Mindbit Privacy Policy

Effective date: September 1, 2025

Mindbit ("we", "us") helps you read less and learn more. This policy explains what we collect, why we collect it, how we use it, and the choices you have. It applies to our mobile apps (iOS and Android) and our website at www.mindbit.app/privacy.

Quick summary

  • We collect account details (name, email, avatar), app activity (e.g., device info, crash/diagnostic events), coarse location (via IP), and the content you save (highlights, bookmarks, points & streak history).
  • We use Firebase services (EU region europe-west where configured) for authentication, storage, analytics, push notifications, Remote Config, and App Check.
  • We do not sell or share your data for cross-context advertising, and we don’t show ads.
  • You can access, correct, export, and delete your data. You can unsubscribe from marketing emails at any time.

1) Who we are

Controller: Marcin Dukaczewski, KEN 51, Warsaw, Poland.

How to reach us: privacy@mindbit.app for any privacy questions or requests.

2) Who can use Mindbit

Mindbit is for a general audience aged 16+. We don’t knowingly collect personal data from children under 16. If you believe a child has provided us data, contact us and we’ll delete it.

3) What we collect

Account & identity

  • Name, email address, profile photo / avatar (from sign-in provider).

Third-party sign-in options:

  • Google (email, basic profile).
  • Sign in with Apple (name/email; Hide My Email supported).
  • Facebook Login (email + public_profile only).

You may link multiple sign-in methods to the same Mindbit account (your choice).

App content you add

  • Highlights from books, bookmarks, points & streaks history.

Usage & device data (collected automatically)

  • Device model, OS version, app version, language, IP address (used for coarse location such as city/region), diagnostic events.
  • Advertising IDs: not collected.
  • Precise GPS location: not collected (we don’t request location permissions).

Push & communications

  • Push notification token (to deliver notifications).
  • Email address for product updates and marketing (only if you opt in).

Website data

We use only essential cookies necessary to run the site. If we add analytics or non-essential cookies later, we’ll update this policy and ask for consent where required.

4) How we use your data (purposes & legal bases)

  • Provide the service: create your account, sync your content, secure access (Contract).
  • Personalize content: recommend content based on your highlights, bookmarks, and in-app activity (Legitimate interests / Contract where needed).
  • Analytics & product improvement: understand usage to improve reliability and features (Legitimate interests).
  • Security and abuse prevention: protect accounts, verify app integrity (App Check) (Legitimate interests).
  • Push notifications: send reminders and product messages (Legitimate interests; you can turn them off in system settings).
  • Marketing emails: send news and tips with your consent. You can unsubscribe via the link in any email. Transactional messages (e.g., password resets) are not marketing.

If we rely on consent, you can withdraw it anytime in the app/website or by emailing us; withdrawal won’t affect prior lawful processing.

5) How we process and store data

We use Google Firebase as our primary processor:

  • Firebase Authentication (sign-in), Cloud Storage (store your content), Analytics, Cloud Messaging (push), Remote Config, and App Check.

We configure Firebase data location to europe-west where the product supports it. Some processing by Firebase/Google may still occur outside your country (e.g., for resilience). When data is transferred outside the EEA/UK, we rely on Standard Contractual Clauses and comparable safeguards.

We may use an email service provider to send marketing emails strictly as our processor.

We do not disclose personal data to third parties for their own marketing. We may disclose to:

  • Service providers/processors (e.g., Google/Firebase, email delivery) under contract.
  • Legal: if required by law or to protect rights, safety, and security.

We do not sell personal information and do not “share” it for cross-context behavioral advertising as defined by US state laws.

6) Your choices

  • Email marketing: click Unsubscribe in any email.
  • Push notifications: disable in your device settings.
  • Personalization: you can adjust in-app recommendations by changing what you save, or request deletion (see below).

7) Data retention

  • Account & profile data: kept while your account is active; deleted when you delete your account.
  • Highlights, bookmarks, points & streaks: kept while your account is active; deleted on account deletion.
  • Analytics events: retained up to 14 months (aggregated thereafter).
  • Server logs & security events: typically 90 days.
  • Backups: may persist for up to 30 days after deletion for disaster recovery and are then purged automatically.

8) Your rights

Depending on where you live, you may have rights to:

  • Access your data, correct inaccuracies, delete your data, export/portability, restrict or object to certain processing, and withdraw consent.
  • EU/UK users can also complain to a supervisory authority (e.g., the Polish DPA, UODO).

How to make a request

Email privacy@mindbit.app from the address associated with your account. We may need to verify your identity.

9) Account deletion & data export

Delete your account: from in-app settings or by emailing privacy@mindbit.app. Deletion triggers a 30-day grace period (in case you change your mind); after that, we delete active records, with backups purged on their normal cycle.

Export your data: request via email and we’ll provide a portable file of your content where technically feasible.

10) Security

We use industry-standard measures, including TLS encryption in transit, encryption at rest (Firebase), role-based access, least-privilege access controls, App Check to reduce abuse, and periodic access reviews. No method of transmission or storage is 100% secure, but we work to protect your data.

11) International users

If you access Mindbit from outside the EU/UK, your data may be processed in Poland and other countries where our processors operate. We use appropriate safeguards (e.g., SCCs) for cross-border transfers.

12) Third-party sign-in specifics

Google / Apple / Facebook provide us only your basic profile and email (as permitted by you). For Apple, if you choose Hide My Email, we receive a relay email and cannot see your real address.

You can link or unlink sign-in methods at any time in the app.

13) Changes to this policy

We’ll update this policy as needed. We’ll post the new version with a new "Effective date" and, if changes are significant, notify you in-app or by email.

Data categories & purposes (store disclosure map)

Category | Examples | Purpose(s) | Shared?
Identifiers | Name, email, avatar; third-party user ID | Account creation, authentication, communications | With processors only
User content | Highlights, bookmarks, points & streaks | Core functionality, sync, personalization | With processors only
Device/usage | Device model/OS, app version, IP (coarse location), diagnostics | Analytics, performance, security | With processors only
Push token | FCM token | Deliver push notifications | With processors only
Marketing contact | Email address | Marketing emails (with consent), product updates | With processors only

No Ads. No sale or “sharing” for cross-context ads.