Privacy Notice
Last updated: 5 August 2025
This Privacy Notice explains how Mind Reveal ("we," "us," "our") collects and uses personal data when you access our website and participate in our browser-based virtual reality research game (the "Service"). We are committed to protecting your privacy and processing personal data fairly, lawfully, and transparently.
We are the data controller for personal data described here, unless stated otherwise. If you do not agree with this Notice, please do not use the Service.
1) Who we are & how to contact us
Mind Reveal
Email: privacy@mindreveal.ai
2) Scope
This Notice applies to users of our website and participants in our research-only VR game. It covers account creation, gameplay, telemetry, support enquiries, analytics, and related research activities.
3) What we collect
We collect the following categories of data:
| Category | Examples | Source |
|---|---|---|
| Account & Identity | Name, email address, username, region/country, consent records, age-range confirmation (18+, or 13–17 with parental consent) | Provided by you |
| Gameplay Metrics | Task performance (e.g., reaction times, accuracy, errors, missed responses), session timestamps, round/level results, cumulative scores | Generated during gameplay |
| Device Motion & Telemetry | Headset/controller position and rotation, interaction events, basic device/browser info, connection quality, crash logs | Generated by the device/Service |
| Surveys / Questionnaires (optional) | Self-reported responses related to attention/behaviour, demographics (if requested), and feedback | Provided by you (optional) |
| Support & Communications | Emails, in-app messages, issue reports, timestamps | Provided by you |
| Cookies & Analytics | Page views, session duration, referrers, coarse location (based on IP), cookie preferences | Collected via cookies/SDKs (see Section 12) |
4) Special category data
We do not ask you to provide medical records or clinical diagnoses. However, because our research explores gameplay and movement patterns that may relate to attention and behaviour, there is a possibility that personal data could be used to infer information about health or neurodivergence. Where we intentionally process data for research that may reveal or infer such characteristics in an identifiable way, we will rely on your explicit consent or applicable research provisions under data-protection law with appropriate safeguards. We also use pseudonymisation and, where feasible, de-identification/aggregation to minimise risk.
5) Why we use your data & legal bases
We use your data for the purposes below. Each purpose has a corresponding legal basis under data-protection law.
| Purpose | Examples | Legal basis |
|---|---|---|
| Provide and operate the Service | Account registration, authentication, session management, gameplay delivery, technical support | Contract (Art. 6(1)(b)); legitimate interests for Service integrity (Art. 6(1)(f)) |
| Research & product development (research-only phase) | Analyse gameplay and motion data to study patterns; develop and evaluate algorithms; create aggregate statistics | Consent (Art. 6(1)(a)); and where applicable for identifiable special-category inferences: explicit consent (Art. 9(2)(a)) or research safeguards (Art. 9(2)(j)) with appropriate measures |
| Security and fraud prevention | Detect abuse, prevent cheating or disruptive behaviour, protect accounts and systems | Legitimate interests (Art. 6(1)(f)) |
| Analytics & Service improvement | Usage metrics, performance monitoring, A/B testing (where used) | Consent via cookies where required; otherwise legitimate interests (Art. 6(1)(f)) |
| Compliance, legal claims, and record-keeping | Respond to lawful requests; keep consent logs; maintain regulatory records | Legal obligation (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f)) |
| Communications | Service announcements, changes to terms/privacy, research updates (non-marketing) | Contract/legitimate interests |
6) Do we use your data to make decisions about you?
We do not make decisions producing legal or similarly significant effects solely by automated means. Any future "participant report" will be informational only and must be interpreted by a qualified healthcare professional; it is not a diagnosis and is not medical advice.
7) How long we keep data (retention)
We keep personal data only as long as necessary for the purposes in this Notice, then delete or irreversibly de-identify it. Indicative periods (adjust to your operations):
| Data type | Retention |
|---|---|
| Account & consent records | Life of account + 6 years (for audit/legal) |
| Gameplay metrics & device telemetry (linked to account) | Up to 24 months from collection, then de-identify or delete |
| De-identified/aggregated research datasets | May be kept indefinitely for research and statistical purposes |
| Support tickets/emails | 24 months from closure (unless required longer) |
| Security and event logs | 12–24 months, depending on risk |
| Cookie identifiers/analytics | Per your Cookie Notice (typically 6–24 months) |
8) Sharing your data
We do not sell personal data. We share data only as needed with:
- Service providers (processors) operating our infrastructure, analytics, crash reporting, and support tools, under written contracts and confidentiality obligations;
- Professional advisers (legal, accounting, insurance) under confidentiality;
- Authorities where required by law or to protect rights, safety, and security;
- Successors in the event of a merger, acquisition, or corporate reorganisation, subject to this Notice.
Processors we currently use (edit to match your stack): cloud hosting [e.g., Microsoft Azure], email service [e.g., Outlook/Exchange], product analytics [if any], crash/telemetry [e.g., Application Insights], customer support/email desk [if any].
9) International transfers
We are UK-based but some processors may store or access data from outside the UK/EEA. Where we transfer personal data internationally, we use appropriate safeguards, such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU Standard Contractual Clauses, and conduct transfer risk assessments where required.
10) Security
We apply technical and organisational measures appropriate to the risk, including encryption in transit, access controls, role-based permissions, environment segregation, vulnerability management, and staff confidentiality obligations. No system is perfectly secure; we maintain incident response processes and will notify you and/or regulators of certain breaches where legally required.
11) Your rights
Subject to legal limits, you may have the right to:
- Access your personal data and obtain a copy;
- Correct inaccurate or incomplete data;
- Delete your data (erasure);
- Restrict or object to certain processing (including where we rely on legitimate interests);
- Data portability (where applicable);
- Withdraw consent at any time (this will not affect processing already carried out);
- Lodge a complaint with your data-protection authority. In the UK, this is the Information Commissioner's Office (ICO).
To exercise your rights, contact us at privacy@mindreveal.ai. We may need to verify your identity before responding.
12) Cookies and similar technologies
We use cookies and similar technologies to operate the site, remember preferences, and perform analytics. Where required, we obtain your consent via a banner and provide granular controls. For details, see our Cookie Notice.
13) Children
The Service is intended for adults 18+. Limited participation by ages 13–17 may be permitted with verified parental/guardian consent and supervision (see our Terms). We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided personal data, contact us and we will delete it.
14) Research safeguards & minimisation
- We design studies to collect only what is necessary for the research aims (data minimisation).
- We pseudonymise datasets and, where feasible, de-identify or aggregate data as early as possible.
- We separate identifying data from research datasets and restrict access on a need-to-know basis.
- We perform Data Protection Impact Assessments (DPIAs) for higher-risk research activities.
15) Third-party services and hardware
Your use of third-party headsets, browsers, or platforms is governed by their privacy policies and terms. We are not responsible for their practices. Please review their notices (e.g., headset manufacturer, browser vendor, app store, network provider).
16) Changes to this Notice
We may update this Notice from time to time. Material changes will be posted here with a new "Last updated" date. If changes materially affect your rights, we will provide additional notice (e.g., email or in-Service message). Please review this page periodically.
17) Jurisdiction-specific information
UK: We process personal data under the UK GDPR and the Data Protection Act 2018. EEA: Where applicable, we process under the EU GDPR. If local law grants you additional rights, we will honour them to the extent required.
18) Contact
If you have questions about this Notice or how we handle your data, contact our privacy team at privacy@mindreveal.ai. You can also write to us at the address above.
We only use strictly necessary cookies required for security through Cloudflare Turnstile. These cookies do not track you for analytics or marketing purposes.
Appendix A — Definitions
"Personal data" means information that identifies or can be used to identify an individual. "Special category data" includes data revealing health or inferences about health, among others. "Processing" means any operation performed on personal data (e.g., collection, storage, analysis). "Pseudonymisation" means processing data so it can no longer be attributed to a specific individual without additional information kept separately.