Privacy Policy | MindLoad

Privacy Policy for MindLoad

Last Updated: April 23, 2026
Effective Date: April 23, 2026

Developer: MindLoad AI
Contact: [email protected]
Support: [email protected]
Privacy: [email protected]
Website: https://mindload.app

1. Introduction

MindLoad ("we," "our," or "us") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application MindLoad (the "App") and our website at https://mindload.app.

By using MindLoad, you agree to the collection and use of information in accordance with this policy. If you do not agree with this Privacy Policy, please discontinue use of the App and website.

2. Information We Collect

2.1 Personal Information

When you create an account or use authentication services, we collect:

Email address (for account identification and communication)
Display name (optional nickname or name from social providers)
Authentication credentials (encrypted password or OAuth tokens)
Profile information (display name, profile picture if provided by social login)
Apple ID (when using Sign in with Apple - may be anonymized email)

2.2 Study and Learning Data

To provide our AI-powered study features, we collect:

Study sets (flashcards, quiz questions, and your answers)
Uploaded content (PDFs, text files, images of study materials)
Study session data (time spent studying, cards reviewed, quiz scores)
Achievement progress (milestones reached, streaks maintained)
Learning preferences (study modes, notification settings)
NeuroGraph data (focus patterns, performance metrics - stored locally)

2.3 Token and Purchase Information

For our token-based system:

Token balance (current tokens, transaction history)
Purchase receipts (via Apple App Store or Google Play)
Transaction IDs (for fraud prevention and support)
Refund history (if applicable)

Important: We do NOT store credit card information. All payment processing is handled securely by Apple and Google.

2.4 Usage and Analytics Data

We automatically collect:

Device information (device model, OS version, device ID)
App usage patterns (features used, session duration, navigation paths)
Performance data (crash reports, error logs, loading times)
Network information (IP address, timezone, connection type)
Analytics events (button clicks, feature engagement)

2.5 Notification Data

With your permission:

Push notification token (for Firebase Cloud Messaging)
Notification preferences (types of notifications, frequency)
Notification interaction data (opened, dismissed, interacted)
Promotional consent status (whether you've opted in to marketing messages)

2.6 Location Data

We do NOT collect precise location data. We only collect:

Timezone (for scheduling notifications at appropriate times)
General region (from App Store/Play Store for regional analytics)

3. How We Use Your Information

3.1 Primary Service Delivery

Provide AI-powered flashcard and quiz generation
Store and sync your study materials across devices
Track your learning progress and achievements
Process token purchases and manage your account balance
Deliver personalized study recommendations

3.2 Communication

Send essential service notifications (account changes, system updates)
Deliver study reminders (with your permission)
Send achievement notifications
Provide customer support responses
Send promotional messages (ONLY if you opt-in)

3.3 Product Improvement

Analyze usage patterns to improve app features
Debug crashes and technical issues
Conduct A/B testing for feature optimization
Improve our services using aggregated or de-identified data where possible; use of study materials with third-party AI (e.g. Google Gemini) and any improvement of on-device or first-party features is further described in our AI Disclosure Policy
Generate anonymized statistics for research

3.4 Security and Fraud Prevention

Detect and prevent fraudulent purchases
Monitor for abuse of token system
Identify and block malicious activity
Protect against security threats
Comply with legal obligations

4. Legal Bases for Processing (GDPR)

For users in the European Economic Area (EEA), UK, and Switzerland, we process your data based on:

Contract Performance: To provide MindLoad services you've agreed to use
Legitimate Interests: To improve our app, prevent fraud, and ensure security
Consent: For optional features like promotional notifications and analytics
Legal Obligation: To comply with applicable laws and regulations

5. Data Storage and Security

5.1 Where Your Data is Stored

We use Google Firebase (Google Cloud Platform) for data storage:

Firebase Authentication: Login credentials and user profiles
Cloud Firestore: Study sets, progress, preferences
Cloud Storage: Uploaded PDFs and images
Firebase Analytics: Anonymized usage data
Firebase Cloud Messaging: Push notification delivery
Cloud Functions: Server-side processing (token management, AI generation)

Data Location: Firebase services are hosted primarily in the United States, with global distribution. Your data may be transferred to and stored on servers in different countries.

5.2 Local Storage

Some data is stored locally on your device:

SQLite database: Study materials, NeuroGraph data, performance metrics
Cached content: Downloaded images, PDFs for offline access
Preferences: App settings, theme preferences

5.3 Security Measures

We implement industry-standard security practices:

Encryption in Transit: All data transmitted over HTTPS/TLS 1.3
Encryption at Rest: Firebase automatically encrypts all stored data
Secure Authentication: OAuth 2.0, Sign in with Apple, password hashing
Access Controls: Role-based access, principle of least privilege
Security Audits: Regular vulnerability assessments
Secure APIs: Firebase App Check to prevent unauthorized access
Token Security: Cryptographic nonces, secure random generation

However, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

5.4 Data Retention

We retain your data only as long as necessary to provide services and comply with legal obligations. See our complete Data Retention Policy for details.

Summary:

Active accounts: Data retained indefinitely while your account is active
Inactive accounts: Deleted after 24 months of inactivity (with 30-day advance notice via email)
Deleted accounts (user-initiated): Immediate deletion from the app and production systems; no recovery period
Study materials: Retained until you manually delete them
Analytics data: Anonymized and aggregated after 26 months
Transaction records: 7 years (tax and legal compliance)
Backups: Retained for 90 days for disaster recovery, then permanently deleted
Legal holds: Data may be retained longer if required by law or litigation

Deletion schedule (user-initiated):

Immediately: Your account is disabled, you are signed out, and study data is removed from active systems (in-app: Settings → Privacy & Security → Delete Account).
Within 30 days: Remaining personal data purged from production databases where deletion is asynchronous.
Up to 90 days: Encrypted backups may retain fragments until automated purge — we do not restore deleted accounts or study data from backups for routine requests.

6. Data Sharing and Disclosure

6.1 We Do NOT Sell Your Data

We never sell, rent, or trade your personal information to third parties for marketing purposes.

6.2 Service Providers

We share data with trusted service providers who help us operate MindLoad:

Google Firebase (Google LLC)

Services: Authentication, database, storage, analytics, cloud functions
Data Shared: All user data (as necessary for service provision)
Privacy Policy: https://firebase.google.com/support/privacy
Compliance: GDPR-compliant Data Processing Agreement in place

AI Services (for Content Generation)

Services: AI-powered flashcard, quiz, summary, and study-plan generation (via cloud AI providers and on-device processing as applicable)
Data Shared: The text or files you ask us to process, plus any technical context needed to run the request (see AI Disclosure Policy)
Privacy: Cloud providers process this content to return results; retention, logging, and their use of data are subject to the provider's current terms and our integration settings, as described in the AI Disclosure Policy
Purpose: Generate and refine study materials based on your content

Apple / Google (Payment Processing)

Services: In-app purchase processing
Data Shared: Transaction data, purchase receipts
Privacy: Subject to Apple/Google privacy policies
Purpose: Process token purchases

Cloud Infrastructure Providers

Services: Hosting, CDN, backups
Data Shared: Encrypted data backups
Purpose: Ensure service reliability and disaster recovery

6.3 Legal Requirements

We may disclose your information if required by law or in response to:

Court orders, subpoenas, or legal process
Government or regulatory requests
Investigations of fraud, security, or illegal activity
Protection of our rights, property, or safety
Protection of users or the public

6.4 Business Transfers

If MindLoad is acquired, merged, or undergoes reorganization, your data may be transferred to the new entity. We will notify you before your information becomes subject to a different privacy policy.

6.5 Aggregated Data

We may share anonymized, aggregated statistics that cannot identify you:

"80% of users complete flashcards within 7 days"
"Average study session is 15 minutes"
"Most popular study feature is Quiz Mode"

7. Your Privacy Rights

7.1 Access and Portability

Right to Access: Request a copy of your personal data
Right to Portability: Export your study sets in JSON format

How to exercise:

In-app: Settings → Privacy & Security → Export My Data
Email: [email protected]

Response time: Within 30 days

7.2 Correction and Update

Right to Rectification: Update inaccurate or incomplete information

How to exercise:

In-app: Edit your profile, preferences, or study materials
Email: [email protected]

7.3 Deletion and Erasure

Right to be Forgotten: Delete your account and all associated data

How to exercise:

In-app: Settings → Privacy & Security → Delete Account
Email: [email protected] (include your registered email)

What gets deleted:

User profile and authentication data
All study sets, flashcards, and quiz results
Token balance and purchase history
Preferences and settings
Analytics data (anonymized within 30 days)

What cannot be deleted:

Aggregated, anonymized statistics
Data required for legal compliance (e.g., transaction records for tax purposes)
Backup copies (deleted after 90 days)

Timeline: Account access ends immediately; remaining copies in production systems are removed as soon as practicable (typically within 30 days; backups up to 90 days). There is no undo or recovery period after you confirm deletion.

7.4 Objection and Restriction

Right to Object: Opt out of non-essential data processing
Right to Restrict: Limit how we use your data

How to exercise:

In-app: Settings → Privacy & Security → Data Processing Options
Email: [email protected]

7.5 Withdraw Consent

Right to Withdraw Consent: Revoke permissions at any time

For analytics and crash reports:

In-app: Settings → Privacy & Security → Usage Analytics or Crash Reports → OFF

For promotional notifications:

In-app: Settings → Notifications → Promotional Messages → OFF

7.6 Automated Decision-Making

We do NOT use automated decision-making that significantly affects you. Our AI features (flashcard generation, study recommendations) are tools to enhance your learning, not to make consequential decisions about you.

7.7 Lodge a Complaint

If you're in the EEA, UK, or Switzerland, you have the right to lodge a complaint with your local data protection authority:

EU: https://edpb.europa.eu/about-edpb/about-edpb/members_en
UK: Information Commissioner's Office (ICO) - https://ico.org.uk
Switzerland: Federal Data Protection and Information Commissioner (FDPIC)

8. Special Provisions for California Residents (CCPA)

Under the California Consumer Privacy Act (CCPA), California residents have additional rights:

8.1 Categories of Personal Information We Collect

Identifiers: Email, username, device ID
Commercial Information: Purchase history, token transactions
Internet Activity: App usage, browsing within the app
Geolocation Data: Timezone (not precise location)
Sensory Data: Uploaded images, PDFs (study materials)
Inferences: Study patterns, preferences

8.2 CCPA Rights

Right to Know: What personal information we collect, use, disclose, or sell
Right to Delete: Request deletion of your personal information
Right to Opt-Out: We do NOT sell personal information (opt-out not applicable)
Right to Non-Discrimination: We will not discriminate against you for exercising your rights

8.3 Exercising CCPA Rights

Email: [email protected]
Subject: "CCPA Request: [Access/Delete]"
Include: Your registered email, description of request

Verification: We'll verify your identity before fulfilling requests (may ask security questions)
Response Time: Within 45 days (may extend by 45 days if needed)

8.4 Do Not Sell

We do NOT sell your personal information. We have not sold personal information in the past 12 months.

8A. Additional State Privacy Rights (2025)

As of 2025, residents of additional U.S. states have privacy rights similar to California. This section applies to residents of:

Delaware (effective January 1, 2025)
Iowa (effective January 1, 2025)
Nebraska (effective January 1, 2025)
New Hampshire (effective January 1, 2025)
New Jersey (effective January 15, 2025)
Tennessee (effective July 1, 2025)
Minnesota (effective July 31, 2025)
Maryland (effective October 1, 2025)

8A.1 Your Rights Under State Privacy Laws

Depending on your state, you may have the right to:

Access: Request a copy of personal data we have collected about you
Delete: Request deletion of your personal data
Correct: Request correction of inaccurate personal data
Portability: Receive your data in a portable format
Opt-Out: Opt out of targeted advertising, sale of personal data, and profiling
Non-Discrimination: Not be discriminated against for exercising your rights

8A.2 Universal Opt-Out Mechanisms (UOOM)

We recognize and honor Global Privacy Control (GPC) signals on mindload.app and other MindLoad web properties. The MindLoad mobile app provides equivalent controls in Settings → Privacy & Security (Usage Analytics and Crash Reports).

8A.3 Sensitive Data

Under several state laws, "sensitive data" includes:

Precise geolocation data
Racial or ethnic origin
Religious beliefs
Health information
Biometric data
Data concerning sexual orientation
Data from children under 13

MindLoad does NOT intentionally collect sensitive data. If you upload documents containing sensitive information, you do so at your own risk.

8A.4 How to Exercise State Privacy Rights

Email: [email protected]
Subject: "[State Name] Privacy Request: [Access/Delete/Correct/Opt-Out]"
Include: Your registered email, state of residence, specific request

Response Time: Within 45 days (may extend as permitted by your state's law)

9. Children's Privacy (COPPA/GDPR)

MindLoad is intended for users aged 13 and older (16+ in the EEA).

We do NOT knowingly collect information from children under 13 (or 16 in EEA).

If you believe a child under the minimum age has provided us with personal information:

Email: [email protected]
Subject: "Child Privacy Concern"
We will: Immediately investigate and delete the account and all associated data

Parental Rights: Parents or guardians may request access to or deletion of their child's data.

10. International Data Transfers

MindLoad is operated from the United States. If you access the App from outside the U.S., your data will be transferred to, stored, and processed in the United States and other countries where our service providers operate.

10.1 EU-US Data Transfers

For users in the EEA, UK, and Switzerland, we rely on:

Standard Contractual Clauses (SCCs): Approved by the European Commission
Google's Data Processing Terms: Google Firebase complies with GDPR requirements
Adequacy Decisions: Where applicable (e.g., UK-EU data flows)

10.2 Your Rights

You have the right to obtain information about the safeguards we use for international transfers. Contact [email protected] for details.

11. Cookies and Tracking Technologies

11.1 Technologies We Use

We do NOT use traditional web cookies, as MindLoad is a native mobile app. However, we use:

Device and app identifiers: Firebase app instance IDs and similar technical identifiers (we do not collect IDFA or the Android Advertising ID for ads)
Firebase Analytics SDK: Anonymous event tracking when you leave Usage Analytics enabled
Firebase Crashlytics: Anonymous crash and error reports when you leave Crash Reports enabled
Local Storage: SQLite database, SharedPreferences, UserDefaults (App); essential session cookies on the website where applicable
Session Tokens: Encrypted authentication tokens (stored securely)

11.2 Third-Party Analytics

Google Analytics (for Firebase): Anonymized usage tracking. Google's privacy policy applies.
Apple App Analytics: If you've enabled "Share with App Developers" in iOS settings

11.3 Opt-Out

Website (GPC): We honor Global Privacy Control signals on mindload.app and other MindLoad web properties
Firebase Analytics: Settings → Privacy & Security → Usage Analytics → OFF
Crash reports: Settings → Privacy & Security → Crash Reports → OFF
Apple Analytics: iOS Settings → Privacy → Analytics & Improvements → Share with App Developers → OFF

12. Third-Party Links and Services

MindLoad may contain links to third-party websites or services (e.g., YouTube videos, external resources). We are NOT responsible for the privacy practices of these third parties.

Recommendation: Review the privacy policies of any third-party sites you visit.

13. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or service improvements.

13.1 Notification of Changes

Material Changes: We will notify you via:

In-app notification (pop-up or banner)
Email (to your registered email address)
Push notification (if enabled)

Minor Changes: Updated "Last Updated" date at the top of this policy

13.2 Continued Use

Continued use of MindLoad after changes take effect constitutes your acceptance of the updated Privacy Policy. If you disagree, please discontinue use and delete your account.

13.3 Policy Version History

v1.4 (April 23, 2026): Analytics/crash-report opt-out controls, Gemini/AI disclosure alignment, removed IDFA claims, GPC scoped to web with in-app equivalents, contact email standardization
v1.3 (January 28, 2026): California SB 446 breach notification compliance, 2026 state age verification laws, standardized contact email
v1.2 (December 7, 2025): Added 2025 state privacy laws (8 new states), UOOM/GPC support, enhanced AI disclosures
v1.1 (December 7, 2024): Enhanced breach notification, data retention details, contact information
v1.0 (October 30, 2024): Initial comprehensive privacy policy

14. Data Breach Notification

We take data security seriously and have implemented comprehensive measures to protect your information. However, in the unlikely event of a data breach that affects your personal information, we will:

14.1 Our Response Timeline

For all users:

Immediate action: Contain and remediate the breach
Within 72 hours of discovery: Notify relevant data protection authorities (GDPR requirement)
Within 7 days: Provide follow-up information and guidance

For California residents (SB 446, effective January 1, 2026):

Within 30 calendar days: Notify affected California residents of the breach
Within 15 days of consumer notification: Submit sample notification to California Attorney General (if 500+ residents affected)

For EU/EEA/UK residents (GDPR):

Within 72 hours: Notify affected users and supervisory authorities

For all other jurisdictions:

We will notify affected users in the most expedient time possible and without unreasonable delay, as required by applicable state and federal laws

14.2 What We'll Tell You

Our breach notification will include:

Nature of the breach: What happened and how it occurred
Data affected: What types of personal information were compromised
Timing: When the breach occurred and when we discovered it
Number of affected users: Approximate scale of the incident
Potential consequences: What risks you may face
Our response: Steps we've taken to address the breach
Your next steps: Recommendations to protect yourself (e.g., change password, monitor accounts)
Contact information: How to reach us with questions

14.3 Notification Methods

Depending on the severity and nature of the breach:

Email: To your registered email address (primary method)
In-app notification: Prominent alert when you open the app
Push notification: If the breach is severe and requires immediate action
Website notice: Posted on https://mindload.app/security
Media announcement: For large-scale breaches affecting many users

14.4 Types of Breaches

High-Risk Breaches (immediate notification):

Exposure of passwords or authentication credentials
Financial information compromise
Identity theft risk
Sensitive personal information exposure

Low-Risk Breaches (notification within 72 hours):

Limited metadata exposure
Non-sensitive information
Minimal user impact

14.5 Your Rights After a Breach

If your data is compromised, you have the right to:

Full disclosure: Complete information about what was affected
Free credit monitoring: If financial data was exposed (where applicable)
Account remediation: Assistance securing your account
Complaint: Lodge a complaint with data protection authorities
Compensation: As required by applicable law

14.6 Our Breach Response Plan

We maintain an internal data breach response plan that includes:

Incident detection and assessment procedures
Containment and remediation protocols
User and regulatory notification workflows
Post-incident analysis and improvements
Third-party coordination (if service providers are affected)

For questions about our breach response procedures, contact: [email protected]

15. Contact Us

15.1 General Privacy Inquiries

Email: [email protected]
Website: https://mindload.app/privacy
Response Time: Within 3-5 business days

15.2 Data Protection Officer (DPO)

For GDPR-related inquiries:

Email: [email protected]
Privacy team: [email protected]

15.3 Support Team

For account or technical support:

Email: [email protected]
In-App: Settings → Help & Support → Contact Us

16. Acknowledgment and Consent

By creating an account and using MindLoad, you acknowledge that you have read, understood, and agree to this Privacy Policy.

For optional features requiring explicit consent:

Promotional notifications: Opt-in via Settings → Notifications → Promotional Messages
Analytics: Settings → Privacy & Security → Usage Analytics (on by default; turn off anytime)
Crash reports: Settings → Privacy & Security → Crash Reports (on by default; turn off anytime)

You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

Privacy Policy Version: 1.3
Last Reviewed: April 23, 2026
Next Review Date: April 23, 2027

2026 Compliance Updates:

Updated California data breach notification timeline per SB 446 (30-day requirement effective January 1, 2026)
Standardized contact email to [email protected]
Added Texas, Utah, and Louisiana age verification compliance
Enhanced EU AI Act transparency disclosures

2025 Compliance Updates:

Added 8 new state privacy law provisions (Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland)
Added Universal Opt-Out Mechanism (UOOM) / Global Privacy Control recognition
Enhanced sensitive data definitions per 2025 state laws
Updated AI disclosure requirements
Added data minimization principles