Privacy Policy
Last updated: 2 May 2026
1. Data controller
The data controller in the sense of the GDPR is:
Philipp Klose
Private individual
Augustinergasse 1
35037 Marburg
Germany
E-mail: support@mindbuy.app
Contact for data protection inquiries: support@mindbuy.app
2. Scope
This Privacy Policy applies to the mobile app MindBuy in its current version, and to the website mindbuy.app.
MindBuy is currently available exclusively for Android devices (distributed via Google Play Store). An iOS version is in preparation; this Privacy Policy will be amended accordingly before the iOS release.
3. General principles
MindBuy is built on a Privacy by Default principle:
- No user account required – the app works without registration or login.
- Local data storage – all your wishes, notes and settings are stored exclusively on your device. There is no cloud sync and no app-owned server where your data ends up.
- No profiling – we don't analyse what you intend to buy or what you discarded. That information stays entirely with you.
Personal data is processed only in the following technically or legally necessary cases:
- Providing the app's functionality (locally on the device)
- Showing ads in the free version
- Processing in-app purchases via Google Play Store
- Optional reminder notifications
- When the "share link" feature is actively used: a single fetch of the shared web page to extract title and price
- For e-mail contact: handling your inquiry
4. Data stored on your device
The following data is stored exclusively locally on your device in a SQLite database or in app settings (PlayerPrefs). It is not transmitted to MindBuy or any third party:
Wish content
- Item titles and descriptions
- Prices
- Personal notes
- Optional: product link / shop URL
- Status (blocked, released, bought, discarded, planned)
- Timestamps (creation date, cooldown end, purchase/discard date)
- Monthly budgets per calendar month
App settings
- Preferred language and currency
- Notification setting (on/off)
- Premium status (verified against Google Play Billing)
- Consent to personalised advertising
- Onboarding status (welcome completed or not)
- Status of one-time tutorial hints (which overlays you've already seen)
- Timestamp of the last update check
This data is deleted as soon as you uninstall the app or manually reset app data.
Legal basis: Article 6(1)(b) GDPR (performance of contract – providing the requested app functionality).
5. Permissions and data access
MindBuy requests the following permissions:
| Permission | Purpose |
|---|---|
| Internet | Showing ads, single fetch of a shared product link to extract title/price, fetching update info from Play Store |
| Notifications (from Android 13) | Local reminder when an item's cooldown has ended |
| Exact alarms (SCHEDULE_EXACT_ALARM) | Ensuring reminders fire on time |
| File access (only when using backup) | Saving or selecting a backup file when exporting/importing your data |
You can revoke each of these permissions at any time in Android system settings.
6. Advertising
In the free version MindBuy shows ads delivered via Google AdMob. Specifically:
- Banner ads on the dashboard, calendar and statistics screens
- Full-screen ad on app start ("App Open Ad"), at most every 4 hours or once per app launch
The Premium version shows no ads.
Personalised vs. non-personalised ads
On first launch you're asked whether you want personalised ads. This is opt-in by default (under GDPR Article 7). You can change the setting at any time in app settings under "Personalised advertising".
If consent is given: Google AdMob may use your Advertising ID and related device and usage data to show you more relevant ads.
If consent is denied: only non-personalised (contextual) ads are delivered.
Resetting the Advertising ID
You can reset or disable your Advertising ID in Android system settings under "Privacy → Ads" at any time. This applies to all ad-supported apps on your device.
What data does AdMob process?
Google AdMob may process the following data when ads are loaded:
- Advertising ID
- Device model and OS version
- Approximate location (based on IP, not GPS)
- App version
- If personalisation is enabled: ad interactions (clicks, impressions)
Processing is performed by Google Ireland Ltd., possibly also on servers outside the EU. Details in Google's Privacy Policy.
Legal basis:
- Personalised ads: Article 6(1)(a) GDPR (consent)
- Non-personalised ads: Article 6(1)(f) GDPR (legitimate interest in financing the app)
7. "Share link" from other apps
When you share a product link with MindBuy from another app (e.g. Amazon, Otto, browser), the app fetches the shared web page once to extract title, price and a possible preview image. This request goes directly from your device to the website – no MindBuy server in between.
The website may, as with any normal browsing, see your IP address, browser headers (user agent) and similar technical info.
Legal basis: Article 6(1)(b) GDPR (performance of contract – providing the user-requested feature).
8. Reminders / Push notifications
If you enable notifications in app settings, MindBuy schedules local push notifications reminding you of expired cooldowns.
- Notifications are scheduled and triggered exclusively on your device.
- There is no push server and no data connection involved.
- You can disable notifications at any time in app settings or Android system settings.
Legal basis: Article 6(1)(a) GDPR (consent – toggle in app settings).
9. App updates
MindBuy checks the Google Play Store at most once every 24 hours for a newer version, using Google's official In-App Updates API. Only technical info necessary for the update check (installed app version, device identification) is sent to Google.
For critical updates (e.g. security fixes) MindBuy may show an in-app prompt to update.
Legal basis: Article 6(1)(f) GDPR (legitimate interest in keeping the software current and secure).
10. Backup feature (Premium)
The Premium "Backup" feature lets you export and import a copy of your full database as a file. The following applies:
- The backup file contains all your wishes, notes and settings in SQLite format.
- The file is not uploaded to a MindBuy server.
- Where you store the file (local folder, e-mail to yourself, cloud storage like Google Drive) is entirely your choice.
- Important: backup files are not encrypted. Store them securely.
Legal basis: Article 6(1)(b) GDPR (performance of contract).
11. In-app purchases (Premium features)
MindBuy offers optional Premium features via in-app purchases. Payment processing is handled exclusively via the Google Play Store.
- The provider (us) receives no payment data like credit card or account numbers.
- We only learn whether a Premium feature was purchased, in order to unlock it in the app.
- Google Play's privacy terms apply additionally.
Legal basis: Article 6(1)(b) GDPR (performance of contract – delivery of purchased features).
12. Analytics & usage data
Current version status: MindBuy currently uses no analytics or tracking services (no Firebase Analytics, no Crashlytics, no comparable third party).
Should such services be integrated in a future version, this Privacy Policy will be amended before activation, and affected users will be notified in the app.
13. The mindbuy.app website
The website mindbuy.app currently processes no personal data for marketing or analytics. There are no tracking cookies and no analytics tools in use.
When the website is accessed, technical server log files (IP address, date and time of access, browser type) are temporarily created – as with any website request. These are processed by the hosting provider (Hetzner Online GmbH, Germany) for the operation of the service and deleted shortly after.
14. Contact
If you contact us by e-mail at support@mindbuy.app, the data you provide (e-mail address, message content, any other voluntary info) is stored to handle your request.
E-mail processing is handled via the servers of our e-mail provider IONOS SE (1&1 IONOS, Montabaur, Germany). This data is not shared with third parties without your consent and is deleted within a reasonable period after the request is closed, unless statutory retention obligations apply.
Legal basis: Article 6(1)(b) GDPR (pre-contractual measures) or Article 6(1)(f) GDPR (legitimate interest in answering inquiries).
15. Sharing data with third parties
As part of the above features, data is transferred to the following third parties:
| Provider | Purpose | Data | Location |
|---|---|---|---|
| Google Ireland Ltd. | Distribution via Play Store, in-app purchases, update check | App version, device ID, account identifier | Ireland (EU), parent Google LLC in the USA |
| Google AdMob (Google Ireland Ltd.) | Ads in the free version | Advertising ID, device data, IP, possibly interaction data | Ireland (EU), parent Google LLC in the USA |
| IONOS SE | E-mail hosting for support | E-mail content and sender address | Germany |
| Hetzner Online GmbH | Web hosting for mindbuy.app | Technical server logs (IP, user agent, timestamp) | Germany |
| Operators of shared websites | Single fetch to extract title and price for the share-link feature | IP address, user agent | Worldwide, depending on website |
These providers process data on their own responsibility under their respective privacy terms.
15.1 Transfers to third countries (especially the USA)
When using Google services (Play Store, AdMob), data is primarily handled via Google Ireland Ltd. (EU), but may be technically processed in the USA, where parent company Google LLC and much of the server infrastructure is located. Under the CJEU's "Schrems II" ruling (16 July 2020, C-311/18), the USA is generally not deemed to provide an adequate level of data protection, so additional safeguards are required for such transfers.
The following mechanisms are used for transfers to Google in the USA:
EU-US Data Privacy Framework (DPF): Google LLC has been certified under the EU-U.S. Data Privacy Framework since 17 July 2023. With its adequacy decision of 10 July 2023, the EU Commission has determined that DPF-certified US companies offer an adequate level of data protection. The transfer thus relies on Article 45(3) GDPR (adequacy decision).
Standard Contractual Clauses (SCC) as fallback: for processing not covered by the DPF, Google has implemented the Standard Contractual Clauses adopted by the EU Commission (Modules 2 / 3, decision of 4 June 2021). The transfer thus relies on Article 46(2)(c) GDPR.
What you as a user should know:
- Under certain conditions (e.g. FISA Section 702), US authorities can access data processed by US companies. The DPF includes a multi-level redress mechanism via the Data Protection Review Court (DPRC), which you can theoretically use.
- Personal data in our context is limited to Advertising ID, device metadata and IP address – your wish list, notes and purchase decisions are not transferred, since they are stored locally only.
- You can effectively limit data transfers by disabling personalised ads in app settings (the default) and optionally buying Premium (fully ad-free – no AdMob transfers).
Provider privacy info:
- Google Privacy Policy: policies.google.com/privacy
- Google DPF certification: dataprivacyframework.gov (list of "Active Participants")
- Google AdMob data processing: support.google.com/admob/answer/6128543
16. Legal bases at a glance
| Processing | Legal basis |
|---|---|
| Local storage of your wishes | Art. 6(1)(b) GDPR (performance of contract) |
| Personalised ads | Art. 6(1)(a) GDPR (consent) |
| Non-personalised ads | Art. 6(1)(f) GDPR (legitimate interest) |
| Reminder notifications | Art. 6(1)(a) GDPR (consent) |
| App update check | Art. 6(1)(f) GDPR (legitimate interest) |
| Link parsing on share | Art. 6(1)(b) GDPR (performance of contract) |
| Premium purchases | Art. 6(1)(b) GDPR (performance of contract) |
| E-mail contact | Art. 6(1)(b) / (f) GDPR |
17. Storage period
- Local app data: as long as the app is installed on your device and you don't delete it yourself.
- Ad data (AdMob): per Google's retention periods. You can reset the Advertising ID at any time.
- E-mail correspondence: up to 6 months after closure of your inquiry, unless statutory retention obligations apply.
18. Data security
- Locally stored data lives in an app-specific directory protected by Android against access from other apps.
- The SQLite database is by default not encrypted – if an unencrypted device is lost, technically savvy third parties may read the data. We recommend enabling device encryption in Android system settings.
- The app's internet communication (e.g. ads, link parsing) is encrypted via HTTPS / TLS where supported by the remote endpoint.
19. Rights of data subjects
You have the right at any time to:
- Access the data stored about you (Article 15 GDPR)
- Rectification of inaccurate data (Article 16 GDPR)
- Erasure of your data (Article 17 GDPR)
- Restriction of processing (Article 18 GDPR)
- Data portability (Article 20 GDPR)
- Object to processing based on legitimate interest (Article 21 GDPR)
- Withdraw consent with effect for the future (Article 7(3) GDPR)
Since MindBuy keeps no accounts and stores no data on its own servers, you can exercise most of these rights yourself:
- Access: all data is visible in the app.
- Erasure: uninstalling the app or resetting app data deletes all stored data.
- Object to personalised ads: toggle in app settings under "Personalised advertising".
For any other inquiries, an e-mail to support@mindbuy.app is enough.
You also have the right to lodge a complaint with a supervisory authority – typically the data protection authority of the federal state in which you reside.
20. Changes to this Privacy Policy
We may amend this Privacy Policy if app features or legal frameworks change. For substantial changes you'll be informed on next app launch. The current version is always available at mindbuy.app/datenschutzerklarung-mindbuy/ and via app settings.