Privacy Policy

1. Introduction

Welcome to MindSpace. We are committed to protecting your privacy and ensuring the security of your personal and mental health information. This Privacy Policy explains how we collect, use, and safeguard your data when you use our mobile application.

2. Information We Collect

2.1 Personal Information

• Email address (for account creation, login, and OTP verification)
• Name (optional, for personalization)
• Profile picture (optional)
• Language preference
• Device information (device model, operating system, app version)
• Push notification tokens (for sending notifications)

2.2 Mental Health Data

• Journal entries and content
• Mood tracking data (mood levels, dates, patterns)
• Personal insights and questionnaire responses
• AI analysis requests and results
• Social posts and comments (if you choose to share)

2.3 Usage Data

• App usage statistics (features used, session duration)
• Error logs and crash reports (via Firebase)
• Analytics data (via Google Analytics for website)

2.4 Payment Information

• In-app purchase data (transaction IDs, purchase dates, token packages)
• Payment processing is handled entirely by Apple and Google - we do not store credit card information

3. How We Use Your Information

We use your information to:

• Provide AI-powered reflections and suggestions: Analyze your journal entries using artificial intelligence to generate personalized reflections and insights. By using the AI analysis feature, you consent to our processing of your mental health journal data for this purpose.
• Track your progress: Display mood trends and statistics
• Improve our service: Enhance app features and user experience using aggregated, anonymized data
• Communicate with you: Send notifications, updates, and support messages
• Ensure security: Protect your account and prevent fraud

4. Data Security

We take your privacy seriously and implement industry-standard security measures:

• Encryption: All data is encrypted in transit (HTTPS) and at rest
• Secure storage: We use FlutterSecureStorage for sensitive data on your device
• Passcode protection: Optional 4-digit passcode lock for app access
• Limited access: Only authorized personnel can access your data for support purposes
• Regular audits: We conduct security audits to identify and fix vulnerabilities

5. Data Sharing and Third-Party Disclosure

5.1 When We Share Data

We may share your data only in these strictly limited circumstances:

• With your explicit consent: When you choose to share posts or comments in the social feed (you control what is shared publicly)
• Essential service providers: Third-party services necessary to operate the app (cloud hosting, email delivery, crash reporting). These providers:
  • Are contractually obligated to protect your data
  • Can only use your data to provide services to us
  • Cannot use your data for their own purposes
  • Are listed in Section 9 of this policy
• Legal requirements: If required by law, court order, or to:
  • Comply with legal processes
  • Protect our rights, property, or safety
  • Prevent fraud or security threats
  • Respond to emergencies involving danger of death or serious physical injury
• Aggregated, anonymized data only: We may share statistical data that cannot identify you individually (e.g., "70% of users journal daily") for research and app improvement

5.2 AI Processing

When you use the AI analysis feature, your journal entries are processed by our AI systems to generate insights. This processing:

• Occurs only when you explicitly request AI analysis
• Is performed securely on our servers
• Does NOT involve sharing your journal entries with third-party AI companies
• Does NOT use your data to train AI models for other users without your explicit consent

6. Mental Health Data Sensitivity and HIPAA

• This app is NOT intended for use in healthcare settings or as a medical records system
• Do NOT use this app to store Protected Health Information (PHI) subject to HIPAA regulations
• MindSpace is a personal journaling and self-help tool, not a medical device or healthcare service
• Healthcare providers should not use this app to document patient care or store patient information

6.1 How We Protect Your Mental Health Data

While not HIPAA-compliant, we treat your mental health data with the highest level of care:

• Encryption: All journal entries and mental health data are encrypted both in transit (HTTPS/TLS) and at rest (AES-256 encryption)
• Access controls: Strict access controls limit who can access your data
• No selling: We will never sell your mental health data
• Purpose limitation: Your data is used only for the purposes you authorize
• Secure deletion: When you delete your account, all data is permanently and securely deleted within 30 days

7. Your Rights and Control Over Your Data

You have the right to:

• Access your data: Request a copy of your personal information
• Correct your data: Update inaccurate or incomplete information
• Delete your data: Request account deletion (all data will be permanently removed)
• Export your data: Download your journal entries and data
• Opt-out: Disable notifications and data sharing features
• Withdraw consent: Withdraw consent for data processing at any time
• Restrict processing: Request limits on how we use your data
• Object to processing: Object to data processing based on legitimate interests

7.1 How to Exercise Your Privacy Rights

Below is a step-by-step guide for exercising each of your privacy rights:

7.2 Verification and Security

To protect your privacy and prevent unauthorized access, we may request identity verification before processing your privacy rights requests. Verification may include:

• Confirming your registered email address
• Answering security questions
• Providing government-issued ID (for sensitive requests like data deletion)

7.3 No Fee for Exercising Rights

You can exercise your privacy rights free of charge. However, if your requests are manifestly unfounded, excessive, or repetitive, we may charge a reasonable administrative fee or refuse to process the request.

7.4 Right to Lodge a Complaint

If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with a data protection authority:

• Malaysia Users: Department of Personal Data Protection (JPDP / Jabatan Perlindungan Data Peribadi) — pdp.gov.my | Email: aduan@pdp.gov.my
• EU Users: Contact your local Data Protection Authority (DPA) - Find your DPA
• UK Users: Information Commissioner's Office (ICO) - ico.org.uk
• California Users: California Attorney General - oag.ca.gov

8. Data Retention

We retain your data as follows:

• Active accounts: Your data is stored indefinitely while your account is active
• Journal entries: Kept until you manually delete them or request account deletion
• Account deletion: When you request account deletion, all personal data and journal entries will be permanently deleted within 30 days
• Legal requirements: Some data may be retained longer if required by law or for legitimate business purposes (e.g., fraud prevention, dispute resolution)
• Anonymized data: Aggregated, anonymized analytics data may be retained indefinitely

9. Children's Privacy

MindSpace requires users to be at least 13 years old. We do not knowingly collect personal information from children under 13. If you believe we have collected data from a child under 13, please contact us immediately at support@mindspaceapps.com, and we will delete the account and all associated data.

10. Third-Party Services

We use the following third-party services to operate MindSpace. Each has its own privacy policy:

• Amazon Web Services (AWS): Cloud hosting and data storage (EC2, S3) - Singapore region
• AWS Simple Email Service (SES): Email delivery for OTP and notifications
• Firebase: Crash reporting, analytics, and Cloud Messaging for push notifications
• Google Analytics: Website traffic analysis (uses cookies)
• Apple In-App Purchase: Payment processing for iOS (subject to Apple's privacy policy)
• Google Play In-App Purchase: Payment processing for Android (subject to Google's privacy policy)

These services have their own privacy policies and terms. We encourage you to review them:

• AWS Privacy Policy
• Firebase Privacy Policy
• Google Privacy Policy
• Apple Privacy Policy

11. Cookies and Tracking Technologies

11.1 Website Cookies

Our website (www.mindspaceapps.com) uses cookies and similar tracking technologies. Below is a detailed breakdown of the types of cookies we use:

Types of Cookies We Use:

Managing Your Cookie Preferences:

• Cookie Banner: Use our cookie consent banner when you first visit the website
• Browser Settings: Configure your browser to block or delete cookies (this may affect website functionality)
• Google Analytics Opt-Out: Use the Google Analytics Opt-Out Browser Add-on
• Do Not Track: We honor Do Not Track (DNT) browser signals where technically feasible

11.2 Mobile App

The MindSpace mobile app does not use browser cookies. Instead, it stores data locally on your device using secure storage mechanisms (FlutterSecureStorage) for:

• Authentication tokens and session management
• User preferences and app settings
• Offline data caching for app functionality

This local storage is encrypted and accessible only by the MindSpace app. Data is deleted when you uninstall the app or delete your account.

12. International Data Transfers

12.1 Where Your Data Is Stored

MindSpace is operated from Malaysia, and your data is primarily stored on Amazon Web Services (AWS) servers located in Singapore. If you access MindSpace from outside Malaysia or Singapore, your data will be transferred to and processed in Singapore.

12.2 Data Transfer Safeguards

We implement the following safeguards to protect your data during international transfers:

• Encryption in Transit: All data transfers use HTTPS/TLS encryption to protect data during transmission between your device, our servers, and service providers
• Encryption at Rest: All data stored on AWS servers is encrypted using AES-256 encryption standards
• Contractual Protections: We have data processing agreements (DPAs) with all third-party service providers that:
  • Require them to protect your data according to this Privacy Policy
  • Prohibit unauthorized use or disclosure of your data
  • Comply with applicable data protection laws (GDPR, CCPA, etc.)
  • Implement appropriate technical and organizational security measures
• Standard Contractual Clauses (SCCs): For data transfers to countries outside the EEA, we use European Commission-approved Standard Contractual Clauses to ensure adequate protection of your personal data
• Service Provider Certifications: Our primary service providers (AWS, Firebase, Google) maintain industry-standard security certifications including:
  • ISO 27001 (Information Security Management)
  • SOC 2 Type II (Security, Availability, Confidentiality)
  • AWS maintains GDPR compliance and adequacy mechanisms

12.3 Cross-Border Data Processing

Some of our third-party service providers may process your data in countries other than Singapore:

• Google (Firebase, Analytics): May process data in the United States and EU
• Amazon Web Services: Primary storage in Singapore; backup systems may be in other AWS regions
• Email Services (AWS SES): Email delivery processed in AWS Singapore region

Your Consent: By using MindSpace, you consent to the transfer of your data to Singapore and other countries where our service providers operate. We ensure your data is protected in accordance with this Privacy Policy and applicable data protection laws, regardless of where it is processed.

12.4 Withdrawing Consent for Data Transfers

If you do not consent to international data transfers, you may not be able to use MindSpace, as our infrastructure relies on cross-border data processing. To withdraw consent, you must delete your account by contacting support@mindspaceapps.com.

13. Security Breach Notification

In the unlikely event of a data breach that affects your personal information:

• We will investigate the breach and assess the risk to your data
• We will notify affected users via email within 72 hours of discovering the breach
• We will notify relevant authorities as required by applicable law
• We will take immediate steps to secure the breach and prevent further unauthorized access
• We will provide guidance on steps you can take to protect yourself

14. GDPR Compliance (For European Union Users)

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):

14.1 Legal Basis for Processing

We process your data based on:

• Consent: You provide consent when creating an account and using the app
• Contract: Processing is necessary to provide the services you requested
• Legitimate interests: Improving our services and preventing fraud

14.2 Your GDPR Rights

• Right to access: Request a copy of all data we hold about you
• Right to rectification: Correct inaccurate or incomplete data
• Right to erasure ("right to be forgotten"): Request deletion of your data
• Right to restrict processing: Limit how we use your data
• Right to data portability: Receive your data in a machine-readable format
• Right to object: Object to processing based on legitimate interests
• Right to withdraw consent: Withdraw consent at any time
• Right to lodge a complaint: File a complaint with your local data protection authority

14.3 How We Obtain Your Consent

We obtain your explicit, informed, and freely given consent for processing sensitive mental health data through the following mechanisms:

• Account Registration: When you create an account, you explicitly agree to our Privacy Policy and Terms of Service by checking a consent box. You cannot create an account without providing this consent.
• AI Analysis Consent: Before using AI-powered reflections and suggestions for the first time, you must explicitly consent to processing your journal entries for AI analysis. Each AI analysis request represents renewed consent for that specific processing.
• Social Features Consent: When you post to the social feed, you actively choose to make content public. This represents explicit consent to share that specific content with the MindSpace community.
• Notification Consent: You can opt-in to push notifications during onboarding or in Settings. Consent is requested at the operating system level (iOS/Android).
• Analytics Consent: During first app launch, you may be asked to consent to analytics and crash reporting (where required by law).

14.4 How to Withdraw Consent

You have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before withdrawal. Here's how:

• Withdraw AI Analysis Consent: Simply stop using the AI analysis feature. Your journal entries will remain private and will not be processed by AI unless you request it again.
• Withdraw Notification Consent: Go to Settings → Notifications → Disable, or manage permissions in your device settings (iOS/Android).
• Withdraw Social Features Consent: Delete your posts or stop posting to the social feed. You can also make your profile private.
• Withdraw All Consent: Delete your account by contacting support@mindspaceapps.com. All data will be permanently deleted within 30 days.

Important: If you withdraw consent for essential processing (e.g., account creation, data storage), you may not be able to use MindSpace. In this case, you must delete your account.

14.5 Consent Records

We maintain records of your consent to demonstrate compliance with GDPR:

• Timestamp of when consent was obtained
• Version of Privacy Policy and Terms accepted
• Method of consent (account creation, AI feature opt-in, etc.)
• Specific consents granted (AI analysis, notifications, social features)

You can request a copy of your consent records by contacting us at support@mindspaceapps.com.

14.6 Data Protection Contact

To exercise your GDPR rights, contact us at support@mindspaceapps.com with "GDPR Request" in the subject line. We will respond within 30 days.

15. Malaysia PDPA Compliance (For Malaysian Users)

MindSpace is operated from Malaysia and complies with the Personal Data Protection Act 2010 (PDPA), which governs the processing of personal data in commercial transactions in Malaysia.

PDPA Principles We Follow

• General Principle: Personal data is only processed with your consent and for the purposes stated in this Privacy Policy
• Notice & Choice Principle: You are informed of the purposes for which your data is collected and have the right to choose whether to provide it
• Disclosure Principle: Your personal data is not disclosed to third parties except as described in Section 5 of this policy
• Security Principle: We take practical steps to protect your personal data from loss, misuse, modification, or unauthorized access (see Section 4)
• Retention Principle: Personal data is not kept longer than necessary for the stated purposes (see Section 8)
• Data Integrity Principle: We take reasonable steps to ensure your personal data is accurate, complete, and up to date
• Access Principle: You have the right to access and correct your personal data (see Section 7)

Your Rights Under PDPA

• Right to access: Request access to your personal data held by us
• Right to correct: Request correction of inaccurate, incomplete, or outdated personal data
• Right to withdraw consent: Withdraw consent for processing your personal data at any time (note: this may affect your ability to use the app)
• Right to inquire: Make inquiries about our data processing practices

How to Exercise Your PDPA Rights

To exercise your rights under the PDPA, contact us at support@mindspaceapps.com with "PDPA Request" in the subject line. We will respond within 21 days.

If you are unsatisfied with our response, you may lodge a complaint with the Department of Personal Data Protection (JPDP): pdp.gov.my | Email: aduan@pdp.gov.my

16. CCPA Compliance (For California Users)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):

16.1 Categories of Personal Information Collected

We collect the following categories as described in Section 2:

• Identifiers (email, name, device ID)
• Internet/network activity (usage data, analytics)
• Sensitive personal information (mental health data, journal entries)
• Commercial information (purchase history)

16.2 Your CCPA Rights

• Right to know: Request information about data we collect and how it's used
• Right to delete: Request deletion of your personal information
• Right to opt-out of sale: We do NOT sell your personal information
• Right to non-discrimination: We will not discriminate against you for exercising your rights
• Right to correct: Request correction of inaccurate personal information
• Right to limit use of sensitive information: Request limits on use of sensitive data

16.3 Do Not Sell My Personal Information

We do NOT sell your personal information to third parties for monetary or other valuable consideration. We only share data with service providers as necessary to operate the app.

16.4 How to Exercise Your CCPA Rights

To exercise your CCPA rights, follow these steps:

Using an Authorized Agent:

You may designate an authorized agent to submit requests on your behalf. The agent must:

• Provide written authorization signed by you (the consumer)
• Verify their own identity
• Provide proof of permission to act on your behalf (power of attorney or signed authorization letter)

We may still require you to verify your identity directly or confirm that you gave the agent permission to submit the request.

16.5 CCPA Non-Discrimination

We will NOT discriminate against you for exercising your CCPA rights. We will not:

• Deny you goods or services
• Charge different prices or rates for services
• Provide a different level or quality of service
• Suggest that you will receive different pricing or service quality

Note: We may offer financial incentives permitted by CCPA (e.g., welcome bonus tokens) that are reasonably related to the value of your data. You can opt-in or opt-out of these programs at any time.

16.6 Response Times and Fees

• Acknowledgment: Within 10 business days of receiving your request
• Response: Within 45 days (may extend to 90 days for complex requests; we will notify you of extension)
• Fee: FREE for up to 2 requests per 12-month period. Excessive or repetitive requests may incur a reasonable administrative fee.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of significant changes via email or in-app notification at least 7 days before the changes take effect. Your continued use of MindSpace after changes indicates acceptance of the updated policy. We encourage you to review this policy periodically.

18. Contact Us & Privacy Contact

If you have questions about this Privacy Policy or your data, or wish to exercise your privacy rights, please contact us:

• Email: support@mindspaceapps.com
• Website: www.mindspaceapps.com
• App: MindSpace
• Operator: Individual operation - Malaysia
• Data Location: AWS Singapore

How to submit privacy requests:
For GDPR requests, include "GDPR Request" in the subject line.
For CCPA requests, include "CCPA Request" in the subject line.
For general privacy inquiries, include "Privacy Question" in the subject line.

Note: As an individual-operated app, we do not have a designated Data Protection Officer (DPO). All privacy and data protection inquiries are handled directly by the operator at the email address above.