Privacy Policy

Last Updated: May 16, 2026

1. Introduction

Welcome to MindTape (the "App"), an iOS voice journaling application powered by AI. The App is operated by Danylo Dovhodko, an autónomo (self-employed individual) registered in Spain (full provider details in Section 12). We are committed to protecting your privacy and ensuring you have a positive experience on our App. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your personal data.

This Privacy Policy applies to all users of the MindTape App, including those using free and paid (Pro) versions. By using the App, you acknowledge that you have read and understood this policy.

2. Information We Collect

We collect various types of information to provide and improve the MindTape App:

Category	Details
Account Information	Apple ID identifier (private relay ID), display name (optional), email address (if shared by Apple Sign In)
Voice Recordings	Audio files you record within the App, stored on our secure servers
Transcripts	Text transcriptions of your voice recordings generated via OpenAI Whisper API
AI-Generated Insights	Daily, weekly, and monthly summaries and insights generated by AI language models
Device Token	Apple Push Notification service token for sending push notifications
Timezone & Locale	Your device timezone and language preferences
Subscription Status	Information about your Free or Pro tier subscription via Apple In-App Purchase
Usage Metrics	Features used, frequency of use, number of entries, interaction patterns
Diagnostics	App crashes, errors, and performance data (optional, via Sentry if enabled)
Analytics Events	App usage events (screens viewed, onboarding steps, button taps, paywall interactions, time spent per step), aggregate device identifiers (IDFV — not IDFA), app version, OS version, country-level location (geo-IP). Collected via Firebase Analytics. We do not collect IDFA (Identifier for Advertisers).
Audit Information	IP address, user agent, and action logs for security and fraud detection

How We Collect This Information

Directly from you: When you create an account, record a voice note, or adjust settings
From your device: Timezone, locale, and device identifiers through iOS APIs
Automatically: When you interact with the App (usage analytics, crash logs)
From third parties: Apple (via Sign In and In-App Purchase), OpenAI (API integration)

3. How We Use Your Information

We use the information we collect for the following purposes:

Service Delivery: To provide the core functionality of MindTape (recording, transcription, AI insights)
Account Management: To create and manage your account, process subscriptions, and handle authentication
AI Processing: To generate transcriptions and AI-powered insights based on your voice entries
Push Notifications: To send reminders, insights, and subscription-related notifications
Security & Fraud Prevention: To detect unauthorized access, prevent abuse, and protect against threats
Legal Compliance: To comply with applicable laws, regulations, and law enforcement requests
Product Improvement: To analyze usage patterns, fix bugs, and improve App performance and features
Customer Support: To respond to your inquiries and resolve issues

4. AI Processing & OpenAI Disclosure

⚠️ Important: MindTape relies on OpenAI's API services to transcribe your voice recordings and generate AI insights. This section explains exactly what data is sent, how OpenAI handles it, and what protections are in place. Please read it carefully before using the App.

4.1 What Data Is Sent to OpenAI

To deliver the AI features of the App, we send the following content to OpenAI over secure, encrypted connections:

Voice recordings — your original audio files are sent to the Whisper API for speech-to-text transcription.
Transcripts — the resulting text from your voice entries is sent to GPT language models to generate daily insights, weekly deep-dives, and monthly overviews.
Previously generated AI summaries — when producing higher-level insights (e.g., weekly analysis from daily entries, or monthly overview from weekly insights), earlier AI outputs are sent back to GPT as context.

We do not send your Apple ID, email address, payment information, IP address, or device identifiers to OpenAI. Your content is associated with OpenAI requests only through our internal API key — OpenAI does not receive your MindTape account identity.

4.2 No Model Training on Your Data

OpenAI does not use data submitted through its API to train or improve its models. This has been OpenAI's default policy for all API customers since March 1, 2023 — no separate opt-out or contractual amendment is required.

This means your voice recordings, transcripts, and AI-generated insights are never used to improve GPT, Whisper, or any other OpenAI model. For full details, see OpenAI's commitment at OpenAI Enterprise Privacy and the API Data Usage Policies.

4.3 30-Day Retention for Abuse Monitoring

OpenAI retains API request and response data (including voice recordings, transcripts, and AI outputs) for a maximum of 30 days, solely for the purpose of:

Detecting and investigating violations of OpenAI's Usage Policies (e.g., illegal content, abuse of the service)
Ensuring service reliability and safety

During this 30-day window:

Data is stored on OpenAI's servers in the United States under their security controls
Access is restricted to a limited number of authorized OpenAI personnel (e.g., their Trust & Safety team) and only when specifically required to investigate a suspected policy violation
Data is not accessed for any other purpose — not for marketing, not for analytics, not for model training

After 30 days, OpenAI automatically and permanently deletes this data from their systems. MindTape has no ability to extend, bypass, or shorten this window (unless a customer is on OpenAI's Zero Data Retention tier, which MindTape is not).

4.4 OpenAI as a Sub-Processor

For the purposes of the EU General Data Protection Regulation (GDPR) and similar privacy laws, OpenAI acts as our sub-processor: they process your personal data on our behalf, under our instructions, and under the terms of OpenAI's Data Processing Addendum.

We maintain a contractual relationship with OpenAI that includes GDPR-compliant data protection obligations, including use of EU Standard Contractual Clauses (SCCs) for international transfers.

4.5 Security Safeguards

Encryption in transit: All data sent to OpenAI travels over TLS 1.2+ encrypted connections.
Encryption at rest on our side: Before and after processing, your content is stored on our servers with AES-256 per-user envelope encryption (see Section 6).
OpenAI's security posture: OpenAI maintains SOC 2 Type 2 compliance and a public security program. See OpenAI Trust Portal.
Least privilege: Only the specific API requests required to generate a transcription or insight are sent to OpenAI — we do not forward your entire journal history.

4.6 International Data Transfer

OpenAI processes API requests on infrastructure located in the United States. By using MindTape, you acknowledge that your voice recordings and transcripts will be transferred to, stored temporarily on (up to 30 days, per Section 4.3), and processed on servers in the United States.

For users in the European Union, European Economic Area, United Kingdom, or Switzerland, this international transfer is conducted under appropriate legal safeguards, including EU Standard Contractual Clauses (SCCs) executed with OpenAI.

4.7 Your Consent and How to Withdraw It

By creating an account and using MindTape, you explicitly consent to:

The transmission of your voice recordings and transcripts to OpenAI as described above
OpenAI's temporary (up to 30 days) retention of that data for abuse monitoring
The international transfer of your data to the United States

This AI processing is essential to the core functionality of MindTape — without it, the App cannot provide transcription or insights. If you do not consent, please do not use the App.

You may withdraw your consent at any time by deleting your account through the App or by contacting us at [email protected]. Once deleted, we will remove your content from our servers as described in Section 7. However, any content already submitted to OpenAI during the 30-day retention window will remain with OpenAI until their automatic deletion cycle completes.

5. Data Sharing & Third Parties

We share your information only with carefully selected third parties, and only as necessary to provide the App:

Third-Party Service Providers

OpenAI (Whisper & GPT APIs): Voice transcription and AI insight generation. Data retained for 30 days.
Apple (Sign In, In-App Purchase, Push Notifications): Account authentication, subscription processing, and push notification delivery
Cloudflare (R2 Storage & CDN): Secure storage of audio files and content delivery
Sentry (Error Tracking, optional): Crash reports and performance diagnostics. You can opt out in App settings.
Firebase Analytics (provided by Google LLC): Aggregated app usage analytics to understand onboarding flow, feature engagement, and overall App performance. Data includes events triggered (e.g., screens viewed, paywall interactions), device type, app version, OS version, and approximate location (country-level, derived from IP address). Firebase Analytics does not collect IDFA (Identifier for Advertisers) — we have not enabled IDFA collection. Voice recordings, transcripts, and AI insights are never sent to Firebase Analytics. Data is processed on Google's infrastructure in the United States. For more details, see Firebase Privacy Information and Google Privacy Policy.

Legal Obligations

We may disclose your information if required by law, court order, or valid government request. We will notify you of such requests unless legally prohibited.

Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of such changes.

Aggregated, Anonymized Data

We may use aggregated, anonymized usage statistics (such as feature popularity, error rates, or general retention metrics) internally to improve the App. This aggregated data cannot identify you and is not shared with third parties for marketing, advertising, or research purposes.

6. Data Security & Encryption

We implement industry-leading security measures to protect your information:

Encryption at Rest

Voice Recordings: Encrypted using AES-256 per-user envelope encryption (DEK + KEK via KMS). Each recording is encrypted with a unique key.
Transcripts & Insights: Encrypted at rest in Postgres database using per-user keys
S3/R2 Storage: All files encrypted with SSE-KMS (server-side encryption with AWS Key Management Service)

Encryption in Transit

All data transmitted between your device and our servers uses TLS 1.3 encryption
API calls to OpenAI are conducted over secure, encrypted connections

Key Management

Encryption keys are versioned and rotated regularly
Only authorized services can decrypt your data
Keys are stored in secure key management systems, not in the application code

Access Controls

Your data is only accessible to authorized personnel for support and maintenance
All access is logged and monitored for suspicious activity
You authenticate via Apple Sign In (no passwords stored by us)

Limitation of Liability

While we implement comprehensive security measures, no system is 100% secure. We cannot guarantee absolute protection against all security threats. We recommend using a strong device passcode and enabling biometric authentication on your iPhone.

7. Data Retention

We retain your information for as long as necessary to provide the App and comply with legal obligations:

Voice Recordings & Transcripts: Retained while your account is active. Deleted when you delete your account or after 90 days of account inactivity (if detected).
AI-Generated Insights: Retained while your account is active. Deleted with associated entry data.
Account Information: Retained while your account is active. Anonymized 1 year after account deletion for legal and tax purposes.
Audit Logs & IP Addresses: Retained for 1 year for security and fraud prevention.
Deleted Data: Purged from backups within 90 days of deletion request.
OpenAI API Data: Automatically deleted by OpenAI within 30 days, per OpenAI's standard API retention policy for abuse monitoring. See Section 4.3 for full details.

If you request account deletion, we will initiate the deletion process within 30 days. Backup copies may persist for up to 90 days for data recovery purposes.

8. Your Rights

Depending on your location, you have rights over your personal data. To exercise any of these rights, contact us at [email protected].

GDPR Rights (European Union)

If you are located in the EU, you have the following rights under the General Data Protection Regulation (GDPR):

Right to Access: You can request a copy of all personal data we hold about you.
Right to Rectification: You can correct inaccurate or incomplete information.
Right to Erasure ("Right to be Forgotten"): You can request deletion of your data, subject to certain legal exceptions.
Right to Restrict Processing: You can request that we limit how we use your data.
Right to Data Portability: You can request your data in a portable format (e.g., JSON).
Right to Object: You can object to certain processing, including marketing communications.
Right to Withdraw Consent: You can withdraw consent for AI processing or marketing at any time. Withdraw by contacting us.
Right to Lodge a Complaint: You can file a complaint with your local data protection authority if you believe we have violated your rights. Spanish residents may file complaints with the Agencia Española de Protección de Datos (AEPD) at https://www.aepd.es. Other EU/EEA residents may contact their national DPA.

Legal Basis for Processing (GDPR Article 6):

Art. 6(1)(a) - Consent: Processing your voice and transcripts for AI insights (you can withdraw anytime)
Art. 6(1)(b) - Contract Performance: Creating an account, managing subscriptions, providing the App service
Art. 6(1)(f) - Legitimate Interest: Security, fraud prevention, audit logging, and App improvement

CCPA/CPRA Rights (California)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Right to Know: You can request to know what personal information we have collected, the source, and our use of it.
Right to Delete: You can request deletion of personal information we have collected, subject to certain exceptions.
Right to Correct: You can request correction of inaccurate personal information.
Right to Opt-Out of Sale/Sharing: We do not sell your personal information. We do not share your data for cross-context behavioral advertising.
Right to Limit Use of Sensitive Information: We use sensitive information (voice, health-related insights) only to provide the service you requested. You can request that we limit use.
Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.

How to Submit a Request: Email [email protected] with "CCPA Request" or "GDPR Request" in the subject line. Include your account email and the specific right you are exercising. We will respond within 30 days (GDPR) or 45 days (CCPA).

Verification: We will verify your identity by confirming your account email and Apple ID before processing your request.

9. International Data Transfers

MindTape operates globally, and your data may be transferred to and processed in countries other than where you reside, including the United States. These countries may not have data protection laws equivalent to those in your jurisdiction.

EU/EEA Users

If you are located in the EU or EEA, we transfer your data based on:

Standard Contractual Clauses (SCCs): We use EU-approved SCCs with our service providers to ensure appropriate safeguards.
Your Explicit Consent: By using MindTape and agreeing to this policy, you consent to data transfers for service delivery.

For more information on our data transfer mechanisms, contact [email protected].

10. Children's Privacy

MindTape is not intended for children below the minimum age of digital consent applicable in their country of residence. We do not knowingly collect personal information from users below this age.

Specifically:

Spain: Minimum age 14 (per the Spanish Data Protection Law, LOPDGDD Article 7).
Other EU/EEA countries: Between 13 and 16 depending on the national implementation of GDPR Article 8.
United States: Minimum age 13 (per COPPA).
Other regions: 13, unless local law sets a higher age.

If we become aware that a user below the applicable minimum age has created an account or provided information, we will delete that account and information promptly. Parents or guardians can contact us at [email protected] to review or delete a minor's account.

11. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

Posting the updated policy on the App with a new "Last Updated" date
Sending an email notification to the address associated with your account (if available)
Displaying a prominent notice in the App before the changes take effect

Your continued use of the App after changes become effective constitutes your acceptance of the updated Privacy Policy. We encourage you to review this policy periodically.

12. Legal Information & Contact

This section contains the provider identification required by Article 10 of Spanish Law 34/2002 (LSSI-CE) and serves as our primary contact information for all privacy, legal, and support inquiries.

Service Provider

Name: Danylo Dovhodko

Status: Autónomo (self-employed individual) under the laws of the Kingdom of Spain

Tax Residence: Calle del Maestro Alonso 6, 03012 Alicante, Spain

Tax Identification Number (NIF): Z4343709A

Activity: Information society service — subscription-based mobile application (voice journaling)

Applicable Law: Kingdom of Spain. EU GDPR for European users.

Contact

General inquiries: [email protected]
Privacy & data protection: [email protected]
Legal & compliance: [email protected]
Support: [email protected]

Response Time: We respond to privacy inquiries within 30 days. Complex requests may require additional time, which we will communicate to you.

Supervisory Authority (EU / Spain)

Spanish residents may file complaints with the Agencia Española de Protección de Datos (AEPD) at https://www.aepd.es. EU/EEA residents in other countries may contact their national data protection authority.

California Privacy Inquiries

For CCPA/CPRA-related questions, submit your request at [email protected] with "CCPA Request" in the subject line.

Thank you for trusting MindTape with your thoughts and memories. We're committed to protecting your privacy and keeping your voice journal secure.