Privacy Policy - mind² ECHO

Privacy Policy

mind² ECHO — AI-Powered Meeting Analysis

Last updated: 7 May 2026

The controller responsible for the processing of personal data in the context of mind² ECHO within the meaning of the General Data Protection Regulation (GDPR) is:

Toowoxx IT GmbH
Krumbacher Str. 1
86489 Deisenhausen
Germany

Contact for privacy-related inquiries: datenschutz@toowoxx.de

2. What Data We Process

Account data: Anonymous user identifier (no email or password required)
Meeting data (transient): Transcripts and speaker labels are transmitted through our servers to AI services and are NOT stored server-side
Derived data (transient): Behavioral profiles, meeting summaries, and recommendations generated by AI — returned to your device, not stored server-side
Consent records: Your consent grants and withdrawals (stored for legal compliance)
Subscription data (if you subscribe): Your anonymous account identifier is shared with our subscription management provider (RevenueCat) to validate purchase receipts and track entitlements. Payment data itself never reaches us — it is processed by Apple or Google (see section 11).

When using mind² ECHO, the speech of all meeting participants is processed. You are responsible for informing participants about the recording and AI-powered analysis and obtaining their agreement before recording.

3. Why We Process It

To provide AI-powered meeting analysis (mind² behavioral profiles)
To fulfill our legal obligations (GDPR consent tracking)

4. Minimum Age

You must be at least 16 years old to use mind² ECHO with cloud features (Art. 8 GDPR).

5. Legal Basis

Processing	Legal Basis
AI-powered analysis (sending transcripts to AI services)	Art. 6(1)(a) GDPR — your explicit consent
Behavioral profiling (mind² profiles)	Art. 9(2)(a) GDPR — explicit consent for data of a behavioral-psychological nature
Consent documentation	Art. 6(1)(c) GDPR — legal obligation (proof of consent per Art. 7(1))
Anonymous user identifier	Art. 6(1)(b) GDPR — necessary to provide the requested cloud features
Subscription management (RevenueCat)	Art. 6(1)(b) GDPR — performance of the subscription contract

6. Behavioral Analysis and Profiling

mind² ECHO creates behavioral profiles (mind² profiles) based on your conversation contributions, describing your preferred communication style. This includes:

Behavioral dimensions (m/i/n/d scores)
Behavioral narratives and perception profiles
Communication recommendations and coaching tips

This analysis has a behavioral-psychological character but does not constitute a psychological diagnosis. The results describe HOW you communicate in a specific conversation — not WHO you are. They are based on a single conversation and may vary across different meetings.

Processing occurs exclusively with your explicit consent (Art. 6(1)(a), Art. 9(2)(a) GDPR). You can withdraw consent at any time by disabling cloud features in the app settings. This will delete your anonymous account and remove all server-side data.

7. Sub-Processors

Your data may be processed by the following third parties:

Provider	Purpose	Country	Transfer Safeguard
Mistral AI	AI-powered meeting analysis, atmosphere tracking, speaker identification, title generation	France	N/A (EU)
RevenueCat, Inc	Subscription entitlement management, purchase receipt validation, billing-period quota tracking	USA	SCCs + DPA per Art. 28
Supabase, Inc	Authentication, consent storage, edge function hosting	USA (HQ), Frankfurt (data)	SCCs + DPA per Art. 28

Only one AI provider is active at any given time. The active provider is configured server-side and may change.

8. Data Retention

Data	Retention
Account data	Until deletion by you
Meeting data	Transient only (not stored on server)
Consent records	5 years after withdrawal (legal compliance)
Deletion records	5 years (proof of erasure)

9. Your Rights

You have the following rights under GDPR:

Access (Art. 15) — Request a copy of your personal data
Rectification (Art. 16) — Correct inaccurate data
Erasure (Art. 17) — Delete your account via the in-app deletion function
Data portability (Art. 20) — Meeting data is stored on your device; you already have it
Objection (Art. 21) — Withdraw consent at any time via the app
Lodge a complaint with a supervisory authority

10. Supervisory Authority

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach
https://www.lda.bayern.de

11. Subscription Billing (Apple / Google)

Subscriptions for paid features are sold and processed by Apple Inc. (on iOS) or Google Ireland Ltd. / Google LLC (on Android), acting as independent controllers for all payment data. This means:

Payment methods, billing addresses, and transaction records are collected and stored by Apple or Google, governed by their own privacy policies.
mind² ECHO and our subscription management provider (RevenueCat) receive only the receipt of a successful purchase and the resulting entitlement — never card numbers, bank details, or your billing address.
Cancellation, refunds, and payment method changes must be handled directly with Apple or Google.

References:

Apple Privacy Policy: https://www.apple.com/legal/privacy/
Google Play Privacy Policy: https://policies.google.com/privacy

12. On-Device AI Models

To enable on-device speech recognition and speaker diarization — which keeps your meeting audio entirely on your device — the app downloads pre-trained AI model files from publicly accessible third-party sources. These currently include code-hosting platforms (primarily GitHub, operated by GitHub, Inc., a Microsoft Corporation subsidiary in the USA) and websites of the open-source projects that publish the models. The set of sources may change as we add or update models.

What is transferred to the hosting provider: your device’s IP address, User-Agent, the requested file path, and the request timestamp
What is NOT transferred: meeting audio, transcripts, speaker information, or any account data
Frequency: one-time per model — files are cached locally on your device and re-downloaded only when a model is updated

Legal basis: Art. 6(1)(b) GDPR — necessary for the performance of the contract, since the on-device transcription feature cannot operate without these models. The on-device approach is itself the privacy-preserving design choice: your audio never leaves your device.

Transfer to a third country: Where the hosting provider is established outside the EU/EEA (in particular GitHub, Inc. in the USA), the transfer relies on the EU–US Data Privacy Framework where the provider is certified under it; Microsoft Corporation (parent of GitHub, Inc.) is so certified.

These hosting providers act as independent controllers for the connection metadata under their own privacy policies, not as our sub-processors.

13. Contact

For privacy-related inquiries: datenschutz@toowoxx.de