General Privacy Policy for Mentalytics AB – last updated on the 18th of October 2021.

Mentalytics AB is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using our websites, our services, or our products (below we use the word “Services” for easier review), you can be assured that it will only be used in accordance with this Privacy Policy.

This Privacy Policy outlines how Mentalytics generally handles your personal data. In connection with some of our Services, we will give you more specific information about our handling of your personal data, and we will, where appropriate, ask for your consent before handling your personal data. At the end of this policy, there is information on how to contact us if you have any questions or if you think anything is unclear.

1. What we collect

Depending on which Services you use, we must process different kinds of information from or about you.
Here’s how:

Personal data and other information you (and others) give us.
We collect the information that you (and others) give us when using our Services. For example:

• When you register to use our Services, we may ask for information such as your name, email address and phone number.
• For many of our Services, you will have the opportunity to create a user profile (for example in one of our web-based Services) and add information to your profile after registration.
• If you buy something from us, we collect information about the transaction. This can include your payment information, purchase activity and delivery and contact details.
• When you communicate with Mentalytics, you provide us with information such as your email address.
• Depending on which Services you use, you have the option of submitting information about your physical features, such as information about your focus data or other health related data.
• If you seek customer support for one of our Services, then it’s sometimes necessary for us to access your personal information to be able to help you with your problem. In those cases, we will either delete the data once the support matter has been resolved or store the data according to applicable retention routines within Mentalytics, if we find that either you or Mentalytics has a legitimate interest in doing so.
• We collect content and information about content that you create using our Services.

Personal data and other information which is automatically collected about you when you use our services.
We also collect information automatically when you are connected to our Services. Depending on how you access and use our Services, we collect information such as:

• Information about how you access our Services, including information about the type of device that you’re using, its configuration (such as your operating system and graphics processing unit), your browser, and how your device is performing.
• Information about the features you interact with our Services. For example, when you use our devices, we collect focus data and other health related data, including data from third parties’ apps and/or devices that you use.
• Information about you and your social media profile if you choose to access our Services with a social media profile. Please note that the information you share within the scope of those social media services, is not applicable to this Privacy policy.

Third parties may also collect information about you through the Services, or receive information collected about you through the Services, as described below.

• Third party companies
  Some of our Services offer the opportunity to use a social media account as an access method to the Service. If you choose to do so, that social media platform will receive information that you chose that access method at one of our Services, and we will receive some types of information from the social media site. How that social media platform processes your information falls outside the scope of this Privacy policy.

2. How do we use your personal data?

We use the information as set out below and to provide our Services to you and our partners.
Here’s how:

To provide and personalize our Services.
We use the information we collect to provide you with our Services. For example, we use this information to:

• Provide you with hardware, content, games, apps, and other needs
• Create accounts and user profiles
• Communicate with you about our Services
• Provide technical support
• Notify you about updates to our Services and
• Customize your usage based on your activities, including the content, games, apps and other experiences you interact with. This allows us to make our Services unique and relevant to you, for example by showing you content that is most relevant to you.

To improve and develop your experience and our Services.
We also use the information that we collect to understand, develop, and improve our Services. For example, we use the information to:

• Seek and analyze input and feedback about our Services
• Identify and address technical issues on our Services
• Conduct and learn from research about the ways in which people use our Services and
• Improve services offered by others, such as third parties that offer games, apps and other content connected to our Services.

To promote our brand and Services.
We use the information that we collect to send you promotional messages and content and otherwise market to you on and offer our Services. We also use this information to measure how users respond to our marketing efforts. If you would like to opt out of receiving marketing emails, then you can always do so by following the instructions implemented in every such promotional message.

To promote safety and security.
We use the personal data that we collect to help promote safety and security on and off our Services, such as by investigating suspicious activity or breaches of our terms or policies and protecting our or others’ rights or property.

3. How is personal data shared?

To provide and support our Services, information that we have about you is shared in certain circumstances. The following can see information about you when you and others use our Services.
Developers, support, and other online content providers on our services.
You can interact with Third-party content, games, apps and other experiences through our Services. We may share information about you with these partners so they can provide you with the experiences that you’ve requested, such as:

• Information in your profile and about how you use our Services. For example, we may provide a third-party games provider with your user id or similar, so that the games provider may deliver a game to you that you’ve purchased bundled with one of our products
• Any other information that you choose to share with the third party through your use of the Services.

Service providers.
We share the information that we collect with vendors, service providers, researchers, and other partners, who work at our direction to support the Services (such as hosting our Services, fulfilling orders, facilitating payments, analyzing the way people use our Services, processing credit card payments, providing customer service or sending electronic communications for us).

Other parties in connection with certain business transactions.
If the ownership of Mentalytics (or any portion of our assets) changes as a result of a merger, acquisition or in the event of a bankruptcy, information from or about you or your device may be transferred to another company.

Law enforcement or legal requests.
We share information with law enforcement or in response to legal requests in the circumstances outlined in Section 6 below.

We also share de-identified or aggregate data with others. “De-identified data” means information where we have removed identifiable data such as your name and other data that could reasonably be used to identify you. “Aggregate data” is data that has been combined with other data so that it doesn’t identify any specific person. For example, we provide developers with aggregated statistics about the number of people from a particular region that use our Services, so developers can create content tailored for people in that market. We may also share de-identified or aggregated data with other third parties.

4. Third parties that provide content, marketing or functionality on our services

Some of the content, marketing and functionality on our Services may be provided by third parties that are not affiliated with us. For example, we work with companies that help us provide content within the Service that you purchased.

5. Data retention and deletion

We store data that identifies you until it is no longer necessary to provide our Services, for example when you delete an account with us. This is a case-by-case determination that depends on things such as the nature of the data, why it is collected and processed, and relevant legal or operational retention needs. For example, we may retain certain purchase information for accounting and tax purposes even after you have deleted your account.
When you delete an account with us, we delete or anonymize the data you provided us with and the data we collected during your use of the Services. Neither you nor we will be able to restore such deleted or anonymized data.

6. How do we respond to legal requests and minimize harm?

We access, preserve, and share information with regulators, law enforcement or others:

• In response to a legal request where we have a good faith belief that the response is required by law in that jurisdiction, affects users in that jurisdiction and is consistent with internationally recognized standards.
• When we have a good faith belief that it is necessary to: detect, prevent, and address fraud or other illegal activity; to protect Mentalytics, our Services, you, and others, including as part of investigations; or to prevent death or imminent bodily harm.

7. How we operate and transfer data as part of our global services

We share information globally, both internally within the Mentalytics and externally with our partners to fully provide the Services you are entitled to receive based on the Service you have purchased or subscribed to and/or otherwise are entitled to receive. Information controlled by Mentalytics will be transferred or transmitted to, or stored and processed in the United States, China and/or other countries outside of where you live for the purposes as described in this policy. These data transfers are necessary for us to globally operate and provide our Services to you. We utilize standard contract clauses approved by the European Commission and rely on the European Commission’s adequacy decisions about certain countries, as applicable, for data transfers from the EU/EEA to the United States and other countries.

8. Changes to this policy

If we make changes to this Privacy Policy, we will provide notice of such changes as appropriate, such as by sending you an email notification to the address that you’ve provided, and/or providing notice through the Services. If we make an administrative change, we may update the “Last Updated” date at the top of this Privacy Policy.

The Data Protection Officer for Mentalytics can be contacted at legal@mentalytics.com You also have the right to lodge a complaint with the Swedish lead supervisory authority; Datainspektionen
www.datainspektionen.se

9. What is our legal basis for processing data?

The legal ground for processing personal data varies depending on the types of data and the situation. The legal grounds we rely on at Mentalytics are the following:

• If processing is necessary to fulfil our contract with you, i.e. what we are obliged to provide under the agreement between you and us. Our obligations to you vary depending on the Service you are using. For example, we may need to store your name and address to keep track of our warranty obligations to you.
• With your consent, which you may withdraw at any time. For example, when you have given your consent for Mentalytics to use your focus data and other personal data to develop our algorithms and thus our products. It should be noted that a withdrawal of a consent shall, and cannot, affect the lawfulness of processing that has already been carried out based on that consent before its withdrawal.
• As necessary to comply with our legal obligations; for example, Mentalytics must store some purchase information to comply with tax and accounting regulations. The legal ground for this processing (storing) is therefore necessary for compliance with legal obligations.
• Occasionally to protect your vital interests or those of others. On rare occasions, we may process your data if doing so is necessary to protect your vital interests. For example, in situations where there is an immediate risk to your health, we may share information with your caregiver.
• As necessary for our (or others) legitimate interests. Mentalytics has a legitimate interest in providing an innovative, personalized, safe and profitable service to our existing and future users and partners, unless those interests are overridden by your interests or fundamental rights and freedoms that require protection of personal data.

10. How can you exercise the rights provided to you under the GDPR?

Under the General Data Protection Regulation, you have the right to:
Access your data
You have the right to obtain from Mentalytics a confirmation of whether personal data concerning you is being processed, and if that is the case, a right to access information including, but not limited to, the purpose of the processing and the categories of personal data that Mentalytics has concerning you. By your request, Mentalytics is required to provide you with a copy of undergoing processing of your personal data.

Rectify your data
If it comes to your knowledge that certain personal data of yours which is being processed by Mentalytics is inaccurate, you have the right to obtain a rectification and, in some cases, a right to have incomplete data completed.

Port your data
If the legal ground for a processing of personal data is based on either (i) consent or (ii) fulfilment of a contract between you and Mentalytics, you have a right to receive data which you have provided us in a commonly used and machine-readable format and have the right to transmit such data to another controller.

Erase your data
You have the right to obtain from Mentalytics the erasure of your personal data when, for example, (i) the data no longer is necessary in relation to the purpose for which it was collected, (ii) if you withdraw a consent, (iii) if you object to the processing and there are no overriding legitimate grounds for the processing, or if (iv) the personal data have been unlawfully processed.

Restrict and object to certain processing of your data
You have the right to restrict Mentalytics from processing your data when, for example, (i) you contest the accuracy of the personal data, or (ii) if Mentalytics no longer needs certain data for the purposes of the processing.

Find out more about these rights, and how you can exercise them by either contacting Mentalytics at legal@mentalytics.com or obtain information from the appropriate supervisory authority.

11. Contacting us

The data controller responsible for your information is Mentalytics AB which you can contact by e-mail at legal@i-p.se.