GDPR Compliance Statement
Last updated: May 2025
- 🇪🇺 EU Data Residency: Frankfurt, DE
- 🔒 Encrypted at rest: AES-256
- ✅ Explicit consent: before collection
- 🗑️ 30-day retention: auto delete
✅ What we do to comply
- Patient data collected only after explicit consent via the lead capture form
- Clear disclosure of what data is collected before submission
- All data stored exclusively in EU servers (Supabase, Frankfurt, Germany)
- Photos stored in private buckets — never publicly accessible
- Signed image URLs expire after 1 hour
- No medical diagnoses — always recommend professional consultation
- Data deletion available on request within 72 hours
- Clinics (data controllers) sign Data Processing Agreements (DPA)
Data Processing Agreement
MindTrellis acts as a data processor under GDPR Article 28. Each clinic using MindTrellis is the data controller responsible for their patients' data. We provide a Data Processing Agreement (DPA) to all clinic clients upon request.
To request a DPA: dpa@mindtrellis.com
Sub-processors
| Service | Purpose | Location |
|---|---|---|
| Supabase | Database & file storage | EU (Frankfurt) |
| OpenAI | AI chat & photo analysis | USA (SCCs applied) |
| Resend | Transactional email | USA (SCCs applied) |
| Vercel | Application hosting | EU region |
SCCs = Standard Contractual Clauses for third-country transfers
Contact our DPO
Data Protection Officer: privacy@mindtrellis.com