Privacy Policy

Privacy Policy

Effective date: 15 July 2026 Version: 2.7.0

This Privacy Policy explains how Mind Wobble Limited ("Mind Wobble", "we", "us", or "our") collects, uses, stores, shares, and otherwise processes personal data when you use:

  • the Mind Wobble website and blog (the "Site"); and
  • the Mind Wobble web application (the "App").

Mind Wobble Limited is the controller of the personal data described in this Privacy Policy.

Contact details:
Mind Wobble Limited
Email: hello@mindwobble.com

If you have any questions about this Privacy Policy or want to exercise your data protection rights, you can contact us at hello@mindwobble.com.

If you are in the United Kingdom, you have the right to complain to the Information Commissioner’s Office (ICO).

This Privacy Policy applies to personal data we collect directly from you, automatically when you use the Site or App, and in some cases from service providers we use to operate the Site and App, such as our payment, authentication, hosting, analytics, AI, and security providers.

The Site and App are intended only for adults aged 18 or over. We do not knowingly offer the Site, the App, or AI-powered features to anyone under the age of 18.

0. Territorial scope — where Mind Wobble is offered

Mind Wobble Limited is established in the United Kingdom and is regulated under the UK GDPR and the Data Protection Act 2018. The UK is our home jurisdiction.

Mind Wobble is not offered to individuals located in any of the following jurisdictions:

  • the European Union, the European Economic Area (Iceland, Liechtenstein, and Norway), Switzerland, and the territories of EU Member States where EU law applies (the Åland Islands, French Guiana, Guadeloupe, Martinique, Mayotte, Réunion, and Saint Martin), because Mind Wobble does not offer the Service in jurisdictions where the EU GDPR applies;
  • sanctioned or high-restriction jurisdictions (Belarus, China, Cuba, Iran, Iraq, North Korea, Russia, Syria, and the occupied regions of Crimea, Donetsk, and Luhansk); and
  • jurisdictions where Paddle, our payment provider and Merchant of Record, cannot process payments (Afghanistan, Antarctica, the Central African Republic, the Democratic Republic of the Congo, Haiti, Libya, Mali, Myanmar, Nicaragua, Somalia, South Sudan, Sudan, Venezuela, Yemen, and Zimbabwe).

Access to account creation and paid features is restricted for all of those jurisdictions at our edge network (Cloudflare).

Our Terms of Service require you to confirm at sign-up that you are not located in any of those regions. If you relocate to any of them during your subscription, you must stop using the Service and contact us at hello@mindwobble.com so that we can close your account. We will cancel the subscription, offer a pro-rata refund of the unused portion of the current billing period as a goodwill gesture, preserve your data-subject rights under Section 8 before closure, and close the account.

In addition to the United Kingdom, the Service is available to individuals in the United States, Australia, and New Zealand. Jurisdiction-specific privacy rights for those regions are set out in Section 8A (United States) and Section 8B (Australia and New Zealand).

If you are located in a jurisdiction that is not specifically addressed in this Privacy Policy and that is not on the excluded list above, the general protections in this Privacy Policy under the UK GDPR will apply to your personal data, to the extent it is lawful for us to provide the Service to you in that jurisdiction. Local mandatory laws that apply to you may give you additional rights, and nothing in this Privacy Policy is intended to limit those.

References to supervisory authorities in this Privacy Policy are to the UK Information Commissioner’s Office (ICO) unless otherwise stated in a jurisdiction-specific section.

1. Information We Collect

We collect personal data in the following categories.

1.1 Information We Collect for the Site

If you use the Site or blog, we may collect:

  • Newsletter information: your email address and, if you provide them, your first name and last name when you subscribe to our newsletter.
  • Site usage and technical information: limited analytics and device information such as pages viewed, referring website, browser type, device type, operating system, language, and approximate location inferred from your IP address by our analytics provider.
  • Communications: information you provide if you contact us directly, such as your name, email address, and the contents of your message.

We use Rybbit Analytics (self-hosted) for website and in-app analytics. We do not use analytics cookies for Rybbit analytics and do not use analytics to build advertising profiles about you. Rybbit records page-level usage (such as which pages you visit) and does not access the content you create in the App, such as journal entries, mood logs, assessment answers, or messages.

1.2 Information We Collect for the App

If you create an account for the App or use App features, we may collect:

  • Account and authentication information: your email address, Supabase user ID, authentication metadata, and account status information. Passwords are handled by our authentication provider, Supabase Auth.
  • Profile and onboarding information: information you choose to provide in onboarding or account settings, which may include your name, username, date of birth, gender, country, timezone, profile avatar, height, weight, and health conditions.
  • Mood and wellbeing data: information you enter into wellness features, including mood scores, emotions, sleep information, stress levels and sources, coping strategies, exercise, physical health, weather, social interactions, optional notes, and related check-in data.
  • Journal content: journal entries, prompts, drafts, editor content, AI-generated summaries, and related metadata.
  • AI coaching data: messages you send to AI-powered features, AI responses, conversation summaries, and related context used to support those features.
  • Goals and planning data: goals, steps, milestones, categories, priorities, due dates, notes, and progress information.
  • Assessment and self-discovery data: your responses to and results from in-app assessments, such as values, personality, learning style, or wheel-of-life style exercises.
  • Tracking data: information you choose to record in tracking tools, such as liquid type and quantity.
  • Subscription and billing records: subscription status and limited billing-related information we receive from Paddle, such as your Paddle customer ID, subscription ID, plan or product information, billing dates, transaction status, and the email address associated with the purchase. Payment card details are collected directly by Paddle and are not stored by us.
  • Diagnostic, security, and operational data: technical information generated when you use the App, such as browser type, device information, IP address or network signals, timestamps, log records, error reports, performance data, and internal identifiers used to maintain security, prevent abuse, and diagnose problems.
  • Communications and support: information you provide when you contact us for help, provide feedback, or otherwise communicate with us.

1.3 Information We Receive from Service Providers

In some cases, we receive personal data from service providers we use to operate the Site and App, including:

  • Supabase: authentication and account-related information necessary to operate your account.
  • Paddle: subscription, purchase, and billing status information required to manage your access to paid features.
  • Cloudflare Turnstile: bot-detection and request-validation signals used to help protect sign-up and login flows.

1.4 Sensitive and Special Category Data

Because Mind Wobble is a mental wellness app, some of the personal data we process may be special category data under data protection law, including:

  • data concerning your physical or mental health;
  • information contained in journal entries, coaching conversations, assessments, or profile fields that reveals or concerns sensitive aspects of your health or wellbeing; and
  • in some cases, summaries, tags, or inferences generated from content you provide where those summaries or inferences reveal sensitive information.

You do not have to provide all profile fields to use the App, and some fields are optional. However, if you choose to use wellness, journaling, coaching, or assessment features, the information you provide may be sensitive by its nature.

2. How We Use Your Information and Our Lawful Bases

We only process personal data where we have a valid lawful basis under applicable data protection law. Depending on how you use the Site or App, we may rely on one or more of the following lawful bases under the UK GDPR:

  • Contract — Article 6(1)(b): where processing is necessary to create and manage your account, provide the App features you request, manage your subscription, and otherwise perform our contract with you or take steps at your request before entering into that contract.
  • Consent — Article 6(1)(a): where you have given us permission to process your personal data for a specific purpose (for example, newsletter sign-up).
  • Legitimate interests — Article 6(1)(f): where processing is necessary for our legitimate interests or those of a third party (for example, security, fraud prevention, and service analytics), provided those interests are not overridden by your rights and interests.
  • Legal obligation — Article 6(1)(c): where processing is necessary for us to comply with legal or regulatory obligations (for example, accounting and tax records).

Because Mind Wobble processes information about your mental and physical health — including mood, journal content, AI coaching conversations, self-discovery test results, and related wellness signals — much of what we process is special category data (health data) under Article 9 of the UK GDPR. For all such special-category processing, we rely on your explicit consent under Article 9(2)(a) as the lawful condition. At sign-up you give explicit consent to:

  • our collection and use of your health-related wellbeing data; and
  • the use of that data to provide the App's core features, personalised insights, AI-supported coaching, and AI-generated summaries, including sending relevant content and account context to AI providers — currently Google's Gemini API as our primary provider and OpenAI's API as a fallback provider when Gemini is unavailable.

You also acknowledge, as a separate statement, that these AI features are not medical advice, diagnosis, treatment, crisis support, or emergency services.

We use your personal data for the following purposes:

  • To operate the Site and manage newsletter subscriptions: We use your contact details to send you newsletters and related updates where you have asked to receive them.
    Lawful basis: Consent.
  • To understand and improve how the Site is used: We use analytics and technical usage information to understand traffic, improve performance, and improve our content.
    Lawful basis: Legitimate interests.
  • To respond to enquiries, feedback, and support requests: We use the information you provide to respond to questions, investigate issues, and communicate with you about your use of the Site or App.
    Lawful basis: Legitimate interests, and in some cases contract where the request relates to services we provide to you.
  • To create and manage your account: We use your registration, authentication, and account information to create your App account, log you in securely, and manage access to the App.
    Lawful basis: Contract.
  • To provide core App functionality: We use the information you enter into the App to provide features such as mood tracking, journaling, goals, assessments, dashboards, account settings, and related App functions.
    Lawful basis: Contract.
  • To personalise your experience: We use profile information, settings, and feature inputs to tailor parts of the App experience, including showing locally relevant resources and adapting features to your preferences.
    Lawful basis: Contract where this is necessary to provide a feature you request; otherwise consent. Where this involves special category data, we rely on your explicit consent.
  • To process sensitive wellness information you choose to provide: If you choose to use wellness, journaling, coaching, or assessment features, we process the sensitive information contained in that content so those features work as intended.
    Lawful basis: Contract for the provision of the requested feature. Where that information is special category data, we rely on your explicit consent as the relevant condition for processing that data.
  • To provide AI-powered features: When you choose to use AI-powered features, we process the content you submit and selected contextual information to generate responses, summaries, insights, and guidance within the App.
    Lawful basis: Contract for the provision of the requested AI feature. Where prompts, context, or outputs involve special category data, we rely on your explicit consent as the relevant condition for processing that data.
  • To manage subscriptions, billing, and access to paid features: We use account and subscription information to verify entitlement, manage paid access, handle billing administration, and maintain transaction-related records.
    Lawful basis: Contract, legal obligation, and legitimate interests.
  • To protect the security, integrity, and reliability of the Site and App: We use technical, diagnostic, and security-related data to detect abuse, prevent fraud, secure authentication flows, investigate incidents, enforce our terms, and maintain service reliability.
    Lawful basis: Legitimate interests, and legal obligation where applicable.
  • To comply with legal obligations and protect our legal position: We may use personal data where necessary to comply with applicable laws, regulations, court orders, law enforcement requests, tax and accounting requirements, or to establish, exercise, or defend legal claims.
    Lawful basis: Legal obligation and legitimate interests.
  • To provide in-app reminders and service messages: We may use your account and usage information to provide in-app reminders, prompts, and important service-related notices within the App.
    Lawful basis: Contract where necessary to provide the service, and legitimate interests for general service administration.

Where we rely on your consent under Article 6(1)(a) or your explicit consent under Article 9(2)(a), you may withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing carried out before withdrawal.

Withdrawing your Article 9(2)(a) explicit consent means we can no longer provide the Service to you. If you withdraw that consent, access to App features will be blocked and you will be directed to your account settings, where you can choose to cancel your subscription, close your account, or re-accept the required consent. Withdrawal of consent does not by itself cancel your subscription or delete your account. Where access to the Service is blocked following withdrawal of consent, you remain responsible for cancelling your subscription. However, we will not knowingly continue to charge you for a period where the Service is not accessible to you due solely to withdrawal of required consent. We will not continue to process your wellness data for the Service after you withdraw consent, except where retention is required by law or permitted elsewhere in this Privacy Policy. You will retain your rights to access, export, and erasure of your data under Section 8.

2A. Consumer Health Data

Mind Wobble is a mental-wellbeing product. Much of what you enter into the App is health-related wellbeing data — information that describes your state of mind, your body, your routines, and how those things change over time. We treat this category of data as consumer health data and it is subject to additional safeguards on top of the general protections described elsewhere in this Privacy Policy.

2A.1 What we treat as consumer health data

For the purposes of this Privacy Policy, consumer health data includes:

  • Mood and emotion entries — mood scores, emotion tags, stress levels, and the notes you attach to them.
  • Journal content — free-text journal entries, drafts, in-progress writing, AI-generated summaries of your entries, and the prompts you respond to.
  • AI coaching conversations — messages you send to the AI coach, the coach’s replies, and summaries of those conversations.
  • Self-reflection and assessment results — answers and outputs from values, wheel-of-life, personality, learning-style, limiting-belief, and similar exercises.
  • Sleep, exercise, hydration, and physical-health data — anything you enter into the App’s tracking features.
  • Profile context that describes your health — date of birth, gender, height, weight, and any health conditions you choose to record.
  • Inferences and summaries — tags, signals, recent-trend summaries, and short-form contextual snapshots we generate from the information above to help the AI coach be more relevant to you.

If a piece of data describes your health, your wellbeing, or your mental state — whether you typed it in yourself or we generated it from what you typed in — we treat it as consumer health data.

2A.2 Why we process it

We process consumer health data only for the following purposes:

  • to deliver the wellness and journaling features you choose to use;
  • to provide AI-supported coaching, AI-generated journal summaries, personalised reflection prompts, and dashboard insights;
  • to detect wording that suggests acute risk to you and to surface crisis-support information inside the App;
  • to keep the App functioning reliably, securely, and free from abuse; and
  • to respond to your support requests and to comply with applicable law.

We do not use consumer health data for advertising, behavioural profiling across other sites or apps, automated decisions that produce legal or similarly significant effects on you, or to train general-purpose AI models provided by third parties.

We process your consumer health data on the basis of your explicit consent under UK GDPR Article 9(2)(a). You give that consent at sign-up through the explicit health-data consent described in Section 2. You can withdraw it at any time from your account settings in the App, or by emailing hello@mindwobble.com. Withdrawal does not affect the lawfulness of processing carried out before you withdrew.

Because consumer health data is the core input to the Service, withdrawing this consent ends the Service for you, as described at the end of Section 2.

2A.4 Sources and sharing of consumer health data

We collect consumer health data directly from you when you enter it into the App, from your use of App features, and in limited cases from service providers that support account, security, or subscription functions.

Consumer health data is shared only with the infrastructure providers strictly needed to run the Service you requested:

  • Supabase hosts your account, profile, and all wellbeing data you enter. Journal entries and AI coaching messages are encrypted at rest using strong, industry-standard cryptographic methods, and are only decrypted on our backend when needed to deliver a feature you have requested.
  • Google (Gemini API) is our primary AI provider. It receives the prompt, selected contextual information, and system instructions needed to generate AI coaching responses, journal summaries, and reflection prompts when you use an AI feature. This is covered in detail in Section 3.
  • OpenAI (OpenAI API) is our fallback AI provider. When the Gemini API is unavailable, the same prompt, selected contextual information, and system instructions are sent to OpenAI instead so that the AI feature you requested can still complete. This is covered in detail in Section 3.
  • Cloudflare processes network-level signals (such as IP address and request metadata) for security and bot protection. Cloudflare does not receive the contents of your journal entries or AI coaching conversations.
  • Sentry receives error reports and diagnostic telemetry. We configure Sentry to minimise collection of directly identifying information, and we do not knowingly send journal content or AI coaching content to Sentry.

We do not share consumer health data with advertisers, data brokers, social networks, analytics platforms for behavioural profiling, or any third party for cross-context behavioural advertising.

Support staff may access consumer health data on a least-privilege basis only when strictly necessary to resolve a support request you have made, to investigate a suspected security incident, or to comply with a lawful request.

2A.5 Security measures specific to consumer health data

In addition to the general security measures described in Section 6, we apply the following controls to consumer health data:

  • Encryption at rest for journal entries and AI coaching conversations, using strong, industry-standard cryptographic methods.
  • Access controls on records containing consumer health data, designed so that your records are accessible to you and to authorised Mind Wobble systems acting on your behalf, and are not accessible to other users.
  • Encryption in transit for all traffic between your browser and our backend, and between our backend and our service providers.
  • Least-privilege access controls for staff, with audit logging of privileged operations.
  • Minimisation in AI context — when we build the context we send to our AI providers (Gemini API or OpenAI API), we include only the profile fields, goals, assessment results, and recent entries that are relevant to the feature you asked for. The same minimisation rules apply whether the request is served by the primary or the fallback provider.

2A.6 Your rights over consumer health data

The data-subject rights described in Section 8 apply to consumer health data, including the right of access, rectification, erasure, restriction, objection, portability, and withdrawal of consent. You can exercise any of these rights by emailing hello@mindwobble.com. We do not require you to explain why you are exercising a right, we do not charge a fee for responding, and we will not retaliate against you for exercising a right.

2A.7 Retention of consumer health data

Consumer health data is kept for as long as your account is active. If you delete your account, your consumer health data is deleted from our production systems within a reasonable period after the deletion request. Encrypted backup copies may persist for a limited disaster-recovery window before being automatically purged.

2A.8 Children

Consumer health data about people under 18 is not within the scope of this Service. We do not knowingly collect consumer health data from anyone under 18. See Section 10.

3. AI Features and Data Processing

Some features in the App use artificial intelligence provided by third-party AI model providers. These features may include AI coaching, journal summaries, values or self-reflection exercises, and similar tools that generate responses, summaries, prompts, or guidance based on information you provide.

Mind Wobble currently uses two AI model providers:

  • Google's Gemini API is our primary AI provider. The vast majority of AI feature requests are served by Gemini.
  • OpenAI's API is our fallback AI provider. When the Gemini API is unavailable, slow, or returns an error, the same request is automatically retried against OpenAI so that the AI feature you requested can still complete.

The same categories of data, the same minimisation rules, and the same on-device behaviour apply regardless of which provider serves a given request.

3.1 When AI features are used

We only send data to an AI provider when you choose to use an AI-powered feature in the App. Using the App generally does not mean that all of your data is automatically sent to Google or to OpenAI. Data is sent only where it is needed to provide the AI feature you have requested, and only to whichever provider is handling that specific request.

3.2 What we may send to the AI providers

Depending on the feature you use, we may send some or all of the following information to whichever AI provider is handling your request:

  • the prompt, message, journal text, or other content you submit to the AI feature;
  • selected contextual information needed to make the response more relevant, such as parts of your profile, active goals, values, assessment results, recent mood trends, and summaries of recent journal entries or previous coaching conversations; and
  • system instructions and technical metadata required to operate the feature.

We aim to limit the amount of data shared with AI providers to what is reasonably necessary for the feature to work. The same context-minimisation rules apply whether the request is served by Gemini (primary) or by OpenAI (fallback).

3.3 How Google processes AI feature data (primary provider)

Mind Wobble uses Gemini API services under Google's paid-service terms. The Google Cloud project that owns our Gemini API key has billing enabled, which places our usage under Google's Gemini API Additional Terms of Service for paid services.

Under Google's current Gemini API terms for paid services:

  • Google states that prompts and responses are not used to improve Google's products;
  • Google may retain prompts, contextual information, and outputs for a limited period for abuse detection, safety, security, and legal or regulatory reasons; and
  • if content is flagged by Google's safety or abuse-monitoring systems, it may be reviewed by authorised Google personnel for policy enforcement purposes.

Google's terms and policies may change over time. We recommend reviewing Google's current terms and privacy documentation for the latest information about how Google handles data submitted to the Gemini API.

3.3A How OpenAI processes AI feature data (fallback provider)

Mind Wobble uses the OpenAI API as a fallback when the Gemini API is unavailable. Our usage is governed by OpenAI's API terms and OpenAI's Business / Enterprise privacy commitments for API customers.

Under OpenAI's current API terms and published data-usage policies:

  • OpenAI states that data submitted by API customers — including prompts and the model's outputs — is not used to train or improve OpenAI's models by default. Mind Wobble has not opted in to any model-training, evaluation, or feedback-sharing programme, and our integration does not enable optional features (such as the Chat Completions store flag) that would cause responses to be retained by OpenAI for distillation or evaluation.
  • OpenAI may retain prompts, contextual information, and outputs for up to 30 days for abuse-monitoring purposes, after which the data is deleted unless otherwise required by law. This 30-day window is OpenAI's default for API customers that have not been granted Zero Data Retention (ZDR) or Modified Abuse Monitoring.
  • If content is flagged by OpenAI's safety or abuse-monitoring systems, it may be reviewed by authorised OpenAI personnel for policy enforcement purposes.

Mind Wobble does not currently have a Zero Data Retention or Modified Abuse Monitoring agreement in place with OpenAI. We may pursue one of those arrangements in the future as our user base grows; if we do, we will update this Privacy Policy to reflect the change.

OpenAI's terms and policies may change over time. We recommend reviewing OpenAI's current terms and privacy documentation for the latest information about how OpenAI handles data submitted to its API.

3.4 Logging and data-sharing settings

Whether AI prompts and responses are used to improve a provider's models is determined by each provider's API terms and configuration rather than by a user-facing toggle inside Mind Wobble.

  • For Google Gemini, our usage runs on Google's paid tier (the Google Cloud project has billing enabled), and under the paid-tier terms Google states that prompts and responses are not used to improve Google's products. We do not enable optional Gemini API features — such as dataset contribution or feedback sharing — that would allow prompts or outputs from Mind Wobble users to be used for model training.
  • For OpenAI, our usage runs against the standard API where, under OpenAI's published data-usage policy for API customers, prompts and outputs are not used to train or improve OpenAI's models by default. We have not opted in to any model-training, evaluation, or feedback-sharing programme, and our integration does not set the Chat Completions store flag (which would retain responses on OpenAI's side for evaluations or distillation).

If we ever opt in to a feature on either provider that would expand how a provider may use Mind Wobble user prompts or outputs, we will update this Privacy Policy and, where required, seek additional consent before making the change.

3.5 Important limitations of AI features

AI-generated content may be inaccurate, incomplete, biased, or inappropriate for your situation. AI features in the App are provided for general wellbeing, reflection, and informational purposes only.

AI features are not a substitute for professional medical advice, mental health care, diagnosis, treatment, crisis support, or emergency services. You should not rely on AI features for clinical, medical, or crisis decision-making. If you are in crisis or think you may be at risk of harm, you should contact emergency services or an appropriate crisis support service immediately.

3.6 Age restriction for AI features

The Site, App, and AI-powered features are intended only for adults aged 18 or over. We do not knowingly make AI-powered features available to anyone under the age of 18.

4. Data Sharing

We do not sell or rent your personal data. We only share personal data where this is necessary to operate the Site and App, provide services you request, comply with the law, protect our rights, or support a corporate transaction.

4.1 Service providers and partners

We share personal data with the following categories of third parties:

ProviderPurposeTypes of data sharedData location
Brevo (Sendinblue SAS)Newsletter delivery and email communications for the SiteEmail address, first name, last name, and email engagement data where applicableFrance (EU)
Rybbit Analytics (self-hosted)Privacy-focused, cookieless usage analytics for the Site and the AppLimited usage and technical data such as the pages visited (including in-app page paths), referrer, browser, device type, and approximate location derived from IP address. It does not receive the content you create in the App.EU
Supabase (Supabase Inc.)Authentication, database hosting, backend functions, and application infrastructureAccount data, profile data, and App data you submit or generate through the serviceUnited States (Ohio)
Google (Gemini API)AI-powered features such as coaching, summaries, and reflective exercises (primary AI provider)Prompts, submitted text, selected contextual information, and AI outputs as described in Section 3United States
OpenAI (OpenAI OpCo, LLC)AI-powered features such as coaching, summaries, and reflective exercises (fallback AI provider, used when Gemini is unavailable)Prompts, submitted text, selected contextual information, and AI outputs as described in Section 3United States
Paddle (Paddle.com Market Ltd)Payment processing, subscriptions, billing administration, fraud prevention, and transaction managementBilling contact information, subscription and transaction details, and purchase-related identifiersUnited Kingdom / EU
Cloudflare (Cloudflare Inc.)Bot detection, CDN, and abuse prevention on sign-up and login flowsIP address, browser and device signals, and request-related technical dataGlobal edge network (United States headquarters)
Sentry (Functional Software Inc.)Error monitoring, crash reporting, and diagnostic telemetry for the AppError events, stack traces, and technical metadata such as app version, browser type, and operating system. We configure Sentry to minimise collection of directly identifying information.United States (Iowa)

We require service providers acting on our behalf to handle personal data only as necessary to provide their services to us, subject to contractual and security safeguards where applicable.

4.2 Independent processing by third parties

Some providers may process personal data for their own purposes as independent controllers, depending on the service they provide and the legal obligations that apply to them. For example, payment providers may process transaction information for fraud prevention, compliance, tax, regulatory, or financial reporting purposes under their own privacy notices and legal obligations.

We may disclose personal data to courts, regulators, law enforcement agencies, government authorities, or professional advisers where necessary to:

  • comply with applicable law, regulation, legal process, or enforceable government request;
  • enforce our terms or other legal rights;
  • detect, investigate, or prevent fraud, abuse, security incidents, or illegal activity; or
  • protect the rights, property, safety, or security of Mind Wobble, our users, or others.

4.4 Business transfers

If Mind Wobble is involved in a merger, acquisition, investment, reorganisation, sale of assets, or similar corporate transaction, personal data may be disclosed to relevant parties such as buyers, investors, lenders, and professional advisers, subject to appropriate confidentiality and legal safeguards.

4.5 No sale of personal data

We do not sell your personal data and do not share it with third parties for cross-context behavioural advertising.

5. Cookies, Local Storage, and On-Device Caching

Mind Wobble uses cookies and other technologies that store information on, or access information from, your device, including browser storage, session storage, local storage, and service worker caching.

5.1 Strictly necessary storage and access technologies

We use certain storage and access technologies where they are necessary to provide the Site or App, support security, or deliver functionality you request. These may include:

  • Authentication and session storage: to keep you signed in securely, maintain your session, and protect account access.
  • Security-related storage or access: to support login protection, bot detection, fraud prevention, and related security controls.
  • Preference storage: to remember settings such as theme preferences or similar user interface choices.
  • Draft and continuity storage: to preserve in-progress journal, mood, coaching, or other feature data locally on your device so that your session is more resilient and your work is less likely to be lost.
  • PWA and performance caching: to cache application assets and related files so the App can load faster, remain installable as a progressive web app, and support limited offline or low-connectivity use.

Where these technologies are strictly necessary to provide the service you request, we rely on the applicable legal exemptions under PECR and related laws.

5.2 Analytics technologies

Across both the Site and the App, we use Rybbit Analytics (self-hosted) to understand which pages are visited and how the product is used, so we can improve it. Rybbit is cookieless, so we do not use analytics cookies. It records page-level usage such as the pages you visit, referrer, device type, and approximate location derived from your IP address, and it does not access the content you create in the App (such as journal entries, mood logs, assessment answers, or messages).

5.3 What may be stored on your device

Depending on how you use the Site and App, data stored on your device may include:

  • session or authentication tokens;
  • user interface and preference settings;
  • in-progress drafts or temporary state for App features;
  • cached static assets and application files; and
  • in some cases, limited cached application data needed to support performance or continuity of use on your device.

We do not intentionally use on-device storage for cross-site advertising or cross-context behavioural advertising.

5.4 How long information may remain on your device

The duration of on-device storage depends on the type of technology and its purpose. For example:

  • session-related data may remain until you log out, your session expires, or you close your browser;
  • preferences and locally stored drafts may remain until they are deleted, overwritten, or cleared by you or by the App;
  • service worker and cached files may remain until they are refreshed, invalidated, replaced by a newer version of the App, or cleared through your browser or device settings.

If you use a shared or public device, we recommend that you log out after use and clear browser or app storage where appropriate.

5.5 Managing storage on your device

You can usually control cookies and other on-device storage through your browser or device settings. You may also be able to clear local storage, cached files, or installed PWA data through your browser or operating system controls.

Please note that disabling or clearing strictly necessary storage may affect the availability, security, or functionality of parts of the Site or App.

6. Security

We take the security of personal data seriously and implement appropriate technical and organisational measures designed to protect it against unauthorised access, alteration, disclosure, loss, misuse, and other unlawful or accidental processing.

These measures may include:

  • encryption of data in transit;
  • encryption at rest for selected sensitive content within the App, including certain journal and AI-related content;
  • access controls and least-privilege restrictions designed to limit access to personal data to authorised personnel and service providers who need it for legitimate operational purposes;
  • authentication, role-based access controls, and administrative safeguards for internal systems;
  • logging, monitoring, and diagnostic processes to help detect, investigate, and respond to reliability and security issues;
  • use of reputable infrastructure and service providers to support hosting, authentication, bot protection, and payment processing;
  • processes designed to test, review, and improve the security of our systems and services over time; and
  • measures intended to support the confidentiality, integrity, and availability of personal data.

Because Mind Wobble may process sensitive wellness information, we apply additional care to systems and workflows that handle that type of data.

No method of transmission over the internet, electronic storage, or security control is completely secure. While we work to protect your information, we cannot guarantee absolute security.

You are also responsible for helping to protect your information, including by using a strong password, keeping your account credentials confidential, and using care when accessing the App on shared or public devices.

7. Data Retention

We keep personal data only for as long as we need it for the purposes described in this Privacy Policy, including to provide the Site or App, comply with legal obligations, resolve disputes, enforce our agreements, and protect our legal rights.

Retention periods vary depending on the type of data and the reason we hold it. In general:

  • Account information is kept for as long as your account remains active and for a limited period afterwards where necessary for account recovery, security, fraud prevention, legal compliance, or dispute resolution.
  • Profile information and App content such as mood entries, journal entries, goals, assessments, coaching conversations, and related summaries are generally retained for as long as your account remains active, unless you delete them earlier or we no longer need them for the purpose for which they were collected.
  • Subscription and transaction records may be retained for longer where necessary for accounting, tax, fraud prevention, audit, legal, or regulatory purposes. In particular, Paddle acts as the merchant of record for Mind Wobble subscriptions and is an independent controller of your payment and billing data. Paddle retains transaction records (including purchase-related identifiers, billing country, amount, VAT, and refund history) for as long as Paddle is required to do so under its own accounting, tax, and regulatory obligations applicable to merchant-of-record services. UK HMRC rules generally require business records to be kept for at least six years; VAT obligations in some EU Member States can extend retention up to ten years. The exact period depends on the country a transaction is billed from and is set by Paddle under its own privacy notice. This retention is managed by Paddle and continues even if you close your Mind Wobble account, and even if we have deleted the subscription-state copy we hold in the App. You can review Paddle's retention practices in Paddle's privacy notice.
  • Support communications and attachments may be retained for as long as reasonably necessary to respond to your request, maintain support history, improve service quality, and protect our legal interests, including the defence of disputes, complaints, and legal claims. This includes any files you upload to a support ticket. Where we retain support records after you close your account, we do so as described under "Retention after account closure" below.
  • Technical logs, security records, and diagnostic data are retained for limited periods based on operational need, incident investigation, abuse prevention, and system security requirements.
  • Newsletter and marketing data is retained until you unsubscribe, withdraw consent, or we otherwise determine that we no longer need to keep it for that purpose.
  • Data stored on your device through local storage, browser storage, or service worker caching may remain until it expires, is refreshed, is overwritten, or is deleted by you or through your browser or device settings.

When we no longer need personal data, we will delete it, anonymise it, or securely isolate it where deletion is not immediately possible, for example in backup systems or where retention is required by law.

If you request deletion of your account or personal data, we will take reasonable steps to delete or anonymise the relevant data, subject to any information we need to retain for legal, security, fraud prevention, accounting, tax, dispute resolution, or regulatory reasons.

Retention after account closure. When you close your account, we permanently delete your identity, profile, and wellbeing and therapeutic content (such as mood entries, journals, coaching conversations, assessments, and related summaries), as described in Section 2A.7. We do, however, retain a limited set of support and billing records in pseudonymised form for up to 6 years from the date of account closure. The records retained are support-ticket metadata (such as category, status, and timestamps), support messages with their personal content removed, the files you uploaded to support tickets, and subscription and transaction records. These records are stripped of direct identifiers and are linked only by an internal reference; they are held solely to prevent fraud and to establish, exercise, or defend disputes, complaints, and legal claims, and are never used for product, analytics, or marketing purposes. Access is restricted to authorised administrators. Our lawful basis for this limited retention is our legitimate interests (UK GDPR Article 6(1)(f)) in preventing fraud and defending legal claims, and the right to erasure does not apply to this set while it remains necessary for the establishment, exercise, or defence of legal claims (UK GDPR Article 17(3)(e)). We use a 6-year period because that is the limitation period for bringing most contract claims under the Limitation Act 1980 (England and Wales). At the end of the 6-year period these records, including the retained attachment files, are permanently deleted. This is separate from Paddle's own retention of billing and tax records described above; for erasure of data Paddle holds as an independent controller, you can contact Paddle directly via paddle.net.

We do not keep personal data indefinitely on a just-in-case basis. We review retention where appropriate and aim to delete or anonymise data when it is no longer needed.

8. Your Rights

Depending on where you are located and subject to applicable law, you may have the following rights in relation to your personal data:

  • Right of access: to request confirmation of whether we process your personal data and, if so, to receive a copy of it and related information.
  • Right to rectification: to request correction of inaccurate personal data or completion of incomplete personal data we hold about you.
  • Right to erasure: to request deletion of your personal data in certain circumstances. This right does not apply where we need to keep data to establish, exercise, or defend legal claims; as explained in Section 7, after account closure we retain a limited set of pseudonymised support and billing records for up to 6 years on this basis.
  • Right to restriction of processing: to request that we limit how we use your personal data in certain circumstances.
  • Right to object: to object to processing based on legitimate interests in certain circumstances, including processing for direct marketing.
  • Right to data portability: to request a copy of certain personal data in a structured, commonly used, and machine-readable format, and in some cases to have that data transmitted to another provider where technically feasible.
  • Right to withdraw consent: where we rely on your consent or explicit consent, you can withdraw it at any time. Withdrawal will not affect the lawfulness of processing carried out before withdrawal.
  • Right to lodge a complaint: to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk or on 0303 123 1113. References in this Privacy Policy to a supervisory authority are to the ICO.

You can exercise your rights by contacting us at hello@mindwobble.com. For access and data portability, you can also generate a copy of your data yourself at any time from your account settings in the App, which produces a structured, commonly used, machine-readable export on demand.

We aim to respond to any rights request without undue delay and in any event within one month of receipt. We may extend this period by up to two further months where a request is complex or where we receive a number of requests from you; if we need to extend, we will let you know within the first month and explain why.

We may need to verify your identity before acting on your request. We may also ask for more information where necessary to understand, process, or respond to your request.

These rights are not absolute and may be limited or subject to exceptions under applicable law. For example, we may need to retain certain information to comply with legal obligations, establish or defend legal claims, prevent fraud or abuse, or maintain security and service integrity.

If we decline or cannot act on a request, we will explain the reasons. You may ask us to review that decision by replying to our response, or by emailing hello@mindwobble.com with "Review of data request" in the subject line. If we deny your appeal and you are entitled to do so under applicable law, we will provide information about any further complaint route available to you, including how to contact the relevant regulator or attorney general where required.

You can also unsubscribe from marketing emails at any time using the unsubscribe link in any marketing email we send.

If you are a paid user, you may also be able to manage or cancel your subscription through the Paddle billing portal or through billing settings made available within the App.

8A. Additional Privacy Rights — United States

If you are a resident of a US state with a consumer privacy law, you may have additional rights beyond those listed in Section 8. This section describes how those laws apply to your use of Mind Wobble.

8A.1 Applicability

This section applies if you reside in California (CCPA/CPRA), Connecticut (CTDPA), Virginia (VCDPA), Colorado (CPA), Utah (UCPA), or any other US state that enacts comparable consumer privacy legislation. Where a state law applies to your personal data, we will honour the rights it provides.

8A.2 Categories of personal information we collect

For the purposes of applicable US state privacy laws, the categories of personal information we have collected in the preceding 12 months include: identifiers (name, email address, account ID); internet or electronic network activity (usage data, device information, error logs); professional or employment-related information (only if you choose to include it in profile or journal content); health-related information and inferences (mood data, journal content, coaching conversations, assessment results, and wellness signals as described in Section 2A); and geolocation data (approximate location derived from IP address).

8A.3 How we use personal information

We use personal information for the business and commercial purposes described in Section 2. We do not use or disclose sensitive personal information for purposes other than providing the Service you requested.

8A.4 Sale, sharing, and targeted advertising

We do not sell your personal information. We do not share your personal information with third parties for cross-context behavioural advertising or targeted advertising as those terms are defined under applicable US state privacy laws. Because we do not sell or share personal information, there is no need to opt out, but you may still contact us at hello@mindwobble.com if you have questions.

8A.5 Your rights under US state privacy laws

Depending on your state of residence, you may have the right to:

  • Know and access the categories and specific pieces of personal information we have collected about you.
  • Delete personal information we have collected from you, subject to certain exceptions.
  • Correct inaccurate personal information we hold about you.
  • Portability — receive a copy of your personal information in a portable, readily usable format. You can generate a data export directly from your account settings in the App.
  • Opt out of sale or sharing — we do not sell or share personal information, so no opt-out action is required.
  • Limit use of sensitive personal information — we use sensitive personal information (including health data) only to provide the Service you requested.
  • Non-discrimination — we will not discriminate against you for exercising any of your privacy rights.

To exercise any of these rights, email us at hello@mindwobble.com. We will verify your identity using the email address associated with your account and respond within the timeframe required by applicable law (generally 45 days, extendable by a further 45 days with notice).

8A.6 Authorised agents

If you are in California, you may designate an authorised agent to submit a request on your behalf. We may require written proof that the agent is authorised to act on your behalf, and we may still need to verify your identity directly.

8A.7 Appeals

If we decline a privacy request, you may appeal by emailing hello@mindwobble.com with "Privacy rights appeal" in the subject line. We will respond to appeals within the timeframe required by applicable law. If your appeal is denied, we will inform you of any further complaint routes available under your state's law, including how to contact your state attorney general where applicable.

8A.8 Consumer health data

Several US states — including Washington (My Health Data Act) and Connecticut (CTDPA) — have specific provisions for consumer health data. The protections we apply to consumer health data are described in Section 2A. We process consumer health data only with your consent, we do not sell it, and we do not use it for advertising.

8B. Additional Privacy Rights — Australia and New Zealand

If you are located in Australia or New Zealand, this section describes how your local privacy laws apply alongside the general rights in Section 8.

8B.1 Australia — Privacy Act 1988 and the Australian Privacy Principles

Mind Wobble is committed to handling personal information in accordance with the Australian Privacy Principles (APPs) set out in the Privacy Act 1988 (Cth) to the extent they apply to our collection and handling of personal information about individuals in Australia.

What we collect and why: The categories of personal information we collect and our purposes for collection are described in Sections 1 and 2. We collect personal information directly from you when you use the Site or App, and in some cases from service providers as described in Section 1.3.

Disclosure to overseas recipients (APP 8): We disclose personal information to service providers located outside Australia, including in the United States (Supabase, Google, OpenAI, Cloudflare, Sentry), the United Kingdom (Paddle), and the European Union (Brevo, Rybbit). Details of these providers and the data they receive are set out in Section 4.1. We take reasonable steps to ensure that overseas recipients handle your personal information in accordance with the APPs through contractual and technical safeguards including data processing agreements, encryption, and access controls as described in Section 6 and Section 2A.5.

Access and correction (APP 12 and APP 13): You can access and correct most of your personal information directly through the App's account settings. You can also generate a data export from your account settings. For requests we cannot fulfil through self-service, email us at hello@mindwobble.com. We will respond within a reasonable period (generally within 30 days). If we refuse a request, we will give you a written notice explaining why and how you can complain.

Complaints (APP 1): If you believe we have breached the APPs, you can lodge a complaint by emailing hello@mindwobble.com. We will acknowledge your complaint within 7 days and aim to resolve it within 30 days. If you are not satisfied with our response, you can complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

Sensitive information (APP 3): Health-related information collected through the App is sensitive information under the Privacy Act 1988. We collect this information only with your consent, as described in Section 2 and Section 2A. You can withdraw your consent at any time.

8B.2 New Zealand — Privacy Act 2020 and the Health Information Privacy Code 2020

Mind Wobble is committed to handling personal information in accordance with the information privacy principles (IPPs) of the New Zealand Privacy Act 2020 and, where applicable, the Health Information Privacy Code 2020 (HIPC) to the extent they apply to our collection and handling of information about individuals in New Zealand.

Health information (HIPC): Because Mind Wobble collects information about your mental and physical health and wellbeing, much of the personal information we process may be health information under the HIPC. The HIPC applies additional rules to health information, including restrictions on how it can be collected, used, stored, and disclosed. We collect health information directly from you, use it only for the purposes described in Section 2 and Section 2A, and do not disclose it except as set out in Section 4.

Access and correction (IPP 6 and IPP 7): You have the right to access your personal information and to request correction of any information that is inaccurate, incomplete, or misleading. You can access most of your information through the App's account settings and data export feature. For other requests, email us at hello@mindwobble.com. We will respond within 20 working days. If we refuse a request, we will explain why and advise you of your right to complain to the Privacy Commissioner.

Cross-border disclosure (IPP 12): We disclose personal information to service providers outside New Zealand as described in Section 4.1 and Section 9. Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure that the recipient is subject to privacy protections comparable to those under New Zealand law, through contractual safeguards including data processing agreements.

Complaints: If you believe we have breached the Privacy Act 2020 or the HIPC, you can lodge a complaint by emailing hello@mindwobble.com. We will acknowledge your complaint within 7 days and aim to resolve it within 20 working days. If you are not satisfied with our response, you can complain to the Office of the Privacy Commissioner (OPC) at privacy.org.nz.

9. International Data Transfers

Mind Wobble operates using service providers and infrastructure that may process personal data in countries outside your country of residence, including outside the United Kingdom.

In particular, personal data processed through the Site or App may be stored in or accessed from countries such as the United States and other jurisdictions where our service providers operate.

For example:

  • Supabase hosts App data through its cloud infrastructure. For any transfer of App data to a country outside the United Kingdom, we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses attached to the Supabase Data Processing Addendum, together with the technical and organisational measures described in Section 6 and Section 2A.5.
  • Google (primary AI provider) may process data submitted to AI features in the United States or other countries where Google or its service providers operate. We have entered into Google's Data Processing Addendum, which incorporates EU Standard Contractual Clauses and the UK Addendum where applicable. Google LLC is also an active participant in the EU-U.S. Data Privacy Framework and the UK Extension, which provides an additional UK adequacy route for personal data transferred to Google LLC in the United States.
  • OpenAI (fallback AI provider) may process data submitted to AI features in the United States or other countries where OpenAI or its service providers operate. For any transfer of App data to a country outside the United Kingdom, we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses attached to OpenAI's Data Processing Addendum, together with the technical and organisational measures described in Section 6 and Section 2A.5. Unlike some of our other US-based providers, OpenAI is not certified under the EU-U.S. Data Privacy Framework or the UK Extension to it; we therefore rely solely on these contractual safeguards for transfers to OpenAI OpCo, LLC.
  • Cloudflare may process limited technical data (including IP address, user agent, and challenge telemetry) in the United States or other countries where Cloudflare operates. Cloudflare Inc. is an active participant in the EU-U.S. Data Privacy Framework and the UK Extension, and the transfer is also covered by the EU Standard Contractual Clauses and the UK Addendum attached to the Cloudflare Data Processing Addendum.
  • Sentry (Functional Software Inc.) hosts error monitoring and diagnostic data in the United States. We rely on the UK Addendum to the Standard Contractual Clauses attached to the Sentry Data Processing Addendum for this transfer, together with technical measures designed to minimise collection of directly identifying information through Sentry. Functional Software Inc. is also an active participant in the EU-U.S. Data Privacy Framework and the UK Extension.
  • Paddle and other providers may also process personal data internationally depending on their infrastructure and operations, subject to the safeguards described above.

Where we make or permit a restricted international transfer of personal data, we take steps intended to ensure that the data remains protected in accordance with applicable data protection law.

Depending on the circumstances, these steps may include:

  • relying on an adequacy regulation or adequacy decision where one is available;
  • putting in place approved transfer mechanisms such as the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or other relevant standard contractual clauses;
  • carrying out transfer risk assessments or equivalent data protection assessments where required; and
  • implementing supplementary contractual, technical, or organisational safeguards where appropriate.

You can contact us at hello@mindwobble.com if you would like more information about the safeguards we use for international transfers of your personal data.

10. Age Restriction

The Site, the App, and all AI-powered features are intended only for adults aged 18 or over.

We do not knowingly collect personal data from, or provide services to, anyone under the age of 18. If we become aware that we have collected personal data from a person under 18, we will take reasonable steps to suspend or close the relevant account and delete the personal data, unless we are required to retain some of it for legal, security, or regulatory reasons.

If you believe that a person under 18 has provided personal data to us or is using the Site or App, please contact us at hello@mindwobble.com.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our services, features, data practices, service providers, legal requirements, or other operational or regulatory developments.

When we make changes, we will update the "Effective date" at the top of this Privacy Policy. If we make material changes, we will take reasonable steps to bring those changes to your attention, such as by posting a prominent notice on the Site or App, notifying registered users in-app, or contacting users by email where appropriate.

Your continued use of the Site or App after an updated Privacy Policy takes effect means that the updated Privacy Policy will apply to your future use of the services. Where required by law, we will seek your consent or provide any additional notice before applying material changes to the way we process your personal data.

12. Contact Us

If you have any questions about this Privacy Policy, want to exercise your data protection rights, or want to contact us about privacy or data protection matters, you can contact us at:

Mind Wobble Limited
Email: hello@mindwobble.com