What personal data does MentCura collect?

MentCura collects corporate client information (company name, business address, authorized signatory details, business email, billing information, number of seats), employee registration data (name, email, phone number), mental health and wellness data (mood tracking, journal entries, self-assessments, AI chatbot interactions, self-care activity data, tele-counseling data, symptom tracking, crisis support usage), and technical/usage data (device type, IP address, platform usage patterns, cookies).

How does MentCura protect my mental health data?

MentCura implements robust security measures including AES-256 encryption for data at rest and TLS 1.3 for data in transit, strict access controls, secure cloud infrastructure (Google Cloud Platform and Microsoft Azure in India), regular security audits, and employee training. Mental health data is treated with enhanced protection and is never sold or shared for marketing purposes.

What are my data rights under the DPDP Act?

As a Data Principal under India's Digital Personal Data Protection Act, 2023, you have the right to access your personal data, request correction of inaccurate data, request data portability in a machine-readable format, request erasure (right to be forgotten), withdraw consent at any time, file grievances with our Grievance Officer, and nominate another individual to exercise your rights.

Does MentCura sell my personal data?

No. MentCura does not sell, rent, or trade your personal data to third parties for their marketing purposes. We only share data with trusted service providers who assist in operating the Platform and are contractually bound to protect your data.

Does MentCura transfer data outside India?

No. All personal data collected through the Platform is stored and processed within India. We do not transfer personal data outside of India, ensuring full compliance with Indian data sovereignty requirements under the DPDP Act, 2023.

Privacy Policy — MentCura

1. Introduction

MentCura Labs Private Limited ("MentCura," "we," "us," or "our"), a company incorporated under the laws of India, is committed to protecting the privacy and security of your personal data.

This Privacy Policy explains how we collect, use, store, process, share, and protect personal data when you use our corporate mental health and wellness platform accessible at https://corp.mentcura.com/ (the "Platform").

This Privacy Policy applies to:

Corporate Clients: Organizations that subscribe to our Services for their employees;
Employees: Individuals who access the Platform through their employer's corporate subscription;
Website Visitors: Anyone who visits our website.

By accessing or using our Platform, you acknowledge that you have read, understood, and agree to the terms of this Privacy Policy. If you do not agree with this Privacy Policy, please do not use our Platform.

2. Compliance with Indian Data Protection Laws

2.1 Digital Personal Data Protection Act, 2023

MentCura complies with the Digital Personal Data Protection Act, 2023 ("DPDP Act") and all applicable data protection laws in India. We act as a Data Fiduciary under the DPDP Act with respect to personal data collected and processed through our Platform.

2.2 Key Definitions Under DPDP Act

"Data Fiduciary" means an entity that determines the purpose and means of processing personal data.
"Data Principal" means an individual to whom the personal data relates (i.e., Corporate Clients, Employees, and website visitors).
"Personal Data" means any data about an individual who is identifiable by or in relation to such data.

2.3 Information Technology Act, 2000

We also comply with the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

2.4 Mental Health Data Protection

We recognize that mental health data is highly sensitive and warrants special protection. While the DPDP Act does not specifically categorize sensitive personal data, we implement enhanced security measures for all health and wellness data collected through our Platform.

3. Information We Collect

3.1 Corporate Client Information

When a corporate organization subscribes to our Services, we collect the following information:

Company name and business address;
Authorized signatory name and designation;
Business email address and phone number;
Billing and invoicing information (excluding GST number);
Number of employee seats subscribed;
Company size and industry (optional).

3.2 Employee Registration Data

When an employee registers on the Platform, we collect:

Full name;
Email address;
Phone number.

3.3 Mental Health and Wellness Data

During your use of the Platform, we may collect the following health and wellness-related data:

Mood Tracking Data: Mood scores, emotional states, and mood trends over time;
Journal Entries: Written reflections, thoughts, and notes created by employees;
Self-Assessment Responses: Answers to mental health questionnaires, surveys, and screening tools;
AI Chatbot Interactions: Conversations with our AI-powered mental health companion;
Self-Care Activity Data: Usage of breathing exercises, mindfulness activities, and wellness resources;
Tele-Counseling Data: Appointment bookings, session duration, and counselor feedback (note: session content is not recorded or stored);
Symptom Tracking: Self-reported symptoms, stress levels, and wellness indicators;
Crisis Support Usage: Records of access to national mental health helplines through the Platform.

3.4 Technical and Usage Data

We automatically collect certain technical information when you access our Platform:

Device type, operating system, and browser type;
IP address and general location information (city/state level);
Platform usage patterns, features accessed, and time spent on the Platform;
Error logs and performance data;
Cookies and tracking technologies (see Section 3.5).

3.5 Cookies and Tracking Technologies

We use the following tracking technologies:

Facebook Pixel: We use Meta's Facebook Pixel to track website visits, conversions, and user engagement for marketing and analytics purposes. Facebook Pixel may collect information about your device, browsing behavior, and interactions with our website. For more information on how Meta processes data, please review Meta's Privacy Policy at https://www.facebook.com/privacy.

3.6 Payment Information

Payment processing is handled by Razorpay, our authorized payment gateway. We do not store credit card, debit card, or other sensitive payment information on our servers. Please refer to Razorpay's Privacy Policy for information on how they process payment data.

3.7 Information We Do Not Collect

We do not collect:

GST numbers;
Government-issued identification numbers (Aadhaar, PAN, etc.);
Biometric data;
Audio or video recordings of tele-counseling sessions.

4. How We Use Your Information

4.1 Lawful Basis for Processing

We process personal data only when we have a lawful basis under the DPDP Act, including:

Consent: You have provided free, specific, informed, unconditional, and unambiguous consent;
Contractual Necessity: Processing is necessary to fulfill our contractual obligations to provide the Services;
Legitimate Purposes: Processing is necessary for specified legitimate purposes as permitted under the DPDP Act.

4.2 Purposes of Data Processing

We use your personal data for the following purposes:

For Corporate Clients:

To set up and manage corporate accounts;
To process subscription payments and issue invoices;
To communicate regarding service delivery, updates, and support;
To provide aggregated, anonymized analytics and wellness reports (see Section 6).

For Employees:

To create and manage individual user accounts;
To provide access to Platform features including mood tracking, journaling, AI chatbot, self-care exercises, and tele-counseling services;
To generate personalized AI-driven insights and recommendations based on usage patterns and self-reported data;
To facilitate appointment bookings with licensed mental health professionals;
To provide crisis support information and links to national mental health helplines;
To improve Platform functionality and user experience;
To ensure Platform security and prevent misuse.

For Marketing and Communications:

To send promotional materials, newsletters, and updates about our Services (you can opt out at any time by unsubscribing);
To conduct marketing analytics using Facebook Pixel to improve our outreach and advertising effectiveness.

For Legal and Regulatory Compliance:

To comply with applicable laws, regulations, and legal processes;
To enforce our Terms and Conditions;
To protect the rights, safety, and property of MentCura, our users, and the public.

4.3 AI and Automated Decision-Making

We use artificial intelligence (AI) to power certain features of the Platform, including:

AI Chatbot: Provides automated responses to common mental health queries and offers immediate support;
AI-Driven Insights: Analyzes your mood tracking, journaling, and activity data to generate personalized recommendations.

Important: AI-generated content is for informational purposes only and should not be relied upon as professional mental health advice. AI systems may produce inaccuracies or limitations. For personalized mental health support, please consult with licensed professionals through our tele-counseling services.

5.1 We Do Not Sell Your Data

MentCura does not sell, rent, or trade your personal data to third parties for their marketing purposes.

5.2 Sharing with Service Providers

We share personal data with the following trusted third-party service providers who assist us in operating the Platform:

Cloud Storage Providers: Google Cloud Platform and Microsoft Azure (data stored in India);
Payment Processor: Razorpay (for processing subscription payments);
Marketing and Analytics: Meta/Facebook (through Facebook Pixel for advertising and analytics).

All service providers are contractually bound to protect your data and use it only for the specified purposes. They are not permitted to use your data for their own purposes.

5.3 Sharing with Mental Health Professionals

Mental health professionals (clinical psychologists and counselors) who provide tele-counseling services through the Platform are independent contractors, not employees of MentCura.

Counselor Access to Data:

Counselors do not have automatic access to employee personal data, mental health data, or Platform usage information;
Employees must explicitly share information with counselors during tele-counseling sessions;
Counselors can only access data that employees voluntarily disclose during sessions;
MentCura does not record or store the content of tele-counseling sessions.

5.4 Sharing with Corporate Clients (Employers)

Corporate Clients receive access to aggregated, anonymized analytics and wellness metrics for organizational insights. This data does not identify individual employees and is presented in a manner that preserves employee privacy.

Examples of Aggregated Data:

Overall employee engagement rates with the Platform;
General trends in mood and wellness across the organization;
Utilization rates for specific features (e.g., tele-counseling, self-care exercises);
Aggregated stress levels and wellness scores.

Corporate Clients do not have access to:

Individual employee names linked to wellness data;
Personal journal entries, mood scores, or mental health assessments;
Details of tele-counseling sessions or conversations with the AI chatbot.

5.5 No International Data Transfers

All personal data collected through the Platform is stored and processed within India. We do not transfer personal data outside of India.

5.6 Legal Disclosures

We may disclose personal data if required to do so by law or in response to valid requests by public authorities (e.g., a court order, government investigation, or legal process), including to meet national security or law enforcement requirements.

We may also disclose personal data to protect the rights, property, or safety of MentCura, our users, or the public, including in emergency situations involving potential harm to individuals.

6. Corporate Analytics and Reporting

6.1 Aggregated, Anonymized Data

Corporate Clients have access to a dashboard that displays aggregated, anonymized employee wellness metrics. This data is presented in a way that does not identify individual employees and complies with data protection principles.

6.2 Purpose of Analytics

Corporate analytics help organizations:

Assess the overall impact of the wellness program;
Identify trends and areas where additional support may be needed;
Make data-driven decisions to improve employee well-being.

6.3 Employee Privacy Protection

We implement the following safeguards to protect employee privacy:

Data is aggregated across groups of employees (minimum group size to prevent identification);
Individual identifiers (names, email addresses) are not linked to wellness data in reports;
Sensitive details (journal entries, chatbot conversations, counselor session content) are never shared with Corporate Clients.

7. Data Retention

7.1 Retention Period

We retain personal data for as long as necessary to fulfill the purposes outlined in this Privacy Policy, comply with legal obligations, resolve disputes, and enforce our agreements.

Specific Retention Periods:

Corporate Client Data: Retained for the duration of the subscription and for up to [Insert Period, e.g., 7 years] thereafter for accounting, tax, and legal compliance purposes;
Employee Data: Retained for the duration of the corporate subscription and for the period requested by the Corporate Client thereafter. Employees who wish to retain access to their personal data after contract termination must contact us at contact@mentcura.com to establish an individual account;
Mental Health and Wellness Data: Retained in accordance with employee preferences and legal requirements. Employees can request deletion at any time (see Section 9.4).

7.2 Data Deletion Upon Request

Upon receiving a verified data deletion request from an employee, we will delete personal data within fourteen (14) days, except where retention is required by law or for legitimate legal purposes (e.g., ongoing disputes, compliance with regulatory obligations).

8. Data Security

8.1 Security Measures

We implement robust technical and organizational security measures to protect your personal data from unauthorized access, alteration, disclosure, or destruction.

Security practices include:

Encryption: All personal data is encrypted both in transit (using SSL/TLS protocols) and at rest on our servers;
Access Controls: Strict access controls ensure that only authorized personnel can access personal data on a need-to-know basis;
Secure Cloud Infrastructure: Data is stored on secure cloud servers provided by Google Cloud Platform and Microsoft Azure, located in India;
Regular Security Audits: We conduct regular security assessments and vulnerability testing;
Employee Training: Our team members receive training on data protection and security best practices.

8.2 Compliance with DPDP Act

We comply with all security requirements under the DPDP Act and follow industry best practices for data protection.

8.3 Limitations

While we take reasonable measures to protect your data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, and you acknowledge that you provide personal data at your own risk.

8.4 User Responsibilities

You are responsible for:

Maintaining the confidentiality of your login credentials;
Using strong, unique passwords;
Logging out of your account after each session, especially on shared devices;
Notifying us immediately at contact@mentcura.com if you suspect unauthorized access to your account.

9. Your Rights Under the DPDP Act

As a Data Principal under the DPDP Act, you have the following rights:

9.1 Right to Access

You have the right to request and obtain information about the personal data we hold about you, including:

Categories of personal data collected;
Purposes for which personal data is processed;
Recipients or categories of recipients with whom personal data is shared.

How to Exercise: Contact us at contact@mentcura.com with your request.

9.2 Right to Correction

You have the right to request correction or update of inaccurate, incomplete, or outdated personal data.

How to Exercise: Log in to your account to update your profile information, or contact us at contact@mentcura.com.

9.3 Right to Data Portability

You have the right to request a copy of your personal data in a machine-readable format.

How to Exercise: Submit a request to contact@mentcura.com, and we will provide your data in a commonly used electronic format within a reasonable timeframe.

9.4 Right to Erasure (Right to be Forgotten)

You have the right to request deletion of your personal data, subject to certain exceptions (e.g., legal obligations, ongoing disputes).

Processing Timeline: We will process data deletion requests within fourteen (14) days of verification.

How to Exercise: Submit a deletion request to contact@mentcura.com.

9.5 Right to Withdraw Consent

If we process your personal data based on consent, you have the right to withdraw your consent at any time. Withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

How to Exercise: Contact us at contact@mentcura.com or adjust your preferences in your account settings.

9.6 Right to Grievance Redressal

You have the right to lodge a complaint if you believe your data protection rights have been violated.

How to Exercise: Contact our Grievance Officer (see Section 13) or file a complaint with the Data Protection Board of India.

9.7 Right to Nominate

You have the right to nominate another individual to exercise your data protection rights on your behalf in the event of your death or incapacity.

How to Exercise: Submit a nomination request to contact@mentcura.com with the nominee's details.

10.1 How We Obtain Consent

In accordance with the DPDP Act, we obtain your consent before processing your personal data. Consent is:

Free: Given voluntarily without coercion;
Specific: Related to clearly specified purposes;
Informed: Provided after you receive clear information about data processing;
Unconditional: Not bundled with unrelated services;
Unambiguous: Indicated through clear affirmative action (e.g., checking a consent box).

10.2 Notice at the Time of Consent

When we request your consent, we provide a clear notice that includes:

The personal data we intend to collect and the purpose of processing;
How you can exercise your rights under the DPDP Act;
How you can file a complaint with the Data Protection Board;
Contact details of our Data Protection Officer or grievance officer.

10.3 Withdrawal of Consent

You may withdraw your consent at any time by contacting us at contact@mentcura.com or adjusting your preferences in your account settings. Withdrawal of consent may affect your ability to access certain features of the Platform.

10.4 Marketing Communications

If you receive marketing emails from us, you can opt out at any time by clicking the "unsubscribe" link at the bottom of the email or by contacting us at contact@mentcura.com.

11. Children's Privacy

11.1 No Age Restriction

Our Platform does not impose a minimum age restriction for employees accessing the Platform through their employer's corporate subscription.

11.2 Parental Consent for Minors

If you are under the age of 18, you should obtain consent from your parent or legal guardian before using the Platform. We do not knowingly collect personal data from children under 18 without verifiable parental consent.

11.3 Special Protections Under DPDP Act

The DPDP Act imposes stricter consent requirements and prohibits tracking, behavioral monitoring, or targeted advertising of children. We do not engage in behavioral profiling or targeted advertising of minors.

11.4 Parental Rights

Parents or legal guardians have the right to:

Access personal data collected from their child;
Request correction or deletion of their child's personal data;
Withdraw consent for data processing.

How to Exercise: Contact us at contact@mentcura.com.

12. Data Breach Notification

12.1 Breach Response Procedure

In the event of a data breach that affects your personal data, we will:

Immediately notify affected Data Principals (Corporate Clients and Employees);
Notify the Data Protection Board of India as required by the DPDP Act;
Provide information about the nature of the breach, the data affected, and the steps we are taking to mitigate harm;
Offer guidance on measures you can take to protect yourself.

12.2 Our Commitment

We take data breaches seriously and have implemented incident response protocols to detect, respond to, and recover from security incidents.

13. Grievance Redressal

13.1 Grievance Officer

In accordance with the Information Technology Act, 2000, the DPDP Act, 2023, and applicable rules, MentCura has appointed a Grievance Officer to address complaints and concerns regarding data protection and privacy.

Grievance Officer Details:

Name: Pavni Kandpal
Designation: Grievance Officer
Email: contact@mentcura.com
Address: Maharishi Kanad Bhawan Near North Campus University of Delhi, Delhi-110084
Contact Hours: Monday to Friday, 9:00 AM to 6:00 PM IST (excluding public holidays)

13.2 How to File a Complaint

If you have concerns or complaints about how we handle your personal data, please contact our Grievance Officer at contact@mentcura.com with the following details:

Your name and contact information;
Description of the issue or complaint;
Any relevant supporting documents.

13.3 Response Timeline

Our Grievance Officer will:

Acknowledge receipt of your complaint within 24 hours;
Investigate and resolve the complaint within 15 days of receipt, as required by Indian law.

13.4 Escalation to Data Protection Board

If you are not satisfied with our response, you have the right to lodge a complaint with the Data Protection Board of India established under the DPDP Act.

14. Cookies Policy

14.1 What Are Cookies?

Cookies are small text files stored on your device when you visit our website. They help us recognize your device and improve your user experience.

14.2 Types of Cookies We Use

Essential Cookies: Necessary for the Platform to function properly (e.g., login authentication, security);
Analytics Cookies: Help us understand how users interact with the Platform to improve functionality;
Marketing Cookies: Used by Facebook Pixel to deliver relevant advertisements and measure campaign effectiveness.

14.3 Facebook Pixel

We use Facebook Pixel, a tracking technology provided by Meta, to collect information about your browsing behavior and interactions with our website for marketing and analytics purposes.

Facebook Pixel may collect:

Device information and IP address;
Pages visited and actions taken on our website;
Referring website URLs.

For more information on how Meta processes data collected through Facebook Pixel, please review Meta's Privacy Policy at https://www.facebook.com/privacy.

14.4 Managing Cookies

You can control and manage cookies through your browser settings. Most browsers allow you to:

Block all cookies;
Accept cookies only from specific websites;
Delete cookies after each browsing session.

Please note that disabling cookies may affect the functionality of the Platform.

14.5 Opt-Out of Facebook Pixel

You can opt out of personalized advertising from Meta by adjusting your ad preferences at https://www.facebook.com/ads/preferences or by using browser extensions that block tracking technologies.

15. Third-Party Links

Our Platform may contain links to third-party websites, services, or resources that are not operated or controlled by MentCura. This Privacy Policy does not apply to third-party websites, and we are not responsible for the privacy practices or content of such websites. We encourage you to review the privacy policies of any third-party websites you visit.

16. Changes to This Privacy Policy

16.1 Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. We will notify you of material changes by:

Posting the updated Privacy Policy on our website with a new "Last Updated" date;
Sending an email notification to registered users (for significant changes);
Displaying a prominent notice on the Platform.

16.2 Your Continued Use

Your continued use of the Platform after the updated Privacy Policy becomes effective constitutes your acceptance of the changes. We encourage you to review this Privacy Policy periodically.

17. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us at:

MentCura Labs Private Limited
Email: contact@mentcura.com
Website: https://corp.mentcura.com/
Address: Maharishi Kanad Bhawan Near North Campus University of Delhi, Delhi-110084
Phone: +91 827889010
Data Protection Officer / Grievance Officer: Pavni Kandpal
Email: pavnikandpal@mentcura.com

18. Acknowledgment

By using our Platform, you acknowledge that you have read, understood, and agree to this Privacy Policy. You consent to the collection, use, storage, processing, and sharing of your personal data as described herein, in accordance with the Digital Personal Data Protection Act, 2023, and other applicable laws in India.

Privacy Policy