Privacy Policy

Last updated: 2 April 2026

1. Who we are

Mindset Morph ("we", "us", "our") is a personal performance coaching platform operated by Mindset Morph Ltd. We are committed to protecting and respecting your privacy.

2. What data we collect

When you use Mindset Morph, we collect:

  • Account information: Your name, email address, and password (encrypted).
  • Profile information: Job title, industry, professional context, challenges, goals, and vision that you provide to personalise your coaching experience.
  • Assessment data: Your MORPH diagnostic responses and dimension scores.
  • Coaching conversations: Messages exchanged with your AI coach within the Coaching Room.
  • Goals and action steps: Goals you set and progress you track within the app.
  • Journal entries: Reflections and notes you save.
  • Usage data: Streaks, tool usage, and engagement patterns to improve the product.
  • Payment information: Processed securely by Stripe. We do not store your card details.

3. How we use your data

We use your data to:

  • Provide personalised AI coaching tailored to your profile, goals, and MORPH scores.
  • Generate your MORPH assessment results and track your growth over time.
  • Send daily challenges, goal reminders, and coaching nudges (you can opt out at any time).
  • Process your subscription payments via Stripe.
  • Improve the product based on aggregated, anonymised usage patterns.

4. AI coaching and your privacy

Your coaching conversations are processed using Anthropic's Claude API to provide personalised responses. We take your AI privacy seriously:

  • Your data is never used to train AI models. Not by us, and not by any third party. Anthropic's API data policy explicitly prohibits using customer data for model training or improvement.
  • Zero data retention by AI providers. Conversations are processed in real time via API calls. Anthropic does not permanently store your conversation data. A temporary safety log may be retained for up to 30 days as required by Anthropic's safety policy, after which it is automatically deleted.
  • No conversation data is shared with AI providers beyond the immediate API call. Each request is processed and discarded. Your data is not included in any training datasets.
  • Your coaching data is only used to provide you with a personalised coaching experience. No other user, employer, or third party can access your coaching conversations.

5. Data sharing and sub-processors

We never sell your personal data. We share data only with the following trusted sub-processors, each of which maintains its own security certifications and data protection agreements:

  • Supabase (database and authentication): Stores your account data, coaching history, and assessments with row-level security and AES-256 encryption at rest. SOC 2 Type II certified.
  • Anthropic (AI coaching): Processes coaching conversations in real time via API. Data is not used for model training and is not permanently retained. Zero data retention agreement in place.
  • Stripe (payment processing): Handles subscription billing. PCI DSS Level 1 certified. We never see or store your card details.
  • Resend (transactional email): Delivers coaching nudges, goal reminders, and account notifications. Email content is not stored beyond delivery.
  • Vercel (application hosting): Hosts the web application with automatic TLS encryption and DDoS protection. SOC 2 Type II certified.

A Data Processing Agreement (DPA) is available on request for enterprise customers. Contact support@mindsetmorph.co.uk.

6. Data security

Your data is protected using industry-standard security measures:

  • Encrypted in transit: All data transmitted between your browser and our servers is encrypted using TLS (HTTPS). This is enforced at the infrastructure level by Vercel.
  • Encrypted at rest: All data stored in our database is encrypted at rest using AES-256 encryption, managed by Supabase.
  • Row-level security: Database-level access controls ensure you can only access your own data. No user can view another user's coaching conversations, assessments, or profile.
  • Secure authentication: Passwords are hashed using bcrypt and never stored in plain text. Session tokens are securely managed.
  • Payment security: All payment processing is handled by Stripe, which is PCI DSS Level 1 certified. We never see, store, or have access to your card details.

7. Your rights (UK GDPR)

Under UK data protection law, you have the right to:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Update or correct your data via your Settings page.
  • Erasure: Delete your account and all associated data at any time from Settings.
  • Portability: Request your data in a portable format.
  • Withdraw consent: Opt out of emails and notifications at any time.

8. Data retention and deletion

We retain only the data necessary to provide the service:

  • Active accounts: Your data is retained for as long as your account is active and your subscription is current.
  • Cancelled subscriptions: If you cancel your subscription, your account and data remain accessible for 30 days in case you wish to resubscribe. After 30 days of inactivity, your data is scheduled for deletion.
  • Account deletion: You can request account deletion at any time by contacting support@mindsetmorph.co.uk. Upon request, all your personal data, coaching conversations, assessments, goals, journal entries, and profile information are permanently deleted within 30 days.
  • Data export: Before deletion, you can request a copy of your data in a portable format (JSON) by contacting us.
  • What is deleted: All profile data, MORPH assessments, coaching conversations, goals, action steps, journal entries, 360 feedback, personality profiles, and emotional check-ins.
  • What is retained: Anonymised, aggregated data that cannot identify you may be retained for product improvement. Payment records are retained as required by UK financial regulations (typically 6 years).

9. AI transparency and compliance

Mindset Morph uses AI to provide coaching insights, not to monitor, score, or evaluate individuals on behalf of employers:

  • No workplace monitoring: Mindset Morph does not analyse emotions, infer sentiment, or rate individual performance for the purpose of employer surveillance or workplace scoring.
  • Self-directed coaching: All assessments and coaching are self-initiated by the user. MORPH scores reflect self-reported data and are visible only to the individual user.
  • No automated decision-making: No employment, promotion, or performance management decisions are made or recommended by the platform.
  • EU AI Act: Our use of AI is designed to comply with the EU AI Act. The platform does not engage in prohibited practices under Article 5, including social scoring, emotion recognition for workplace evaluation, or manipulation of behaviour.

10. Cookies

We use essential cookies only for authentication and session management. We do not use advertising or tracking cookies. No third-party analytics cookies are used.

11. Changes to this policy

We may update this policy from time to time. We will notify you of significant changes via email or an in-app notification. The "last updated" date at the top reflects the most recent revision.

12. Contact us

If you have questions about this policy or your data, contact us at support@mindsetmorph.co.uk.