Privacy Policy

Effective Date: 9. October 2025

Last Updated: 9. October 2025

1. Introduction

This Privacy Policy explains how Mindstash B.V. ("MindStash," "we," "us," or "our") collects, uses, shares, and protects your personal data when you use our curiosity companion application and services (the "Service").

MindStash is an AI-powered curiosity companion that helps you capture, explore, and connect your interests through intelligent note-taking and knowledge management.

Data Controller:

Mindstash B.V.
KvK: 97780626
Science Park 608
1098 XH Amsterdam, the Netherlands
VAT: NL 868228564B01

Contact:

Email: privacy@mindstash.app
Contact Person: Cosimo Radler

This Privacy Policy is designed to comply with the General Data Protection Regulation (GDPR) and Dutch data protection laws.

2. Data We Collect

2.1 Information You Provide Directly

Account Information:

  • Email address
  • Name
  • Profile information (optional bio, preferences)
  • Authentication credentials (when using email sign-in)

Content You Create:

  • Notes and written content
  • Photos and images
  • URLs and web links
  • Voice recordings (if you use microphone features)

Optional Information:

  • Location data (only if you opt-in for location-based features)

2.2 Information Collected Automatically

Device and Usage Information:

  • IP address
  • Device type and model
  • Operating system version
  • App version
  • Device identifiers
  • Usage patterns and interaction data (time spent, features used)
  • Crash reports and error logs

Analytics Data (Anonymized):

  • App performance metrics
  • Feature usage statistics
  • Navigation patterns
  • Session duration

This analytics data is collected anonymously and is never linked back to your personal identity.

2.3 AI-Generated Information

Semantic Context Data:

To provide you with an intelligent, context-aware AI experience, we process your content to extract semantic meaning and connections between your notes, interests, and curiosities. This includes:

  • Extracted topics and themes from your notes
  • Connections between different pieces of content
  • Contextual understanding of your interests
  • AI-generated summaries and insights

This processing is essential to MindStash's core functionality as your personal curiosity companion.

3. How We Use Your Data

3.1 Legal Basis for Processing

We process your personal data based on the following legal grounds under GDPR Article 6:

Contract Performance (Art. 6(1)(b)):

Processing necessary to provide you with the MindStash service, including:

  • Creating and managing your account
  • Processing your content with AI to deliver curiosity companion features
  • Enabling synchronization across your devices
  • Providing customer support

Legitimate Interests (Art. 6(1)(f)):

  • Improving app functionality and user experience
  • Analyzing anonymized usage patterns
  • Detecting and preventing fraud or abuse
  • Ensuring security and service stability

Consent (Art. 6(1)(a)):

  • Optional location-based features (you can withdraw consent anytime)
  • Marketing communications (if you opt-in)
  • Non-essential cookies

3.2 Purposes of Processing

We use your data to:

  1. Provide AI-Powered Features: Process your notes, photos, and content with artificial intelligence to deliver personalized insights, connections, and suggestions
  2. Manage Your Account: Create, maintain, and secure your user account
  3. Enable Authentication: Verify your identity through Apple Sign-In, Google Sign-In, or email authentication
  4. Deliver Notifications: Send push notifications about your content and app updates
  5. Improve the Service: Analyze anonymized usage data to enhance UI/UX and develop new features
  6. Ensure Security: Detect fraud, prevent abuse, and maintain service security
  7. Comply with Legal Obligations: Respond to legal requests and enforce our terms

4. AI Content Processing

4.1 How AI Works in MindStash

Core Functionality:

MindStash is fundamentally an AI-powered application. When you create content, our AI processes it to:

  • Understand the context and meaning of your notes
  • Identify connections between your interests
  • Provide intelligent suggestions and insights
  • Build your personalized curiosity profile
  • Enable conversational interactions with your content

AI Processing is Essential: AI content processing is not optional—it is core to how MindStash works as your curiosity companion. Without AI processing, the fundamental features of the service cannot function.

4.2 AI Service Providers

We use the following AI providers to process your content:

  • OpenAI (ChatGPT/GPT models): Content analysis, natural language processing, conversational AI
  • Anthropic (Claude): Content understanding, semantic analysis, intelligent responses
  • Google Gemini: Multi-modal content processing, image understanding, contextual insights

International Data Transfers:

These AI providers are based in the United States. When your content is processed, it may be temporarily transferred to servers outside the European Union. We ensure these transfers comply with GDPR through:

  • Standard Contractual Clauses (SCCs) with our AI providers
  • Adequate security measures
  • Data minimization (only necessary data is sent)
  • Anonymization where possible for API calls

Data Retention by AI Providers:

We use enterprise/API agreements with our AI providers that include:

  • No use of your data for training their models
  • Limited retention periods for processing
  • Compliance with our data protection requirements

5. Third-Party Services

5.1 Service Providers

We share your data with the following categories of third-party service providers:

Infrastructure and Hosting:

  • Amazon Web Services (AWS - EU Region): Server hosting, data storage, infrastructure (data remains in EU)

Authentication:

  • Apple Sign-In: Apple account authentication (subject to Apple's Privacy Policy)
  • Google Sign-In: Google account authentication (subject to Google's Privacy Policy)
  • Firebase Authentication: User authentication management

Payment Processing (Future):

  • Stripe: Payment processing when freemium model launches (subject to Stripe's Privacy Policy)

AI and Content Processing:

  • OpenAI: AI content analysis (data may be transferred to US with SCCs)
  • Anthropic: AI content analysis (data may be transferred to US with SCCs)
  • Google Gemini: AI content analysis (data may be transferred to US with SCCs)
  • ScrapingBee: URL content extraction and web scraping

Analytics and Performance (Anonymized):

  • Google Analytics: Anonymized app usage analytics
  • Firebase Analytics: Anonymized app performance monitoring
  • Vercel: Website performance analytics (if applicable)

Communication:

  • SendGrid: Transactional emails (account notifications, password resets)

5.2 Data Sharing Principles

  • We only share data necessary for the specific service
  • Third parties are contractually bound to protect your data
  • We do not sell your personal data to anyone
  • Analytics data is anonymized before sharing

6. International Data Transfers

6.1 Data Storage Location

Your data is primarily stored on AWS servers located in the European Union.

6.2 Transfers Outside the EU

AI Processing:

When you use MindStash's AI features, your content is temporarily processed by AI providers based in the United States (OpenAI, Anthropic, Google). These transfers are necessary for the core functionality of the Service.

Safeguards:

We protect these transfers through:

  • Standard Contractual Clauses (SCCs): EU-approved contracts ensuring EU-level data protection
  • Data Minimization: Only necessary data is transferred
  • Encryption: Data is encrypted in transit (TLS/SSL)
  • Limited Retention: AI providers process and delete data according to agreed retention periods

Analytics:

Anonymized analytics data may be processed outside the EU by Google Analytics and Firebase. This data cannot be linked back to you personally.

7. Data Security

We implement appropriate technical and organizational measures to protect your data:

Technical Measures:

  • Encryption in transit (TLS/SSL)
  • Secure authentication protocols
  • Regular security updates
  • Access controls and authentication
  • Monitoring and logging

Organizational Measures:

  • Limited employee access to personal data
  • Confidentiality agreements with staff
  • Regular security training
  • Incident response procedures
  • Third-party security assessments

Note: While we implement strong security measures, no system is 100% secure. We cannot guarantee absolute security of data transmitted over the internet.

8. Your Rights Under GDPR

As an EU resident, you have the following rights regarding your personal data:

8.1 Right of Access (Article 15)

You can request a copy of the personal data we hold about you.

8.2 Right to Rectification (Article 16)

You can correct inaccurate or incomplete personal data through your account settings or by contacting us.

8.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You can request deletion of your personal data. You can delete your account directly in the app or email privacy@mindstash.app.

8.4 Right to Data Portability (Article 20)

You can request your data in a machine-readable format (JSON/CSV) to transfer to another service. Use the data export feature in the app or contact us.

8.5 Right to Restrict Processing (Article 18)

You can request temporary restriction of data processing in certain circumstances.

8.6 Right to Object (Article 21)

You can object to processing based on legitimate interests, including for direct marketing purposes.

8.7 Rights Related to Automated Decision-Making (Article 22)

MindStash uses AI to provide personalized suggestions, but these do not constitute automated decision-making with legal or significant effects. You remain in control of your content and how you use AI suggestions.

8.8 How to Exercise Your Rights

In-App:

  • Account settings: Edit profile information
  • Data export: Download all your data
  • Account deletion: Permanently delete your account

By Email:

  • Send requests to: privacy@mindstash.app
  • We will respond within 30 days
  • We may require identity verification

8.9 Right to Lodge a Complaint

If you believe we have violated your privacy rights, you can lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens):

Autoriteit Persoonsgegevens
Postbus 93374
2509 AJ Den Haag, the Netherlands
Website: autoriteitpersoonsgegevens.nl

9. Data Retention

9.1 Active Accounts

We retain your personal data for as long as your account is active and as necessary to provide you with the Service.

9.2 Account Deletion

When you delete your account:

  • Your personal data and content are permanently deleted within 30 days
  • Anonymized analytics data (not linked to you) may be retained
  • We may retain certain data longer if required by law or for legitimate purposes (e.g., fraud prevention, legal disputes)

9.3 Backup Systems

Data in backup systems may take up to 90 days to be fully purged after account deletion.

9.4 Legal Retention

We may retain minimal data if required by law (e.g., financial records for tax purposes, data related to legal claims).

10. Cookies and Tracking Technologies

10.1 What We Use

Essential Cookies:

  • Authentication and session management
  • Security features
  • Core app functionality

Analytics Cookies:

  • Google Analytics (anonymized)
  • Firebase Analytics (anonymized)
  • Usage patterns and performance monitoring

Third-Party Cookies:

  • Authentication providers (Apple, Google)
  • May set their own cookies subject to their privacy policies

10.2 Your Choices

Browser Settings:

You can control cookies through your browser settings, though this may affect app functionality.

Opt-Out:

For analytics, you can opt-out through:

11. Children's Privacy

11.1 Age Requirement

MindStash is not intended for children under 16 years of age. We do not knowingly collect personal data from anyone under 16.

Users must be at least 16 years old to create an account, in compliance with GDPR Article 8 and Dutch law.

11.2 Parental Notice

If we become aware that we have collected personal data from a child under 16 without proper consent, we will delete that information promptly. If you believe we have collected data from a child under 16, please contact us at privacy@mindstash.app.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

Notification of Changes:

  • We will notify you of material changes via email or in-app notification
  • The "Last Updated" date at the top will be revised
  • Continued use after changes constitutes acceptance

Your Rights:

If you do not agree with changes, you may delete your account before the changes take effect.

13. Data Protection Officer

For privacy-related questions or concerns, contact:

Email: privacy@mindstash.app

Contact Person: Cosimo Radler

Address:
Mindstash B.V.
Science Park 608
1098 XH Amsterdam, the Netherlands

14. Additional Information

14.1 Business Transfers

If MindStash is involved in a merger, acquisition, or sale of assets, your personal data may be transferred. We will notify you and ensure the new entity complies with this Privacy Policy or obtain your consent.

14.2 Legal Disclosure

We may disclose your data if required by law, court order, or governmental authority, or to protect our rights, safety, or property.

14.3 No Sale of Personal Data

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

15. Contact Us

For any questions about this Privacy Policy or our data practices:

Email: privacy@mindstash.app

Mail:
Mindstash B.V.
Science Park 608
1098 XH Amsterdam, the Netherlands

By using MindStash, you acknowledge that you have read and understood this Privacy Policy.

← Back to home