Privacy Policy — MindTime Dynamics B.V.

Last updated: July 3rd, 2026

Privacy Policy — MindTime

Version 2.1. Supersedes v2.0 and all earlier versions, including the version dated 7 August 2025 published under the “Clarissimo” naming.

1. Purpose of this policy

This Privacy Policy explains how MindTime processes personal data in the delivery of the MindTime service — the MindTime Profile assessment, Personal Clara, Team Clara, Team Intelligence, and the MindTime websites. It is written to be readable end-to-end in about ten minutes. It is grounded in Regulation (EU) 2016/679 (the General Data Protection Regulation, “GDPR”) and Dutch implementing law, and reflects the operational state of the service as of the effective date above.

Where this policy talks about processing that also engages the EU AI Act (Regulation (EU) 2024/1689) — in particular the AI-interaction disclosure and the deployer’s use of upstream general-purpose AI systems — those points are called out in Section 12 below.

2. Who we are and how to reach us

MindTime operates through three Netherlands-established entities:

  • MindTime Foundation (Stichting MindTime) — holds the underlying science in trust on behalf of the field. Does not process personal data.
  • MindTime Holding B.V. — owns the product intellectual property (the MindTime Profile Index, the MTAI technology, the platform software, and the trademarks). Licenses the intellectual property to the operating subsidiary. Does not process personal data.
  • MindTime Dynamics B.V. — the operating subsidiary and the sole data controller for every personal-data flow described in this policy. Registered at Groote Veen 71, 9761 DG Eelde, the Netherlands.

Our home supervisory authority is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).

A Data Protection Officer has been appointed under Article 37 GDPR. To reach the DPO — for a rights request, a complaint, or any privacy question — use the contact form and mark the message for the DPO’s attention. You may also write to the DPO care of MindTime Dynamics B.V. at the postal address above.

3. Personal data we process

The categories of personal data we process, and what each category is used for, are as follows.

CategoryData elements
IdentifiersName; work email address; organisation (optional); role (optional); IP address; browser and device metadata.
Account and sessionPassword hash; short-lived session tokens; session metadata.
Cognitive assessmentYour responses to the four-minute MindTime assessment; the resulting three-vector profile (Past, Present, Future); the personal and team reports generated from it.
Team-workspaceTeam membership; aggregate team cognitive-composition data derived from members’ profiles.
ConversationClara chat messages (your inputs and Clara’s responses); conversation history within your account.
Uploaded contentOptional files you upload to Clara chat (PDF, PPTX, images, up to 200 MB). Retained for up to 48 hours in the Google Gemini Files API and then auto-deleted. No local copy is retained by MindTime.
BillingOrder metadata and payment references. Payment card data is held by the payment processor, not by MindTime.
Not collectedSpecial-category data under Article 9 GDPR. Criminal-conviction data under Article 10 GDPR. Data from persons under 18 (the service is 18+).

4. What we use personal data for, and the lawful basis

Under Article 6 GDPR every processing activity we carry out rests on a named lawful basis. Ours are set out below.

PurposeArticle 6 lawful basis
Delivering the MindTime service you signed up for (Profile, Personal Clara, Team Clara, Team Intelligence).Contract — Article 6(1)(b).
Team-workspace processing carried out at the request of a subscribing team leader.Contract with the subscribing team leader — Article 6(1)(b).
Service security, abuse prevention, product operation and improvement.Legitimate interest — Article 6(1)(f).
Marketing communications (newsletters, product announcements).Consent — Article 6(1)(a). Revocable at any time.
Optional analytics or error-tracking, where activated.Consent — Article 6(1)(a).
Billing and tax records.Legal obligation — Article 6(1)(c) (Dutch tax law).
Participation in research beyond ordinary service operation.Consent — Article 6(1)(a).

Use of the service is not treated as consent under Article 6(1)(a). The lawful basis for delivering the service you signed up for is contract, under Article 6(1)(b). Consent is reserved for marketing, optional analytics, and research participation.

5. Data minimisation — what actually gets sent where

Data minimisation is a property of the architecture, not a policy we ask staff to remember. Two decisions matter.

Query content sent to language-model providers. When Clara answers your query, the request the AI backend sends to Anthropic (Claude) or Google (Gemini) carries: the query content itself, your MindTime cognitive vector, your name, and — for team deployments — the organisation. Your email address, password, and payment data are not transmitted to the language-model providers. Uploaded files, if any, are additionally sent to Google’s Gemini Files API for temporary processing (up to 48 hours) and then auto-deleted.

Account deletion. The Delete my account control in account settings is a self-service button. It takes effect immediately in the interface and reaches every store within thirty days.

6. How the service is built — where your data lives

The persistent data layer is inside the European Economic Area:

  • The web application is delivered from AWS Amplify in eu-west-3 (Paris), backed by AWS CloudFront.
  • The database and authentication layer runs on Supabase (managed PostgreSQL 17) in eu-west-3 (Paris). Every user record, cognitive profile, team workspace, chat session, generated report, and pending invitation is held here. Direct browser-to-database access is not permitted; every table is accessed through an authenticated Supabase Edge Function.
  • The AI backend is a stateless FastAPI service on AWS EC2 in eu-central-1 (Frankfurt). It composes prompts, calls the language-model providers, and streams responses. Nothing is persisted on this tier.

7. Sub-processors under Article 28 GDPR

The following third parties process personal data on our behalf as sub-processors.

Sub-processorRoleRegionData that crosses to them
Supabase Managed database, authentication, serverless functions EU (eu-west-3, Paris) Full customer data set
Amazon Web Services (Amplify + CloudFront) Frontend delivery and CDN EU (eu-west-3, Paris) Static assets only; no customer content
Amazon Web Services (EC2 + CloudWatch) AI backend compute and operational log storage EU (eu-central-1, Frankfurt) Request payloads in transit; log lines without customer content
Anthropic (Claude API) AI inference for Clara — chat synthesis United States Query content; MindTime cognitive vector; name; organisation (team); chat content; uploaded file content
Google (Gemini API) AI inference for Clara — knowledge retrieval and report generation Primarily United States As Anthropic. Uploaded files additionally held for up to 48 hours in the Gemini Files API and then auto-deleted by Google.
MindTime AI Dashboard API MindTime Profile lookup by key Microsoft Azure Germany West Central (EU) MindTime key per lookup
Resend Transactional email delivery (invitations, password resets) United States Recipient name, email address, invitation or reset link
HubSpot Marketing forms, communications, CRM EU where available; SCCs otherwise Contact form inputs; marketing engagement data
Google Workspace Internal communications and document handling by MindTime staff EU regions Internal use only
Payment processors Billing for paid subscriptions EU-based Order metadata; card data held by the processor, not by MindTime

PostHog (product analytics) and Sentry (error tracking) are integrated in the frontend codebase but are not currently active. If activated they would carry user-interaction and error-trace data respectively. Activation requires DPO review and an update to the consent flow before it takes effect; this policy will be updated at that point.

Each sub-processor is currently engaged under its standard terms, with Standard Contractual Clauses where applicable. Standalone Article 28(3) Data Processing Agreements — binding each material sub-processor to a defined scope of processing, security measures, sub-processor consent, and audit rights — are in progress; execution of these DPAs is scheduled work, not a completed step. A publicly listed sub-processor register with subscribe-for-updates under Article 28(2) will be published as that work completes.

8. International transfers (Chapter V GDPR)

The persistent data layer is inside the European Economic Area (see Section 6). Personal data crosses to third countries at three points in ordinary processing:

  • Anthropic (Claude API), United States. Data transmitted: query content, MindTime cognitive vector, name, organisation (team), chat content, uploaded file content. Data not transmitted: email address, password, payment data.
  • Google (Gemini API), primarily United States. Same payload as Anthropic. Uploaded files additionally processed through the Gemini Files API for up to 48 hours, then auto-deleted by Google.
  • Resend, United States. Recipient name, email address, and invitation or reset link, sent to Resend for delivery.

The transfer mechanism is the European Commission’s Standard Contractual Clauses under Article 46(2)(c), as published by each of the three sub-processors above in their standard data processing terms. Counter-signed SCCs and a transfer-impact assessment per Schrems II are in progress, along with the standalone Article 28(3) DPAs referenced in Section 7. At the language-model providers, Anthropic and Google are contractually barred from training their models on user inputs and from retaining inputs beyond short operational windows required to serve the response and meet abuse-prevention obligations.

9. Retention

Retention windows apply per category:

CategoryRetention
Account data, MindTime Profile, personal and team reports, Clara conversation history, team-workspace data30 days after account (or workspace) closure, then deleted from active systems
Pilot and research dataDuration of the pilot plus 12 months, then deleted or anonymised
Marketing and contact-form dataUp to 24 months from last interaction, or until deletion is requested
Billing records7 years (Dutch tax law)
Records relevant to a legal dispute or claimPeriod required to resolve it
Uploaded chat files (in Google Gemini Files API)Up to 48 hours, then auto-deleted
AI backend operational logs (CloudWatch)Bounded retention is scheduled work; current logs contain no customer content

The 30-day post-closure window is the target state and is enforced by product design today; an automated retention-enforcement mechanism to enforce the window across every store is in the engineering pipeline as a pre-launch item. Where Dutch law requires longer retention (Dutch tax law for billing records), the longer period applies.

10. Your rights

Under Articles 15 to 22 GDPR you have the rights set out below. We respond to a rights request within one month of receiving it (Article 12(3)); if the request is complex, we may extend by a further two months and will tell you within the first month if we do so.

RightHow to exercise it
Access (Art. 15)Contact form marked for the DPO’s attention.
Rectification (Art. 16)Self-service in account settings for most fields; contact form for anything else.
Erasure (Art. 17)Delete my account button in account settings. Takes effect immediately in the interface and reaches every store within 30 days. Contact-form path also available.
Restriction (Art. 18)Contact form marked for the DPO.
Data portability (Art. 20)Contact form marked for the DPO. Delivered in a structured, machine-readable format where technically feasible.
Object (Art. 21)Contact form marked for the DPO. Applies where processing rests on legitimate interest.
Withdraw consent (Art. 7(3))Unsubscribe link in any marketing email; account settings; or contact form.
Complain to the supervisory authority (Art. 77)Autoriteit Persoonsgegevens — autoriteitpersoonsgegevens.nl.

You do not need to exhaust our internal process before complaining to the Autoriteit Persoonsgegevens; you may go to them directly at any time.

11. Security

Our information security measures include encryption in transit and at rest, role-based access controls, audit logging on sensitive operations, multi-factor authentication on administrative access, mandatory two-factor authentication for accounts with elevated privileges, security-awareness briefings for staff, a 24-hour access-offboarding standard, and quarterly access review. Personnel do not have routine access to customer content; access is granted only when required for operations, support, security, or legal compliance, and is logged.

Two technical items are in the pipeline as pre-launch mitigations, disclosed here in the interests of transparency: end-to-end TLS on the internal hop between Supabase Edge Functions and the AI backend, and authentication (API-key or IP allow-list) on the AI backend itself. Until both are complete, the AI backend rate-limits and monitors requests to reduce the exposure.

12. Clara — the AI-interaction disclosure and the deployer role under the EU AI Act

Clara is an AI-based coaching guide. Under Article 50(1) of the EU AI Act (Regulation (EU) 2024/1689), users interacting with an AI system must be informed of that fact. Clara is clearly named and visibly labelled as an AI guide at every interaction.

Under the same Regulation, MindTime Dynamics B.V. is a deployer of the upstream general-purpose AI systems that power Clara — currently Anthropic’s Claude and Google’s Gemini. Anthropic and Google are the providers of the underlying GPAI systems and carry the provider obligations on the models themselves. As deployer, MindTime carries the obligations that attach to deployment: clear instructions for use, meaningful human oversight, ongoing monitoring, and Article 4 AI literacy for staff operating the service.

The Terms of Use (Section 5) contractually prohibit every user from using the service to make decisions about hiring, firing, promotion, performance evaluation, task allocation, or any other change to the terms of a person’s employment. That contractual restriction is what keeps use of the service outside the high-risk classifications in Annex III(4)(a)–(b) of the Regulation. See the Terms of Use for the full text of the restriction.

13. Cookies and analytics

The MindTime websites use cookies that are strictly necessary for the platform to function (authentication, session management, survey progress). Analytics cookies (Google Analytics) run only where you have accepted the analytics category in the cookie banner; Google Analytics data is retained for 38 months. Details, categories, and the ability to change your preferences are in the Cookie Policy.

14. Children

The MindTime service is for individuals aged 18 and over. We do not knowingly collect personal data from persons under 18. Age is self-declared at account creation. If you become aware that a person under 18 has provided personal data to us, please contact the DPO and we will delete the data.

15. Changes to this policy

We update this policy when the service, our sub-processor arrangements, or the law requires. Material changes are communicated to active users by email at least 30 days before they take effect. The effective date at the top of this policy is the date of the current version; the version number lets you tell one revision from the next.

16. Contact

For a rights request, a complaint, or any privacy question:

MindTime Dynamics B.V.
Attn: Data Protection Officer
Groote Veen 71
9761 DG Eelde
The Netherlands

Web: mindtime.com/contact — please mark your message for the DPO’s attention.

If we cannot resolve your concerns, you may lodge a complaint with the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl), the Dutch data protection authority.

This Privacy Policy covers the MindTime service and websites operated by MindTime Dynamics B.V.: the MindTime Profile assessment, Personal Clara, Team Clara, Team Intelligence, and mindtime.com.

MindTime is the human science behind how we think. Built on 25 years of research, it reveals the hidden architecture of thought; past, present, and future. It empowers people to understand one another in profoundly meaningful ways though a powerful framework for trust, collaboration, and human-aligned technology.

Experience it through Clara — AI built on real cognitive science. Experience Clara.

© 2026 MindTime.com