Privacy Policy
1. Introduction
FortiMind LLC (“FortiMind,” “we,” “us,” or “our”) is a Michigan limited liability company that develops software products for health and wellness professionals. Our flagship product, NO Session Control™, is a Stream Deck Plus plugin designed for NeurOptimal® neurofeedback practitioners.
We are committed to protecting your privacy. This Privacy Policy explains how we handle information in connection with our products, services, and the FortiMind.net website (collectively, the “Services”). We believe in transparency, and because our products are designed with privacy at their core, this policy is refreshingly straightforward.
2. Scope of This Policy
This Privacy Policy applies to:
- NO Session Control™ — the Stream Deck Plus plugin distributed through the Elgato Marketplace
- FortiMind.net — our product website
- Any related documentation, support channels, and services provided by FortiMind LLC
This policy does not cover third-party products or services, including the Elgato Marketplace (operated by Elgato Systems / Corsair), NeurOptimal® software (operated by Zengar Institute, Inc.), or the Stream Deck hardware and software platform. Each of those services has its own privacy policy, and we encourage you to review them.
3. Information We Do Not Collect
FortiMind LLC does not collect, receive, access, transmit, or process any of the following categories of information:
| Category | Collected? | Explanation |
|---|---|---|
| Personal identifiers (name, email, address, phone) | No | We do not collect any personal identifiers through our plugin or website |
| Financial information (payment, billing) | No | Purchases are processed entirely by Elgato and Stripe; FortiMind never sees payment details |
| Health or biometric data | No | Session data, mood scores, and client information entered into the plugin remain on your device |
| Geolocation data | No | The plugin does not access GPS, IP-based location, or any geolocation services |
| Device identifiers or fingerprints | No | No device fingerprinting, hardware identifiers, or unique device tracking of any kind |
| Browsing or search history | No | We do not track browsing behavior on our website or within the plugin |
| Usage analytics or telemetry | No | No analytics scripts, crash reporting, usage telemetry, or behavioral tracking of any kind |
| Cookies or tracking technologies | No | FortiMind.net does not use cookies, web beacons, pixels, or similar tracking technologies |
| Audio, visual, or sensor data | No | The plugin does not access your microphone, camera, or any hardware sensors |
| Inferences or profiling data | No | We do not create profiles, inferences, or behavioral models about users |
4. Plugin Data Architecture
NO Session Control is designed with a local-first, zero-transmission architecture. Understanding how your data is handled within the plugin is important:
4.1 Data Created by the Plugin
During normal operation, the plugin creates and manages the following types of data on your local device:
- Session records — start time, end time, duration, completion status, and configured session parameters
- Client profiles — practitioner-entered names and associated session history
- Mood tracking data — numeric mood scores (on a configurable 5-point or 10-point scale) recorded before and after sessions
- Practice analytics — aggregated statistics including completion rates, duration trends, mood patterns, and session streaks
- Plugin settings — user-configured preferences, action settings, and display options
4.2 Where Data Is Stored
4.3 Data Export
The plugin provides optional CSV and JSON export capabilities for session history and analytics data. When you use these features, the exported files are saved to a location you choose on your local device. FortiMind does not receive copies of exported data. You are solely responsible for the handling, storage, and security of exported files.
4.4 Data Deletion
Because all plugin data resides on your local device, you maintain full control over its lifecycle. You may delete any or all plugin data at any time by:
- Using the plugin’s built-in data management features
- Removing the plugin’s data files from your computer
- Uninstalling the plugin through the Stream Deck software
Uninstalling the plugin will remove all associated data from your device. FortiMind does not retain any residual copies, as we never had access to your data in the first place.
4.5 Network Activity
NO Session Control makes zero outbound network connections. The plugin does not contact any servers, APIs, endpoints, or external services during operation. It does not check for updates independently (the Elgato Stream Deck software handles plugin updates through the Marketplace). The plugin has no telemetry, crash reporting, license verification calls, or “phone home” functionality of any kind.
5. FortiMind.net Website
The FortiMind.net website is hosted on Cloudflare Workers. We have designed the website with privacy in mind:
- No analytics: We do not use Google Analytics, Cloudflare Web Analytics, or any other analytics platform
- No cookies: FortiMind.net does not set any cookies — first-party or third-party
- No tracking pixels: We do not use tracking pixels, web beacons, or similar technologies
- No advertising: We do not serve advertisements or participate in any advertising networks
- No social media trackers: We do not embed social media widgets that track your activity
- No forms that collect personal data: Contact inquiries are directed to our email address; we do not operate contact forms that store submissions in a database
5.1 Server Logs
As with any website, our hosting provider (Cloudflare) may process standard server-level information in the course of delivering web pages, including IP addresses, browser type, and request timestamps. This processing is performed by Cloudflare in accordance with Cloudflare’s Privacy Policy and is necessary for security, abuse prevention, and network operations. FortiMind does not access, store, or analyze server log data, and Cloudflare’s processing of this data is governed by their own privacy practices.
5.2 External Links
FortiMind.net may contain links to third-party websites (e.g., the Elgato Marketplace, support resources). These external sites are not operated by FortiMind and are governed by their own privacy policies. We are not responsible for the privacy practices of third-party sites.
6. Third-Party Services
While FortiMind itself does not collect your data, we want to be transparent about the third-party platforms involved in delivering our product:
| Service | Role | Data They Handle | Their Privacy Policy |
|---|---|---|---|
| Elgato Marketplace | Plugin distribution and purchase processing | Your Marketplace account, purchase history, DRM verification | Elgato Privacy Policy |
| Stripe | Payment processing (via Elgato) | Payment card information, billing details | Stripe Privacy Policy |
| Cloudflare | Website hosting and CDN | Standard web request data (IP, user agent) | Cloudflare Privacy Policy |
FortiMind does not receive, access, or store any personal information processed by these third-party services. When you purchase NO Session Control through the Elgato Marketplace, your transaction is between you and Elgato/Stripe. FortiMind receives aggregated revenue data (sales count and earnings), not individual purchaser information.
7. Children’s Privacy
NO Session Control is designed for use by licensed neurofeedback practitioners and wellness professionals in a professional setting. Our Services are not directed to children under the age of 13 (or 16 in jurisdictions where that threshold applies). We do not knowingly collect personal information from children. Because we do not collect personal information from any user, there is no risk of inadvertent collection from minors through our Services.
If you are a practitioner who serves minor clients, please note that all client data you enter into the plugin (including minors’ names and mood data) remains on your local device and is subject to your own professional privacy obligations, including HIPAA, FERPA, or other applicable regulations. FortiMind never accesses this data.
8. Your Privacy Rights Under State Law
FortiMind respects the privacy rights granted by all applicable US state comprehensive privacy laws. While these rights are most meaningful when a company collects personal data — which FortiMind does not — we want to ensure you understand your rights and our position under each applicable law.
8.1 Applicability Statement
8.2 Rights by State
The following table summarizes the consumer privacy rights established by comprehensive state privacy laws currently in effect or taking effect through 2026. FortiMind’s response to each right is the same: we do not hold your personal information, so these rights, while respected and acknowledged, cannot be exercised against data we do not possess.
| State | Law | Key Consumer Rights |
|---|---|---|
| California | CCPA / CPRA | Right to know, delete, correct, opt-out of sale/sharing, limit use of sensitive PI, non-discrimination |
| Virginia | VCDPA | Right to access, correct, delete, portability, opt-out of targeted advertising/sale/profiling |
| Colorado | CPA | Right to access, correct, delete, portability, opt-out of targeted advertising/sale/profiling |
| Connecticut | CTDPA | Right to access, correct, delete, portability, opt-out of targeted advertising/sale/profiling |
| Utah | UCPA | Right to access, delete, portability, opt-out of sale/targeted advertising |
| Iowa | ICDPA | Right to access, delete, portability, opt-out of sale/targeted advertising |
| Indiana | ICDPA | Right to access, correct, delete, portability, opt-out of targeted advertising/sale/profiling |
| Tennessee | TIPA | Right to access, correct, delete, portability, opt-out of sale/targeted advertising/profiling |
| Texas | TDPSA | Right to access, correct, delete, portability, opt-out of sale/targeted advertising/profiling |
| Montana | MCDPA | Right to access, correct, delete, portability, opt-out of targeted advertising/sale/profiling |
| Oregon | OCPA | Right to access, correct, delete, portability, opt-out of targeted advertising/sale/profiling |
| Delaware | DPDPA | Right to access, correct, delete, portability, opt-out of targeted advertising/sale/profiling |
| Maryland | MODPA | Right to access, correct, delete, portability, opt-out of targeted advertising/sale/profiling |
| Minnesota | MCDPA | Right to access, correct, delete, portability, opt-out of targeted advertising/sale/profiling |
| New Hampshire | NHPA | Right to access, correct, delete, portability, opt-out of targeted advertising/sale/profiling |
| New Jersey | NJDPA | Right to access, correct, delete, portability, opt-out of targeted advertising/sale/profiling |
| Nebraska | NDPA | Right to access, correct, delete, portability, opt-out of targeted advertising/sale/profiling |
| Kentucky | KCDPA | Right to access, correct, delete, portability, opt-out of targeted advertising/sale/profiling |
| Rhode Island | RIDPA | Right to access, correct, delete, portability, opt-out of sale; must disclose specific third parties |
| Florida | FDBR | Right to access, correct, delete, opt-out of targeted advertising/sale/profiling |
8.3 California-Specific Disclosures (CCPA / CPRA)
Under the California Consumer Privacy Act as amended by the California Privacy Rights Act, California residents have the right to specific disclosures about data practices. In compliance with these requirements, FortiMind LLC discloses:
- Categories of personal information collected in the preceding 12 months: None.
- Categories of sources from which personal information is collected: None.
- Business or commercial purpose for collecting or selling personal information: Not applicable — we do not collect or sell personal information.
- Categories of third parties with whom personal information is shared: None.
- Categories of personal information sold or shared for cross-context behavioral advertising in the preceding 12 months: None. FortiMind has not sold or shared (as defined by the CCPA/CPRA) any personal information.
- Categories of personal information disclosed for a business purpose in the preceding 12 months: None.
- Use of sensitive personal information: FortiMind does not collect or use sensitive personal information as defined by the CPRA.
- Automated decision-making technology: FortiMind does not use automated decision-making technology as defined under the CPPA regulations effective January 1, 2026.
- Financial incentives: FortiMind does not offer financial incentives related to the collection, retention, or sale of personal information.
8.4 Rhode Island-Specific Disclosure
Under the Rhode Island Data Privacy Act, businesses are required to disclose the specific third parties to whom personal data is disclosed. FortiMind discloses personal data to no third parties.
8.5 Universal Opt-Out Mechanisms
Several states (including California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, New Hampshire, New Jersey, Oregon, and Texas) require businesses to honor Universal Opt-Out Preference Signals (e.g., Global Privacy Control). Because FortiMind does not engage in tracking, targeted advertising, data sales, or cross-context behavioral advertising, there is no data processing activity for a universal opt-out signal to affect. Our website does not set cookies or tracking technologies that would be subject to such signals.
8.6 Exercising Your Rights
If you are a resident of any state with a comprehensive privacy law and wish to submit a request regarding your personal information, you may contact us using the information in Section 13. We will respond to your request within the timeframe required by your state’s law. However, as stated throughout this policy, FortiMind does not collect or hold personal information, and any response will confirm this fact.
You will not be discriminated against, charged different prices, or provided a different level of quality for exercising any privacy rights.
9. International Users
NO Session Control is currently available for Windows 10 and later, distributed through the Elgato Marketplace to users worldwide. Because the plugin operates entirely on your local device with no data transmission to FortiMind, there are no cross-border data transfers to or from FortiMind in connection with your use of the plugin.
For users in the European Economic Area (EEA), United Kingdom, or other jurisdictions with comprehensive data protection laws: FortiMind does not process your personal data within the meaning of the GDPR, UK GDPR, or equivalent legislation. No data controller or data processor relationship exists between FortiMind and users of the plugin, as no personal data flows to FortiMind.
If the nature of our Services changes in the future to involve cross-border data processing, we will update this policy with appropriate disclosures regarding transfer mechanisms and safeguards.
10. Data Security
Although FortiMind does not collect your data, we take security seriously in the design of our products:
- Code integrity: The plugin is distributed through the Elgato Marketplace with DRM-enabled file encryption, preventing tampering or unauthorized modification
- No network attack surface: Because the plugin makes zero outbound network connections, there is no network-based attack vector for data exfiltration
- Atomic local writes: Plugin data is written to your local storage using atomic file operations (write to temporary file, then rename), preventing data corruption
- Path validation: All file paths are validated to prevent path traversal attacks
- Automated testing: The plugin maintains a suite of over 2,200 automated tests ensuring code reliability and safety
- Dependency auditing: We regularly audit third-party dependencies for known security vulnerabilities
You are responsible for the physical and digital security of your own device, including maintaining appropriate access controls, operating system updates, and backup procedures for locally stored data.
11. Data Retention
FortiMind does not retain any user data because we do not collect any user data. The only data associated with our product exists on your local device, under your exclusive control.
Plugin data persists on your device for as long as the plugin is installed and you choose to retain it. Upon uninstallation, all plugin data is removed from your device. FortiMind has no backups, copies, or residual records of your data at any point.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, products, or applicable laws. When we make material changes, we will:
- Update the “Last Updated” date at the top of this policy
- Post the revised policy on this page
- For significant changes that materially affect your rights, provide notice through the Elgato Marketplace listing or our website
We encourage you to review this policy periodically. Your continued use of our Services after changes are posted constitutes acceptance of the updated policy.
If we ever change our data practices to collect personal information, we will provide advance notice and obtain consent where required by law before any collection begins.
13. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
Email: support@fortimind.net
Website: fortimind.net
For privacy-related inquiries, please include “Privacy” in the subject line of your email. We will respond to all privacy requests within 30 days, or within the shorter timeframe required by applicable state law.
NeurOptimal® and Dynamical Neurofeedback® are registered trademarks of Zengar Institute, Inc. Stream Deck and Stream Deck Plus are trademarks of Elgato Systems / Corsair. NO Session Control is independently developed and maintained by FortiMind LLC and is not affiliated with, endorsed by, or sponsored by Zengar Institute, Inc. or Elgato Systems.
© 2026 FortiMind LLC. All rights reserved.