Mindata Pattern

Privacy Policy

Effective date: March 20, 2026 · Last updated: March 20, 2026

This Privacy Policy explains how Mindata Labs SL collects, uses, stores, and protects your personal data when you use the Mindata Pattern mobile application. Please read it carefully. By using the App, you acknowledge that you have read and understood this Policy.

1. Data Controller

Mindata Labs SL
Paseo de la Independencia 24, 4th Floor, Office 8
50004 Zaragoza, Spain
Email: privacy@mindatapattern.app

For users in the European Union, Mindata Labs SL acts as the data controller under Regulation (EU) 2016/679 (GDPR). For California residents, this Policy also addresses rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA.

2. Information We Collect

2.1 Information you provide directly

Data	Purpose	Required
Email address	Account creation and authentication	Yes
Display name	Personalization within the App	Optional
Password	Authentication (stored as a bcrypt hash; we never store plaintext passwords)	Yes (email login)
Client measurements	Generating sewing patterns; stored as encrypted profile records linked to your account	Yes (to use core features)
Client profile names	Identifying measurement profiles within the App	Optional

2.2 Information collected automatically

Data	Purpose	Retention
Device identifier (randomly generated UUID)	Device-session binding and conflict detection	Duration of account
Device model (e.g., "iPhone 15 Pro")	Displayed in device-conflict notifications	Duration of account
Platform (iOS / Android)	Compatibility and analytics	Duration of account
App version	Debugging and minimum-version enforcement	Rolling 90 days
Pattern usage logs (design key, timestamp, success/failure, duration)	Rate limiting, abuse prevention, product analytics	Rolling 12 months
Authentication event logs (login, logout, register) including IP address and timestamp	Security monitoring and fraud prevention	Rolling 12 months

2.3 Information received from third parties

Google OAuth: When you choose "Sign in with Google", we receive your Google account email address and a unique Google identifier. We do not receive your Google password or access to other Google services.
Apple Sign In: When you choose "Sign in with Apple", we receive a unique Apple-generated identifier and, optionally, an email address (which may be an Apple-relay address). We do not receive your Apple ID password.
Apple App Store / Google Play: We receive a cryptographic receipt confirming that a valid purchase has been made. We do not receive your credit card number, billing address, or any other payment details.

2.4 Information we do NOT collect

Payment card numbers or billing information
Precise GPS location
Contacts, photos, or camera access
Browsing history or cross-app activity
Biometric data (Face ID / fingerprint data never leaves your device)
Health or medical data
Data from children under 16 years of age

3. Legal Basis for Processing GDPR

Processing activity	Legal basis (Art. 6 GDPR)
Account creation and authentication	Performance of contract (Art. 6.1.b)
Pattern generation and storage	Performance of contract (Art. 6.1.b)
Purchase verification	Performance of contract (Art. 6.1.b)
Security monitoring and fraud prevention	Legitimate interests (Art. 6.1.f)
Rate limiting and abuse prevention	Legitimate interests (Art. 6.1.f)
Aggregated product analytics	Legitimate interests (Art. 6.1.f)
Compliance with legal obligations	Legal obligation (Art. 6.1.c)

4. How We Use Your Information

Provide and operate the service: authenticate your identity, manage your session, and generate sewing patterns based on the measurements you provide.
License verification: confirm that you hold a valid, paid license before allowing access to pattern generation.
Device conflict management: enforce the one-active-device policy and notify you if your account is accessed from a different device.
Security and integrity: detect and prevent unauthorized access, abuse, and fraud.
Product improvement: analyze aggregated, anonymized usage patterns to improve app performance and prioritize new features.
Customer support: respond to your inquiries and resolve technical issues.
Legal compliance: meet our obligations under applicable law, including data retention requirements.

We do not sell your personal data. We do not use your data for advertising or share it with advertising networks.

5. Data Sharing and Disclosure

We share your data only in the following limited circumstances:

5.1 Service providers (processors)

Provider	Purpose	Location	Safeguards
Railway (PaaS)	Cloud hosting for API server, database, and cache	EU (West)	GDPR-compliant DPA
Apple Inc.	Purchase receipt verification; Sign In with Apple	USA	SCCs / Privacy Shield successor
Google LLC	Purchase receipt verification (Play Store); Google OAuth	USA	SCCs / Privacy Shield successor

All processors are bound by data processing agreements and may only process your data on our documented instructions.

5.2 Legal requirements

We may disclose your data if required by law, court order, or to protect the rights, property, or safety of Mindata Labs SL, our users, or the public.

5.3 Business transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity. You will be notified in advance, and the successor will be required to honor this Privacy Policy or obtain fresh consent.

6. International Data Transfers

Your data is primarily stored on servers located in the European Union. When data is transferred to the United States (Apple, Google), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplementary technical measures, and the adequacy decisions in force. A copy of the applicable transfer mechanisms can be obtained by contacting us.

7. Data Security

We implement technical and organizational measures proportionate to the risk, including:

Encryption in transit: All communications between the App and our servers use TLS 1.2 or higher.
Encryption at rest: Sensitive data fields are encrypted at the database level.
Authentication tokens: Short-lived JSON Web Tokens (15-minute expiry) with rotating refresh tokens (30-day expiry). Tokens are invalidated immediately on logout.
On-device storage: Access and refresh tokens are stored in the OS Keychain (iOS) or Android Keystore — hardware-backed secure enclaves not accessible to other apps.
Password hashing: Passwords are hashed using bcrypt with a cost factor of ≥12. Plaintext passwords are never stored or logged.
Rate limiting: API endpoints are rate-limited to prevent brute-force attacks.
Network isolation: The pattern-generation engine has no public internet access; it communicates only within our private internal network.
Access control: Production systems are accessible only to authorized personnel via SSH keys with multi-factor authentication.

Despite these measures, no system is perfectly secure. In the event of a data breach that is likely to result in a high risk to your rights, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by GDPR Art. 33–34.

8. Data Retention

Data category	Retention period
Account data (email, name, hashed password)	Until account deletion, then deleted within 30 days
Client measurement profiles	Until you delete them or your account
Purchase records	7 years (tax and accounting obligations under Spanish law)
Authentication and security logs	Rolling 12 months
Pattern usage logs	Rolling 12 months, then aggregated anonymously
Backup snapshots	Maximum 30 days after the original data is deleted

9. Your Rights

9.1 Rights under GDPR (EU / EEA residents) GDPR

Right of access (Art. 15): obtain a copy of the personal data we hold about you.
Right to rectification (Art. 16): correct inaccurate or incomplete data.
Right to erasure (Art. 17): request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
Right to restriction (Art. 18): ask us to restrict processing while a dispute is resolved.
Right to data portability (Art. 20): receive your data in a structured, machine-readable format.
Right to object (Art. 21): object to processing based on legitimate interests.
Right to lodge a complaint: file a complaint with the Spanish Data Protection Authority (AEPD) at aepd.es, or with the supervisory authority of your country of residence.

9.2 Rights under CCPA / CPRA (California residents) CCPA

Right to know: request disclosure of the categories and specific pieces of personal information we have collected.
Right to delete: request deletion of your personal information, subject to certain exceptions.
Right to correct: request correction of inaccurate personal information.
Right to opt out of sale/sharing: we do not sell or share personal information for cross-context behavioral advertising.
Right to non-discrimination: we will not discriminate against you for exercising your privacy rights.

To exercise any of the above rights, email us at privacy@mindatapattern.app. We will respond within 30 days (GDPR) or 45 days (CCPA). You can also delete your account directly from the App's Settings screen, which will automatically trigger data erasure.

10. Children's Privacy

Mindata Pattern is not directed to children under the age of 16 (or 13 in jurisdictions where 13 is the applicable minimum age). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately at privacy@mindatapattern.app and we will delete such data promptly.

11. Cookies and Tracking Technologies

The Mindata Pattern mobile application does not use cookies, web beacons, or cross-app tracking technologies. The App does not contain any advertising SDKs or third-party analytics frameworks that track you across other apps or websites.

If you access our website at mindatapattern.app, we may use essential session cookies to serve the pages and basic server-side access logs. We do not use marketing or analytics cookies on our website.

12. Third-Party Links and Services

The App or website may contain links to third-party websites (e.g., Apple App Store, Google Play). These sites have their own privacy policies, and we are not responsible for their content or practices. We encourage you to review the privacy policies of any third-party sites you visit.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by:

Displaying a notice within the App before the change takes effect; and/or
Sending an email to the address associated with your account, where feasible.

The "Last updated" date at the top of this page reflects the most recent revision. We encourage you to review this Policy periodically. Your continued use of the App after the effective date constitutes your acknowledgment of the revised Policy.

14. Contact Us

Mindata Labs SL

Paseo de la Independencia 24, 4th Floor, Office 8
50004 Zaragoza, Spain

Privacy inquiries: privacy@mindatapattern.app

General support: support@mindatapattern.app

We aim to respond to all privacy-related requests within 30 days. For complex requests, we may extend this period by an additional 60 days and will notify you accordingly.