MindCova

This Privacy Policy is currently under legal review. The content below reflects MindCova’s GDPR posture as understood by engineering and will be finalised by qualified legal counsel before launch. Last updated: 2026-05-31.

Datenschutzerklärung (Privacy Policy)

Information on the processing of your personal data under Art. 13 and 14 GDPR.

Controller

Controller per Art. 4(7) GDPR: to be supplemented after the final entity decision (TBD — Marco).

Data Protection Officer

Data Protection Officer: not currently appointed; requests to be directed to the controller.

Scope

This privacy policy applies to the MindCova online platform at mindcova.com and all associated services (booking system, user account, blog). It is addressed to patients and visitors of the platform.

Processing of special-category personal data (Art. 9 GDPR)

Using psychological support via MindCova involves health data, which is classified as a special category of personal data under Art. 9 GDPR and is subject to the highest level of protection.

The legal basis for processing this data is the explicit consent of the data subject under Art. 9(2)(a) GDPR in conjunction with Art. 6(1)(a) GDPR. Consent is collected at account creation; the consent version and timestamp are recorded.

To protect this data we apply pseudonymisation, encryption at rest and in transit, and strict access controls. All data access is logged in AWS CloudWatch. Session content from consultations (video call content) is not stored on our infrastructure.

We process your personal data on the following legal bases under GDPR Art. 6 and Art. 9:

  • Art. 9(2)(a) GDPR (explicit consent) — for processing special-category mental-health data exchanged during the booking and session lifecycle. Consent is captured at sign-up via an explicit checkbox; the consent version and timestamp are recorded.
  • Art. 6(1)(b) GDPR (performance of a contract) — for booking, payment processing, session scheduling, and account management. Without this processing the booking service cannot be provided.
  • Art. 6(1)(c) GDPR (legal obligation) — for retention of booking and invoice records under HGB §257 (10 years) and for fulfilment of GDPR rights requests.
  • Art. 6(1)(f) GDPR (legitimate interest) — for security monitoring (CloudWatch alarms, PII regex filter, audit log) and fraud prevention; balanced against the rights and freedoms of data subjects.

Data location and third-country transfers

All personal data is stored and processed exclusively in the AWS eu-central-1 region (Frankfurt, Germany). No transfer to third countries outside the European Economic Area (EEA) takes place.

Subprocessors

We use the following subprocessors. A Data Processing Agreement (DPA) under Art. 28 GDPR is concluded with each subprocessor:

  • Amazon Web Services EMEA SARL (AWS): Cloud infrastructure (Amazon Cognito, DynamoDB, SES, S3, CloudFront, CloudWatch) — eu-central-1 region only; legal basis: AWS GDPR Data Processing Addendum and EU Standard Contractual Clauses (SCC) under Art. 46(2)(c) GDPR.
  • Google Meet (Google LLC): We store only the meeting invite link; the video connection takes place directly between the user and the psychologist via Google's infrastructure. MindCova does not process session content. Google's privacy terms apply to the use of Google Meet.
  • Stripe Payments Europe Limited (Ireland): Online payment processing (Stripe Checkout) for session fees in EUR; EU-based controller-to-processor relationship under Art. 28 GDPR. Stripe processes cardholder data on its own systems; MindCova never receives raw card numbers (PCI scope minimised via Stripe Checkout). Stripe’s standard data processing terms apply: https://stripe.com/legal/dpa.
  • CCM19 (Papoo Software & Media GmbH): Consent management platform — self-hosted EU installation at consent.blencode.com; legal basis: DPA under Art. 28 GDPR.

Rights of data subjects

As a data subject you have the following rights with respect to the controller:

  • Art. 15 GDPR — Right of access: you have the right to obtain information about the personal data we hold about you.
  • Art. 16 GDPR — Right to rectification: you have the right to have inaccurate data corrected.
  • Art. 17 GDPR — Right to erasure: you have the right to request deletion of your data, provided no statutory retention obligations apply.
  • Art. 18 GDPR — Right to restriction of processing: you have the right to request that processing of your data be restricted.
  • Art. 20 GDPR — Right to data portability: you have the right to receive your data in a machine-readable format.
  • Art. 21 GDPR — Right to object: you have the right to object to the processing of your data.
  • Art. 77 GDPR — Right to lodge a complaint: you have the right to lodge a complaint with a data protection supervisory authority, in particular in the member state of your habitual residence.

For exercising your rights to access, data portability, and erasure, our self-service area is available: My account. For all other requests please contact the address given in section 11.

Withdrawal of consent (Art. 7(3) GDPR)

You may withdraw your consent to the processing of your personal data at any time with effect for the future. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

Platform consent: withdraw via the 'Delete account' section in your user account. Cookie consent (TTDSG §25): adjust at any time via the Cookie settings button in the footer or by re-opening the consent banner.

Retention periods

  • Booking and invoice data: 10 years under HGB §257 (statutory retention obligation for business records).
  • Account data: until deletion by the user; following a deletion request, immediate deactivation and permanent deletion after any applicable statutory retention periods have elapsed.
  • Session content (video call content): not stored on our infrastructure. Google Meet hosts the connection directly.

Cookies and local storage

Our platform uses cookies and comparable storage technologies. Consent is collected and managed via CCM19.

Strictly necessary cookies (authentication, consent storage) are set without prior consent as they are essential for platform operation (TTDSG §25(2)).

Analytics and marketing cookies are set only with explicit consent (TTDSG §25(1)). No analytics or marketing cookies are currently active. This framework applies to any services added in the future.

Contact for data protection enquiries

For data protection enquiries, to exercise your rights, or for any other data-protection-related matters, please contact us at the address below. Postal address: to be supplemented after the final entity decision.

Email: datenschutz@mindcova.com

Changes to this privacy policy

We reserve the right to update this privacy policy to reflect changes in the legal framework, technical developments, or new services. We will notify you by email of any material changes. The current version is always available here: mindcova.com/datenschutz

Document version: 2026-05-31
