MINDCHAT PRIVACY POLICY
Last updated: October 16, 2025
INTRODUCTION
LUDOMATIQUE SASU (hereinafter “we”, “us”, or “LUDOMATIQUE”), registered with the Chaumont Trade and Companies Register under number 992 243 857, intra-community VAT number FR45992243857, whose registered office is located at 19 rue Saint Jean, 52000 Chaumont, FRANCE, operates the MindChat service (the “Service”).
We are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights under the General Data Protection Regulation (GDPR) and French data protection law.
Data Controller: LUDOMATIQUE SASU is the data controller responsible for your personal data collected through the Service.
1. DATA WE COLLECT
1.1. Account and Authentication Data
When you create an account, we collect:
- Email address (required for account creation and communication)
- Password (stored only as a salted bcrypt hash, never in plain text)
- Account creation date
- Email verification status
Legal basis: Performance of contract (Article 6(1)(b) GDPR)
Storage duration: Duration of your account + 30 days after deletion
1.2. Profile and Subscription Data
- User role (anonymous_wanderer, curious_mind, essential_spirit, passionate_scholar, patron)
- Stripe customer ID (if you have a paid subscription)
- Stripe subscription ID (if active)
- Subscription status and plan details
- Last update date
Legal basis: Performance of contract (Article 6(1)(b) GDPR)
Storage duration: Duration of subscription + 10 years (tax compliance requirement)
1.3. Payment and Billing Data
When you subscribe to a paid plan, we collect through Stripe:
- Billing address (name, street, postal code, city, country)
- Phone number (optional)
- Tax ID/VAT number (for business customers in EU)
- Payment method details (managed by Stripe; we never see full card numbers)
- Transaction history
- IP address at time of purchase
Legal basis:
- Performance of contract (Article 6(1)(b) GDPR)
- Legal obligation for tax compliance (Article 6(1)(c) GDPR)
Storage duration: 10 years (French legal requirement for accounting records)
Third-party processor: Stripe Inc., certified PCI-DSS Level 1. See Stripe’s Privacy Policy
1.4. Usage Data
We track your usage of the Service to enforce subscription limits:
- Number of messages sent per day
- Authors accessed
- Date and time of usage
Legal basis: Performance of contract (Article 6(1)(b) GDPR)
Storage duration:
- Daily message counts: 24 hours (rolling window)
- Author access history: Duration of account
- Historical logs: 90 days
1.5. Conversation Data
- Messages you send to AI chatbots (prompts, questions)
- AI-generated responses you receive
Legal basis:
- Performance of contract (Article 6(1)(b) GDPR)
- Legitimate interest for service improvement (Article 6(1)(f) GDPR)
Storage duration:
- For registered users: Duration of account (accessible in your history)
- For anonymous users: 24 hours
- Anonymized analytics data: 3 years
Important: We may use anonymized conversation data to improve our Service quality. You can opt out by contacting us.
1.6. Technical and Analytics Data
- IP address (for security, fraud prevention, and tax compliance)
- Browser type and version
- Device type (desktop, mobile, tablet)
- Operating system
- Referring website
- Pages visited and time spent
- Language preference
Analytics provider: PostHog (EU-hosted, GDPR-compliant)
Legal basis: Legitimate interest (Article 6(1)(f) GDPR) for service improvement and security
Storage duration:
- Raw IP addresses: 90 days
- Anonymized analytics: 2 years
Your choice: You can opt out of analytics tracking through our cookie consent banner.
1.7. Cookies
We use cookies for:
- Essential cookies: Authentication, session management (cannot be disabled)
- Analytics cookies: Usage statistics via PostHog (can be disabled)
See our Cookie Policy for details on managing cookie preferences.
2. HOW WE USE YOUR DATA
We use your personal data to:
2.1. Provide the Service
- Create and manage your account
- Authenticate you securely
- Enable conversations with AI chatbots
- Store your conversation history (for registered users)
- Enforce usage limits based on your subscription tier
2.2. Process Payments
- Handle subscriptions and billing
- Generate invoices
- Detect and prevent fraud
- Comply with tax regulations (French and EU)
2.3. Communicate with You
- Send transactional emails (account verification, password reset, receipts)
- Notify you of important Service updates
- Respond to your support requests
Marketing communications: We do not currently send marketing emails. If this changes, you will have the right to opt out.
2.4. Improve the Service
- Analyze usage patterns (anonymized)
- Improve AI model quality (anonymized conversation data)
- Fix bugs and technical issues
- Develop new features
2.5. Legal Compliance
- Comply with legal obligations (tax records, accounting)
- Respond to legal requests from authorities
- Enforce our Terms of Service
- Protect against fraud and abuse
3. DATA SHARING AND TRANSFERS
3.1. Third-Party Service Providers
We share your data with trusted service providers:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Authentication, database | Email, account data, conversations | EU (Frankfurt) |
| Stripe | Payment processing | Billing info, payment data | EU & US (adequacy decision) |
| PostHog | Analytics | Usage statistics, anonymized behavior | EU |
| OpenAI | AI responses | Your messages (anonymized) | US (Standard Contractual Clauses) |
| Vercel | Hosting | Technical logs, IP addresses | EU & US (adequacy decision) |
All third-party processors are carefully selected and bound by data processing agreements compliant with GDPR Article 28.
3.2. International Transfers
Some service providers are located outside the European Economic Area (EEA):
- Stripe, Vercel: Rely on EU-US Data Privacy Framework adequacy decision
- OpenAI: Standard Contractual Clauses (SCCs) approved by the European Commission
We ensure appropriate safeguards are in place for all international transfers.
3.3. Legal Disclosure
We may disclose your data if required by law, court order, or governmental authority, or to protect our legal rights.
3.4. No Selling of Data
We never sell your personal data to third parties.
4. YOUR RIGHTS UNDER GDPR
As a data subject in the EU, you have the following rights:
4.1. Right of Access (Article 15)
You can request a copy of all personal data we hold about you.
4.2. Right to Rectification (Article 16)
You can correct inaccurate or incomplete data. You can update most information directly in your profile settings.
4.3. Right to Erasure / “Right to be Forgotten” (Article 17)
You can request deletion of your account and personal data.
Important exceptions:
- We must retain billing and transaction data for 10 years (French legal obligation)
- Anonymized analytics data may be retained for statistical purposes
4.4. Right to Restriction of Processing (Article 18)
You can request we limit processing of your data in certain circumstances.
4.5. Right to Data Portability (Article 20)
You can receive your data in a structured, machine-readable format (JSON) and transfer it to another service.
4.6. Right to Object (Article 21)
You can object to processing based on legitimate interest (e.g., analytics, marketing).
4.7. Right to Withdraw Consent (Article 7)
Where processing is based on consent, you can withdraw it at any time.
4.8. Right to Lodge a Complaint
You have the right to lodge a complaint with your national data protection authority:
- France: CNIL (Commission Nationale de l’Informatique et des Libertés) - www.cnil.fr
- Other EU countries: See edpb.europa.eu
4.9. How to Exercise Your Rights
Contact us at: contact@mindchat.world
We will respond within 1 month (extendable to 3 months for complex requests).
5. DATA SECURITY
We implement appropriate technical and organizational measures to protect your data:
5.1. Technical Measures
- Encryption in transit: All communications use HTTPS/TLS
- Encryption at rest: Database encryption via Supabase
- Password hashing: Bcrypt algorithm with salt
- Access control: Role-based access, principle of least privilege
- Regular backups: Automated daily backups with encryption
- Security monitoring: Sentry error tracking, automated alerts
5.2. Organizational Measures
- Data protection by design and by default
- Limited employee access to personal data (need-to-know basis)
- Data processing agreements with all processors
- Regular security audits and updates
- Incident response plan
5.3. Data Breach Notification
In case of a data breach likely to result in high risk to your rights, we will notify:
- The relevant supervisory authority (CNIL) within 72 hours
- Affected users without undue delay
6. DATA RETENTION
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Account data | Duration of account + 30 days | Contract performance |
| Conversation history | Duration of account (or 24h for anonymous) | Contract performance |
| Usage tracking | 24-90 days | Contract performance |
| Payment/billing data | 10 years after transaction | Legal obligation (French tax law) |
| Tax compliance data | 10 years after last purchase | Legal obligation |
| Analytics data | 2 years (anonymized) | Legitimate interest |
| Technical logs | 90 days | Security & legitimate interest |
After the retention period, data is automatically deleted or anonymized.
7. CHILDREN’S PRIVACY
The Service is not intended for children under 16 years old. We do not knowingly collect personal data from children under 16.
If you believe we have inadvertently collected data from a child under 16, please contact us immediately at contact@mindchat.world and we will delete it promptly.
Parents/guardians: If you discover your child has created an account, contact us to request deletion.
8. AUTOMATED DECISION-MAKING AND PROFILING
8.1. AI-Generated Content
The Service uses AI to generate conversation responses. This is not considered “automated decision-making” under GDPR Article 22 as it does not produce legal effects or similarly significantly affect you.
8.2. Fraud Detection
We may use automated tools to detect fraudulent transactions. If a transaction is flagged, a human will review it before taking action.
8.3. No Profiling for Marketing
We do not use your data for automated profiling or targeted advertising.
9. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy to reflect changes in:
- Our data practices
- Legal or regulatory requirements
- Service features
Notification: We will notify you of material changes by:
- Email (to your registered email address)
- Prominent notice on the Service
Your consent: Continued use of the Service after changes constitutes acceptance. If you disagree, you may delete your account.
Version history: Previous versions are available upon request.
10. CONTACT US
Data Protection Officer
LUDOMATIQUE SASU does not currently have a dedicated DPO (not required under GDPR for our size). For all data protection inquiries:
Email: [data-protection@mindchat.world] (to be configured)
Postal address:
LUDOMATIQUE SASU
Data Protection Inquiries
19 rue Saint Jean
52000 Chaumont
FRANCE
Response time: We aim to respond within 5 business days for general inquiries, and within 1 month for rights requests (as required by GDPR).
11. SPECIFIC INFORMATION FOR EU RESIDENTS
11.1. Legal Basis Summary
We process your personal data under the following legal bases:
- Contract performance (Article 6(1)(b)): Account, Service delivery, subscriptions
- Legal obligation (Article 6(1)(c)): Tax compliance, accounting records
- Legitimate interest (Article 6(1)(f)): Analytics, fraud prevention, service improvement
- Consent (Article 6(1)(a)): Optional analytics cookies, marketing (if any)
11.2. Data Protection Authority
France: CNIL - 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07
Website: www.cnil.fr
Phone: +33 1 53 73 22 22
11.3. Cross-Border Transfers
When we transfer data outside the EEA, we rely on:
- Adequacy decisions (Article 45): For countries deemed adequate by the EU Commission
- Standard Contractual Clauses (Article 46): For other transfers
- Your explicit consent (Article 49): In specific cases where you are informed
12. CALIFORNIA RESIDENTS (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know what personal information is collected
- Right to know if personal information is sold or disclosed
- Right to opt-out of sale (we do not sell data)
- Right to deletion
- Right to non-discrimination
Note: MindChat primarily serves EU users. CCPA rights are provided out of courtesy but may not apply if you are not a California resident.
13. GLOSSARY
- GDPR: General Data Protection Regulation (EU) 2016/679
- Personal Data: Any information relating to an identified or identifiable natural person
- Data Controller: The entity that determines the purposes and means of processing personal data (LUDOMATIQUE SASU)
- Data Processor: An entity that processes personal data on behalf of the controller (e.g., Stripe, Supabase)
- Data Subject: The individual to whom personal data relates (you)
- Processing: Any operation performed on personal data (collection, storage, use, disclosure, deletion)
SUMMARY TABLE: YOUR DATA AT A GLANCE
| What We Collect | Why | How Long | Your Control |
|---|---|---|---|
| Email, password | Account access | Account duration + 30 days | Delete account |
| Subscription details | Billing, limits | 10 years (tax law) | Cancel subscription |
| Messages & conversations | Service delivery | Account duration (or 24h) | Delete account |
| Payment info (via Stripe) | Payments, invoicing | 10 years (tax law) | Contact Stripe |
| Usage statistics | Improve Service | 2 years (anonymized) | Opt-out of analytics |
| IP address, device | Security, analytics | 90 days | Use VPN, opt-out |
This Privacy Policy was last updated on October 1, 2025 and is effective immediately.
If you have any questions about this Privacy Policy or our data practices, please contact us at contact@mindchat.world.