Privacy Policy
Last updated
MindSpectrum is deeply committed to protecting your privacy and safeguarding your sensitive psychological assessment data. This comprehensive privacy policy explains how we collect, use, protect, and manage your personal and health information in strict accordance with HIPAA (Health Insurance Portability and Accountability Act), GDPR (General Data Protection Regulation), CCPA (California Consumer Privacy Act), and other applicable international privacy regulations. Given the sensitive nature of mental health information, we employ the highest standards of data protection to ensure your psychological assessment results and personal information remain confidential and secure.
We collect only the essential information necessary to provide psychological assessment services: account registration details (name, email, date of birth for age verification), assessment responses and results, usage analytics to improve platform functionality, technical logs for security monitoring, and optional payment information processed through PCI-DSS compliant third-party providers. We strictly adhere to data minimization principles under HIPAA and GDPR, collecting only what is necessary for providing assessment services. Your assessment data is classified as Protected Health Information (PHI) and receives enhanced security protections. We never collect information about your physical location; device identifiers are anonymized; and all health data collection requires explicit informed consent.
Your psychological assessment data is used exclusively for: delivering assessment reports and insights, tracking your personal mental health trends over time (if you enable this feature), improving assessment algorithms and platform functionality through anonymized aggregate analysis, and providing technical support when requested. We NEVER sell, rent, or share your identifiable health information with third parties for marketing or commercial purposes. We do not share your assessment results with insurance companies, employers, educational institutions, or government agencies without your explicit written consent or legal requirement. All data processing activities follow HIPAA's minimum necessary standard and are conducted with documented legal basis under GDPR.
We implement healthcare-grade security measures exceeding HIPAA Technical Safeguards requirements: AES-256 encryption for data at rest and TLS 1.3 for data in transit, multi-factor authentication (MFA) for all accounts, regular penetration testing by independent security firms, HIPAA-compliant cloud infrastructure with AWS/GCP healthcare configurations, automated security monitoring and intrusion detection systems, annual third-party HIPAA compliance audits, disaster recovery and business continuity protocols, and strict access controls limiting staff access to PHI on a need-to-know basis. All employees undergo HIPAA privacy and security training annually. We maintain comprehensive audit logs of all access to your assessment data.
Under the HIPAA Privacy Rule and GDPR, you have comprehensive rights: Right to Access (download a complete copy of your PHI within 30 days), Right to Correction (request amendments to inaccurate assessment data), Right to Deletion (request complete erasure of your data, with limited exceptions), Right to Data Portability (export assessment results in a machine-readable format), Right to Restrict Processing (limit how we use your data), Right to Object (opt out of optional data uses), Right to Revoke Consent (withdraw consent for data processing), and Right to an Accounting of Disclosures (receive a log of who accessed your PHI). Exercise these rights through your account privacy settings or by contacting our Privacy Officer.
You have complete control over your data retention. Active accounts: assessment data retained indefinitely until you request deletion. Inactive accounts (no login for 24+ months): we will email you before archiving data. Deleted accounts: all assessment data permanently deleted within 30 days, with secure data destruction methods meeting NIST 800-88 standards. Aggregate anonymized data used for research may be retained, but contains no identifiable information. You can download your complete assessment history at any time before deletion.
If you access MindSpectrum from outside the United States, your data may be transferred to and processed in the US. We implement Standard Contractual Clauses (SCCs) approved by the European Commission for GDPR compliance and maintain equivalent protections for international data transfers. EU users' data is processed in accordance with GDPR Article 49 derogations for explicit consent and necessary service provision.
For privacy questions, to exercise your rights, or to report concerns: Email our Data Protection Officer at [email protected], write to MindSpectrum Privacy Officer [Company Address], or use our secure HIPAA-compliant contact form. We respond to privacy requests within 30 days as required by HIPAA and GDPR. For data breach notifications or security concerns, contact [email protected] immediately.