Privacy Notice – End Users

1.1. Upon registration for the Service we collect your full name, date of birth, gender, email address, and some health- related details. Upon registration for the Application, we collect your password.

1.2. Registration Information: The Service is available only to registered users. Users may register for the Service through two alternative channels:

• Users who are registered for the Service through the qualified professional administering their Service sessions ("Practitioner").
• Users who register for the Service independently through the Myndlift Application.

When your Practitioner registers you to the Service through our Web Application, we collect your full name, date of birth, gender, email address, mobile phone number when applicable, relevant health-related details, when applicable.

When you register for the Service through the Application, we collect your full name, date of birth, gender, email address, address, and the reason for registration.

1.3. Payment Information:

• If you order Service-hardware through our Shopify store, the payment information is collected and processed by Shopify, not directly by us, and is also subject to such third party’s privacy policy.

1.4. You are not legally required to provide us your information. You do not have a legal duty to provide us the Registration Information. However, you will not be able to sign up to and use the Service without providing us this information.

1.5. Use of Information When you use the Application, we collect your electrical brain activity signals (EEG) and may also collect your cognitive tests results.

1.6. We collect your device information. Metadata: When you access the website or the Application, we collect information about your personal computer or mobile device, including its model, your device’s geolocation, its operating system, unique device identifiers, mobile network information and the Internet Protocol (IP) address through which you accessed the Service.

1.7. We collect analytic information about your use of the Service.

Analytics Information: When you access the Service, we use our own and third-party analytics tools, such as Google Analytics (e.g., GA4), to automatically collect aggregated information about your use of the Service. For example, we may record the frequency and scope of your use of the Service, the duration of your sessions, and your interaction with the Service.

2.1. We process your data for the following purposes:

• To operate the Service: We process your Registration Information and to facilitate your access to and use of the Service, and to operate the Service.

  The legal basis under EU law for processing your Registration Information is the performance of our Terms of Use contract with you and our legitimate interest in the operation of the Service.

• To provide you with the Service, its features and functionality: We process your Use Information to provide you with the Service, its features and functionality.

  The legal basis under EU law for processing your Use Information is your explicit consent.

• To develop and improve the Service: We process aggregated Use Information for research purposes, in order to improve and develop our Service. The legal basis under EU law for processing aggregated Use Information is your explicit consent.
• For security and monitoring purposes: We process Metadata for security and monitoring purposes.

  The legal basis under EU law for processing Metadata is our legitimate interest in monitoring and securing our Service.

• To personalize and improve the Service: We process your Analytics Information to understand how users interact with the Service so that we can personalize and improve it. The legal basis under EU law for processing your Analytics Information is our legitimate interest in understanding how the Service is used in order to personalize and improve it.

3.1. We will share your information with our service providers that help us to operate the Service: We will share your personal information with service providers who assist us with the internal operations of the Service. These companies are authorized to use your personal information only as necessary to provide these services to us and not for their own purposes. Representative examples of service providers we use are listed here.

3.2. We will share your information with your Practitioner: The legal basis under EU law for sharing your information with your Practitioner is your explicit consent.

3.3. We may share your Use Information with other entities for their own research purposes: We may share your Use Information and additional data such as your age, gender, and health related details, with other entities for their own academic research purposes. We will only share this information after removing any data that may directly identify you (such as your name and contact information). The legal basis under EU law for sharing your information with other entities for their own research purposes is your explicit consent.

3.4. If you violate the law, we will share your information with competent authorities: If you violate any applicable law, your Registration Information will be shared with competent authorities and with third parties (such as legal counsels and advisors), for the purpose of handling the violation. The legal basis under EU law for such processing is our legitimate interest in enforcing our legal rights.

3.5. We will share your information if we are legally required: If we are required to disclose your information by a judicial, governmental, or regulatory authority. The legal basis under EU law for this processing is our compliance with the legal obligations we are subject to.

3.6. We will share your information if the operation of the Company is organized within a different framework: If the operation of the Company is organized within a different framework, or through another legal structure or entity (such as due to a merger or acquisition), provided that those entities agree to be bound by the provisions of this Notice, with reasonably necessary changes taken into consideration. The legal basis under EU law for this processing is our legitimate interest in business continuity, following a structural change.

4.1. What are cookies? Cookies are text files, comprised of a small amount of data, that are saved on your computer or other device (e.g., smartphone, tablet, etc.) when you use the Internet and visit various websites.

4.2. We use cookies necessary to the operation of the Service, for analytics and for marketing purposes. We use cookies for the following purposes:

• Necessary: Cookies that are strictly necessary for the functioning of the Service. The Service cannot operate properly without these cookies.
• Analytics: Analytics cookies operated by third parties, such as LinkedIn, Google, and Facebook, that assist us in understanding how users interact with the Service by collecting data that, by itself, does not directly identify you.
• Marketing: Marketing cookies operated by third parties, such as LinkedIn, Google, and Facebook, that track your use of the Service and allow us to tailor content, both on and off the Service, that we believe is relevant to you.

4.3. Our cookie management tool provides you detailed information about the cookies we use and enables you to control their use. We use a cookie management tool to provide you more information about the cookies we use. It also enables you to control the use of analytics and marketing cookies. You can change your mind at any time by enabling or disabling certain cookies or categories of cookies. However, you cannot disable the ‘necessary’ cookies because the Service cannot operate without them. By enabling cookies, you give your consent to collect the data they are intended for.

5.1. We retain your personal data as long as you are a registered user of the Service and thereafter for compliance and legal purposes. We retain your personal data as long as you are a registered user of the Service. Thereafter, we will continue to retain your personal information as necessary to comply with our legal obligations, resolve disputes, establish, and defend legal claims. We will also retain aggregated Use Information for research purposes after removing any data that may directly identify you.

5.2. We implement measures to secure your Information. We implement measures to reduce the risks of damage, loss of information and unauthorized access or use of information. However, these measures do not provide absolute security. Therefore, although efforts are made to secure your personal information, it is not guaranteed, and you cannot expect that the Service will be completely protected from information security risks.

6.1. We will transfer your Information internationally only in accordance with applicable data protection laws. The Service, by its nature as an online service, may store and process Information in various locations throughout the globe, including through cloud services.

6.2. Transfer of Information outside the EU. Information we collect from you will be processed in Israel, which is recognized by the European Commission as having adequate protection for personal data. When we transfer your information from within the EU to the United States or other countries that are not recognized by the European commission as having adequate protection for personal data, we will endeavor to do so while using adequate safeguards determined by the European commission, such as the privacy shield framework for the United States.

7.1. You have the right to access, update or delete your Information and obtain a copy of your Information.

7.2. If you are an individual in the EU, you have the following rights:

• Right to Access your personal data that we process and receive a copy of it.
• Right to Rectify inaccurate personal data we have concerning you and to have incomplete personal data completed.
• Right to Data Portability, that is, to receive the personal data that you provided to us, in a structured, commonly used and machine-readable format. You have the right to transmit this data to another service provider. Where technically feasible, you have the right that your personal data be transmitted directly from us to the service provider you designate.
• If the legal basis for processing your personal information is your consent, you may Withdraw Your Consent at any time. If you do that, we will still process certain information on a legal basis other than consent, as described in this Notice. Withdrawing your consent will not affect the lawfulness of data processing we carried out based on your consent before such withdrawal.
• Right to Object, based on your particular situation, to using your personal data on the basis of our legitimate interest. However, we may override the objection if we demonstrate compelling legitimate grounds, or for the establishment, exercise or defense of legal claims. You may also object at any time to the use of your personal data for direct marketing purposes.
• Right to Restrict processing your personal data (except for storing it) if you contest the accuracy of your personal data, for a period enabling us to verify its accuracy; if you believe that the processing is unlawful and you oppose the erasure of the personal data and request instead to restrict its use; if we no longer need the personal data for the purposes outlined in this Policy, but you require them to establish, exercise or defend legal claims, or if you object to processing, pending the verification of whether our legitimate grounds for processing override yours.
• Right to be Forgotten. Under certain circumstances, such as when you withdraw your consent, you have the right to ask us to erase your personal data. However, we may still process your personal data if it is necessary to comply with a legal obligation we are subject to under laws in EU Member States or for the establishment, exercise or defense of legal claims.

If you wish to exercise any of these rights, contact us at privacy@myndlift.com. We reserve the right to ask for reasonable evidence to verify your identity before we provide you with information. Where we are not able to provide you with information that you have asked for, we will explain the reason for this.

• You have a right to submit a complaint to the relevant supervisory data protection authority. Subject to applicable law, you have the right to lodge a complaint with your local data protection authority. If you are in the EU, you can lodge a complaint to the supervisory authority, in particular in the Member State of your residence or place of work, of an alleged infringement of the GDPR. For a list of supervisory authorities in the EU, click here.

We do not knowingly collect information from minors under the age of 13. The Service is not intended for minors under the age of 13. We do not knowingly or intentionally collect information from minors under the age of 13.

If we change this Policy, we will provide notice of such change.

From time to time, we may change this Notice, in which case we will notify you of the updated Notice by email. The latest version of the Notice will always be accessible on the mobile application and on www.myndlift.com.

We are the data controller of the personal data we collect through the Service.

Myndlift Ltd. is the data controller of the personal data we collect and process through the Service.

You can contact us at privacy@myndlift.com.

If you have any questions or requests concerning your personal data or about our privacy practices and policies, you may contact our Data Protection Officer, at: privacy@myndlift.com.