Data Protection, Responsibility, and Scope 

‍

We respect the privacy of our customers and other interested parties and comply with applicable laws to protect your privacy. These laws include, in particular, the General Data Protection Regulation of the European Union (“GDPR”).

‍

This Privacy Notice applies to: 

• Mobile application:
  
  • CappyMind - AI-supported journaling

‍

The following categories of data subjects are covered by this data protection notice:

• User of the mobile application

‍

The controller responsible for the processing of your personal data within the scope of this data protection notice is:

‍

Mindvoll GesbR
David Jöch & Daria Travnytska
3830 Waidhofen an der Thaya
Schlossergasse 12
Austria

hello@cappymind.com

‍

In the following, we explain:

• For what purposes personal data is collected and processed.
• Which categories of personal data are affected by the collection and processing.
• On what legal basis we process personal data.
• Which involved third parties, acting as data processors, are engaged in the processing of personal data.
• To which third parties personal data is transmitted.
• Further information, such as data retention periods, the rights of data subjects, and other details that help inform you about the described data processing.

‍

CappyMind mobile application – AI-supported journaling – Purposes for processing personal data

‍

App-Hosting

‍

Data collected and processed: 

• Technical information such as your IP address
• Device information
• User behavior relevant for error analysis.

‍

Legal basis:

• Legitimate interest based on Art. 6 para. 1 lit. f GDPR
• Data Privacy Framework
• Standard Contractual Clauses

‍

Involved data processors:

• Render Services, 525 Brannan Street Ste 300 San Francisco CA 94107, United States

‍

Further information:

• Location of the datacenter where the application is hosted: Germany
• Further information about data processing through render.com is available at the redner.com data processing addendum.

‍

Providing the offered service

‍

Through using our app, the following service is provided:

• AI-supported journaling

‍

Data collected and processed: 

• Information you provide as free text to our AI

‍

Legal basis: 

• (Pre-)Contractual activities based on Art. 6 para. 1 lit. b GDPR
• Data Privacy Framework
• Standard Contractual Clauses

‍

Involved data processors:

• OpenAI Ireland Ltd., 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland

‍

Further information:

• We ask you not to transmit any particularly sensitive categories of personal data when contacting us. These categories include the following data:

• Ethnic origin.
• Political opinions.
• Religious or philosophical beliefs.
• Trade union membership.
• Genetic data.
• Biometric data.
• Health data.

• Data concerning sex life or sexual orientation.

• If we become aware of a transfer of sensitive categories of data, we will arrange for these to be deleted under consideration of reasonable effort.
• Further information about data processing through OpenAI is available at the OpenAI data processing addendum.

‍

Managing a customer relationship database (CRM)

‍

Data collected and processed: 

• Identification data
• Contact data

‍

Legal basis: 

• (Pre-)Contractual activities based on Art. 6 para. 1 lit. b GDPR
• Standard Contractual Clauses

‍

Involved data processors:

• Supabase, Inc., 970 Toa Payoh North #07-04, Singapore

‍

Further information:

• The Supabase Standard Contractual Clauses can be reviewed as part of the Supabase Data Processing Agreement.
• Further information about data processing through Supabase is available at the Supabase Privacy Policy.

Customer registration and login

‍

We are using the services of Supabase to provide you our registration and login service.

‍

In addition to direct registration and login through our app, you can also do this via your Apple or Google account. If you use your Google or Apple account for registration or login, the respective providers are involved in the registration and login process.

‍

Data collected and processed: 

• Identification data
• Contact data
• Authentication data

‍

Legal basis: 

• (Pre-)Contractual activities based on Art. 6 para. 1 lit. b GDPR
• Data Privacy Framework
• Standard Contractual Clauses

‍

Involved data processors:

• Google Irland Limited, Gordon House, Barrow Street, Dublin 4, Irland
• Apple, Inc., One Apple Park Way, MS 169-3 IPL Cupertino, CA 95014 USA.
• Supabase, Inc., 970 Toa Payoh North #07-04, Singapore

‍

Further information:

• If you sign in using your Apple account, Apple itself will not track you or create a profile of you. Apple only collects the information necessary to ensure that you can sign in and manage your account. You can find more information about Apple login here.
• If you log in via your Google account, you will be redirected to Google.  Important: We do not access your Google account data at any point and have no ability to post anything in your Google profile without your separate approval. You can find out how Google handles privacy settings in Google's privacy notice and terms of use; the valid terms for registering with us are also outlined in these documents.

Payment and invoicing

‍

For processing payments, we use the services of:

• Apple (Apple Pay)
• Google (Google Pay)

‍

To process web-payments, we use the service “Paddle”, provided by the US company „Paddle.com, Inc.

‍

To manage your subscriptions, we use the services of „RevenueCat“.

‍

Data collected and processed: 

• Payment data
• Invoice data
• Cookies
• Technical information

‍

Legal basis:  

• Fulfillment of legal obligation based on Art. 6 para. 1 lit. c GDPR
• (Pre-)Contractual activities based on Art. 6 para. 1 lit. b GDPR
• Data Privacy Framework
• Standard Contractual Clauses

‍

Involved data processors:

• Google Irland Limited, Gordon House, Barrow Street, Dublin 4, Irland
• Apple, Inc., One Apple Park Way, MS 169-3 IPL Cupertino, CA 95014 USA
• Paddle Payments Limited, Core B Block 71, the Plaza, Park West, Dublin 12, Ireland
• RevenueCat Inc., 1032 E Brandon Blvd #3003 Brandon, FL 33511, USA

‍

Further information:

• Further information about data processing through Apple services is available at the Apple privacy policy.
• Further information about data processing through Apple services is available at the Google Privacy Policy.
• Further information about data processing through RevenueCat services is available at the RevenueCat Privacy Policy.
• Further information about data processing through Paddle services is available at the Paddle Privacy Policy.

‍

Push Notifications

‍

We use push notifications to show you relevant messages quickly and effectively directly on your device.

‍

For push notifications on Android devices, we use “Firebase Cloud Messaging” from Firebase, a Google subsidiary.

‍

For push notifications on iOS devices, we use the Apple Push Notification Service (APNS) from Apple.

‍

Data collected and processed: 

• Device information
• Technical information
• Notification data

‍

Legal basis: 

• Consent of the data subject  Art. 6 para. 1 lit. a GDPR
• Data Privacy Framework
• Standard Contractual Clauses

‍

Involved data processors:

• Google Irland Limited, Gordon House, Barrow Street, Dublin 4, Irland
• Apple, Inc., One Apple Park Way, MS 169-3 IPL Cupertino, CA 95014 USA.

‍

Further information:

• Further information on the terms of use of Firebase Cloud Messaging can be found on the Firebase Website.
• You can find further data protection information about Apple Services in the Apple Privacy Policy.
• You can revoke your consent to receive push notifications directly in the settings of your device.

‍

Error detection and correction

‍

We use the “Sentry” service from the US company “Functional Software, Inc” to detect and rectify errors that could impair our service.

‍

Data collected and processed: 

• Error-related technical data
• Data on user behavior and interactions
• Application logs

‍

Legal basis:  

• Legitimate interest based on Art. 6 para. 1 lit. f GDPR
• Data Privacy Framework
• Standard Contractual Clauses

‍

Involved data processors:

• Functional Software, Inc., 132 Hawthorne Street, San Francisco, CA 94107, USA.

‍

Further information:

• Interest based on the legal basis: Recognizing and correcting errors that affect the service offered.
• Further information on data protection when using Sentry can be found in the  Sentry Privacy Policy.

‍

Analysis of the user behavior in the app

‍

Data collected and processed: 

• Data on user behavior and interactions

‍

Legal basis: 

• Legitimate interest based on Art. 6 para. 1 lit. f GDPR
• Data Privacy Framework
• Standard Contractual Clauses

‍

Involved data processors:

• PostHog Inc., 2261 Market Street #4008, San Francisco, CA 94114, United States

Further information:

• Interest based on the legal basis: Improving the user experience when using the app.
• Further information on data protection at PostHog can be found in the PostHog Privacy Policy.

‍

Processing support requests

‍

You can send us e-mail support inquiries about problems or other concerns relating to our services.

‍

Data collected and processed: 

• E-mail address
• Information that you send us by e-mail

‍

Legal basis: 

• Legitimate interest based on Art. 6 para. 1 lit. f GDPR

‍

Further information:

• Interest based on the legal basis: Asking and answering questions about problems, products, and other services.

• We ask you not to transmit any particularly sensitive categories of personal data when contacting us. These categories include the following data:

• Ethnic origin.
• Political opinions.
• Religious or philosophical beliefs.
• Trade union membership.
• Genetic data.
• Biometric data.
• Health data.

• Data concerning sex life or sexual orientation.

• If we become aware of a transfer of sensitive categories of data, we will arrange for these to be deleted under consideration of reasonable effort.

‍

Further information

‍

Data Transfer to the USA and the Data Privacy Framework

‍

We would like to inform you that on July 10, 2023, the EU Commission issued an adequacy decision under Article 45(1) of the GDPR for the EU-US Data Privacy Framework (Data Privacy Framework). Consequently, organizations or companies (as data importers) in the USA that are registered in a public list as part of the Data Privacy Framework’s self-certification process provide an adequate level of protection for data transfers. This, therefore, constitutes a valid legal basis for using certified US services.

For all purposes mentioned in this Privacy Policy that utilize services from US providers with an adequate level of protection, the legal basis “Data Privacy Framework” is specified. You can directly verify whether a service provider is certified on the Data Privacy Framework website.

Should a provider not be certified under the Data Privacy Framework, this will be explicitly mentioned for the respective purpose, along with a valid alternative legal basis.

‍

Standard Contractual Clauses (SCC)

‍

In order to enable data transfer to countries without an adequacy decision, the EU Commission has drawn up standard contracts (standard contractual clauses). These standard contractual clauses require contractual partners to adhere to a level of data protection comparable to that in the EU. These contractual texts are made available on the European Union’s website. Standard contractual clauses are abbreviated to “SCC”.

‍

Cookies and local storage

‍

Personal data and information may be stored in cookies, session storage, and/or local storage by our services. Processing takes place on the legal basis specified for the respective service.

‍

You can specify how the web browser handles cookies and local storage, which storage processes are permitted or rejected, and for how long the data processing takes place in the web browser settings.

‍

Data retention

‍

We only store your personal data for as long as it is necessary to fulfill the purposes mentioned or as long as contractual or legal retention periods require.

‍

Transfer of data

‍

We will only disclose your personal data to third parties if this is legally required, if this is necessary for the provision of our services or if you have consented to the transfer. We will never sell your data to third parties without your explicite consent.

Data may, if necessary, be passed on to the following categories of recipients:

• Processors, which are named in this privacy policy
• Banks and payment service providers (payment processing)
• Shipping service providers (shipping goods and invoices)
• Tax consultants (bookkeeping and annual financial statements)
• Debt collection agencies (collection of receivables)
• Lawyers (assertion of legal claims)

Protection of Personal Data

‍

We protect personal data through appropriate technical and organizational measures that comply with current industry standards and best practices. This includes, as reasonable, pseudonymization as well as the encryption of personal data during transmission and storage.

Withdrawal of consent

‍

If you have given your consent to the processing of your personal data for a specific purpose based on Art. 6 para. 1 lit. a GDPR, you can withdraw this consent at any time. The lawfulness of processing personal data until withdrawal is not affected by the withdrawal.

‍

Mandatory provision of data and consequences of non-provision when using services

‍

There is no legal or contractual obligation to provide personal data. Failure to provide personal data means that no offer can be made, or no contract concluded, and the services offered therefore cannot be provided.

‍

For the use of our services, the provision of personal data is partly required by law (e.g. tax regulations) or may result from contractual regulations (e.g. information on the contractual partner).

‍

In the case of consent to the processing of personal data, there is no legal or contractual obligation to provide this data. Failure to provide consent may, depending on the consent given, mean that no contract can be concluded or that the service cannot be used to its full extent. 

‍

Rights of Data Subjects

‍

Right of Access

You have the right to request at any time information about the personal data we store about you and to receive a copy of that information. Furthermore, you have the right to obtain confirmation as to whether the personal data in question is being processed.

‍

Right to Rectification

Should your data be inaccurate or incomplete, we will rectify it upon request.

‍

Right to Data Portability

If we process your personal data in an automated way based on your consent or based on a corresponding agreement, you have the right to request a copy of your data in a structured, commonly used, and machine-readable format, which can be sent to you or another party. This right applies only to the personal data that you have provided to us.

‍

Right to Restriction of Processing

You have the right to request that we restrict the processing of your personal data under certain circumstances.

‍

Right to Erasure

You have the right to have the personal data processed by us deleted, insofar as this is legally permissible.

‍

Withdrawal of Consent/Objection to Processing

Additionally, you may withdraw your consent to the use of your data or object to its processing at any time. The lawfulness of the processing of your personal data up until the time of withdrawal shall not be affected by that withdrawal.

‍

Right to Lodge a Complaint

If you believe that we are not processing your personal data correctly, you can contact us. You also have the right to lodge a complaint with supervisory authority. For more information on the supervisory authorities in the European Union, please click here. 

‍

All rights can be exercised by sending an e-mail to the contact named at the beginning of this privacy notice.

‍

Changes to this privacy policy

‍

We will update this notice from time to time. Any changes will be posted on this page, accompanied by an updated revision date.

‍

Date of publication of the current version: 10.07.2025

‍

This privacy notice is generated and provided by the Metasoul privacy notice generator.

‍