguards
6. DATA RETENTION PERIODS
| Data Category | Retention Period |
|---|---|
| User account data | Until account deletion by user |
| Notes and patient data | Until deletion by user |
| Voice recordings | 30 days from transcription creation |
| Transaction data | 5 years from end of tax year |
| System logs | 90 days |
| Analytics data | 14 months |
7. RIGHTS OF DATA SUBJECTS
7.1. Rights under GDPR
Each person whose data we process has the right to:
- Access their personal data (Art. 15 GDPR)
- Rectification of data (Art. 16 GDPR)
- Erasure of data (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Object to processing (Art. 21 GDPR)
- Withdraw consent at any time (Art. 7(3) GDPR)
- Lodge a complaint with a supervisory authority
7.2. International Compliance
For United States users: We follow HIPAA (Health Insurance Portability and Accountability Act) best practices for the protection of electronic protected health information (ePHI).
For California users: In accordance with the California Consumer Privacy Act (CCPA), we provide the right to information about processed data, the right to deletion, and the right to opt-out of the sale of personal data (we do not sell data).
8. SECURITY MEASURES
8.1. Technical Safeguards
- Data encryption at rest: AES-256-GCM
- Transmission encryption: TLS 1.3
- Access control: Row Level Security (RLS)
- Password hashing: bcrypt (cost factor 12)
- Regular encrypted backups
- 24/7 security monitoring
8.2. Organizational Safeguards
- Limited access to personal data
- Confidentiality agreements with personnel
- Regular data protection training
- Incident management procedures
- Periodic security audits
- Clean desk and screen policy
9. USE OF ARTIFICIAL INTELLIGENCE
9.1. Automatic Processing
The application uses the Whisper model (OpenAI) for automatic transcription of voice recordings. This process occurs automatically after uploading a recording.
9.2. On-Demand Processing
The Gemini model (Google) is used exclusively upon explicit user request to generate summaries from selected notes.
9.3. AI Usage Limitations
- Data is not used for AI model training
- No automatic analysis of note content
- No patient profiling
- No automatic extraction of diagnostic conclusions
11. BREACH NOTIFICATION PROCEDURE
In case of a personal data breach, we apply the following procedure:
1. Identification and containment - maximum 4 hours
2. Risk assessment and documentation - maximum 12 hours
3. User notification - maximum 24 hours
4. Notification to supervisory authority - maximum 72 hours
12. USER OBLIGATIONS
Application users, as data controllers of their patients' data, are obligated to:
- Inform patients about the processing of their data
- Obtain appropriate consents or ensure another legal basis
- Apply the principle of data minimization
- Ensure secure access to the application
- Comply with local medical data protection regulations
13. CONTACT INFORMATION
For matters related to personal data protection, please contact:
- Email: office@mind-flash.com
- Address: ul. Jarosława Dąbrowskiego 14, 35-036 Rzeszów, Poland
Supervisory Authority:
President of the Personal Data Protection Office (PUODO)
ul. Stawki 2, 00-193 Warsaw, Poland
Phone: +48 22 531 03 00
Email: kancelaria@uodo.gov.pl
14. PRIVACY POLICY CHANGES
Users will be notified of any privacy policy changes:
- Electronically with 30 days' notice
- Through in-app notification
- With the ability to download data before changes take effect
15. FINAL PROVISIONS
1. This privacy policy is governed by Polish law.
2. In matters not regulated herein, the provisions of GDPR, the Personal Data Protection Act, and the Civil Code shall apply.
3. For users from other jurisdictions, we additionally apply local data protection laws, particularly HIPAA for the USA and CCPA for California.
4. In case of discrepancies between language versions, the Polish version shall prevail.
Document Version: 2.0
Last Updated: August 1, 2025