Privacy Policy
Effective date: 28 March 2026
1. Introduction & Scope
This Privacy Policy describes how MindspanDashboard ("the Platform", "we", "us", "our") collects, uses, stores, discloses, and protects your personal information. This policy applies to all users of the Platform, including visitors, registered users, and any person whose data is processed through the Platform.
MindspanDashboard is an educational and self-guided wellbeing platform. It does not provide clinical diagnoses, establish a therapist-client relationship, or replace professional mental health care. All content is for educational and self-reflection purposes only.
By using the Platform, you consent to the practices described in this Privacy Policy. If you do not agree with this policy, please do not use the Platform.
2. Australian Privacy Principles (APPs) Compliance
We are committed to handling your personal information in accordance with the Australian Privacy Principles (APPs) set out in the Privacy Act 1988. Our data practices comply with APPs 1 through 13, which govern how personal information is collected, used, disclosed, stored, and accessed.
We also align our practices with the My Health Records Act 2012 for data retention and access controls, and maintain informational compliance with the standards of the US Health Insurance Portability and Accountability Act (HIPAA) where applicable.
3. Information We Collect
We collect the following categories of information:
3.1 Personal Information
- Name and email address (provided during registration)
- Age and demographic information relevant to platform eligibility
- Account credentials (passwords are hashed and never stored in plain text)
3.2 Assessment Data
- Responses to validated psychometric instruments
- Assessment scores, subscale results, and severity classifications
- Historical assessment data for tracking wellbeing patterns over time
3.3 AI Interaction Logs
- De-identified data sent to AI providers for generating educational insights
- AI-generated outputs and clinical framework alignments
- Prompt and response metadata (timestamps, model identifiers)
3.4 Usage Data
- Pages visited, features used, and session duration
- Device type, browser information, and IP address
- Consent preferences and settings changes
4. How We Use Your Information
Your information is used for the following purposes:
4.1 Primary Care Use
- Providing personalised educational wellbeing insights based on your assessment data
- Generating Wellbeing Action Plans and tracking your progress over time
- Displaying clinical framework alignments for educational self-reflection
4.2 AI Processing
- Processing de-identified assessment data through AI models to generate educational insights
- Pattern identification across validated clinical frameworks (DSM-5-TR, ICD-11)
- Generating strengths-based, educational content tailored to your wellbeing profile
4.3 Platform Improvement
- Analysing aggregated, anonymised usage patterns to improve the Platform
- Monitoring platform performance and reliability
- Ensuring compliance with clinical guardrails and ethical standards
5. AI Processing
The Platform uses Google Gemini AI models to generate educational wellbeing insights. We take the following measures to protect your privacy during AI processing:
- De-identification: Personal health information (PHI) is scrubbed from your data before it is transmitted to AI providers. AI models receive only de-identified assessment scores and contextual data.
- No model training: Your data is not used to train, fine-tune, or improve AI models. Data is processed for inference only and is not retained by the AI provider for training purposes.
- Educational output only: AI-generated content is for educational and self-reflection purposes. It does not constitute clinical advice or diagnosis.
AI-generated insights are produced by machine learning models and may contain inaccuracies. They are intended as educational decision support only and must not be relied upon as clinical advice. All AI output is reviewed against established clinical frameworks but is not validated by a clinician for individual cases.
6. Data Sharing
We are committed to protecting your data. Our data sharing practices are as follows:
- Clinician access: If you choose to share your wellbeing data with a registered health professional, they may access your assessment results and AI-generated insights with your explicit consent. You may revoke this access at any time through your Settings page.
- No third-party marketing: We do not share, sell, rent, or trade your personal information with third parties for marketing or advertising purposes.
- No sale of data: We do not sell your personal data under any circumstances.
- Legal obligations: We may disclose your information if required by law, court order, or government regulation, or to protect the safety of any person in accordance with mandatory reporting obligations.
7. Third-Party Service Providers
We use the following third-party service providers to operate the Platform. Each provider processes data only as necessary to deliver their specific service:
| Provider | Purpose | Data Processed |
|---|---|---|
| Supabase | Database & Authentication | Account data, assessment data, encrypted records |
| Vercel | Web Hosting & Deployment | Request logs, IP addresses, performance data |
| Google Gemini | AI Processing | De-identified assessment data only (PHI scrubbed) |
| Stripe | Payment Processing | Payment information (processed directly by Stripe; we do not store card details) |
8. Data Storage & Security
Your data is encrypted (AES-256), de-identified before AI processing, and stored in compliance with the Australian Privacy Act 1988 and HIPAA standards.
We implement the following security measures to protect your data:
- Encryption at rest: All stored data is encrypted using AES-256 encryption.
- Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.3.
- Australian data residency: Primary data is stored in the Asia-Pacific region (ap-northeast-2) to maintain proximity to Australian users and comply with data sovereignty expectations.
- Access controls: Role-based access controls (RBAC) and row-level security (RLS) ensure that only authorised users and systems can access your data.
- Regular security reviews: We conduct regular security assessments and monitor for vulnerabilities.
9. Data Retention
We retain your data in accordance with Australian health legislation and best practice:
- Clinical records: Assessment data and AI-generated insights are retained for a minimum of 7 years from the date of last interaction, in accordance with Australian health record retention requirements.
- Account data: Your account information is retained for the duration of your account and for a reasonable period after account closure to fulfil legal obligations.
- Usage data: Aggregated, anonymised usage data may be retained indefinitely for platform improvement purposes.
- Deletion requests: You may request deletion of your data at any time. We will process your request in accordance with our legal retention obligations. Where data must be retained for legal reasons, it will be securely archived and access-restricted.
10. Your Rights
Under the Australian Privacy Principles and applicable legislation, you have the following rights in relation to your personal information:
- Access: You may request access to the personal information we hold about you at any time.
- Correction: You may request correction of any inaccurate or incomplete personal information.
- Deletion: You may request deletion of your personal data, subject to our legal retention obligations.
- Data portability: You may export your assessment data and AI-generated insights in a portable format through your Settings page.
- Consent withdrawal: You may withdraw your consent to data processing at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
To exercise any of these rights, please use the controls available in your Settings page or contact us at info@mindspan.com.au.
11. Consent Management
The Platform provides granular consent controls that allow you to manage your privacy preferences. Through your Settings page, you can:
- View and manage your active consent agreements
- Enable or disable AI processing of your assessment data
- Control whether your data is shared with clinicians
- Manage cookie and analytics preferences
- Export your data or request account deletion
Consent is recorded with version tracking. If our Terms of Service or this Privacy Policy change materially, you will be asked to review and re-accept the updated agreements before continuing to use the Platform.
12. Cookies & Analytics
The Platform uses cookies and similar technologies for the following purposes:
- Essential cookies: Required for authentication, session management, and security. These cannot be disabled.
- Functional cookies: Used to remember your preferences and settings (e.g., theme, consent choices).
- Analytics cookies: Used to collect anonymised usage data to improve the Platform. You may opt out of analytics cookies through your Settings page.
We do not use advertising cookies or tracking pixels. We do not serve targeted advertisements.
13. Children's Privacy
The Platform is intended for users aged 18 years and older. We do not knowingly collect personal information from individuals under the age of 18. If we become aware that we have collected data from a person under 18, we will take immediate steps to delete that information. If you believe a minor has provided us with personal information, please contact us at info@mindspan.com.au.
14. International Data Transfers
While our primary data storage is in the Asia-Pacific region, some data processing may occur in other jurisdictions through our third-party service providers:
- Google Cloud (Gemini AI): De-identified assessment data may be processed by Google Cloud infrastructure. Only de-identified data (with PHI scrubbed) is transmitted to Google for AI inference.
- Vercel: Web hosting may involve edge locations outside Australia.
Where data is transferred internationally, we ensure that appropriate safeguards are in place, including contractual obligations with service providers to protect your data in accordance with Australian Privacy Principles.
15. Data Breach Notification
In the event of a data breach that is likely to result in serious harm to affected individuals, we will:
- Assess within 72 hours: Conduct a reasonable and expeditious assessment of the breach within 72 hours of becoming aware of it.
- Notify the OAIC: Report eligible data breaches to the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988.
- Notify affected individuals: Inform affected users as soon as practicable, including details of the breach, the type of information involved, and recommended steps to mitigate potential harm.
- Remediate: Take immediate steps to contain the breach and prevent recurrence.
16. Complaints
If you believe we have breached your privacy or mishandled your personal information, you may:
- Contact us directly: Email info@mindspan.com.au with details of your complaint. We will investigate and respond within 30 days.
- Lodge a complaint with the OAIC: If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner.
- Lodge a complaint with the APS: For concerns about the ethical conduct of AI-generated psychological content, you may contact the Australian Psychological Society.
17. Changes to Policy
We reserve the right to update this Privacy Policy at any time. Material changes will be communicated through the Platform, and where required, you will be asked to review and accept the updated policy. The effective date at the top of this page indicates when the policy was last revised. We encourage you to review this Privacy Policy periodically.
18. Contact Information
If you have any questions about this Privacy Policy or our data practices, please contact us at:
Email: info@mindspan.com.au
Privacy complaints: Office of the Australian Information Commissioner (OAIC)