Privacy Policy

Last updated: May 2026

Overview

Mindleaf is a stress-relief breathing app. We are committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights.

What we collect

When you use Mindleaf without an account (as a guest), we store a random device identifier on your device to track your session history locally. This identifier is not linked to your identity.

When you create an account, we collect:

  • Your email address (for authentication)
  • Your session history (which moods you selected, session duration, timestamps)
  • Your subscription status (free or Pro)

What we do not collect

  • We do not collect your name, phone number, or physical address
  • We do not track your location
  • We do not use third-party analytics or advertising SDKs
  • We do not sell, share, or rent your data to anyone
  • We do not use cookies or web tracking
  • We do not access your contacts, photos, or other device data

How we use your data

Your session data is used solely to:

  • Show your session history and reset counts
  • Provide weekly Reflect insights (Pro feature)
  • Sync your data across devices when signed in

Your email is used solely for authentication and password resets. We will never send marketing emails without your explicit consent.

Data storage & security

Your data is stored securely on Supabase (hosted on AWS). All data is protected by Row Level Security — you can only access your own data. All connections use HTTPS encryption.

Sound files are stored in a private cloud storage bucket and accessed via time-limited signed URLs.

Guest data

If you use Mindleaf without creating an account, your session history is linked to a random device token stored on your device. This data cannot be used to identify you. If you later create an account, your guest sessions are migrated to your account.

Data retention

Your data is retained for as long as your account exists. When you delete your account, all associated data (sessions, plan status, email) is permanently and immediately deleted from our servers. This action cannot be undone.

Your rights

You have the right to:

  • Access your data (visible in the app's History and Account screens)
  • Delete your data (Settings → Delete account)
  • Export your data (contact us)
  • Withdraw consent at any time by deleting your account

If you are in the EU/UK, you have additional rights under GDPR, including the right to rectification and the right to lodge a complaint with a supervisory authority.

Children

Mindleaf is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

Third-party services

We use the following third-party services:

  • Supabase — authentication and database hosting
  • Google Sign In — optional OAuth authentication
  • Apple Sign In — optional OAuth authentication

We do not use any advertising networks, analytics platforms, or data brokers.

Changes to this policy

We may update this policy from time to time. If we make significant changes, we will notify you through the app. Continued use of Mindleaf after changes constitutes acceptance of the updated policy.

Contact

If you have questions about this policy or your data:

Email us at [email protected]