Privacy Policy | Mindsherpa
FYMAB Inc. or Mindsherpa Privacy Policy

Privacy Policy

This policy explains how FYMAB Inc. or Mindsherpa.health collects, stores, uses, shares, protects, and retains personal information when you use Mindsherpa services.

Effective: August 18, 2025
Last Updated: August 18, 2025

This Privacy Policy for FYMAB Inc. or mindsherpa.health ("we," "us," or "our") describes how and why we might collect, store, use, and/or share ("process") your personal information when you use our services ("Services", or "FYMAB Inc." or "Mindsherpa").

Introduction

This policy applies when you:

  • Visit our website at https://www.mindsherpa.health/, or any of our other websites that link to this Privacy Policy.
  • Download and use the Mindsherpa mobile application, an employee mind and body wellness platform.
  • Engage with us in other related ways, including sales, marketing, or events.

Reading this Privacy Policy will help you understand your privacy rights and choices. We are dedicated to protecting your personal information and your right to privacy. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact our Privacy Officer at privacy@mindsherpa.health.

1. Summary of Key Points

This summary provides key points from our Privacy Policy. You can find more details by using the table of contents to navigate to the relevant sections.

  • What personal information do we process? We process personal, usage, and sensitive health-related information depending on how you interact with our Services.
  • Do we process sensitive personal information? Yes. As a health and wellness application, we process sensitive data, including health information. In the United States, this data may be considered Protected Health Information (PHI) under HIPAA. We process this information with your explicit consent and in accordance with applicable laws.
  • How do we process your information? We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with the law. We do not share your individual personal data with your employer. Reports provided to employers contain only aggregated and anonymized data.
  • With whom do we share personal information? We may share information with third-party service providers who help us operate our Services, when required by law, or as part of a business transfer. We do not sell your personal information.
  • How do we keep your information safe? We use a combination of organizational and technical security measures, including encryption and access controls, to protect your personal information, in line with industry best practices and legal requirements like HIPAA.
  • What are your rights? Depending on your geographical location, you have specific rights regarding your personal information under laws like Canada's PIPEDA and various US state and federal laws, including HIPAA.
  • How can you exercise your rights? You can exercise your rights by contacting us at info@mindsherpa.health. We will respond to all requests in accordance with applicable data protection laws.

2. What Information Do We Collect?

We collect Personal Data when you visit our website, download our mobile application, or use our Services. The chart below details the categories of Personal Data we may collect.

| Category of Personal Data | Examples | Purpose(s) for Collection |
| --- | --- | --- |
| Account & Contact Data | First and last name, email address, username, password. | To create and manage your account, provide Services, and communicate with you. |
| Payment Data | Credit/debit card number, billing address. Processed by a third-party payment processor. | To process payments for subscription services. |
| Device & Usage Data | IP address, device ID, browser type, operating system, usage statistics, interaction with features. | To provide and improve the Services, for security, and to identify usage trends. |
| Sensitive Personal Information & Protected Health Information (PHI) | Health data you provide, responses to wellness surveys, usage of mental health exercises, information about physical or mental health conditions, race or ethnic origin. | To personalize your wellness program, track your progress, and provide the core functionality of the Services. This is done only with your explicit consent. |
| Employer-Provided Data | Your name and work email may be provided by your employer to confirm eligibility for our Services. | To facilitate your enrollment in the employer-sponsored wellness program. |
| User-Generated Content | Information you voluntarily provide in free-form fields, journal entries, or communications with us. | To provide the features you use and to respond to your inquiries. |

3. How Do We Process Your Information?

We process your information for the following reasons:

  • To Provide and Manage the Services: We use your data to facilitate account creation, manage your account, and deliver the core features of the Mindsherpa wellness program.
  • To Personalize Your Experience: We use your health and usage data to tailor content and wellness recommendations to you.
  • To Communicate With You: We may use your contact information to send you service-related updates, security alerts, and support messages, or to request feedback.
  • To Provide Anonymized Reporting to Employers: We process user data to create aggregated and anonymized reports for employers. These reports show general trends in workforce well-being, such as "25% of users engaged with stress-reduction modules this month," and never contain your individual personal information.
  • For Security and Fraud Prevention: We process information to protect our Services, our users, and our company from security threats and fraudulent activity.
  • To Comply with Legal Obligations: We may process your information to comply with applicable laws, respond to legal requests from law enforcement or government bodies, and to establish or defend our legal rights.
  • To Improve Our Services: We analyze usage trends to understand how our users interact with our Services so we can improve them.

5. When and With Whom Do We Share Your Personal Information?

We may share your personal information in the following situations:

  • Third-Party Service Providers: We share information with vendors, consultants, and other third-party service providers who perform services on our behalf, such as cloud hosting, payment processing, and data analytics. These providers are contractually obligated to protect your data and can only use it for the purposes we specify. For example, we use Amazon Web Services (AWS) and Google Cloud for cloud hosting, Stripe for payment processing, and Google Analytics for website analytics.
  • Anonymized Data with Employers: We only share aggregated and anonymized data with the employer sponsoring your access to our Services.
  • Business Transfers: We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
  • Legal Requirements: We may disclose your information where we are legally required to do so in order to comply with applicable law, a court order, or other governmental request.

6. Data Security: How We Protect Your Information

We have implemented robust administrative, technical, and physical security measures designed to protect the security of any personal information we process. Our measures are designed to meet the stringent requirements of privacy laws like HIPAA and include:

  • Encryption: All data, including Protected Health Information (PHI), is encrypted both in transit using TLS and at rest.
  • Access Control: Access to personal information is strictly limited to authorized personnel who have a legitimate need to access it to perform their job functions.
  • Regular Audits: We conduct regular security risk assessments and vulnerability scanning to identify and remediate potential threats.
  • Employee Training: Our employees receive regular training on data privacy and security protocols.
  • Data Breach Notification: In the event of a data breach, we will notify affected individuals and authorities as required by applicable laws, including PIPEDA and HIPAA.

However, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure. While we will do our best to protect your personal information, transmission of personal information to and from our Services is at your own risk.

7. Data Retention

We retain your personal information for as long as it is necessary to provide the Services to you and to fulfill the purposes outlined in this Privacy Policy. We have specific data retention policies that dictate how long we hold onto information. For example, we generally delete or anonymize personal information within 90 days of a user's account termination, unless a longer retention period is required by law, such as for tax, legal, or accounting purposes.

8. Information from Minors

Our Services are not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information.

9. Your Canadian Privacy Rights (PIPEDA & Provincial Laws)

If you are a resident of Canada, you have specific rights regarding your personal information under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation, such as Alberta's and British Columbia's PIPA and Quebec's Act respecting the protection of personal information in the private sector (Law 25). These rights include:

  • The Right to Access: You have the right to request access to the personal information we hold about you.
  • The Right to Correction (Rectification): You have the right to request the correction of inaccurate or incomplete personal information.
  • The Right to Withdraw Consent: You have the right to withdraw your consent to our processing of your personal information at any time, subject to legal or contractual restrictions.

To exercise these rights, please contact our Privacy Officer.

10. Your United States Privacy Rights (HIPAA & State Laws)

If you are a resident of the United States, your rights are governed by various federal and state laws.

Health Insurance Portability and Accountability Act (HIPAA)

Because our Services involve the processing of health information and are offered through employer-sponsored wellness programs, we are considered a "Business Associate" under HIPAA. We are legally obligated to protect your "Protected Health Information" (PHI) in accordance with HIPAA's requirements. Your rights regarding your PHI under HIPAA include:

  • The Right to Access: You can request a copy of your PHI that we maintain.
  • The Right to Amend: You can request that we amend any inaccurate or incomplete PHI.
  • The Right to an Accounting of Disclosures: You can request an accounting of certain disclosures we have made of your PHI.

State-Specific Privacy Rights (e.g., CCPA/CPRA)

Residents of states like California, Virginia, Colorado, and others have additional rights, which may include:

  • The right to know what personal information is being collected.
  • The right to delete personal information.
  • The right to opt-out of the "sale" or "sharing" of personal information. For the record, we do not sell your personal information.
  • The right to non-discrimination for exercising your privacy rights.

To exercise any of your US privacy rights, please contact our Privacy Officer.

11. Controls for Do-Not-Track Features & Cookies

Do-Not-Track: Most web browsers and some mobile operating systems include a Do-Not-Track ("DNT") feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online.

Cookies and Other Tracking Technologies: We use cookies and similar tracking technologies to collect and store your information. This helps us provide and improve our Services and remember your preferences. You can typically manage your cookie preferences through your web browser's settings. However, disabling certain cookies may affect the functionality of our Services.

12. Updates to This Policy

We may update this Privacy Policy from time to time. The updated version will be indicated by a "Last Updated" date at the top of this policy. If we make material changes, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this Privacy Policy frequently to stay informed of how we are protecting your information.

13. How to Contact Us

If you have questions, comments, or wish to exercise your privacy rights, you may contact our Privacy Officer by email or post:

Privacy Officer
FYMAB Inc.
Unit# 221
1854 Carling Avenue
Ottawa, Ontario K2A 1E3
Canada

Email: privacy@mindsherpa.health