Privacy Policy – MindBright
As of: February 2026
Note on this translation
This English version is provided for convenience only. In case of discrepancies, the German version shall prevail.
1. Privacy at a glance
General information
The following notes provide a simple overview of what happens to your personal data when you visit or use our web app "MindBright". Personal data is any data that can be used to identify you personally.
Data collection in our app
Who is responsible for data collection? Data processing is carried out by the app operator (Controller).
IT Quadrat Informationsmanagement
Maik Ludewig
Amberbaumallee 49
14089 Berlin
Germany
Email: info@it-quadrat.de
A data protection officer has not been appointed, as there is no legal obligation to do so.
How do we collect your data? Your data is collected in two ways: firstly, data you provide to us directly (e.g. during registration: email address, password; during onboarding: first name; or when creating personal entries). Secondly, data is recorded automatically by our IT systems when you use the app (e.g. technical data such as browser, operating system, IP address, login status).
What do we use your data for? Some data is collected to ensure the error-free provision of the app (hosting, database, security). Other data is used to provide you with the app's features (storing your entries, AI feedback, personalisation of communication) and — with your consent — for information by email.
2. Hosting and infrastructure (data processing agreement)
We use external service providers to operate the app. We conclude the necessary data processing agreements (DPA) with service providers who process personal data on our behalf. This ensures that data is only processed according to our instructions and in compliance with the GDPR.
Hosting with Replit
We use the Replit Inc. (USA) platform as the technical runtime environment for our application. Data: Replit processes technical metadata, log files and temporary data to run the app's code. The permanent storage of your user data (journal entries) takes place separately in our database (see Google Firebase). Third-country transfer: Processing may take place in the USA. Replit relies on the Standard Contractual Clauses (SCC) of the EU Commission for this. Legal basis: Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (security and efficiency).
Google Firebase (Database, Authentication, Hosting)
We use Google Firebase (Google Ireland Limited, Ireland) as backend infrastructure. Data & purpose:
- Authentication: Management of your login (email, hashed password).
- Firestore Database: Encrypted storage of your user data, settings and personal entries.
- Hosting: Delivery of website data.
- Cloud Functions: Technical sending of system emails (e.g. verification).
Third-country transfer: Google may transfer data to servers in the USA. This is safeguarded by Standard Contractual Clauses (SCC).
3. Your rights (data subject rights)
You have the following rights with regard to your personal data at any time:
- Right of access (Art. 15 GDPR): You can request information about the data we have stored about you at any time.
- Right to rectification (Art. 16 GDPR): You can request the correction of incorrect data.
- Right to erasure (Art. 17 GDPR): You can delete your account and all data at any time directly in the profile settings of the app or by contacting us.
- Right to restriction of processing (Art. 18 GDPR).
- Right to data portability (Art. 20 GDPR): You have the right to receive data that we process automatically and to have it transferred to you or a third party.
- Right to withdraw consent (Art. 7(3) GDPR): You can withdraw any consent you have given at any time.
- Right to object (Art. 21 GDPR): You have the right to object to the processing of your data (in particular logs for security purposes) insofar as this is carried out on the basis of Art. 6(1)(f) GDPR.
- Right to lodge a complaint with a supervisory authority.
4. Data collection when using the app
Registration and login
To use MindBright, you need to register. The data entered during registration (email address, password) is used exclusively to provide the service. Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
Social Login: If you sign in via Google or Apple, we receive authentication data from these providers (e.g. an ID, email address, and possibly your name). This data is stored to create your account.
Personalisation (first name / nickname)
You can voluntarily provide a first name or nickname. Purpose: Personal form of address within the app. Legal basis: Art. 6(1)(a) GDPR (Consent). You can change or delete the name at any time.
Personal entries and sensitive data (Art. 9 GDPR)
The core function of the app is writing journal entries. You are entirely free to enter information that falls under "special categories of personal data" (e.g. health data, political opinions, etc.). Voluntariness: Entering such sensitive data is not required to use the app (you can also write about neutral topics). Legal basis: If you enter and save such data, we process it exclusively to provide you with the app's features (storage, display, AI feedback). By entering it voluntarily, you consent to processing for this purpose (Art. 9(2)(a) GDPR). Confidentiality: We do not manually access this content during regular operation.
Log files and cookies
The app uses technically necessary cookies or the local storage of your browser to save your login status. We do not use tracking or advertising cookies. Logs: Our servers automatically collect information in log files (e.g. IP address, browser, timestamp). Purpose: Detection and prevention of misuse and error analysis. Retention period: Logs are stored for a maximum of 14 days and then deleted. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in security).
5. Use of Artificial Intelligence (AI)
We use artificial intelligence to generate feedback and analyses for your entries. Provider: We use the API services of OpenAI Ireland Limited (Dublin, Ireland). Data transmission: When you request feedback, the text of your entry is transmitted to OpenAI. Purpose: Generation of the response/reflection. Privacy & training: Use is based on OpenAI's business terms of service. According to the provider, data submitted via the API ("Customer Content") is not used for training by default. Third-country transfer: Transfer to the parent company OpenAI, LLC in the USA is possible and is safeguarded by Standard Contractual Clauses.
6. Newsletter and marketing emails
Distinction
We distinguish between system emails (necessary for the app, e.g. password reset) and marketing emails (tips, updates).
Marketing data & Brevo
If you subscribe to the newsletter/updates ("opt-in"), we use your email address and first name for sending. Service provider: Sending is handled via Brevo (Sendinblue GmbH, Berlin, Germany). Your data is stored on servers in Germany. Legal basis: Art. 6(1)(a) GDPR (Consent). Data transfer: Contact data is only transferred to Brevo when sending is active and an opt-in exists. As long as no sending takes place, the data remains exclusively in our system. Withdrawal: You can withdraw your consent at any time in the account settings ("Email Updates") or via the unsubscribe link in any email.
7. Retention periods
We store your data only for as long as necessary for the purposes described:
- Account data & entries: Until deletion of your account by you (in settings) or by us.
- System logs: Max. 14 days.
- Consent records: Retained for evidence purposes (Art. 7(1) GDPR) until expiry of limitation periods (typically 3 years).
