Table of Contents
ℹ️ 1. About MindShift
MindShift ("we", "us", "our") is a personal development and AI-assisted mental wellness application developed by an independent developer. The app is available on Google Play and the Apple App Store.
This Privacy Policy explains how we collect, use, store and protect your personal information when you use MindShift on any device. By using MindShift, you agree to the practices described in this policy.
Developer Contact: privacy@getmindshift.app
🚨 2. Medical Disclaimer
- The AI in MindShift provides motivational guidance, coaching prompts, and educational content only.
- It does not diagnose mental health conditions, prescribe treatments, or replace therapy.
- If you are experiencing a mental health crisis or emergency, please contact a licensed mental health professional or emergency services immediately.
- Emergency resources: EKEPSY (Greece) 10306 · Crisis Text Line · 112 (EU emergency)
MindShift complies with Google Play's Health & Wellness category guidelines and does not make clinical claims.
📋 3. Data We Collect
3.1 Account Data (Required)
| Data Type | Purpose | Required? |
|---|---|---|
| Email address | Account creation, login, password reset | Yes |
| Display name | Personalised greeting | Optional |
| Password (hashed) | Authentication — never stored in plain text | Yes |
3.2 Wellness & App Data
| Data Type | Examples | Purpose |
|---|---|---|
| Mood ratings | 1–10 daily mood score (self-reported by user, not measured by device) | Progress tracking & personalisation |
| Anxiety / energy levels | Self-reported integers — not clinical measurements | Trend analysis & AI coaching |
| Assessment answers | Mindset questionnaire scores | Personalised recommendations |
| AI chat messages | Text conversations with the AI coach | AI response generation & history |
| Check-in notes | Optional free-text reflection | Personal journaling |
| Streak & progress data | Days active, exercises completed | Motivation & gamification |
3.3 Technical Data (Automatic)
| Data Type | Purpose |
|---|---|
| Device type & OS version | Bug fixing & compatibility |
| App version | Feature rollout management |
| Session timestamps | Security & rate limiting |
| IP address (transient) | API security, fraud prevention |
⚙️ 4. How We Use Your Data
- Provide the service: authentication, AI coaching responses, progress charts.
- Personalisation: tailor AI prompts based on your mood history and assessment scores.
- Safety & security: detect abuse, enforce rate limits, prevent fraud.
- Service improvement: aggregated, anonymised analytics to improve features.
- Subscription management: verify active plan, enforce usage tiers.
- Communications: transactional emails only (password reset, billing confirmation). No marketing emails without explicit opt-in.
Legal basis (GDPR Art. 6): performance of contract (Art. 6(1)(b)), legitimate interests (Art. 6(1)(f)), and — for sensitive wellness data — your explicit consent (Art. 9(2)(a)).
🔗 5. Third-Party Services
| Service | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Supabase (EU Frankfurt) | Database & authentication | Email, hashed password, wellness data | supabase.com/privacy |
| OpenAI (USA) Role: Data Processor |
AI coaching response generation — acts as a data processor on our behalf, not an independent data controller | Chat message text only — no email, no name, no user ID is included. Data transfer covered by Standard Contractual Clauses (SCCs) per GDPR Art. 46. | openai.com/privacy |
| Vercel (Edge Network) | API hosting / serverless | Server-side request logs (IP, timestamps) | vercel.com/legal |
| Google Play Billing | Subscription payments (Android) | Purchase token, subscription status | policies.google.com |
| Apple App Store (planned) | Subscription payments (iOS) | Purchase receipt | apple.com/legal/privacy |
| Stripe (planned) | Web payment processing | Email, payment token (no card data stored by us) | stripe.com/privacy |
- OpenAI is our data processor (GDPR Art. 28) — it processes data only on our documented instructions.
- Chat messages are sent without any personal identifiers (no email, no name, no user ID).
- Cross-border transfer (EU → USA) is lawful under Standard Contractual Clauses (SCCs), GDPR Art. 46.
- OpenAI's API policy: data sent via API is not used to train OpenAI models.
- OpenAI is classified as a service provider, not a data broker or advertising partner.
🤝 6. Data Sharing
We never sell your personal data to any third party.
We share data only in these limited circumstances:
- Service providers listed in Section 5, under strict data-processing agreements.
- Legal obligations: if required by law, court order, or to protect the safety of users.
- Business transfers: if MindShift is acquired, users will be notified 30 days in advance and given the option to delete their account.
AI chat content sent to OpenAI is anonymised (no name or email is included in the API request).
🔒 7. Data Storage & Security
- Primary database: Supabase hosted in EU (Frankfurt, Germany) — fully GDPR-compliant region.
- Encryption in transit: TLS 1.2+ for all API communications.
- Encryption at rest: AES-256 encryption on Supabase storage.
- Passwords: hashed via bcrypt — never stored in plain text.
- Access control: Row-Level Security (RLS) enforced — users can only access their own data.
- API security: JWT authentication, rate limiting, input validation on all endpoints.
- Payment data: card numbers are processed by Google Play / Apple / Stripe and never stored on our servers.
📅 8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data (email, name) | Until account deletion |
| Wellness data (mood, check-ins) | Until account deletion |
| AI chat logs | 90 days (then anonymised) |
| Server / access logs | 30 days |
| Billing records | 7 years (legal requirement) |
| Anonymised analytics | Indefinitely (no personal data) |
⚖️ 9. Your Rights (GDPR)
As a user in the European Economic Area, you have the following rights:
Access
Request a copy of all data we hold about you.
Rectification
Correct inaccurate or incomplete personal data.
Erasure
Request deletion of your account and all associated data.
Restriction
Limit how we process your data in certain circumstances.
Portability
Receive your data in a structured, machine-readable format (JSON/CSV).
Object
Object to processing based on legitimate interests.
Withdraw Consent
Revoke consent at any time without affecting prior processing.
Lodge Complaint
File a complaint with your national Data Protection Authority (e.g., HDPA in Greece).
To exercise any right, email: privacy@getmindshift.app. We respond within 30 days.
👶 10. Children's Privacy
MindShift is intended for users aged 13 and older.
- We do not knowingly collect personal data from children under 13.
- Users aged 13–17 require parental or guardian consent.
- If we discover that a child under 13 has created an account, we will delete it promptly.
- To report a child's account: privacy@getmindshift.app
💳 11. Subscriptions & Billing
| Plan | Features | Price |
|---|---|---|
| Free | 1 AI chat per day, basic mood tracking, check-ins | €0 |
| Premium | Unlimited AI coaching, full history, advanced analytics, priority support | €9.99 / month |
- Billing: Subscriptions are billed through Google Play Billing (Android) or Apple In-App Purchase (iOS). Payment is charged to your Google/Apple account at confirmation of purchase.
- Auto-renewal: Subscriptions renew automatically unless cancelled at least 24 hours before the end of the current billing period.
- Cancellation: Cancel anytime via Google Play → Subscriptions or Apple → App Store → Subscriptions. Access continues until end of current period.
- Refunds: Managed by Google Play and Apple per their respective refund policies. MindShift does not process refunds directly.
- Data we receive: We receive only a subscription token/receipt — never your credit card number or full payment details.
- Free trial (if offered): Terms will be clearly displayed before activation.
🗑️ 12. Account Deletion
You can delete your account and all associated data at any time:
- In-app: Settings → Account → Delete Account → Confirm
- By email: privacy@getmindshift.app — we process requests within 30 days.
- API endpoint:
DELETE /api/auth/account(authenticated)
Upon deletion, we will permanently erase: your email, name, all wellness data, chat logs, and assessment history. Anonymised aggregated statistics (not linked to you) may be retained. Billing records are retained for the legally required 7-year period.
https://getmindshift.app/delete-account
This link works even if you have uninstalled the app. Requests processed within 30 days.
📝 13. Policy Changes
We may update this Privacy Policy periodically. When we do:
- The "Effective Date" at the top will be updated.
- For material changes, we will notify you via in-app notification or email at least 14 days before the change takes effect.
- Continued use of MindShift after the effective date constitutes acceptance of the updated policy.
Previous versions of this policy are available upon request.
📬 14. Contact Us
| Channel | Details |
|---|---|
| Privacy email | privacy@getmindshift.app |
| General support | support@getmindshift.app |
| GDPR / data requests | gdpr@getmindshift.app |
| Response time | Within 30 days for GDPR requests; 2 business days for general queries |
Supervisory authority (Greece): Hellenic Data Protection Authority (HDPA) – www.dpa.gr