Privacy Policy

1. Introduction

Welcome to MindTape (the "App"), an iOS voice journaling application powered by AI. The App is operated by Mind Start Technologies L.L.C, a limited liability company registered in Dubai, United Arab Emirates (full provider details in Section 12). We are committed to protecting your privacy and ensuring you have a positive experience on our App. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your personal data.

This Privacy Policy applies to all users of the MindTape App, including those using free and paid (Pro) versions. By using the App, you acknowledge that you have read and understood this policy.

2. Information We Collect

We collect various types of information to provide and improve the MindTape App:

How We Collect This Information

• Directly from you: When you create an account, record a voice note, or adjust settings
• From your device: Timezone, locale, and device identifiers through iOS APIs
• Automatically: When you interact with the App (usage analytics, crash logs)
• From third parties: Apple (via Sign In and In-App Purchase), Stripe (website payment & subscription status), OpenAI (API integration)

3. How We Use Your Information

We use the information we collect for the following purposes:

• Service Delivery: To provide the core functionality of MindTape (recording, transcription, AI insights)
• Account Management: To create and manage your account, process subscriptions, and handle authentication
• AI Processing: To generate transcriptions and AI-powered insights based on your voice entries
• Push Notifications: To send reminders, insights, and subscription-related notifications
• Security & Fraud Prevention: To detect unauthorized access, prevent abuse, and protect against threats
• Legal Compliance: To comply with applicable laws, regulations, and law enforcement requests
• Product Improvement: To analyze usage patterns, fix bugs, and improve App performance and features
• Customer Support: To respond to your inquiries and resolve issues

4. AI Processing & OpenAI Disclosure

4.1 What Data Is Sent to OpenAI

To deliver the AI features of the App, we send the following content to OpenAI over secure, encrypted connections:

• Voice recordings — your original audio files are sent to the Whisper API for speech-to-text transcription.
• Transcripts — the resulting text from your voice entries is sent to GPT language models to generate daily insights, weekly deep-dives, and monthly overviews.
• Previously generated AI summaries — when producing higher-level insights (e.g., weekly analysis from daily entries, or monthly overview from weekly insights), earlier AI outputs are sent back to GPT as context.

We do not send your Apple ID, email address, payment information, IP address, or device identifiers to OpenAI. Your content is associated with OpenAI requests only through our internal API key — OpenAI does not receive your MindTape account identity.

4.2 No Model Training on Your Data

OpenAI does not use data submitted through its API to train or improve its models. This has been OpenAI's default policy for all API customers since March 1, 2023 — no separate opt-out or contractual amendment is required.

This means your voice recordings, transcripts, and AI-generated insights are never used to improve GPT, Whisper, or any other OpenAI model. For full details, see OpenAI's commitment at OpenAI Enterprise Privacy and the API Data Usage Policies.

4.3 30-Day Retention for Abuse Monitoring

OpenAI retains API request and response data (including voice recordings, transcripts, and AI outputs) for a maximum of 30 days, solely for the purpose of:

• Detecting and investigating violations of OpenAI's Usage Policies (e.g., illegal content, abuse of the service)
• Ensuring service reliability and safety

During this 30-day window:

• Data is stored on OpenAI's servers in the United States under their security controls
• Access is restricted to a limited number of authorized OpenAI personnel (e.g., their Trust & Safety team) and only when specifically required to investigate a suspected policy violation
• Data is not accessed for any other purpose — not for marketing, not for analytics, not for model training

After 30 days, OpenAI automatically and permanently deletes this data from their systems. MindTape has no ability to extend, bypass, or shorten this window (unless a customer is on OpenAI's Zero Data Retention tier, which MindTape is not).

4.4 OpenAI as a Sub-Processor

For the purposes of the EU General Data Protection Regulation (GDPR) and similar privacy laws, OpenAI acts as our sub-processor: they process your personal data on our behalf, under our instructions, and under the terms of OpenAI's Data Processing Addendum.

We maintain a contractual relationship with OpenAI that includes GDPR-compliant data protection obligations, including use of EU Standard Contractual Clauses (SCCs) for international transfers.

4.5 Security Safeguards

• Encryption in transit: All data sent to OpenAI travels over TLS 1.2+ encrypted connections.
• Encryption at rest on our side: Before and after processing, your content is stored on our servers with AES-256 per-user envelope encryption (see Section 6).
• OpenAI's security posture: OpenAI maintains SOC 2 Type 2 compliance and a public security program. See OpenAI Trust Portal.
• Least privilege: Only the specific API requests required to generate a transcription or insight are sent to OpenAI — we do not forward your entire journal history.

4.6 International Data Transfer

OpenAI processes API requests on infrastructure located in the United States. By using MindTape, you acknowledge that your voice recordings and transcripts will be transferred to, stored temporarily on (up to 30 days, per Section 4.3), and processed on servers in the United States.

For users in the European Union, European Economic Area, United Kingdom, or Switzerland, this international transfer is conducted under appropriate legal safeguards, including EU Standard Contractual Clauses (SCCs) executed with OpenAI.

4.7 Your Consent and How to Withdraw It

By creating an account and using MindTape, you explicitly consent to:

• The transmission of your voice recordings and transcripts to OpenAI as described above
• OpenAI's temporary (up to 30 days) retention of that data for abuse monitoring
• The international transfer of your data to the United States

This AI processing is essential to the core functionality of MindTape — without it, the App cannot provide transcription or insights. If you do not consent, please do not use the App.

You may withdraw your consent at any time by deleting your account through the App or by contacting us at privacy@mindtape.app. Once deleted, we will remove your content from our servers as described in Section 7. However, any content already submitted to OpenAI during the 30-day retention window will remain with OpenAI until their automatic deletion cycle completes.

5. Data Sharing & Third Parties

We share your information only with carefully selected third parties, and only as necessary to provide the App:

Third-Party Service Providers

• OpenAI (Whisper & GPT APIs): Voice transcription and AI insight generation. Data retained for 30 days.
• Apple (Sign In, In-App Purchase, Push Notifications): Account authentication, subscription processing, and push notification delivery
• Stripe (Payments): Processes subscription payments made on our website. Card details are handled directly by Stripe under PCI-DSS standards — we never receive or store your full card number. Stripe may process data in the United States under EU Standard Contractual Clauses. See Stripe's Privacy Policy.
• Cloudflare (R2 Storage & CDN): Secure storage of audio files and content delivery
• Sentry (Error Tracking, optional): Crash reports and performance diagnostics. You can opt out in App settings.
• Firebase Analytics (provided by Google LLC): Aggregated app usage analytics to understand onboarding flow, feature engagement, and overall App performance. Data includes events triggered (e.g., screens viewed, paywall interactions), device type, app version, OS version, and approximate location (country-level, derived from IP address). Firebase Analytics does not collect IDFA (Identifier for Advertisers) — we have not enabled IDFA collection. Voice recordings, transcripts, and AI insights are never sent to Firebase Analytics. Data is processed on Google's infrastructure in the United States. For more details, see Firebase Privacy Information and Google Privacy Policy.

Legal Obligations

We may disclose your information if required by law, court order, or valid government request. We will notify you of such requests unless legally prohibited.

Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of such changes.

Aggregated, Anonymized Data

We may use aggregated, anonymized usage statistics (such as feature popularity, error rates, or general retention metrics) internally to improve the App. This aggregated data cannot identify you and is not shared with third parties for marketing, advertising, or research purposes.

6. Data Security & Encryption

We implement industry-leading security measures to protect your information:

Encryption at Rest

• Voice Recordings: Encrypted using AES-256 per-user envelope encryption (DEK + KEK via KMS). Each recording is encrypted with a unique key.
• Transcripts & Insights: Encrypted at rest in Postgres database using per-user keys
• S3/R2 Storage: All files encrypted with SSE-KMS (server-side encryption with AWS Key Management Service)

Encryption in Transit

• All data transmitted between your device and our servers uses TLS 1.3 encryption
• API calls to OpenAI are conducted over secure, encrypted connections

Key Management

• Encryption keys are versioned and rotated regularly
• Only authorized services can decrypt your data
• Keys are stored in secure key management systems, not in the application code

Access Controls

• Your data is only accessible to authorized personnel for support and maintenance
• All access is logged and monitored for suspicious activity
• You authenticate via Apple Sign In (no passwords stored by us)

Limitation of Liability

While we implement comprehensive security measures, no system is 100% secure. We cannot guarantee absolute protection against all security threats. We recommend using a strong device passcode and enabling biometric authentication on your iPhone.

7. Data Retention

We retain your information for as long as necessary to provide the App and comply with legal obligations:

• Voice Recordings & Transcripts: Retained while your account is active. Deleted when you delete your account or after 90 days of account inactivity (if detected).
• AI-Generated Insights: Retained while your account is active. Deleted with associated entry data.
• Account Information: Retained while your account is active. Anonymized 1 year after account deletion for legal and tax purposes.
• Audit Logs & IP Addresses: Retained for 1 year for security and fraud prevention.
• Deleted Data: Purged from backups within 90 days of deletion request.
• OpenAI API Data: Automatically deleted by OpenAI within 30 days, per OpenAI's standard API retention policy for abuse monitoring. See Section 4.3 for full details.

If you request account deletion, we will initiate the deletion process within 30 days. Backup copies may persist for up to 90 days for data recovery purposes.

8. Your Rights

Depending on your location, you have rights over your personal data. To exercise any of these rights, contact us at privacy@mindtape.app.

GDPR Rights (European Union)

If you are located in the EU, you have the following rights under the General Data Protection Regulation (GDPR):

• Right to Access: You can request a copy of all personal data we hold about you.
• Right to Rectification: You can correct inaccurate or incomplete information.
• Right to Erasure ("Right to be Forgotten"): You can request deletion of your data, subject to certain legal exceptions.
• Right to Restrict Processing: You can request that we limit how we use your data.
• Right to Data Portability: You can request your data in a portable format (e.g., JSON).
• Right to Object: You can object to certain processing, including marketing communications.
• Right to Withdraw Consent: You can withdraw consent for AI processing or marketing at any time. Withdraw by contacting us.
• Right to Lodge a Complaint: You can file a complaint with your local data protection authority if you believe we have violated your rights. EU/EEA residents may contact their national DPA.

Legal Basis for Processing (GDPR Article 6):

• Art. 6(1)(a) - Consent: Processing your voice and transcripts for AI insights (you can withdraw anytime)
• Art. 6(1)(b) - Contract Performance: Creating an account, managing subscriptions, providing the App service
• Art. 6(1)(f) - Legitimate Interest: Security, fraud prevention, audit logging, and App improvement

CCPA/CPRA Rights (California)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: You can request to know what personal information we have collected, the source, and our use of it.
• Right to Delete: You can request deletion of personal information we have collected, subject to certain exceptions.
• Right to Correct: You can request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: We do not sell your personal information. We do not share your data for cross-context behavioral advertising.
• Right to Limit Use of Sensitive Information: We use sensitive information (voice, health-related insights) only to provide the service you requested. You can request that we limit use.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.

How to Submit a Request: Email privacy@mindtape.app with "CCPA Request" or "GDPR Request" in the subject line. Include your account email and the specific right you are exercising. We will respond within 30 days (GDPR) or 45 days (CCPA).

Verification: We will verify your identity by confirming your account email and Apple ID before processing your request.

9. International Data Transfers

MindTape operates globally, and your data may be transferred to and processed in countries other than where you reside, including the United States. These countries may not have data protection laws equivalent to those in your jurisdiction.

EU/EEA Users

If you are located in the EU or EEA, we transfer your data based on:

• Standard Contractual Clauses (SCCs): We use EU-approved SCCs with our service providers to ensure appropriate safeguards.
• Your Explicit Consent: By using MindTape and agreeing to this policy, you consent to data transfers for service delivery.

For more information on our data transfer mechanisms, contact privacy@mindtape.app.

10. Children's Privacy

MindTape is not intended for children below the minimum age of digital consent applicable in their country of residence. We do not knowingly collect personal information from users below this age.

Specifically:

• EU/EEA countries: Between 13 and 16 depending on the national implementation of GDPR Article 8.
• United Kingdom: Minimum age 13 (per the ICO Age-Appropriate Design Code).
• United States: Minimum age 13 (per COPPA).
• United Arab Emirates: Parental consent is required for minors under 18 in accordance with the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021).
• Other regions: 13, unless local law sets a higher age.

If we become aware that a user below the applicable minimum age has created an account or provided information, we will delete that account and information promptly. Parents or guardians can contact us at privacy@mindtape.app to review or delete a minor's account.

11. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

• Posting the updated policy on the App with a new "Last Updated" date
• Sending an email notification to the address associated with your account (if available)
• Displaying a prominent notice in the App before the changes take effect

Your continued use of the App after changes become effective constitutes your acceptance of the updated Privacy Policy. We encourage you to review this policy periodically.

12. Legal Information & Contact

This section identifies the operator of the MindTape App and serves as our primary contact information for all privacy, legal, and support inquiries.

Service Provider

Contact

• General inquiries: hello@mindtape.app
• Privacy & data protection: privacy@mindtape.app
• Legal & compliance: legal@mindtape.app
• Support: support@mindtape.app

Response Time: We respond to privacy inquiries within 30 days. Complex requests may require additional time, which we will communicate to you.

Supervisory Authority (EU/EEA)

EU/EEA residents may file complaints with their national data protection authority.

California Privacy Inquiries

For CCPA/CPRA-related questions, submit your request at privacy@mindtape.app with "CCPA Request" in the subject line.

Thank you for trusting MindTape with your thoughts and memories. We're committed to protecting your privacy and keeping your voice journal secure.