Privacy Policy
Plain-language note: MindFriend is a mental health and wellness app. We may process information that can be sensitive (like mood check-ins and what you write in chats). We designed this policy to be readable while staying legally accurate.
Not medical care / not emergency services: MindFriend provides wellness tools and supportive features. It does not provide medical diagnosis or treatment and is not intended for emergencies. If you are in immediate danger, contact local emergency services.
1. Introduction
This Privacy Policy describes how we collect, use, disclose, and protect information when you use:
- The MindFriend mobile application (the "App")
- Any related services we provide (the "Services")
This policy applies globally. Additional region-specific terms (e.g., GDPR for the EEA/UK, CCPA/CPRA for California) are included where relevant.
Who we are (roles under privacy laws)
- Data Controller (GDPR/UK GDPR): Daniel Escalante is the controller of personal data processed through the Services, unless stated otherwise.
- Service Providers/Processors: We use third parties (e.g., cloud hosting, analytics, AI providers) who process data on our behalf under contractual safeguards.
HIPAA notice
MindFriend is a consumer wellness app. We are not a "covered entity" or "business associate" under HIPAA in typical consumer use. Therefore, information you provide in MindFriend is generally not "PHI" regulated by HIPAA.
2. Information We Collect
We collect information in the following categories. Some of this data may be considered sensitive under certain laws (e.g., "special category" under GDPR or "sensitive personal information" under CPRA).
2.1 Account and profile information
- Identifiers: user ID, username/handle, display name
- Authentication data: Sign in with Apple identifier, Google sign-in identifier, or email address (depending on your login method)
- Profile settings: timezone, language/locale, notification preferences, privacy settings, AI tone preferences
2.2 Wellness and mental health-related information (sensitive)
You may provide information that relates to your mental health and wellbeing, including:
- Mood check-ins: mood score(s), anxiety/energy ratings (if enabled), timestamps, reflections/notes
- Journal/reflection entries: short notes or reflections tied to quests or exercises
- AI conversations: messages you send to the AI companion and the AI responses
- Wellness activity history: quests assigned/completed/skipped, exercise sessions, streaks/badges
Important: You control what you choose to share. Please avoid entering information you do not want processed (e.g., highly sensitive identifiers).
2.3 Social and community information (Circles)
If you use friend Circles:
- Circle membership: circle IDs, role (owner/member), join date
- Circle posts/check-ins: mood emoji/status, short text check-ins, timestamps
- Invites: invite codes, invitation events, and related metadata
2.4 Purchases and subscriptions
- Subscription status: active/expired, product identifier, renewal or expiration dates
- Transaction identifiers: e.g., Apple transaction/original transaction IDs or signed transaction data
- Entitlements: premium/free status, feature access limits
Payment information: Purchases are processed by Apple (App Store). We do not receive your full payment card details.
2.5 Usage and analytics data
- App interactions: screens viewed, feature usage (quests started/completed, exercises played), session length, taps/clicks
- Engagement signals: streak changes, push notification opens, referral/invite events (if used)
- Aggregated analytics: statistics derived from usage (e.g., total completions) in non-identifiable form when possible
2.6 Device and technical information
- Device identifiers: device model, OS version, app version, language/region settings
- Network information: IP address (typically captured server-side), connection type
- Push notification token: Apple Push Notification service (APNs) token
- Diagnostics: crash logs, performance metrics, error logs
2.7 Customer support communications
If you contact support, we may collect:
- Your contact information
- Contents of your message
- Attachments you send us
- Support interaction history
2.8 Information we do not intentionally collect
We do not intentionally request:
- Government-issued identifiers (e.g., SSN)
- Full payment card information
- Detailed medical records
- Genetic or biometric identifiers
3. How We Collect Information
We collect information through:
3.1 Information you provide directly
- When you create an account or update your profile
- When you log mood, write reflections, or complete quests
- When you chat with the AI companion
- When you post in Circles or join via invite code
- When you contact support
3.2 Automatically collected information
- App usage analytics and events
- Device and technical information
- Crash and diagnostic logs
- IP address and server logs (for security and performance)
3.3 Information from third parties
- Apple / Google sign-in: identity information necessary to authenticate you (e.g., a stable sign-in identifier; email may be relay-based)
- Apple App Store: subscription status and transaction verification information
- Service providers: analytics, crash reporting, cloud hosting, AI service providers (see Section 6)
4. How We Use Your Information
We use personal information for the following purposes:
4.1 Provide and operate the Services
- Create and manage your account
- Provide the AI companion experience and conversation history
- Deliver daily quests, exercises, streaks, and progress tracking
- Enable Circles (private group features) and related activity feeds
- Maintain subscription entitlements and feature access
4.2 Personalization and improvement
- Personalize quests and recommendations (e.g., suggest a breathing exercise when stress is high)
- Improve content, features, and user experience
- Debug and fix issues (crashes, errors)
4.3 Safety and integrity
- Detect and prevent fraud, abuse, and security incidents
- Apply safety measures for harmful content (e.g., self-harm crisis detection) and show crisis resources
- If our systems detect content suggesting you may be in crisis, we log this event to ensure appropriate safety resources are displayed
- Enforce rate limits and fair usage (e.g., AI message quotas for free users)
4.4 Communications
- Send service-related messages (e.g., verification, important updates)
- Send reminders and notifications (quests, inactivity nudges) if you enable them
- Respond to support inquiries
4.5 Legal and compliance
- Comply with legal obligations (tax, accounting, lawful requests)
- Enforce our Terms of Service and protect rights and safety
4.6 Research and analytics (de-identified/aggregated where possible)
- Understand feature adoption, retention, and performance
- Create aggregate insights (e.g., completion rates) without identifying individuals
5. Legal Basis for Processing (GDPR/UK GDPR)
If you are in the European Economic Area (EEA), United Kingdom, or a jurisdiction requiring legal bases, we rely on:
5.1 Contract (Article 6(1)(b))
Processing necessary to provide the Services you request, such as:
- Account creation, authentication, quest delivery, storing your settings
- Managing subscription entitlements
5.2 Consent (Article 6(1)(a); special category: Article 9(2)(a))
We rely on your consent for:
- Processing sensitive wellness data (mood logs, reflective notes, chat content) to provide personalization and wellness features
- Push notifications (where required by platform policy)
You may withdraw consent at any time (see Section 9). Withdrawal does not affect the lawfulness of processing carried out before you withdrew.
5.3 Legitimate interests (Article 6(1)(f))
We may process data to:
- Secure and improve our Services
- Prevent abuse and fraud
- Perform internal analytics and debugging
When we rely on legitimate interests, we balance them against your rights and expectations.
5.4 Legal obligations (Article 6(1)(c))
We process data as required to comply with laws and regulatory requests.
6. Data Sharing and Disclosure
We do not sell your personal information. We share data only as described below.
6.1 With your Circles (social sharing you control)
If you join a Circle, information you post (e.g., mood emoji, check-in text) is visible to other Circle members. Please share thoughtfully. Circle content is intended to be private to that Circle, but we cannot fully control what other members do with what you share.
6.2 With service providers (processors)
We use vendors to help operate the Services:
| Provider | Purpose |
|---|---|
| Supabase, Inc. | Database hosting, user authentication, Edge Functions (backend logic) |
| xAI | AI chat processing — your messages to the AI companion are sent to xAI to generate responses |
| Apple (APNs) | Push notification delivery |
We require service providers to:
- Use data only to provide services to us
- Maintain security safeguards
- Follow contractual privacy obligations
6.3 With Apple (payments)
Subscriptions and in-app purchases are processed by Apple. Apple provides us limited transaction verification and subscription status information needed to grant entitlements.
6.4 Legal requirements and protection
We may disclose information if we believe in good faith that disclosure is necessary to:
- Comply with law, regulation, legal process, or government request
- Protect the rights, property, and safety of MindFriend, our users, or others
- Investigate fraud or security incidents
6.5 Business transfers
If we undergo a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, user information may be transferred as part of that transaction. We will provide notice and choices where required by law.
6.6 De-identified and aggregated information
We may share aggregated or de-identified data that cannot reasonably identify you, for example for analytics, research, or reporting.
7. Data Retention
We retain personal information only as long as necessary for the purposes described in this Policy, unless a longer retention period is required or permitted by law.
7.1 Retention periods
| Data Type | Retention Period |
|---|---|
| Account data (profile, settings) | While your account is active |
| Mood entries, quests, exercises, chats | While your account is active (unless you delete specific items) |
| Circle posts | While your account is active or until deleted |
| Security logs and events | 90 days |
| Subscription and accounting records | 7 years (legal/tax compliance) |
| Encrypted backups | 30 days after deletion |
7.2 Deletion
You can request deletion of your account and associated data (see Section 9). Deletion generally:
- Deletes or anonymizes account identifiers
- Removes your content from active systems
- May leave limited information in backups for up to 30 days until backups rotate
8. Data Security
We implement administrative, technical, and physical safeguards designed to protect your information, including:
- Encryption in transit: TLS/HTTPS for data transmitted between your device and our servers
- Encryption at rest: encryption for stored data at the database level
- Access controls: role-based access, least privilege, strong authentication for internal tools
- Row Level Security: database policies ensuring users can only access their own data
- Monitoring and logging: detection of suspicious activity and operational events
- Rate limiting: protection against abuse of accounts and AI features
- Secure development practices: code review, dependency updates, and testing
No system can be guaranteed 100% secure. You are responsible for keeping your device and account credentials secure.
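For readers who want to see what the "Row Level Security" safeguard listed above looks like in practice, the following is an added example of a Postgres RLS setup written for Supabase; it is not MindFriend's own schema or policy code. It assumes a table named mood_entries with columns user_id, mood_score and note (all assumed names), and relies on Supabase's auth.uid() function, which returns the ID of the signed-in user making the request.

```sql
-- Added example (not MindFriend's own schema or policies): Postgres Row Level
-- Security of the kind described in Section 8, written for Supabase.
-- Table and column names are assumed for illustration.

create table if not exists mood_entries (
  id          bigint generated always as identity primary key,
  user_id     uuid not null default auth.uid(),
  mood_score  smallint not null check (mood_score between 1 and 10),
  note        text,
  created_at  timestamptz not null default now()
);

-- Without this statement, no policy below is enforced at all.
alter table mood_entries enable row level security;

-- Weak setting, shown only for contrast (do not create it): a policy that lets
-- every signed-in user read every row.
-- create policy "anyone can read" on mood_entries
--   for select to authenticated using (true);

-- Corrected setting: each user can read and change only rows whose user_id
-- matches their own ID, enforced by the database regardless of app code.
create policy "own entries: select" on mood_entries
  for select to authenticated using (user_id = auth.uid());

create policy "own entries: insert" on mood_entries
  for insert to authenticated with check (user_id = auth.uid());

create policy "own entries: update" on mood_entries
  for update to authenticated
  using (user_id = auth.uid()) with check (user_id = auth.uid());

create policy "own entries: delete" on mood_entries
  for delete to authenticated using (user_id = auth.uid());
```

A useful check when verifying a setup like this: with RLS enabled and no matching policy, a select returns zero rows rather than an error, so a query run as one test user should return only that user's entries, and an insert with a different user_id should be rejected by the with check clause.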
9. Your Rights
Depending on where you live, you may have rights regarding your personal information.
9.1 Global rights (all users)
- Access: request a copy of your data
- Correction: correct inaccurate profile data
- Deletion: delete your account and associated data (subject to legal retention)
- Portability: request export of certain information in JSON format
- Withdraw consent: where we rely on consent, you may withdraw it
- Opt out of notifications: disable push notifications in app settings and/or system settings
9.2 GDPR/UK GDPR rights (EEA/UK users)
You may also have:
- Right to object to processing based on legitimate interests
- Right to restrict certain processing
- Right to lodge a complaint with your local data protection authority
9.3 California privacy rights (CCPA/CPRA)
If you are a California resident, you may have the right to:
- Know what personal information we collect, use, and disclose
- Delete personal information (with exceptions)
- Correct inaccurate personal information
- Opt out of the "sale" or "sharing" of personal information
- Limit the use and disclosure of sensitive personal information
- Non-discrimination: you will not be discriminated against for exercising your rights
Do Not Sell/Share: We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
9.4 How to submit requests
- Email: support@mindfriend.app with subject "Privacy Request"
- In-app: Settings → Privacy → "Export Data" / "Delete Account"
We will respond within the timeframes required by applicable law.
10. Children's Privacy
MindFriend is not intended for children under 13. We do not knowingly collect personal information from children under 13.
- If you believe a child under 13 has provided us personal information, contact us at support@mindfriend.app
- If we learn we have collected such information, we will delete it as required by law
If you are between 13 and the age of majority in your jurisdiction, you should use MindFriend only with appropriate parental permission where required.
11. International Data Transfers
MindFriend may process and store information in countries other than your own, including the United States and other locations where our service providers operate.
When required by law, we use appropriate safeguards for cross-border transfers, such as:
- Standard Contractual Clauses (SCCs) and/or UK transfer addenda
- Reliance on the EU–U.S. Data Privacy Framework (where applicable)
- Additional technical and organizational measures as needed
Contact support@mindfriend.app for more information about transfer safeguards.
12. Cookies and Tracking Technologies
MindFriend is a mobile app. We do not use cookies, but we may use similar technologies:
- Device identifiers for analytics and crash reporting
- Analytics SDKs to understand usage and improve performance
- Crash reporting to diagnose errors
Your choices
- App Tracking Transparency (iOS): We do not currently use IDFA for advertising
- Device settings: You can limit ad tracking in your device settings
- In-app settings: Analytics preferences available in app settings
13. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will provide notice through the App and/or other appropriate means.
- The Effective Date above indicates when this policy took effect
- Your continued use of MindFriend after changes become effective means you accept the updated policy, to the extent permitted by law
14. Contact Information
If you have questions, concerns, or requests related to privacy or this policy, contact:
Email: support@mindfriend.app
Appendix: California "Notice at Collection" Summary (CPRA)
Categories collected:
- Identifiers (account ID, handle, email if provided)
- Sensitive personal information (mood and wellness data you submit; AI chat content)
- Internet/electronic activity (app usage)
- Device/technical info (IP address, device identifiers, push token)
Purposes:
- Provide the Services (quests, chat, circles)
- Security and fraud prevention
- Analytics and product improvement
- Customer support
- Legal compliance
Retention: See Section 7
Sale/Sharing: We do not sell personal information; we do not share for cross-context behavioral advertising.