Legal Document

Privacy Policy

MindBridge is committed to protecting your privacy and the security of your personal health information. This policy explains how we collect, use, and safeguard your data.

Effective Date: April 28, 2026
Last Updated: April 28, 2026
Jurisdiction: Ontario, Canada
Section 01

Overview

MindBridge ("we," "us," or "our") operates a HIPAA-compliant mental health mobile application designed to support patients between therapy sessions and assist licensed therapists in monitoring client wellbeing.

This Privacy Policy applies to all users of the MindBridge iOS and Android mobile application, our backend services, and any related web interfaces. By using MindBridge, you agree to the collection and use of information as described in this policy.

Important: MindBridge handles Protected Health Information (PHI) as defined under HIPAA. We take this responsibility seriously and have implemented enterprise-grade security measures to protect your data at every level of our platform.

Section 02

Information We Collect

We collect information necessary to provide mental health support services. This includes:

Category Data Collected Purpose
Account Information Full name, email address, password (hashed), role (patient/therapist) Account creation and authentication
Mood Data Daily mood scores (1–5), emotional context notes, timestamps Mood tracking and therapist monitoring
Assessment Responses PHQ-9 and GAD-7 questionnaire answers and calculated scores Clinical mental health monitoring
Chat History Messages exchanged with the AI (encrypted), crisis flags, crisis scores AI-powered support and crisis detection
Exercise Activity Assigned exercises, completion timestamps, exercise types CBT/DBT exercise tracking
Session Notes Therapist-authored notes linked to session dates Clinical record keeping
Device & Technical Data Push notification tokens, IP addresses (in server logs), app version Notifications and security auditing
Audit Log Data User actions, resource accessed, timestamps HIPAA-required audit trail

We do not collect financial information, government identification numbers, or data unrelated to mental health support services.

Section 03

How We Use Your Information

Your information is used exclusively to deliver and improve MindBridge's mental health support services. Specifically, we use your data to:

  • Authenticate your identity and maintain your account securely
  • Deliver AI-powered CBT and DBT support through the chat interface
  • Generate weekly mood summaries visible to you and your assigned therapist
  • Calculate PHQ-9 and GAD-7 clinical scores and display them in the therapist dashboard
  • Detect crisis indicators in chat messages and notify your therapist when at-risk language is detected
  • Enable therapists to assign exercises, write session notes, and invite patients
  • Maintain a HIPAA-compliant audit trail of all data access and modifications
  • Send email invitations to patients on behalf of their therapist via SendGrid
  • Deliver push notifications for crisis alerts and session reminders (where enabled)

We do not use your health information for advertising, sell your data to third parties, or use it for any purpose unrelated to your direct care.

Section 04

HIPAA Compliance

MindBridge is designed to comply with the Health Insurance Portability and Accountability Act (HIPAA) as a healthcare technology platform. Our HIPAA compliance measures include:

  • AES-256 Encryption at Rest: All Protected Health Information (PHI) stored in our database is encrypted using AES-256, the same encryption standard used by the U.S. government for top-secret data.
  • Encrypted Transmission: All data transmitted between the mobile app and our servers uses TLS/HTTPS encryption.
  • Role-Based Access Control: Patients can only access their own data. Therapists can only access data for patients linked to them through our verified relationship system.
  • Comprehensive Audit Logging: Every data access event — who accessed what data and when — is recorded in our audit_log table, fulfilling HIPAA's audit control requirements.
  • Minimum Necessary Standard: API endpoints are designed to return only the data necessary for the specific function being performed.
  • Secure Authentication: Multi-factor authentication (MFA) is available for all users and required for therapist accounts.

Note for Therapists: As a licensed mental health professional using MindBridge, you remain responsible for your professional obligations under applicable laws and your professional licensing body's standards of care. MindBridge provides tools to support — not replace — your clinical judgment.

Section 05

Data Sharing

We share your data only in the following limited circumstances:

  • Your Therapist: Mood data, assessment scores, exercise activity, and crisis alerts are visible to the licensed therapist you are linked with on the platform.
  • Infrastructure Providers: We use Railway (database and server hosting) and GitHub (code repository) as infrastructure providers. These services process data on our behalf under strict data processing terms.
  • AI Processing (Anthropic): Chat messages are processed by Anthropic's Claude AI model. See Section 10 for details on how AI data is handled.
  • Email Delivery (SendGrid): Patient email addresses are shared with SendGrid solely for the purpose of delivering therapist-generated invitation emails.
  • Legal Requirements: We may disclose information if required by law, court order, or to protect the safety of users or the public.

We never sell, rent, trade, or share your personal health information for commercial purposes.

Section 06

Data Security

We implement multiple layers of security to protect your information:

  • AES-256 Encryption: PHI in the database is encrypted at rest using AES-256 with server-side key management.
  • Secure Token Storage: On mobile devices, authentication tokens are stored in Expo Secure Store — the device's hardware-backed keychain — never in plain storage.
  • Password Hashing: Passwords are hashed using bcrypt with a strong work factor before storage. We never store plain-text passwords.
  • JWT Authentication: Short-lived access tokens and rotating refresh tokens reduce the risk of token compromise.
  • API Rate Limiting: All API endpoints are rate-limited to prevent brute force and denial-of-service attacks.
  • Request Validation: All incoming API requests are validated using express-validator to prevent injection attacks and malformed data.

While we implement industry-standard security measures, no method of transmission or storage is 100% secure. We encourage users to use strong, unique passwords and enable MFA.

Section 07

Data Retention

We retain your personal information for as long as your account is active or as needed to provide services. Specifically:

  • Account data is retained for the duration of your account and for 7 years after account deletion to comply with healthcare record-keeping requirements.
  • Mood entries, assessments, and chat history are retained as part of your clinical record and accessible to your therapist throughout the therapeutic relationship.
  • Audit logs are retained for a minimum of 6 years as required by HIPAA.
  • Refresh tokens expire after 30 days and are permanently deleted upon logout.
  • Invite tokens expire after 7 days and are purged from the system after expiry.

You may request deletion of your account and associated data by contacting us. Note that some records may be retained as required by law or for legitimate clinical purposes.

Section 08

Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Right of Access: Request a copy of the personal and health information we hold about you.
  • Right to Rectification: Request correction of inaccurate personal information.
  • Right to Erasure: Request deletion of your account and associated data, subject to legal retention obligations.
  • Right to Restrict Processing: Request that we limit how we use your data in certain circumstances.
  • Right to Data Portability: Request your data in a machine-readable format.
  • Right to Withdraw Consent: You may withdraw consent for non-essential data processing at any time.

HIPAA also grants patients specific rights regarding their Protected Health Information, including the right to access, amend, and receive an accounting of disclosures. To exercise any of these rights, please contact us using the information in Section 12.

Section 09

Children's Privacy

MindBridge is intended for use by adults aged 18 and older, and by licensed mental health professionals. We do not knowingly collect personal information from individuals under the age of 18.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at the address in Section 12. We will promptly delete any such information upon verification.

Section 10

AI & Claude Usage

MindBridge uses Anthropic's Claude AI model to power the in-app therapy support chat. Here is how your data is handled in the context of AI processing:

  • Chat messages you send are transmitted to Anthropic's API for real-time processing to generate a supportive response. This transmission occurs over encrypted HTTPS.
  • Messages are processed using the claude-haiku-4-5-20251001 model within Anthropic's Default workspace under our account.
  • Conversation history is stored encrypted in our own database (Railway/PostgreSQL) and is used to maintain context across sessions. This history is not permanently retained by Anthropic.
  • Crisis detection scoring is performed by our own internal keyword detection service, independent of the AI, to ensure reliability.
  • The AI does not have access to your assessment scores, therapist notes, or other profile information unless explicitly included in the conversation context.

Important: The AI chat feature provides supportive tools and psychoeducation based on CBT and DBT frameworks. It is not a substitute for professional therapy, diagnosis, or crisis intervention. If you are in crisis, please call or text 9-8-8 (Suicide Crisis Helpline) immediately.

Section 11

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this policy
  • Notify active users via email or in-app notification
  • For significant changes affecting how PHI is used, obtain fresh consent where required by HIPAA or applicable law

Your continued use of MindBridge following any changes constitutes your acceptance of the updated Privacy Policy.

Section 12

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please reach out to us.

MindBridge Privacy Team

Location: Toronto, Ontario, Canada

Email: service@mindbridgecare.com

We will respond to all privacy-related inquiries within 30 days. For urgent safety concerns, please call 9-8-8 or your local emergency services.