Data privacy policy

Last revision of this policy: August 2023

The following terms: “MindMaze”, “we”, “us”, “our” or the “Company” are references to MindMaze SA, the controller, and to companies held by MindMaze Group SA.

MindMaze attaches great importance to the protection and respect of your privacy.

When you use one of our products or services, or visit our websites, we collect your personal data and/or personal data related to your neurological impairments. This document describes when and why we collect them, how we use them, with whom we share them, the processing we do on them, and the measures we take to ensure their safety. Please read this policy carefully to find out what your rights are and what means are available to you to exercise them.

This privacy policy complies with the General Data Protection Regulation in the European Union (EU), the Data Protection Act in Switzerland (CH), the Data Protection Act in the United Kingdom (UK), and the Personal Data Protection Law in the Kingdom of Saudi Arabia (KSA), and sets out how we collect, process, retain, disclose, and, if permitted by law, transfer your personal and/or health data pursuant to your use of our products. It also describes your choices regarding use, access, and correction of your personal and/or health data.

1.   Who are we?

MindMaze SA and the other companies of the MindMaze group create intuitive human-machine interfaces on their revolutionary IT platform inspired by neuroscience. Our innovations are at the intersection of neuroscience, mixed reality and artificial intelligence and are therefore ready to transform a large number of industries.

Data controller
MindMaze SA,
Chemin de Roseneck 5,
1006 Lausanne
Switzerland

Legal representative in the EU
MindMaze France SARL, 
26 rue Cambacérès
75008 Paris
France

Legal representative in the Kingdom of Saudi Arabia
Hamza Al Kholi Trading Co Ltd 
Zubaidah Bint Jafar, Al Murabba 2 
Al Riyadh 
Saudi Arabia

2.   What personal data do we collect?

2.1   The data we collect from you

When using our products

We collect information about you when you use one of our products and/or participate in our registry, clinical studies, clinical trials or clinical evaluations. These data are for example:

  1. Your name, first name, address, and email address.
  2. Your laterality (right-handed or left-handed).
  3. Your gender (male or female).

Our products collect information about your impairment by tracking your different sessions (activity score, game time, etc.). They also produce information that allows us to identify you. This information can be, for example:

  1. Your patient and user identifiers.
  2. Your calibration measurements (upper body and lower limb movements, dexterity, etc.).
  3. Your exercise and session identifiers.
  4. Your exercise values (type, inventory, level, side, date, duration, performance, etc.).

We need this personal and/or health data to provide you with our services and improve your user experience.

In some cases, a therapist may schedule a videoconference with a patient, for example, to assess progress or carry out rehabilitation, but also for other activities that the therapist deems useful at his or her discretion. This videoconference uses the https://zoom.us (Zoom) platform. From their MindMotion Companion account at https://mm-companion.com or https://sa.mm-companion.com, therapists can connect to their Zoom account and schedule a videoconference for the patient. The information needed to connect to the videoconference is sent to the patient and stored in the therapist’s and patient’s MindMotion Companion profile. Information exchanged during the videoconference, including video, voice, metadata, etc., is exchanged directly between the patient’s Zoom client, the therapist’s Zoom client and the Zoom servers. No information is collected or processed by us when using this functionality.

When you use our websites

We collect information about you when you use our contact forms on our website https://www.mindmaze.com. These data are for example: Your name, first name, phone number and email address.

We need this information to get back in touch with you and process your request. This information may be stored in our customer management tool (CRM): Salesforce. More information about Salesforce’s data protection policy can be found on their website: https://compliance.salesforce.com/en/gdpr.

When you apply for an open position

MindMaze publishes its job offers on its website https://www.mindmaze.com/careers. You can also find our job offers on other social network platforms such as LinkedIn, Facebook, Indeed, etc. The channel for submitting your applications remains our website https://www.mindmaze.com/careers. Our open positions are created and managed on our data processor platform https://jobs.smartrecruiters.com. You can find our talent acquisition policy for more detail about data we collect and process here: https://mindmaze.com/mindmaze-talent-acquisition-privacy-notice.

2.2   Data we collect from other sources

When using our products

It is possible that other sources such as hospitals, our subsidiaries, or other companies active in the health field, may send us health information about you. This can happen when for example you, as a patient, use our product in a clinic or a hospital. These clinics and hospitals can send us information about you. The information received is then combined with other information we already have about you. This data can be, for example:

  1. Your pathologies
  2. Your rehabilitation exercises that you do at home
  3. Your statistics and performance
  4. Other information about your health

The various sources that will send your data to us have their privacy policies, which are independent from ours. In any case, we will always ask you for your consent to our processing of your information.

When you apply for an open position

When you submit your application and are selected in our recruitment process, we perform certain tasks that require the collection of information from other sources. You can find our talent acquisition policy for more detail about data we collect and process here: https://mindmaze.com/mindmaze-talent-acquisition-privacy-notice.

3.   What data do we process about your devices?

When you visit our website https://www.mindmaze.com using your mobile devices or from a computer, we collect and store information in their internal storage space. We then reuse this data to improve your user experience or to perform statistics. The different data we collect can be, for example:

  1. Your IP address and location data
  2. The type of device you use
  3. The link from which you access our platform
  4. Configurations on certain equipment for the use of our services

You will be able to choose whether to store this information by accepting cookies or not.

3.1   The different types of cookies we use

Cookies are small amounts of information stored in files within your computer’s browser itself. Cookies are accessible and stored by the websites you visit, and by companies that display their advertisements on websites, so that they can recognize the browser. Websites can only access the cookies they have stored on your computer.

By using our website, you consent to the use of the cookies it places.

Our websites or web applications use cookies for the following purposes:

  1. Site Usage: to help us recognize your browser as that of a previous visitor and to record the preferences you determined during your previous visit to the Site. For example, we may record your login information so that you do not have to log in each time you visit the Site.
  2. Social networks: to check if you are connected to third party services (Facebook, Twitter, Google+…).
  3. Targeting: to allow us to target (emailing, basic enrichment) later or in real time the Internet user who navigates on our Site.
  4. Audience measurement: to track statistical data on Site usage (i.e., users’ use of the Site and to improve the Site’s services) and to help us measure and study the effectiveness of our interactive online content, features, advertising, and other communications.

3.2   Your choices regarding cookies and web beacons

You have the option of configuring your browser to accept all cookies, reject all cookies, notify you when a cookie is issued, its validity period and content, and allow you to refuse to save it on your device, and delete your cookies periodically.

You can set your Internet browser to disable cookies. Please note, however, that if you disable cookies, your username and password will no longer be saved on any website. For more information on how to delete and control cookies stored on your computer, visit https://www.aboutcookies.org

Your consent to the use of cookies will be requested when you access our sites. You will be able to set them up and adjust them to your preferences.

More information regarding cookie management is given in our cookie policy.

4.   How do we process your information?

When using our products

We may use your personal and/or health data for the following purposes:

  • To provide our services and to enable the use of our products.
  • To ensure the maintenance of our products.
  • To improve our services and/or products.
  • To develop new services and/or products.
  • To participate in registries, clinical studies, clinical trials or clinical evaluations.
  • To gather information for scientific research.
  • To provide evidence to support scientific initiatives.
  • For the publication of articles or similar communications, including scientific and marketing articles; and
  • For statistics, performance analysis.

When you apply for an open position

All our processing of your information is described in our talent acquisition policy: https://mindmaze.com/mindmaze-talent-acquisition-privacy-notice/.

Lawful basis of data processing

Your personal and/or health data may only be used with your express consent, which must be collected in advance, based on the contractual agreement you may have concluded with MindMaze SA or any subsidiaries of the MindMaze Group.

For certain products such as MindMotion Companion for example, your therapist can create an account on your behalf. However, you still have the ability to review and agree with this policy, and to update your consent afterwards.

Insofar as we process your personal data based on your consent, you have the right to withdraw your consent at any time. However, the withdrawal of your consent does not compromise the lawfulness of the processing operation before your consent is withdrawn.

If you are unable to legally establish contractual links with MindMaze SA or another company of the MindMaze group or to give your consent to the processing of your personal data, for medical or similar reasons, your personal data may however only be processed if this is necessary to safeguard your vital interests.

Data retention

Personal data collected by MindMaze SA and subsidiaries of the MindMaze group will only be kept for as long as necessary until we have achieved the purposes for which they were collected. To ensure that we do not keep them longer than necessary, we periodically review and delete our files in accordance with these objectives.

5.   Who has access to your information?

MindMaze employees and consultants: to improve our services, products, user experience, security, and the proper performance of the contract between you and MindMaze.

Third party service providers working for us: we are authorized to share your personal information with our third-party service providers, agents and subcontractors and other associated organizations for the purpose of performing tasks and providing services on our behalf. When we use third party service providers, however, we only disclose personal information necessary to provide the relevant services and we enter into a written agreement (including in electronic form) in accordance with EU, CH, UK, and KSA laws requiring them to ensure the security of your information and not to use it for their own purposes, except with your express consent.

Third-party product suppliers with whom we work: we work closely with various third-party suppliers to provide you with quality and reliable products and services designed to meet your needs. When you are interested in one or more of these products or when you purchase them, the third-party supplier of the product(s) concerned will use the information about you to inform you and fulfil its obligations under any contract you have concluded with it. In some cases, they will act as the controller of the processing of your personal information. That is why we recommend that you read their Privacy Policy. These third-party product providers may share your information with us, and we will use it in accordance with this Privacy Policy.

We are also authorized to disclose your personal information to a third party if we are required to disclose or share your personal data in order to comply with a legal obligation, to apply or enforce our terms of use or to protect the rights, property or safety of our customers or, with the exception of personal data relating to your health or to your impairment, in connection with the sale of all or part of our activities and assets to a third party or in connection with a restructuring or reorganization of our business. However, we will take all appropriate measures to ensure that your privacy rights remain protected.

We are also authorized to enter into contracts with third parties to enable them to offer you devices and solutions to improve the treatment of your disabilities or handicaps. In this context, we are authorized to transmit your personal information to insurance companies and pharmaceutical companies for a fee, only for this purpose and subject to your express consent.

6.   How do we secure your information?

6.1   The security of your data at MindMaze

When you provide us with personal and/or health data about yourself, we take steps to ensure its security. All the information you send us is encrypted in transit, meaning that the data remains confidential while it travels from one endpoint to another; and it is encrypted at rest, meaning that we store your data on encrypted storage.

The products you use are also designed to comply with the best production, physical security, and storage security practices. Risk studies are carried out on them in order to limit those risks as much as possible.

We regularly carry out security reviews on our platforms and services that we offer you and correct weaknesses as soon as possible. We strive to keep all our systems as up to date as possible with the latest security patches.

The accounts you create with us are all protected by a password that is your responsibility. You must define one that is complex enough to limit the risk that it will be easily guessed. To help you in this task we have defined a password complexity policy. When you define your password, we give you the criteria it must meet to be accepted. On our systems, your passwords are not displayed in clear text, but secured with secure cryptographic algorithms.

Despite all the measures taken to guarantee the security of your information, we draw your attention to the fact that there is no such thing as zero risk. We do our best to protect your information, but we cannot guarantee 100% flawless security. Safety is effective when all parties follow good practices. You are responsible for keeping your login information and any other access data to our services confidential.

6.2   The security of your data with our partners

MindMaze uses powerful solutions to provide you with the best user experience, quality, and reliable services. In the criteria for choosing our suppliers of third-party products and services, information security plays a very important role. However, MindMaze has no control over the internal policies of our suppliers and cannot guarantee 100% flawless security of the products and/or services that we use.

Please refer to the security and privacy policy of our third-party product and service providers by going directly to their website:

  1. Salesforce: https://compliance.salesforce.com/en/gdpr
  2. Smartrecruiters: https://www.smartrecruiters.com/legal/candidate-privacy-policy
  3. Microsoft Azure: https://privacy.microsoft.com/en-us/privacystatement
  4. Alibabacloud: https://alibabacloud.sa/privacyPolicy
  5. Zoom: https://explore.zoom.us/en/trust/privacy

7.   Transfer of your personal and/or health data

7.1   For users in EU, CH, and UK

Our servers are in Germany, in Europe. In some cases, the information you provide us may be transferred outside the EU, CH, and UK. For example, this may be the case if we scale our infrastructure and one or more of our servers are located outside the EU, CH, and UK. In these countries, data protection legislation may be different from that of EU, CH, or UK. We will adopt appropriate safeguards recognized by EU, CH and UK regulatory authorities and take steps to ensure that appropriate security measures are taken to ensure the uninterrupted protection of your privacy rights as set out in the Privacy Policy.

7.2   For users in the Kingdom of Saudi Arabia

Our servers are in the Kingdom of Saudi Arabia. In accordance with applicable law, including the Personal Data Protection Law and Regulations in the Kingdom of Saudi Arabia, we may transfer your personal and/or health data from the Kingdom of Saudi Arabia to an overseas jurisdiction. For example, this may be the case if we scale our infrastructure and one or more of our servers are located outside the Kingdom of Saudi Arabia. We will adopt appropriate safeguards recognized by the Kingdom of Saudi Arabia regulatory authorities and take steps to ensure that appropriate security measures are taken to ensure the uninterrupted protection of your privacy rights as set out in the Privacy Policy.

8.   What are your rights regarding your personal data?

8.1   Your rights

The general data protection regulations grant you rights over your personal or health data. Your rights are applicable subject to local data protection laws. Depending on the applicable laws and, more particularly, if you are in the EU, CH, UK or KSA, these rights may include:

  1. The right of access: access to your personal and/or health data that we hold.
  2. The right of rectification: the rectification of inaccurate personal and/or health data and, considering the purpose of the processing of personal and/or health data, to ensure that they are complete.
  3. The right to erasure (the right to be forgotten): the erasure/deletion of your personal and/or health data, to the extent that applicable data protection laws allow it.
  4. The right to limit processing: the limitation of our processing of your personal and/or health data, to the extent permitted by law (right to limit processing).
  5. The transfer of your personal and/or health data to another controller, if possible.
  6. The right to object: the objection to any processing of your personal and/or health data based on our legitimate interests. When we process your personal and/or health data for commercial prospecting purposes or share them with third parties for their own commercial prospecting purposes, you have the right to object to this processing at any time without having to invoke any reason.
  7. Automated decision: the right for the data subject not to be the subject of a decision based exclusively on automated processing, including profiling, which produces legal effects. No automated decisions are currently being implemented on our websites, services, or products.
  8. The right to withdraw your consent: to the extent that we base the collection, processing and sharing of your personal data on your consent, you may withdraw your consent at any time, without compromising the lawfulness of the processing based on the consent given before the withdrawal. MindMaze will act on withdrawals of consent as soon as we can and will not penalise individuals who wish to withdraw consent. However, the withdrawal of your consent may have as a consequence that MindMaze or the relevant subsidiary of the MindMaze group will not be in a position to provide you with its services.
  9. The right to be duly informed of the purpose of collection and whether it will be shared with a third party.

8.2   How to exercise your rights?

To exercise your rights, please contact us using the information in the “Contact us” section below. We try to respond to all legitimate requests within one month and will contact you if we need additional information from you to satisfy your request. However, the deadline may be longer than one month if we have a high demand. In such a case, you will be informed within one month of our receiving your request. If your request concerns one of our third-party product suppliers, we recommend that you submit this request directly to that supplier.

You have the right to file a complaint with the competent supervisory authority in the country where you reside if you believe that we have not complied with the requirements of the data protection regulations.

For users in EU

Your complaint will be transferred to our lead supervisor, the CNIL (France).

For users in UK

You can file a complaint with the Information Commissioner’s Office https://ico.org.uk/make-a-complaint

For users in CH

You can file a complaint with the competent supervisory authority, the Federal Data Protection and Information Commissioner https://www.edoeb.admin.ch/edoeb/en/home.html

For users in KSA

You can file a complaint with the competent supervisory authority, the Saudi Data & Artificial Intelligence Authority (SDAIA) https://sdaia.gov.sa/ar/default.aspx

8.3   How can you change your data and how we process it?

For users with our product accounts, you can change your information and data processing preferences directly in your profile.

To update your billing information, close your account and/or request the return or deletion of your Personal Data and other information related to your account, please contact us using the information in the “Contact Us” section below.

9.   Our policy on children

We do not voluntarily collect data from children under 16 years of age without parental consent. This age limit can be different in some countries following local law; in this case we will follow the local law requirements. If you are a parent or guardian and you believe that your child has provided us with personal data without your consent, please contact us using the information in the “Contact Us” section below. We will take steps to remove this personal information from our systems.

10.   Review of the Privacy Policy

We regularly review this privacy policy and may update it at any time to better protect you. Any future changes or additions to the processing of personal and/or health data described in this document concerning you will only be applicable to you with your express consent.

11.   Contact Us

Any questions regarding this privacy policy and our privacy practices should be sent to our Data Protection Officer by e-mail [email protected] or by post to MindMaze France SARL, 26 rue Cambacérès, 75008 Paris, France or MindMaze SA, Chemin de Roseneck 5, 1006 Lausanne, Switzerland. You can also call us at +41 (0)21 552 0801.