Privacy Policy

1. Who is responsible (controller)

The controller responsible for processing your personal data within the meaning of the EU General Data Protection Regulation (GDPR) is the operator of Mindoly (mindoly.app):

Tim Geithner, sole proprietor (Einzelunternehmen), Ludwig-Erhard-Str. 18, c/o IP-Management #9778, 20459 Hamburg, Germany. VAT ID: DE361933549.

For any privacy questions, to exercise your rights, or to reach a data protection contact, email us at support@mindoly.app.

We have not appointed a Data Protection Officer, as one is not required for an operation of this size under Art. 37 GDPR and §38 BDSG.

2. What data we collect and why

Account and authentication data. When you create an account we process your email address and authentication credentials so you can sign in. You can sign in with email and password, or with Google or Apple (OAuth); in that case we receive the basic identifier these providers return to confirm your identity. We use this data to create and secure your account, sign you in, and send essential account emails (such as confirmation and password reset).

Profile and gamification data. Your profile includes data you choose to provide or generate by using Mindoly: username, display name, avatar, your selected interests, and your game progress such as XP, level, and streak. We use this to run the core product features and personalise your learning experience.

Learning progress and saved content. We store which topics you have started and completed, your quiz results, and the knowledge nuggets you save. We use this to track your progress through the skill tree, unlock new topics, award XP, and show you the content you have saved.

Payment data (Mindoly Plus). If you subscribe to Mindoly Plus we process the data needed to manage your subscription. Card payments are handled entirely by Stripe; we never see or store your card number. On our side we store only Stripe identifiers (customer and subscription IDs) and subscription status, plan, billing period, and trial information, so we can grant your Plus benefits and let you manage or cancel your subscription.

Email delivery data. To send transactional emails (account confirmation, password reset) we process your email address through our email provider, Resend. We do not send marketing emails unless you have separately opted in.

Server logs and technical data. When you use Mindoly our servers automatically process technical data such as your IP address, request timestamps, the requested URL, and basic device/browser information contained in standard HTTP headers. We use this to deliver the service, keep it secure, prevent abuse, and enforce rate limits (for example, limiting how often you can export your data).

3. Legal bases for processing

We process your personal data only where the GDPR allows it. The legal bases we rely on are:

Performance of a contract (Art. 6(1)(b) GDPR): to create and run your account, deliver the learning features you use, and provide and bill the Mindoly Plus subscription you purchase.

Legitimate interests (Art. 6(1)(f) GDPR): to keep Mindoly secure, prevent fraud and abuse, enforce rate limits, and maintain server logs for operational and security purposes. Our legitimate interest is operating a safe and reliable service; you may object to this processing as described below.

Consent (Art. 6(1)(a) GDPR): where we rely on your consent — for example, optional OAuth sign-in via a third-party provider, or any optional communications you opt into. You can withdraw consent at any time with effect for the future.

Legal obligation (Art. 6(1)(c) GDPR): where we must retain certain data, such as payment and invoicing records, to comply with tax and accounting law.

4. Who we share data with (processors and recipients)

We do not sell your personal data. We share it only with carefully selected service providers who process it on our behalf under data processing agreements, and only as far as needed to run Mindoly. Our processors are:

Lovable Cloud / Supabase — our hosting, database, and authentication provider. It stores your account email, profile and gamification data, learning progress, and saved nuggets, and handles email/password and Google/Apple sign-in.

Cloudflare — our content delivery network and edge compute provider. It delivers and renders the app, processes technical request data (including IP addresses) to route traffic, and provides DDoS protection and security.

Stripe — our payment processor for the Mindoly Plus subscription, routed via Lovable's connector gateway. Stripe collects and stores your card and billing data to process payments; we receive only subscription status and Stripe identifiers.

Resend — used for email delivery. It processes your email address and the content of transactional emails (such as confirmation and password reset) to deliver them.

We may also disclose data where we are legally required to do so, or to establish, exercise, or defend legal claims.

5. International data transfers

Some of our processors are based in, or process data in, the United States or other countries outside the European Economic Area (EEA). This applies in particular to Cloudflare, Stripe, and Resend, and may apply to the infrastructure used by Lovable Cloud / Supabase.

Where personal data is transferred outside the EEA to a country without an adequacy decision by the European Commission, we ensure appropriate safeguards under Art. 46 GDPR — primarily the European Commission's Standard Contractual Clauses (SCCs), supplemented by additional technical and organisational measures where appropriate.

You can request more information about these safeguards, or a copy of the relevant clauses, by contacting us at support@mindoly.app.

6. How long we keep your data

We keep your personal data only as long as necessary for the purposes described in this policy.

Account, profile, progress, and saved-nugget data is retained for as long as your account exists. When you delete your account, this data is permanently deleted (see your rights below).

Payment and subscription records may be retained beyond account deletion where we are legally required to keep them — for example, invoices and transaction records kept to meet tax and accounting obligations, for the statutory retention periods under German tax and commercial law (§147 AO, §257 HGB), currently up to 10 years.

Server logs containing technical data such as IP addresses are kept only for a short period needed for security and abuse prevention, and are then deleted or anonymised.

7. Cookies and local storage

Mindoly uses technically necessary cookies and local storage to keep you signed in and to remember preferences such as your language/locale. These are required to provide the service you have requested and are always active.

When you first visit, we show a cookie consent banner. You can accept only this essential storage, or additionally consent to optional analytics that would help us improve Mindoly.

We do not currently run any analytics, third-party advertising, or tracking, and we do not build advertising profiles about you. Any optional analytics would only ever run after you have given your consent, and you can withdraw that consent at any time.

8. Your rights

Under the GDPR you have the following rights regarding your personal data:

Right of access (Art. 15): obtain confirmation of whether we process your data and a copy of it.

Right to rectification (Art. 16): have inaccurate or incomplete data corrected.

Right to erasure (Art. 17): have your data deleted where the legal conditions are met.

Right to restriction (Art. 18) and right to data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format and have it transmitted where technically feasible.

Right to object (Art. 21): object at any time to processing based on our legitimate interests.

Right to withdraw consent (Art. 7): withdraw any consent you have given, at any time, with effect for the future.

To exercise any of these rights, contact us at support@mindoly.app.

9. Self-service data export and account deletion

You do not have to wait for us to exercise two of your most important rights — they are built directly into the app.

Data export (portability and access): in your account settings you can export your own data as a JSON file at any time. The export includes your account, profile, learning progress, saved nuggets, and subscription records. This export is rate-limited to once per day.

Account deletion (erasure): in your account settings you can permanently delete your account yourself. Deletion is irreversible and requires a confirmation step. If you have an active Mindoly Plus subscription, we cancel it first so you are not billed for a deleted account, and then we permanently delete all your associated data (profile, progress, saved nuggets, and subscription records on our side). Some payment records may be retained where the law requires, as described under retention above.

10. Right to lodge a complaint

If you believe our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU member state of your habitual residence, place of work, or the place of the alleged infringement.

The supervisory authority competent for us is: Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany — https://www.lda.bayern.de.

Exercising this right does not affect any other administrative or judicial remedy available to you.

11. Minimum age

Mindoly is intended for users aged 16 and over. We do not knowingly create accounts for, or knowingly process the personal data of, anyone under 16.

This reflects the digital consent age under the GDPR as implemented in Germany. If we learn that we have collected data from a person under this age without the required consent, we will delete it. If you are a parent or guardian and believe a child has provided us with personal data, please contact us at support@mindoly.app.

Please also note that XP, levels, streaks, and other virtual goods within Mindoly have no monetary value and cannot be exchanged, transferred, or cashed out. Accounts may be suspended or banned for abuse.

12. Contact and changes to this policy

For any questions about this privacy policy or about how we handle your personal data, contact the controller at support@mindoly.app.

We may update this privacy policy from time to time, for example to reflect changes in our service, our processors, or legal requirements. The current version is always available at mindoly.app, and the date at the top of this policy indicates when it was last revised.

Where changes are significant, we will take reasonable steps to inform you in advance.