1. About this policy
This policy explains what MindBack collects, why, where it lives, and the rights you have over it. It covers the MindBack iOS app, the mindbackapp.com website, and the MindBack backend.
The data controller responsible for your personal data is QuantumPivot Limited, a company registered in England and Wales (“we”, “us”, “MindBack”). “You” is the person using MindBack. We are not required to appoint, and have not appointed, a statutory Data Protection Officer; privacy questions go to privacy@mindbackapp.com, a monitored mailbox for data-protection requests.
This policy sits alongside our Terms of Service. If it changes in a way that affects you, we’ll tell you in the app before the change takes effect.
2. What we collect, and why
We group your data into a few plain-English buckets.
Account data
- Email - so you can sign in and so we can contact you about your account.
- Username and display name - how you appear in the app.
- Birth year - we ask for your date of birth once at sign-up, store only the year, and use it to check you’re 13+. We don’t store your birthday.
Profile data
- Bio (optional) - whatever you write about yourself. Leave blank if you prefer.
- Avatar emoji - the letter or emoji shown on your profile.
- Timezone - your IANA timezone (e.g. Europe/London), used to decide when your day starts and ends for streaks and monthly resets.
Focus session data
- Completed session metadata - for each focus session you finish: the kind (Quick Focus, preset, or scheduled block), the duration in minutes, and the start and end timestamps.
- XP, streak counters, and achievement unlocks - calculated by our server from the session metadata above.
- Daily activity totals - one record per day, counting focus minutes and sessions.
Social data
- Friendships - if you add friends, we store who is connected to whom.
Support data
- Correspondence - if you email us, we keep your message and our reply so we can help and keep a record.
On-device only - never sent to us
- Screen Time data from Apple’s Family Controls and DeviceActivity frameworks.
- Which specific apps you choose to block.
See section 3 for detail on how this works.
3. Family Controls and Screen Time - on-device only
MindBack uses Apple’s Family Controls, DeviceActivity, and ManagedSettings frameworks to block apps and measure screen time.
Apple’s Family Controls entitlement forbids us from exporting your Screen Time data off your device, and we don’t.
- Your per-app screen time totals stay on your iPhone. We never transmit them.
- Minute totals reported by DeviceActivity stay on your iPhone. The focus minutes we store on our server come from our own timers (how long your focus sessions ran), not from Apple’s Screen Time measurements.
- Achievements that depend on screen time are calculated entirely inside an on-device extension. Our server receives only an “unlocked” flag. No numbers, no app names.
If you revoke the Family Controls permission in iOS Settings, the app’s blocking features stop working but your account is otherwise unaffected.
4. Opaque app-selection tokens
When you pick which apps to block, iOS gives MindBack an object called a FamilyActivitySelection. This contains opaque tokens - random-looking references that only mean something on your specific device.
To keep your block schedules across reinstalls, we sync these tokens to our backend, base64-encoded and stored against your account. To be explicit:
- These tokens do not contain bundle IDs.
- They do not contain app names or icons.
- They are meaningless off your device. No one reading them - including us - can tell which apps you’ve chosen.
- After a reinstall, tokens may no longer resolve to apps on the new device. When that happens we prompt you to re-pick your apps.
- They are deleted along with the rest of your account data when you delete your account (see section 8).
We chose this design so that even our own backend can’t see which apps you’re blocking.
5. Our legal bases for using your data
If you are in the UK or EU, data-protection law requires us to have a “legal basis” for each use of your personal data. Ours are:
- Performance of a contract - we process your account, profile, focus session, and social data to provide MindBack to you under our Terms of Service. Without this data we cannot run your account.
- Consent - we send push notifications, and enable optional features such as adding friends, only where you have turned them on. You can withdraw consent at any time, in the app or in iOS Settings, without affecting the lawfulness of earlier processing.
- Legitimate interests - we use data to keep MindBack secure, prevent fraud and abuse, fix bugs, respond to support requests, and check that users meet our minimum age requirement so that we protect children and respect the digital-consent-age rules. We balance these interests against your rights and use the minimum data needed.
- Legal obligation - we may process data where the law requires it, for example to respond to a valid legal request or to keep records we are legally required to keep.
6. Where your data lives, and international transfers
Our backend has two parts:
- Supabase handles authentication - it stores your email and the credential material needed to sign you in. See supabase.com/privacy.
- MongoDB Atlas and Heroku (database and application hosting) store your profile, session metadata, streaks, XP, achievements, and friendships.
Both are US-based by default. If you use MindBack from outside the US - including from the UK or EU - your data is transferred to and processed in the United States. Push notifications are delivered via Apple Push Notification service (APNs); see section 12.
Where we transfer personal data out of the UK or the European Economic Area, we rely on appropriate safeguards to protect it - in particular the UK International Data Transfer Agreement (or the UK Addendum) and the European Commission’s Standard Contractual Clauses with our providers, and, where a provider is certified, the EU–US / UK Data Privacy Framework. You can ask us for more information about these safeguards using the contact details in section 15.
7. How we use your data
We use your data to:
- Sign you in and keep your session alive.
- Show you your profile, stats, streaks, XP, achievements, and focus history.
- Calculate streak increases and resets based on your timezone.
- Reset monthly focus minutes on the 1st of each month in your local timezone.
- Send notifications you’ve opted in to - scheduled session alerts, streak reminders, weekly wrap-ups.
- Verify you’re 13 or older (using your stored birth year).
- Keep block schedules in sync across reinstalls.
- Let you connect with friends if you choose to.
- Keep MindBack secure and prevent fraud and abuse.
- Reply to you if you contact support.
We don’t sell or “share” your data (as those terms are used in US state privacy laws). We don’t share it with advertisers. We don’t use it to train machine-learning models, and we don’t use it for automated decision-making that produces legal or similarly significant effects on you.
8. How long we keep it
We keep your data for as long as your account is active.
When you delete your account:
- We soft-delete your data immediately - it’s marked as deleted and stops being used in the product.
- Within 30 days we hard-delete it from our active databases. This window allows for App Store appeal timelines and for our backup rotation, so the data also ages out of our backups.
- Your authentication record in Supabase is deleted as part of the same flow.
We may keep a limited amount of data for longer where the law requires it, or where we need it to establish, exercise, or defend a legal claim - kept only for as long as necessary for that purpose, and in any event no longer than the applicable limitation period (generally six years in England and Wales).
You can delete your account any time from Settings → Delete Account. You’ll be asked to type DELETE to confirm. There’s no un-delete.
9. Children
MindBack is for users 13 and older only. It is a general-audience product, is not directed to children under 13 within the meaning of the U.S. Children’s Online Privacy Protection Act (COPPA), and we do not knowingly collect personal information from children under 13.
- At sign-up we ask for your date of birth. If you’re under 13, we don’t create an account.
- We store only the year of birth, not the full date.
- If we discover an account belongs to someone under 13, we delete it without undue delay, and in any event within 30 days.
- Some countries set a higher “digital consent” age (up to 16 in parts of the EU). Where that applies, users below that age should use MindBack only with a parent or guardian’s involvement.
- We don’t offer a parental-consent flow in this version. If you’re a parent or guardian setting up screen time controls for a younger child, Apple’s built-in Screen Time in iOS Settings is the right tool.
If you believe a child under 13 has an account with us, please email privacy@mindbackapp.com.
10. Your rights (UK and EU)
You have rights over your personal data. Under the UK GDPR and the EU GDPR, these include:
- Access - ask what we hold about you.
- Deletion - delete your account and all associated data via Settings → Delete Account (subject only to the limited legal-retention exceptions in section 8).
- Export / portability - request a copy of your data in a machine-readable format.
- Correction - most profile fields are editable in Settings → Edit Profile; for anything else, email us.
- Objection and restriction - ask us to stop or limit how we use your data.
- Withdraw consent - where we rely on your consent, turn it off in the app or at the iOS level.
How to exercise these rights
- Deletion is self-serve. You don’t need to email us.
- For export, access, correction, or anything else, email privacy@mindbackapp.com and we’ll respond within one month, the period the law allows. For complex requests the law lets us extend this by up to two further months; if we need to, we’ll tell you within the first month and explain why.
Exercising these rights is free. We may ask you to confirm your identity before we act, and in rare cases the law lets us charge a reasonable fee or decline a request that is manifestly unfounded or excessive.
11. Your rights (United States)
Depending on the U.S. state you live in - including California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and a growing number of others - you may have the right to:
- know what personal information we collect, the categories of sources, and the purposes for collecting it;
- access and obtain a copy of that information in a portable format;
- correct inaccurate personal information;
- delete your personal information;
- opt out of the sale or “sharing” of personal information, and of targeted advertising and certain profiling; and
- not be discriminated against for exercising any of these rights.
Categories of personal information
In the category language used by U.S. state privacy laws, in the past 12 months we have collected identifiers (such as your email and a user ID), customer records (your username, display name, and optional bio), internet or other electronic activity limited to your in-app focus activity, and inferences we calculate from it (streaks, XP, achievements). We collect this from you directly and from your use of the app, we use it for the purposes in section 7, and we disclose it only to the service providers in section 12. We did not collect it for any other purpose.
Sale, sharing, targeted advertising, and sensitive data
We do not sell your personal information, we do not “share” it for cross-context behavioural advertising, and we do not use it for targeted advertising or for profiling that produces legal or similarly significant effects - as those terms are defined under the California Consumer Privacy Act (CCPA/CPRA) and similar state laws. Because none of these activities happen, there is no “Do Not Sell or Share My Personal Information” opt-out to provide; you still have the right, and we honour it simply by not doing those things.
We also do not collect or process “sensitive personal information” (as defined by U.S. state privacy laws) in any way that would trigger a right to limit its use: your Screen Time data and your app selections stay on your device and are never transmitted to us (see sections 3 and 4), and we hold only your year of birth, used solely for age eligibility. We offer no financial incentives in exchange for personal information.
How to exercise your U.S. rights
To delete your data, use Settings → Delete Account. For any other request, email privacy@mindbackapp.com. We will confirm receipt within 10 business days and respond within 45 days, extendable once by a further 45 days where the law allows and we tell you why. We may need to verify your identity before acting. You may use an authorised agent to make a request for you; we will ask the agent for proof of authorisation and may still verify your identity directly.
Appeals. If we decline your request we will tell you why. You may appeal by replying to our decision within 45 days; we will respond to the appeal within 45 days (or 60 days where state law allows). If your appeal is denied and you remain unsatisfied, you may contact the Attorney General of your state. Nevada residents may submit a verified request not to sell covered information; as noted above, we do not sell personal information.
12. Third parties
We use a small number of third-party services, each acting as our processor or as an independent controller. Each is listed with what it does and what it sees:
- Supabase (authentication). Sees: your email, password hash, auth tokens.
- MongoDB Atlas / Heroku (database and hosting). Sees: everything in section 2 that isn’t on-device-only.
- Apple Push Notification service (push delivery). Sees: a device token and the notification payload. See Apple’s privacy policy.
We put data-processing terms in place with our processors. We may also disclose data where we are legally required to, to enforce our Terms of Service, or in connection with a merger, acquisition, or sale of assets - in which case we will tell you and this policy will continue to apply.
We do not use any analytics SDKs in this version of MindBack. No Firebase Analytics, no Mixpanel, no Amplitude, no third-party crash reporting with user identifiers. If this changes, we’ll update this policy and tell you in-app before it takes effect.
13. How we protect your data
We use technical and organisational measures appropriate to the data we hold - including encryption in transit, hashed credentials, access controls, and the on-device-only design described in sections 3 and 4. No system is ever completely secure, so we can’t guarantee absolute security, but we work to protect your data and will notify you and the relevant regulator of a personal data breach where the law requires (under the UK and EU GDPR, that means notifying the regulator within 72 hours of becoming aware of a notifiable breach).
14. Changes to this policy
If we change this policy in a way that affects how we handle your data, we’ll:
- Update the “last updated” date at the top.
- Show a notice inside the app before the new version takes effect.
- Keep the previous version available on request.
Small edits for clarity or typo fixes don’t trigger a notice.
15. Contact and complaints
Questions, requests, or complaints about privacy:
- Email: privacy@mindbackapp.com
- We aim to respond within one month, often faster.
If you’re in the UK and think we’ve handled your data badly, you can complain to the Information Commissioner’s Office (ICO) at ico.org.uk. If you’re in the EU, you can complain to the data protection authority in your country. We’d appreciate the chance to address your concern first.
Thanks for trusting us with your focus.