Privacy Policy

Last updated: 15 April 2025

Pivotmindra is a children's mental wellness platform. We take the privacy and safety of children extremely seriously. This policy explains what data we collect, why, and how we protect it — in plain English.

1. Who we are

Pivotmindra is operated by Pivotmindra Ltd, a company registered in England and Wales. We are the data controller for personal data processed through this platform.

Contact us at: privacy@pivotmindra.com

2. What data we collect

Account information

  • Name and email address (provided at sign-up or via Google/GitHub OAuth)
  • Date of birth (children only — to assign the correct age group)
  • Profile display name and chosen avatar
  • User role (child, parent, or educator)

Usage and activity data

  • Content progress (articles read, videos watched, workbooks completed)
  • Mood check-in entries (visible only to the child and linked parent)
  • Journal entries (completely private — never read by parents, educators, or Pivotmindra staff)
  • Goals and check-ins
  • Gamification data (XP, badges, streaks)
  • Daily usage time (for parental controls)

Technical data

  • IP address and device type (collected automatically for security purposes)
  • Session and authentication tokens
  • Browser type and operating system

3. How we use your data

PurposeLegal basis (UK GDPR)
Provide and personalise the platformContract performance
Age-appropriate content recommendationsContract performance
Parental progress reportsLegitimate interest / parental consent
Streak and gamification featuresContract performance
Safeguarding — detect concerning mood patternsVital interests / legal obligation
Send transactional emails (magic links, receipts)Contract performance
Process subscription payments via StripeContract performance
Prevent fraud and abuseLegitimate interest
Comply with legal obligationsLegal obligation

We do not use personal data for advertising, sell data to third parties, or use children's data for profiling or marketing.

4. Children's privacy

Special protections for under-13s (COPPA & UK GDPR)

  • Children under 13 must be registered by a parent or guardian
  • We collect only the minimum data necessary for the service
  • Journal entries are encrypted and cannot be accessed by parents or staff
  • No advertising, third-party tracking, or behavioural profiling of children
  • No public-facing profiles, direct messaging, or social features
  • Parents can request deletion of a child's data at any time

We follow the ICO's Children's Code (Age Appropriate Design Code), KCSIE guidance, UK GDPR, and COPPA requirements for children under 13.

5. Data sharing

We only share data with trusted sub-processors necessary to operate the platform:

SupabaseDatabase and file storageEU/US (EU SCCs in place)
StripePayment processingUS (EU SCCs in place)
VercelHosting and deploymentUS (EU SCCs in place)
ResendTransactional emailUS (EU SCCs in place)
GoogleOAuth sign-in (optional)US (EU SCCs in place)

We do not share data with any other third parties unless required by law.

6. Data retention

  • Active accounts: data retained for the lifetime of the account
  • Deleted accounts: data deleted within 30 days, except where retention is required by law
  • Payment records: retained for 7 years (UK legal requirement)
  • Mood and journal data: deleted immediately on account deletion

7. Your rights

Under UK GDPR, you (and parents acting on behalf of their child) have the right to:

  • Access — request a copy of your personal data
  • Rectification — correct inaccurate data
  • Erasure — request deletion of your data (“right to be forgotten”)
  • Portability — receive your data in a machine-readable format
  • Restriction — limit how we process your data
  • Objection — object to processing based on legitimate interest

To exercise any right, email privacy@pivotmindra.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).

8. Cookies

We use only essential cookies required to operate the platform — session authentication tokens and CSRF protection. We do not use advertising cookies, third-party tracking, or analytics cookies that identify individuals.

9. Security

We use industry-standard security measures including encrypted connections (HTTPS/TLS), hashed credentials, row-level security in our database, and access controls. No internet transmission is 100% secure — if you believe your account has been compromised, contact us immediately at security@pivotmindra.com.

10. Changes to this policy

We may update this policy from time to time. We will notify registered users by email for any material changes. The “Last updated” date at the top of this page reflects the most recent revision.

Terms of ServiceSafeguardingBack to login