Privacy Policy

This page explains how we handle your data and how to contact us.

Last updated: 2024-08-01

We care about your privacy. This page explains how we collect, use, and protect your data. We keep the language clear and simple.

Who we are

We are Mindfuly. You can contact us at support@mindfuly.it.

What data we collect

  • Account data: name, email, password (hashed), and profile settings
  • App data: meditation sessions, progress, ratings, and preferences
  • Communication data: messages you send through our contact form
  • Technical data: IP address, device, and analytics during your visits

We do not collect special-category data unless you choose to add health and wellness notes in the app. These notes may include your mood, stress level, or other well-being information. You can remove them at any time.

Special-category data (health)

If you add health-related notes, we handle them with extra care. We only process this data with your consent, and you can withdraw consent at any time in settings or by contacting us.

Purposes of processing

We process data for:

  • Providing and improving the app and features
  • Saving your progress across sessions
  • Sending service emails (verification, password reset)
  • Supporting you when you ask for help
  • Keeping our platform secure and reliable

Lawful basis

We use these GDPR legal bases:

  • Contract: to provide the service you asked for (e.g., your account and sessions)
  • Consent: for analytics and marketing cookies where required, and for optional health-related notes
  • Legitimate interests: to keep systems secure and prevent abuse
  • Legal obligation: when we must keep records as required by law

Data retention

We keep your data only as long as needed:

  • Account data: kept while your account is active; deleted on request
  • App data: kept while you use the app; deleted on request
  • Communication data: kept for up to 24 months for support history
  • Logs: kept for up to 12 months to secure our services

We may keep limited records to meet legal duties or resolve disputes.

Processors (service providers)

We use trusted processors (subprocessors) to run our service. Examples include:

  • Cloud hosting and databases (infrastructure provider)
  • Email delivery (SMTP email provider)
  • Analytics (only with consent where required)
  • Payment processor for subscriptions (Stripe)

We require all processors to follow strong security and GDPR rules. We sign Data Processing Agreements (DPAs) with them when needed.

International transfers

Some providers may be outside your country. When we transfer data internationally, we use safeguards such as Standard Contractual Clauses (SCCs) or rely on adequacy decisions, as applicable, to protect your data.

Security measures

We apply technical and organizational measures to keep your data safe, including:

  • Encryption in transit (HTTPS/TLS)
  • Limited access to production systems
  • Role-based access control and reviews
  • Backups and monitoring
  • Secure development and vulnerability checks

Your rights

Under GDPR, you have the following rights. You can contact us to use them.

  • Right of access: Ask for a copy of your personal data we process.
  • Right to rectification: Ask us to fix incorrect or incomplete data.
  • Right to erasure: Also known as the “right to be forgotten”. You can ask us to delete your personal data when it is no longer needed or when you withdraw consent, if applicable.
  • Right to restriction: Ask us to limit processing in certain cases.
  • Right to data portability: Receive your data in a common, machine-readable format and pass it to another service.
  • Right to object: Object to processing based on legitimate interests or to direct marketing.
  • Rights related to automated decision-making: We do not make decisions based only on automated processing that have legal or similarly significant effects on you.

If we process your data based on consent (for example analytics or marketing cookies, or optional health notes), you can withdraw your consent at any time by updating your cookie settings or contacting us. Withdrawing consent does not affect the lawfulness of processing that took place before you withdrew it.

Children

Our service is not directed to children under 16. If you believe a child has provided personal data, contact us so we can delete it.

Contact and Data Protection Officer (DPO)

If you have questions, requests, or complaints, contact our DPO or privacy contact:

  • Email: privacy@mindfuly.it
  • Support: support@mindfuly.it

You also have the right to lodge a complaint with your local data protection authority.

Changes to this policy

We may update this policy to reflect changes in our service or law. We will post updates here and update the “Last updated” date. If changes are major, we will notify you in the app or by email.

Detailed categories and examples

Account and authentication

We collect your email to create your account. We use it to verify your email and to help you sign in. You can change your email in settings.

App features and progress

We store your session history and progress so you can track your journey and keep your streaks. You can delete sessions you do not want to keep.

Support messages

When you contact us, we store your message to help you. We keep a short history to resolve follow-up questions. You can ask us to delete past tickets.

Analytics and performance

Where required, we ask your consent for analytics cookies that help us improve features and stability. You can turn off these cookies at any time.

Payments

If you choose a paid plan, payments are processed by a secure provider. We do not store full payment card details on our servers. We store subscription status to deliver your plan benefits.

Exercising your rights

To exercise your rights, write to privacy@mindfuly.it. Tell us who you are and what you want to do (access, erase, object, etc.). We will answer without undue delay and within the timelines set by law.

Thank you for trusting Mindfuly.