GDPR Compliance

What is GDPR?

The General Data Protection Regulation (GDPR) is a European Union law that gives you control over your personal data. It establishes strict rules about how companies collect, store, and use your information.

As an EU-based company, MindFlo is committed to full GDPR compliance. We believe your data belongs to you, and we've built our service with privacy as a core principle.

Your Rights Under GDPR

As a MindFlo user, you have the following rights:

Right to Access

Request a complete copy of all personal data we hold about you.

Right to Rectification

Correct any inaccurate or incomplete personal data.

Right to Erasure

Request deletion of your personal data ("right to be forgotten").

Right to Portability

Receive your data in a machine-readable format to transfer elsewhere.

Right to Object

Object to processing of your data for certain purposes.

Right to Restrict

Request limited processing of your personal data.

How We Protect Your Data

EU Data Storage: All personal data is stored on secure servers within the European Union.
Encryption: Data is encrypted both in transit (TLS/SSL) and at rest.
Access Controls: Strict internal policies limit who can access your data.
No Data Sales: We never sell your personal information to third parties.
Minimal Collection: We only collect data necessary to provide our service.
Regular Audits: We conduct security audits and vulnerability assessments.

Data We Collect

We collect only what's necessary to provide and improve our service:

Account data: Name, email, password (encrypted)
Profile data: Age range, preferences
Usage data: Exercise performance, session duration, progress
Technical data: Browser type, device info, IP address

We do not collect sensitive health data, biometric data, or information about your political opinions, religious beliefs, or sexual orientation.

Legal Basis for Processing

We process your data based on:

Contract: To provide the service you've signed up for
Legitimate Interest: To improve our service and prevent fraud
Consent: For optional features like marketing emails

Data Retention

We retain your data only as long as necessary:

Active accounts: Data is retained while your account is active
Deleted accounts: Personal data is deleted within 30 days
Backup retention: Backups are purged within 90 days
Legal requirements: Some data may be retained longer if required by law

Third-Party Services

We use trusted third-party services that are also GDPR compliant:

Stripe: Payment processing (no card data stored by MindFlo)
OVH: EU-based hosting provider
Google: Optional OAuth login (with your consent)

Exercise Your Rights

To access, correct, delete, or export your data, contact our Data Protection Officer:

privacy@mindflo.eu

We will respond to all requests within 30 days.

Supervisory Authority

If you believe we have not handled your data correctly, you have the right to lodge a complaint with a supervisory authority. For MindFlo, this is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

Updates to This Page

We may update this information periodically. Significant changes will be communicated via email to all registered users.

Last updated: February 1, 2026