Privacy Policy
This Privacy Policy describes how MENTINESS HEALTH CARE, S.L. (hereinafter “Mentiness” or the “Controller”) collects, processes and protects the personal data of individuals who interact with us, including users of our platform and the artificial intelligence tools we make available to companies and their teams.
This policy is drafted in compliance with Regulation (EU) 2016/679 General Data Protection Regulation (“GDPR”), Spanish Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights (“LOPDGDD”), and the applicable guidelines of the Spanish Data Protection Agency (“AEPD”).
1.- IDENTITY AND CONTACT DETAILS OF THE CONTROLLER
| Company name | MENTINESS HEALTH CARE, S.L. |
| Tax ID (NIF) | B06962302 |
| Registered address | Calle Santa Eulalia N4 6A, CP 36600, Vilagarcía de Arousa (Pontevedra), Spain |
| hola@mentiness.com | |
| Data Protection Officer (DPO) | Contact: hola@mentiness.com |
| Commercial Registry | Pontevedra — Volume 4371, Book 4371, Sheet 105, Section 8, Page PO 68655, Entry 1 (14.07.2021) |
2.- ROLE OF MENTINESS IN THE PROCESSING OF PERSONAL DATA
Mentiness acts in a dual capacity depending on the context:
- Data Controller for the data of its own clients, suppliers, employees, collaborators, business contacts and information requesters.
- Data Processor with respect to the data of the employees of client companies who access the platform and AI tools (including LeIA). This relationship is formalized through the corresponding Data Processing Agreement (DPA) signed with each client pursuant to Article 28 of the GDPR.
3.- DESCRIPTION OF SERVICES AND AI TOOLS
Mentiness offers a comprehensive well-being and development platform for the workplace that includes, among others, the following services:
3.1 Well-being and psychology services
- Individual sessions with qualified and licensed psychologists.
- Workshops, online training and well-being programs.
- Psychometric assessments of organizational climate, culture and engagement.
3.2 LeIA — AI-Powered Conversation Simulator
LeIA is an AI-powered conversational simulation tool designed to train communication and leadership skills for middle managers and executives. It works as follows:
- The user (manager) accesses practice scenarios (e.g., difficult feedback, conflict management, underperformance) and holds a simulated conversation with an AI avatar playing the role of a fictional employee.
- Upon completing the simulation, LeIA generates personalized feedback with practical suggestions to improve communication in real situations.
- Individual scores and evaluations are visible exclusively to the user. The client company only receives aggregated and anonymized metrics.
LeIA is not a mental health service, nor does it constitute professional advice of any kind. It is a training tool based on fictional simulations.
3.3 AI Health Assistant
An AI-based personalized support tool that provides general well-being guidance. It does not replace a mental health professional and does not provide clinical diagnoses.
3.4 AI Onboarding Assistant (beta)
A beta-phase tool that facilitates the onboarding process for new employees through AI-guided conversations. Its purpose is to streamline adaptation to the work environment.
4.- PURPOSE OF PROCESSING, DATA CATEGORIES AND LEGAL BASIS
Mentiness processes data for different purposes:
| Data subject category | Purpose | Data processed | Legal basis |
|---|---|---|---|
| Clients (companies) | Management of the contractual relationship and service provision | Contact data of representatives, billing data | Art. 6.1.b) GDPR (contractual performance) and Art. 6.1.c) (legal obligation) |
| Suppliers | Management of the contractual relationship | Contact data, tax data | Art. 6.1.b) GDPR |
| Mentiness employees | Management of the employment relationship | Identification, employment and tax data | Art. 6.1.b) and 6.1.c) GDPR |
| Contacts and information requesters | Handling enquiries, sending commercial information | Name, email, company, message | Art. 6.1.a) GDPR (consent) |
| Platform users (well-being / psychology) | Provision of the service contracted by their company; well-being monitoring | Identification data, psychometric assessment data, usage data | Art. 6.1.b) GDPR (performance of the contract with the company) + user consent |
| LeIA users | Conversational simulation, feedback generation, aggregated usage metrics | Pseudonymized ID, name, email (via SSO), completed scenarios, duration, conversation content, skill scores, gamification achievements | Art. 6.1.b) GDPR (performance of the contract with the company) + user consent upon accessing the platform |
| AI Assistant users (health / onboarding) | Personalized support, onboarding facilitation | Identification data, interaction content, usage data | Art. 6.1.b) GDPR + user consent |
| Data analysis and service improvement | Anonymization of data for statistical, research and improvement purposes | Anonymized data (no personal identification) | Art. 6.1.f) GDPR (legitimate interest) |
Data will be retained in accordance with the periods detailed in section 6 of this Policy. As a general rule, data is kept for the duration of the contractual relationship or as long as a legal retention obligation exists. Once the mandatory legal period has elapsed, and after a blocking period, data will be deleted.
Services provided as a Data Processor: Mentiness provides external services to companies that may include psychosocial risk management in accordance with applicable labor regulations, as well as AI-based training tools (such as LeIA). In such cases, Mentiness acts as a Data Processor and manages data exclusively in accordance with the instructions of the Controller (the client company), always formalizing the corresponding Data Processing Agreement (DPA) as required by Article 28 of the GDPR.
5.- DATA PROCESSING IN LeIA — SPECIFIC INFORMATION
Given the innovative nature of LeIA and its use of artificial intelligence, we provide detailed information below about data processing within this service.
5.1 Data collected in LeIA
- Identification data: first name, last name and email address (provided by the user or derived from corporate SSO). An internal pseudonymized ID is assigned.
- Activity data: scenarios selected and completed, start/end date and time of each session, duration, basic outcome (completed/not completed), gamification achievements and challenges.
- Conversation content: the text the user types during simulations and the AI-generated responses are stored for the duration of the client company’s service contract, in order to allow the user to review their previous sessions.
- Scores and feedback: skill evaluations generated by the AI are stored so the user can access them at a later time.
- Technical usage metrics: technical events (errors, timestamps) for support and maintenance purposes. These do not include conversation content.
5.2 Data NOT sent to the AI model
No personally identifiable information (PII) about the user is sent to the artificial intelligence model. The model only receives the scenario context and the simulation messages, without any data that could identify the user (such as name, email or company).
5.3 What the client company (HR) can see and what it CANNOT see
Visible to HR:
- User registration status (registered or not).
- Scenarios completed by each user.
- Achievements and challenges completed (gamification).
NOT visible to HR, under any circumstances:
- Conversation content (simulation text).
- Individual skill scores or personal evaluations.
- Technical logs containing IP or user-agent information.
- Any metric that identifies or could re-identify fewer than 5 individuals.
Aggregated metrics (visible to HR with k-anonymous anonymization ≥5):
- Number of active users, total sessions, time invested, completion rate per scenario, adoption rate and average skill scores per segment.
- All segmentation (by location, unit, scenario or period) is carried out ensuring a minimum of 5 individuals in each group (k-anonymity ≥5), so that individual identification is not possible.
Operational purpose: aggregated metrics are provided to the client company exclusively to drive service adoption and measure collective training impact, never for individual employee evaluation.
5.4 Absence of automated decisions with legal or significant effects
The scores and feedback generated by LeIA serve an exclusively training and self-development purpose for the user. Under no circumstances are they used — by Mentiness or by the client company — for employment decisions such as performance evaluations, promotions, sanctions or dismissals. This prohibition is expressly included in the service contracts and Data Processing Agreements (DPAs) signed with each client.
In accordance with Article 22 of the GDPR, Mentiness does not make decisions based solely on automated processing that produce legal or similarly significant effects on users.
5.5 Gamification
LeIA may include gamification features (personalized scenario calendar, challenges and achievements) with the aim of encouraging participation and continued use. Achievements and challenges are visible among users within the same program, but skill scores and individual evaluations are never exposed to other users or to the company.
6.- DATA RETENTION PERIODS
| Type of data | Retention period |
|---|---|
| Client, supplier and employee data | For the duration of the contractual/employment relationship + applicable legal retention period (tax, commercial, labor). Thereafter, blocking and deletion. |
| Contact and requester data | Until withdrawal of consent or, failing that, 2 years from the last interaction. |
| Platform user data (well-being) | While the service is contracted by the client company. After termination, deletion in accordance with the DPA timelines. |
| LeIA conversation content and scores | While the service is contracted by the client company. After contract termination or deletion request, erasure in accordance with the timelines established in the DPA (by default: raw metrics ≤90 days; backup copies 35 additional days). |
| LeIA activity data (scenarios, achievements) | Same period as conversation content. |
| Anonymous aggregated metrics | Retained indefinitely, as they do not contain identifiable personal data. Used for benchmarking and service improvement. |
7.- RECIPIENTS AND INTERNATIONAL DATA TRANSFERS
Personal data is not disclosed to third parties unless it is necessary for the correct provision of the service or when required by law.
Mentiness works with the following providers who may have access to personal data as sub-processors:
| Provider | Service | Data location | Transfer mechanism | Privacy policy |
|---|---|---|---|---|
| OpenAI Ireland Ltd | AI model for simulations (LeIA) and assistants | USA (contract via Irish entity for EEA clients) | Standard Contractual Clauses (SCCs) + DPA | openai.com/enterprise-privacy |
| Microsoft Azure OpenAI | AI model with EU hosting | European Union (West Europe / Data Zone EUR) | No international transfer (data in EU) | microsoft.com/privacy |
| HeyGen | AI video avatars | USA (AWS) | EU-US Data Privacy Framework (DPF) + SCCs + DPA | heygen.com/privacy |
| Zoom | Video calls for psychology sessions | USA | SCCs + DPA | zoom.us/privacy-and-legal |
| Google (Meet, Calendar, API) | Video conferencing, calendar synchronization | EU / USA | SCCs + DPA | policies.google.com/privacy |
When data is transferred outside the European Economic Area (EEA), Mentiness ensures that adequate safeguards are in place pursuant to Chapter V of the GDPR, including the execution of Standard Contractual Clauses (SCCs) approved by the European Commission, verification of adherence to the EU-US Data Privacy Framework (DPF) where applicable, and/or the existence of adequacy decisions. Mentiness has signed Data Processing Agreements (DPAs) with all its providers.
These service providers may collect and access the information necessary to perform their functions, but are not permitted to share or use the information for any other purpose. AI providers are contractually obligated not to use user data for training their models.
In the case of Google Calendar, information is only obtained to facilitate the synchronization of professionals’ calendars. The use and transfer of information obtained through Google APIs will adhere to the terms and conditions of the «Google API Services User Data Policy» including the requirements for «Limited Use».
MENTINESS HEALTH CARE, S.L. will share information when there is a legal obligation, or when it is necessary to enforce its terms and conditions, or for security reasons.
8.- USER RIGHTS
In accordance with the GDPR and the LOPDGDD, every individual has the right to:
- Access: to know whether their data is being processed and to obtain a copy thereof.
- Rectification: to correct inaccurate or incomplete data.
- Erasure: to request the deletion of their data where the legally required circumstances apply.
- Portability: to receive their data in a structured, commonly used format when the legal basis is the contract or consent.
- Objection: to object to processing based on legitimate interest, except where compelling legitimate grounds apply.
- Restriction: to request the suspension of processing in the circumstances provided by law.
- Withdrawal of consent: to withdraw consent at any time, without affecting the lawfulness of prior processing.
How to exercise your rights:
- Email: hola@mentiness.com
- Address: Calle Santa Eulalia N4 6A, CP 36600, Vilagarcía de Arousa (Pontevedra), Spain
Mentiness will respond to your request within a maximum period of one month from receipt, which may be extended by an additional two months where necessary due to the complexity or number of requests, informing the data subject of such extension within the first month.
If you consider that your rights have not been adequately addressed, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD), located at C/ Jorge Juan 6, 28001 Madrid, Spain (www.aepd.es).
9.- USE OF ARTIFICIAL INTELLIGENCE TOOLS
Mentiness uses artificial intelligence tools to provide more effective and personalized services. The principles governing their use are detailed below:
- Transparency: users are informed at all times that they are interacting with an AI tool, not a natural person.
- Confidentiality: data is processed in secure and controlled environments. It is not shared with third parties beyond the providers necessary for service delivery, identified in section 7.
- No model training with personal data: third-party AI models are not trained with personal data or individualized user information. AI providers are contractually obligated not to use user data for training their models.
- Human oversight: AI-generated results are indicative and do not replace professional human judgment. Mentiness AI tools do not make autonomous decisions with legal or significant effects on individuals.
- Data minimization: only the information strictly necessary for the provision of the service is sent to AI models. In the case of LeIA, no personally identifiable information (PII) about the user is sent to the model.
- Pseudonymization: where technically feasible, data is pseudonymized before processing so that it is not directly identifiable.
10.- SECURITY MEASURES
MENTINESS HEALTH CARE, S.L. adopts appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, loss or accidental destruction, including:
- Encryption of data in transit (TLS) and at rest.
- Role-based access control and the principle of least privilege.
- Just-In-Time (JIT) access for the technical support team: access to operational data is only activated temporarily when needed to resolve incidents, and is logged.
- Access auditing and security event monitoring.
- Regular encrypted backups.
- Regular staff training on data protection and information security.
Despite these measures, Mentiness cannot guarantee absolute information security, as no system is infallible. Nevertheless, we are committed to applying industry best practices and continuously improving our protection measures.
11.- COOKIES
Mentiness uses cookies and similar technologies on its website. Non-essential cookies (statistics, preferences, marketing) are only activated when the user has given prior and explicit consent through the cookie banner.
For more information, please consult our Cookie Policy.
12.- DISCLAIMER
Mentiness is only responsible for data processing carried out through its website and platform. If the user is redirected to third-party websites or platforms, the privacy policies of such third parties will apply, and Mentiness accepts no responsibility for them.
13.- CHANGES TO THIS POLICY
Mentiness reserves the right to update this Privacy Policy to adapt it to legislative, jurisprudential or operational changes. Any modification will be published on this page with an indication of the date of the last update. We recommend reviewing this policy periodically.
14.- CONTACT
For any enquiry, suggestion or complaint related to the processing of your personal data, you can contact Mentiness at:
- Email: hola@mentiness.com
- Address: Calle Santa Eulalia N4 6A, CP 36600, Vilagarcía de Arousa (Pontevedra), Spain
Policy updated in February 2026
