PRIVACY POLICY FOR MINDWAY EAP
Last updated: 25 July 2025

Mindway Group PTY LTD, trading as Mindway EAP (ABN: 29682230075) ("Mindway EAP," "we," "us," or "our"), is committed to protecting your privacy. This Privacy Policy outlines how we collect, use, store, and safeguard your personal information when you use the Mindway EAP services and App.

1. Key Definitions
Mobile Application: The Mindway EAP App designed for mobile devices (iOS, Android, etc.), including meditation and mindfulness features.
Personal Data: Any information about you that identifies you, including data you provide or data collected automatically.
User: Any person who downloads, activates, or uses the App and/or utilises EAP counselling services.
Cookies: Small files used to enhance functionality and performance.
EAP Services: Employee Assistance Program services, including virtual and telephone-based counselling sessions.
We/Us/Our: Mindway Group PTY LTD, trading as Mindway EAP, located in Victoria, Australia.

2. Applicability
This Privacy Policy applies to all personal data collected through the App and/or EAP services. By downloading, installing, or using the App, you acknowledge and agree to the terms outlined herein. If you do not agree with this policy, you must immediately cease using the App and its services.

3. Data We Collect
We collect the following types of information:
3.1. Device Data
Device ID, IP address, operating system, and network details. This helps us optimise the App's performance across various devices and platforms.
3.2. Voluntary Data
Information provided during signup or usage, such as your name, email address, phone number, notes, journal entries, meditation session data (frequency, duration, progress), and any other data you choose to submit through the App.
3.3. Employer Data Sharing on Signup
Your name and email address are shared with your employer during the signup process to manage access to Mindway EAP services. This occurs regardless of whether you subsequently use counselling services. Some employers may also provide departmental breakdowns to enhance the allocation of resources and services.
3.4. First-Time Client Form
Information submitted via the First-Time Client Form is shared with your assigned counsellor. This data remains strictly confidential and is used solely for providing tailored counselling services.
3.5. Meditation and Mindfulness Data
Data related to your use of meditation features, including session completion, duration, preferences, and progress tracking. This data is used to personalize your wellness experience.
3.6. Cookies
Cookies are utilised to enhance the user experience, track app performance, and improve functionality. These may include both session cookies (temporary) and persistent cookies (stored for future visits).

4. Purpose of Collecting Data
We process your data for the following purposes:
  • To enhance your user experience and analyse app usage patterns
  • To provide technical and customer support, ensuring seamless operation of the App
  • To communicate updates or changes related to your account or the App's features
  • To securely store notes, journal entries, meditation progress, and other personal data submitted through the App
  • To validate and log counselling sessions for accurate record-keeping and compliance
  • To monitor app performance and usage trends using Google Analytics, helping us continuously improve service quality and user experience
  • To provide personalized meditation and mindfulness content recommendations
4.1. Confidentiality Exception
Aggregated and anonymised data may be shared with employers to provide insights into workforce engagement. This includes statistics such as:
  • Overall counselling service utilisation rates (e.g., "20% of eligible employees accessed services this quarter")
  • App usage trends (e.g., "meditation feature engagement increased by 15%")
  • General service categories accessed (e.g., "work stress" or "relationship issues" as broad themes)
  • Peak usage times and service demand patterns
  • Departmental breakdowns of service utilisation (where departmental data is available)
Such data will never include identifiable personal information, specific session content, or individual usage patterns.

5. Data Security
We implement industry-leading measures to safeguard your data, including:
  • Encryption of sensitive information during data transmission and storage
  • Regular updates and security patches to minimise vulnerabilities
  • Stringent access controls to ensure data is accessed only by authorised personnel
  • Multi-factor authentication for administrative access
While we strive for robust security, no system is entirely infallible. By using the App, you acknowledge the inherent risks associated with data transmission over the internet.

6. Data Retention
We retain data only as long as necessary or as required by law. Specific retention periods include:
Counselling Session Data: Retained for seven (7) years from the last interaction to comply with Australian psychological services standards and legal requirements.
User Account Data: Retained while the account remains active and permanently deleted within thirty (30) days after account closure, unless retention is required by law.
Meditation/App Usage Data: Retained for the duration of your account activity and permanently deleted within thirty (30) days after account closure.
Marketing Communications: Retained until you unsubscribe or are removed.
To request data deletion, please contact support@mindwayeap.com.au.

7. Confidentiality of EAP Services
We prioritise the confidentiality of our Employee Assistance Program services. Your identity and participation in counselling services will never be disclosed to your employer, except as required by law. Identifiable information from counselling sessions is not shared with employers under any circumstances, unless:
  • You provide written consent for disclosure
  • Disclosure is legally required (e.g., court orders)
  • There is a risk of harm to the individual or others, in accordance with professional ethical guidelines and legal requirements
  • There is evidence or suspicion of child or elder abuse

7.1. Data Not Shared with Employers
  • Your name or identity in connection with counselling services (except where legally required)
  • Counselling notes taken
  • Person engaging in counselling
  • Individual app usage data or counselling usage
  • Specific personal information shared during counselling sessions
  • Individual meditation or mindfulness app usage patterns
7.2. Limited Exceptions
  • Aggregated Data Sharing: Statistical information such as overall counselling utilisation rates, app engagement metrics, general categories of issues addressed (without specifics), and departmental usage trends may be shared with employers
  • Billing Information: The date of a counselling session may be disclosed for billing or contractual compliance purposes
  • Registration Data: Your name and email are shared with your employer during the signup process for access verification, but this is not linked to your actual service usage or session content

8. User Rights
You have the following rights regarding your personal data:
Access: Request details on how we process your data and receive a copy of the data we hold about you.
Correction: Request updates or corrections to inaccurate or incomplete data.
Deletion: Delete your account directly via the App or by contacting us at support@mindwayeap.com.au.
Objection: Object to the processing of your data under specific circumstances, as outlined in applicable privacy laws.
Portability: Request a copy of your personal data in a structured, commonly used, and machine-readable format.

9. Data Storage
Your data is securely stored on industry-leading platforms to ensure its safety and integrity. Specifically:
AWS (Amazon Web Services): A globally trusted hosting provider offering advanced security measures, including encryption and access control.
Firebase (Google): A secure and reliable platform for data management, known for its robust privacy and security features.
Google Analytics: Used for analysing app usage, performance, and user behaviour in an aggregated, non-identifiable form. Data collected through Google Analytics is subject to strict access and retention controls.

Third-Party Services
Brevo: Used to facilitate email delivery and communication messaging. Brevo adheres to stringent privacy and security standards to protect your information.
CognitoForms: Utilised for consent and intake forms, ensuring secure handling of sensitive data in compliance with privacy laws and regulations.

Data Processing Agreements (DPAs)
To ensure your data is processed securely and lawfully, Mindway EAP has signed Data Processing Agreements with each of the providers listed above. These DPAs outline each provider's data protection obligations and ensure compliance with Australian and international privacy laws, including the GDPR where applicable.

10. Minors
The App and its services are intended for users aged 18 years and over. Users under the age of 18 must discontinue use immediately. We do not knowingly collect or store personal data from minors. If we become aware that we have collected personal information from someone under 18, we will take steps to delete such information promptly.

11. Data Breaches
In the event of a data breach:
  • We will promptly assess the impact and notify affected individuals if there is a risk of serious harm within 72 hours
  • We will report the breach to the relevant data protection authority or government body based on the jurisdiction of the affected individuals, including but not limited to the OAIC (Australia) or ICO (UK)
  • We will provide updates as necessary and take steps to mitigate the impact of the breach
  • We will conduct a thorough investigation to prevent similar incidents

12. International Data Transfers
Some of our third-party service providers may process your data outside of Australia. When this occurs, we ensure appropriate safeguards are in place, including:
  • Data Processing Agreements with adequate protection clauses
  • Compliance with applicable international data transfer regulations
  • Regular monitoring of third-party security practices

13. Consent and Legal Basis
We process your personal data based on the following legal grounds:
Consent: For app registration and optional features like meditation progress tracking
Legitimate Interests: For service improvement, security monitoring, and providing aggregated insights to employers (balanced against your privacy rights)
Legal Obligations: For record-keeping requirements in counselling services and mandatory breach reporting
Vital Interests: For disclosure in situations involving risk of harm
You may withdraw consent at any time where we rely on consent as the legal basis, though this may limit your access to certain services.

14. Data Minimisation and Purpose Limitation
We adhere to data minimisation principles by:
  • Collecting only data necessary for the specific purposes outlined in this policy
  • Using data only for the purposes for which it was collected
  • Regularly reviewing data collection practices to ensure continued relevance
  • Implementing privacy-by-design principles in new features and services

15. Policy Updates
This policy is effective as of 25 July 2025. We may update this policy periodically to reflect changes in laws, regulations, or our practices. When significant changes are made, we will:
  • Update the "Last updated" date at the top of this policy
  • Notify users through the App or via email where practical
  • Continue to protect your data in accordance with applicable privacy laws
The latest version will always be accessible via the App or our website. Your continued use of our services after policy updates constitutes acceptance of the revised policy.

16. Contact Us
For questions or concerns regarding this policy, data access requests, or to exercise your privacy rights, please contact us at:
Email: support@mindwayeap.com.au

Response Time: We aim to respond to privacy-related inquiries within 10 business days and will acknowledge receipt within 2 business days.

Privacy Officer: For complex privacy matters, you may request to speak with our designated Privacy Officer.

Complaints: If you believe we have not handled your personal information appropriately, you may lodge a complaint with us first. If unsatisfied with our response, you have the right to complain to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

Disclaimer: While we employ stringent security measures, no internet transmission can be guaranteed as completely secure. By using the App or EAP services, you acknowledge and accept this inherent risk.