Privacy Policy

Last Updated: March 5, 2026

Mindset offers a mobile app and website that assists users to assess their suitability for, and provides access to, online hypnotherapy sessions for chronic lower back pain management. ("Users")

This Privacy Policy describes how we handle the personal information we collect in connection with our website, apps, and related services (collectively, the "Services"). Unless specified below, "you" refers to Users, website visitors, and anyone else who uses our Services.

Personal Information We Collect

We collect the following categories of information.

Information provided by Users:

• Contact details, such as your name, phone number, and email and mailing address.
• Product usage information, such as the information you provide to us when you interact with our Services.
• Health information that you may choose to provide through your use of the Services, for example, information pertaining to chronic lower back pain, physical discomfort, mobility, whether you have received prior treatment, or information about your pain levels, sleep, mood, and stress in order to personalize our program.
• Payment information needed to complete any purchases made through the Services (including name, payment card information, billing information), and your transaction history. Payment information is processed by our third-party payment processor Stripe, in accordance with Stripe's privacy policy and terms of service. We do not have access to payment card numbers.
• Communications that we exchange with you, including when you contact us with questions, feedback, or otherwise.
• Marketing information, such as your preferences for receiving communications about our Services and publications, and details about how you engage with our communications.

Information we obtain from other sources:

• Social media information. We may maintain pages on social media platforms, such as Facebook, Instagram, Twitter, and LinkedIn. When you visit or interact with our pages on those platforms, you or the platforms may provide us with information through the platform.
• Third-party logins. When you link, connect, or login to the Services with a third party service (e.g. Auth0), you direct the service to send us information as controlled by that service or as authorized by you via your privacy settings at that service.

Automatic data collection

We and our service providers may automatically log information about you, your computer or mobile device, and your interaction over time with our Services, such as:

• Device data, such as your computer's or mobile device's operating system, manufacturer and model, browser type, IP address, unique identifiers, language settings, mobile device carrier, and general location information such as city, state or geographic area; and
• Usage data, such as pages or screens you viewed, how long you spent on a page, browsing history, and access times.

We may collect this information using cookies and other similar technologies. Cookies are text files that websites store on a visitor's device or in the browser for the purpose of helping you navigate between pages efficiently, remembering your preferences, enabling functionality, and helping us understand user activity and patterns. For more information on how you can control cookies, please see the Your Privacy Rights and Choices section below.

How We Use Personal Information

We use personal information for the following purposes:

To provide the Services. This includes:

• Enabling Users to create an account on our app;
• Administering, hosting, and operating the Services;
• Communicating with you and responding to any inquiries you may have; and
• Analyzing your use of the Services to allow us to evaluate and improve the Services.

Research, development, benchmarking, and improving our Services. We may use personal information to analyze and improve the Services, identify trends, and operate and expand our business activities. We may also create aggregated, anonymized, or other de-identified statistics, which we may use for lawful business purposes, including for analytics, forecasting, and strategic planning.

Marketing and advertising, including for:

• Direct marketing. We may send direct marketing communications, including, but not limited to, sending newsletters or publications, and notifying you of promotions, offers and events via postal mail, email, telephone, text message, and other means.
• Interest-based advertising. We engage our advertising partners, including third party advertising companies and social media companies, to advertise our Services. For more information, or to understand your choices, please visit the Your Privacy Rights and Choices section below.

For compliance and protection, including to enforce any applicable terms and conditions, comply with legal obligations, defend against legal claims or disputes, protect the security and integrity of our Services, and identify and investigate fraudulent, harmful, unauthorized, unethical or illegal activity.

How We Share Personal Information

We may share personal information with:

Service providers. We share personal information with companies and individuals that provide services on our behalf or help us operate our Services or our business (such as hosting services, communications, data and cyber security services, billing and payment processing services, fraud detection, investigation and prevention services, web and mobile analytics, email and communication distribution and monitoring services, and customer relation management systems).

Advertising partners. We may share personal information that we collect on our website with third party advertising companies (including for the interest-based advertising purposes described above), lead generation partners, and channel partners, resellers, and distributors that allow us to explore and pursue growth opportunities.

Professional advisors. We share personal information with professional advisors, such as lawyers, auditors, bankers and insurers, where necessary in the course of the professional services that they render to us.

Authorities and others. We may share personal information with law enforcement, government authorities, and private parties, as we believe in good faith to be necessary or appropriate.

Business transferees. We may share personal information with acquirers and other relevant participants in business transactions (or negotiations for such transactions) involving a corporate divestiture, merger, consolidation, acquisition, reorganization, sale or other disposition of all or any portion of the business or assets of, or equity interests in, Mindset or our affiliates (including, in connection with a bankruptcy or similar proceedings).

Your Privacy Rights and Choices

Unsubscribe from direct marketing communications. You may opt out of marketing-related communications by following the opt out or unsubscribe instructions contained in the marketing communication we send you. You may continue to receive service-related and other non-marketing communications.

Opt-out of push notifications. If you opt in to receive push notifications within the app, we may send push notifications or alerts to your mobile device from time to time. You can deactivate push notifications and alerts at any time by changing your device settings, changing the push notification settings within the application, or deleting the app.

Privacy rights. Depending where you reside, you may have the following rights:

• Information. You may have the right to obtain information about how we collect, use, and share your personal information. We provide this information within this Privacy Policy.
• Access, correction and deletion. You may also have the right to request access to your personal information, to correct personal information that is out of date or inaccurate, or to delete personal information that is no longer needed for a permitted purpose. Where these rights apply, you are entitled to exercise these rights free from discrimination.
• Sharing personal information and targeted advertising. We use cookies on our website to help us advertise our Services on other websites you might visit. We may share information we collect, such as information about the pages you visit on our website and your purchases, with our advertising and channel partners to support our interest-based advertising, which may qualify as a sale or sharing of personal information, or targeted advertising, under applicable law. You can opt-out of our use of sharing of personal information for these purposes as described in the Opt-out of interest-based advertising section below.

To exercise these privacy rights, or if you have any questions about how we handle your personal information, please contact us as provided in the Contact Us section below.

Limitations. Your rights may be limited under applicable laws, such as where fulfilling your request would impair the rights of others, our ability to provide a service you have requested, or our ability to comply with our legal obligations and enforce our legal rights.

Additional Rights for Users in Specific Jurisdictions

Users in Canada. If you are located in Canada, we process your personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. In addition to the rights described above, you have the right to withdraw your consent to the collection, use, or disclosure of your personal information at any time, subject to legal or contractual restrictions. You may access and request correction of your personal information held by us. We will respond to your request within 30 days. If you are not satisfied with our response to your privacy complaint, you may contact the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.

Users in the United Kingdom. If you are located in the United Kingdom, we process your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Our lawful basis for processing your personal data is your consent, which you may withdraw at any time. In addition to the rights described above, you have the right to: request data portability (to receive your personal data in a structured, commonly used, machine-readable format); object to processing of your personal data in certain circumstances; request restriction of processing; and lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data protection rights have been violated.

Users in the European Economic Area (EEA). If you are located in the EEA, we process your personal data in accordance with the General Data Protection Regulation (EU GDPR). You have the same rights as UK users described above. For cross-border data transfers from the EEA, we rely on the EU-US Data Privacy Framework and/or Standard Contractual Clauses approved by the European Commission. You may lodge a complaint with your local supervisory authority.

Opt-out of interest-based advertising. You may limit online tracking by:

• Blocking cookies in your browser. Most browsers let you remove or reject third-party cookies, including cookies used for interest-based advertising. To do this, follow the instructions in your browser settings. Many browsers accept cookies by default until you change your settings. For more information about cookies, including how to see what cookies have been set on your device and how to manage and delete them, visit www.allaboutcookies.org.
• Blocking advertising ID use in your mobile settings. Your mobile device settings may provide functionality to limit use of the advertising ID associated with your mobile device for interest-based advertising purposes.
• Using privacy plug-ins or browsers. You can block our websites from setting cookies used for interest-based ads by using a browser with privacy features, like Brave, or installing browser plugins like Privacy Badger, Ghostery, or uBlock Origin, and configuring them to block third party cookies/trackers. You can also opt out of Google Analytics by downloading and installing the browser plug-in available at: https://tools.google.com/dlpage/gaoptout.
• Platform opt outs. The following advertising partners offer opt out features that let you opt out of use of your information for interest-based advertising:
  • Google: www.adsettings.google.com
  • Facebook: https://www.facebook.com/about/ads
• Advertising industry opt out tools. You can also use these opt out options to limit use of your information for interest-based advertising by participating companies:
  • Digital Advertising Alliance for Websites: optout.aboutads.info
  • Digital Advertising Alliance for Mobile Apps: https://youradchoices.com/appchoices
  • Network Advertising Initiative: optout.networkadvertising.org

Note that because these opt out mechanisms are specific to the device or browser on which they are exercised, you will need to opt out on every browser and device that you use.

Do Not Track. Some Internet browsers may be configured to send "Do Not Track" signals to the online services that you visit. We currently do not respond to "Do Not Track" or similar signals. To find out more about "Do Not Track," please visit http://www.allaboutdnt.com.

Research Participation

We may engage in clinical research and trials that use only aggregated and de-identified data we have collected. If you would not like your information used in our studies, please contact us at hello@mindsethealth.com.

Data Security

We employ a number of technical, organizational and physical safeguards designed to protect the personal information we collect. However, no security measures are failsafe and we cannot guarantee the security of your personal information.

Data Retention

We may retain your personal data for as long as it is reasonably needed in order to maintain and expand our relationship and provide you with our Services; in order to comply with our legal and contractual obligations; or to protect ourselves from any potential disputes. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of such data, the potential risk of harm from unauthorized use or disclosure of such data, the purposes for which we process it, and the applicable legal requirements.

Children

Our Services are not intended for use by children without the consent of their parents or guardians. If we learn that we have collected personal information through our Services from a child under 13 without the consent of the child's parent or guardian as required by law, we will delete it.

HIPAA

If we are subject to the Health Insurance Portability and Accountability Act ("HIPAA"), you may also contact the Secretary of the U.S. Department of Health and Human Services. Under no circumstances will we take any retaliation against you for filing a complaint.

Changes to This Privacy Policy

We reserve the right to modify this Privacy Policy at any time. If we make material changes to this Privacy Policy, we will notify you by updating the date of this Privacy Policy. We may also provide notification of changes in another way that we believe is reasonably likely to reach you, such as via e-mail (if you have an account where we have your contact information) or another manner.

Contact Us

Security, Privacy, and Compliance Officer: Alexander Naoumidis, Level 2, 620 Church Street, Cremorne VIC 3121.

Email: privacy@mindsethealth.com

Privacy Policy (Australia)

Last updated on March 5, 2026

Mindset Health Pty Ltd ("we", "Mindset Health" or "Mindset") is committed to protecting and respecting your privacy. This Privacy Policy ("Policy") (together with our Terms and any other documents referred to in it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us and how you can get access to this information.

1. Purpose of this Policy

Mindset Health provides you (the "User") with access to the online and mobile services associated with Mindset, including but not limited to, mindsethealth.com and all associated subdomains (the "Website"), and the Relio mobile application (the "App"), collectively the "System".

Our privacy policy is written to be compliant with numerous national and international laws and frameworks, including (but not limited to) HIPAA, GDPR, and the EU-US Data Privacy Framework.

2. Collecting and processing your data

What is the purpose of our collection and processing?

We collect and process your data in order to provide a program of personalized tools for managing chronic lower back pain (and to improve and support the delivery of that program).

What is our legal basis for collection and processing?

We require consent from all users before processing their data. This consent can be withdrawn at any time. To request deletion of data, please send an email to hello@mindsethealth.com from the email associated with the data you wish to delete.

What data do we collect and process?

Personal information

We collect and use information like your name, email address, and phone number to personalize the services provided to you and communicate with you. Where practicable to do so, we generally collect this information directly from you (such as via the App or the Website).

Health information

We collect information about your chronic lower back pain (including, but not limited to, self-reported symptoms or difficulties associated with pain levels, physical discomfort, mobility, mood, sleep, and stress) in order to personalize our program.

We may collect information about pre-existing medical conditions in order to ensure the safety of the pain management program we provide.

We also collect general information about your mental and physical wellbeing in order to evaluate progress against your self-defined goals.

Information collected from our partners

In some cases, we may receive materials from third parties such as our partner clinics. We collect this material to improve the quality of our services provided through the App. We require our partners to ensure that such material is de-identified before being provided to us so that it no longer contains any personal or health information. We also require that where our partners collect personal or health information, they obtain all required consents and make all required disclosures under the Privacy Act 1988 (Cth) ("Privacy Act").

Despite the precautions described above, we may from time to time inadvertently receive material from our partners that contains personal information or health information. In the event that we do receive personal information or health information from our partners, we will treat this information in accordance with this Privacy Policy and applicable laws. This includes taking reasonable steps to protect the security of this information, not disclosing the information to any party unless required by law or with your consent and de-identifying or destroying the information where required.

Electronic metadata

We may collect information about the devices you use to access the System, including (but not limited to) IP address, mobile device UDID and IMEI numbers, operating system, browser type, and screen size. This information is used to provide you with customer support, for system administration, to tailor your experience of the System, to report aggregate information internally, and to assist communication (e.g., push notifications).

Cookies

We may store cookies (small text files managed by your web browser) on your computer in order to improve your experience with the System. Example uses of these cookies include: recognizing you when you return to the System, maintaining data you've entered across multiple sessions, and storing information about your personal preferences.

You may refuse to accept cookies by changing the settings on your device to prevent cookies from being set. However, if you select this setting you may be unable to access certain parts of the System. Unless you have adjusted your browser setting so that it will refuse cookies, our system may issue cookies when you visit the System.

Non-identifiable information

We may include your data in aggregated data sets shared with our research partners. In these sets, your data is not personally identifiable, and would be used for supporting generalized statements (e.g., "adults aged 30-50 with desk-based jobs report the highest levels of chronic lower back pain").

How do we store your data?

We take reasonable steps to ensure the security and safety of personal information that we hold about you. These include implementing and maintaining reasonable current data protection and virus screening procedures and technologies.

We may also store personal information with third party storage providers such as Google Cloud Platform (GCP). Where this is done, we require the provider to enter into written agreements under which the provider commits to protecting the security of personal information stored on our behalf.

We will generally only store your personal information for as long as it is required for the purposes set out in section 3 below. However, we may retain health information for longer periods if required under applicable law. We may also retain de-identified or aggregated data for a longer period to the extent it is reasonably required for us to deliver or improve our services.

3. How do we use, access and disclose your data?

Mindset Health understands that your personal and health information is private and personal and is dedicated to maintaining its confidentiality and integrity. As such, we will never sell or rent it, and we have policies, procedures, and other safeguards to help protect it from improper use and disclosure.

We follow a Minimum Necessary Access Policy so any required disclosure of your personal information is minimized. The following categories describe the ways in which we use your personal information and the rare instances that require us to disclose it to persons and entities outside of Mindset. We have not listed every use or disclosure within the categories below, but all permitted uses and disclosures will fall within one of the following categories. In addition, there are some uses and disclosures that may require your specific authorization.

Mindset Health does not disclose Personal Information to third parties for any purpose materially different from the purpose(s) for which it was originally collected.

Disclosure at your request

We may disclose information relating to your use of the System when requested by you. This disclosure at your request may require written authorization by you.

Payment

We do not store credit card or customer details with any third parties except trusted suppliers who help us deliver the services associated with the System and we are committed to ensuring that all suppliers meet our security and data protection standards. As such, we may use and disclose your personal information to obtain payment for services that we provide to you. For example, we may make disclosures to claim and obtain payment from your health insurer, health maintenance organization (HMO), or other company that arranges or pays the cost of some or all of your use of the System ("Your Payor") or to verify that Your Payor will pay for health care.

Services and Operations

We may use and disclose your personal information in connection with providing services, for our internal operations, which include administration, eligibility, planning, analytics and various activities that assess and improve the quality and cost effectiveness of the service that we deliver to you. Examples are using information about you to improve the quality of the service and deliver satisfaction surveys. We may also use de-identified health information to further improve the quality of customer services and deliver internal training. To the extent you receive access to our Website and App through your employer or your health plan, our services may include supporting, and sharing information with, your employer's wellness program, your health plan or third-party administrator or other similar programs. Possible information to be shared may include participation data (i.e. the fact that you used Relio), milestone data (e.g. number of sessions you complete or how many times you practice the techniques) to allow you to earn incentives and rewards (if those are offered as part of your wellness program). Information that identifies you as an individual will not be shared with your employer.

Emails and other communications

We may use or disclose your personal information for the purposes of sending you communications by email and/or SMS message about our products and services, for example to notify you of offers or services that may be of interest to you. We will only do so in accordance with the Privacy Act and other applicable laws.

We may receive a confirmation when you open an email from us, or click on a link in an email, if your computer supports this type of program. We use this confirmation to help us make emails more interesting and helpful.

When you receive an email or SMS from us, you can opt out of receiving further such communications by following the included instructions to unsubscribe. However, by opting out of further communications after you sign up, you may limit program reminders and other valuable program content and components.

Reminders and notifications

We may use and disclose your personal information to contact you as a reminder to interact with, or complete tasks relating to your use of the System. You may make changes to the format and frequency of these reminders, or cancel these reminders and/or notifications by logging into your Mindset account in the App, and/or by accessing the native notification settings on your mobile device when using the App.

Third party service providers

There are some services provided in our organization through third party services providers. Examples of third party services providers include accounting services, server hosting and email delivery providers, business associates, vendors and other business partners and reputable companies in the industry who subcontract to us or to those of your employer as our corporate customers, where permitted by law. We may disclose your personal information to our third party services providers so that they can perform the job that is required of them. To protect your personal information, we require appropriate contracts or written agreements be in place with such services providers that safeguard your personal information.

Third party medical professionals

With your explicit permission, we may share your personal information with third party medical professionals nominated by you.

Threat to health or safety

We may use and disclose your personal information when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat.

As required by law

Certain laws permit or require certain uses and disclosures of personal information for example, for public health activities, health oversight activities and law enforcement. In these instances, Mindset Health will only use or disclose your personal information to the extent the law requires.

Personal representatives or persons involved with your care

We must use and disclose your personal information to anyone who has the legal right to act for you (your personal representative) in order to administer your rights. We may also use or disclose your personal information to a person involved in your care or who helps pay for your care, such as a family member, when you are incapacitated or in an emergency, or when you agree or fail to object when given the opportunity. If you are unavailable or unable to object, we will use our best judgment to decide if the disclosure is in your best interests. Special rules apply regarding when we may disclose health information to family members and others involved in a deceased individual's care. We may disclose health information to any persons involved, prior to the death, in the care or payment for care of a deceased individual, unless we are aware that doing so would be inconsistent with a preference previously expressed by the deceased.

For research and publicity purposes

We may use personal information for internal and external research and publicity purposes. This may include publishing aggregate information about our users (for example, that adults aged 30-50 with desk-based jobs report the highest levels of chronic lower back pain) in the context of providing public health information and conducting academic research. In certain instances, we may only provide such information with special waivers and permissions from you.

Transfer of business assets

In the event that we sell or buy any business or assets, we may disclose your personal data to the prospective seller or buyer of such business or assets. If Mindset Health or substantially all of its assets are acquired by a third party, personal data held by it about its customers will be one of the transferred assets. Mindset Health will ensure that information transferred to third parties will only be used in a way that is compliant with the EU-US Data Privacy Framework and the Privacy Act, and will remain liable in cases of onward transfers to third parties.

Overseas disclosures

In some cases, we may disclose your personal information to third parties who are located in other jurisdictions, for example the United States of America.

In such cases, we will take reasonable steps to ensure that such recipients do not use or disclose your personal information in a way that is inconsistent with our obligations under the Privacy Act.

4. How can I access and correct my data?

Access

You may access the personal information we hold about you and request that we update and/or correct it, subject to certain exceptions.

If you wish to access or correct your personal information, please contact us in writing at the contact details listed in section 5 below. We will endeavour to respond to your request within 30 days. If we are unable to provide access or make the requested correction within the above timeframe, we will provide you with written reasons and suggest alternative approaches to address your concerns.

We will not charge any fee for your access request, but may charge an administrative fee for providing a copy of your personal information.

In order to protect your personal information, we may require identification from you before providing the requested information.

5. Complaints and enquiries

If you have any queries or complaints about our Privacy Policy, please contact us via:

Attention: Alexander Naoumidis, Security, Privacy, and Compliance Officer

Address: Level 2, 620 Church Street, Cremorne VIC 3121

Email: privacy@mindsethealth.com

We will acknowledge your complaint within 7 days of receipt and we will endeavour to resolve it within 30 days, unless we notify you otherwise in writing.

Following receipt of your complaint, we will commence an investigation and may require you to provide additional details. To the extent lawful and practicable, we will deal with any complaints in a confidential matter. We will endeavour to complete the investigation within a reasonable timeframe, and we will inform you of the outcome following completion of the investigation. If you are dissatisfied with the outcome, you may refer the complaint to the Office of the Australian Information Commissioner.

‍