MindMapVault Privacy & GDPR Notice

Last updated: April 10, 2026

This notice explains what personal data MindMapVault processes, why it is processed, and what rights users have under the GDPR and similar privacy laws.

MindMapVault is designed to minimize data collection. The service is built so that mind map plaintext and decryption keys are intended to stay on the client side, not on the server.

1. Controller

Controller: MindMapVault

Current contact: admin@mindmapvault.com

If a formal company name, postal address, or VAT/business registration is added later, this notice should be updated before or at that time.

2. Core privacy approach

MindMapVault aims to:

  • collect only the minimum data needed to operate the service;
  • avoid selling personal data;
  • avoid using personal data for advertising profiling;
  • avoid storing readable mind map contents on the server;
  • keep security and anti-abuse processing limited to what is operationally necessary.

MindMapVault does not sell customer data.

3. Data categories processed

Depending on how the service is used, MindMapVault may process:

Account data

  • username;
  • optional email address, if the user provides one;
  • optional profile fields such as first name or last name, if the user provides them.

Encrypted application data

  • encrypted vault metadata;
  • encrypted blobs and encrypted version history related to mind maps;
  • storage and account-level metadata needed to run the service.

Billing data

If paid plans are used:

  • subscription status;
  • plan/tier information;
  • billing/customer identifiers returned by payment providers;
  • limited billing-related operational records.

MindMapVault should not store full payment card details directly. Those should remain with the payment processor.

Security and operational data

  • authentication and refresh tokens;
  • request metadata reasonably needed for security, rate limiting, fraud prevention, debugging, and service reliability;
  • server logs and diagnostics;
  • anti-abuse verification data, including Cloudflare Turnstile result handling.

Feedback/contact data

If a user submits the feedback form:

  • name, if provided;
  • email address, if provided;
  • subject and message;
  • page URL;
  • timestamp.

Website preference data

On the public site, the service may store minimal browser-side data such as:

  • theme preference;
  • cookie/banner dismissal state;
  • technical verification state needed for anti-abuse protection.

MindMapVault processes personal data for the following purposes:

To provide the service

Examples:

  • creating and maintaining user accounts;
  • authenticating users;
  • storing and serving encrypted vault data;
  • enforcing storage limits and subscription tier rules.

Typical legal basis: contract performance.

To secure the service

Examples:

  • detecting abuse and spam;
  • operating rate limiting and anti-bot measures;
  • preserving service integrity, availability, and incident response.

Typical legal basis: legitimate interests.

To handle payments

Examples:

  • subscription lifecycle handling;
  • billing reconciliation;
  • fraud prevention related to paid service operation.

Typical legal basis: contract performance and legal obligations where applicable.

To respond to support or feedback messages

Examples:

  • answering contact requests;
  • reviewing user feedback;
  • improving support workflows.

Typical legal basis: legitimate interests, and in some cases steps requested by the user before entering a contract.

Examples:

  • accounting and tax records;
  • lawful requests from public authorities where legally required.

Typical legal basis: legal obligation.

5. Newsletter and blog plans

MindMapVault may introduce:

  • an email newsletter;
  • a product blog or update feed on the marketing site.

If a newsletter is launched, the intended rule is:

  • newsletter subscriptions should be opt-in only;
  • marketing emails should not be sent without a valid consent basis where consent is required;
  • every newsletter should include an unsubscribe mechanism;
  • newsletter mailing tools, if added, must be listed in this notice.

If blog features later include comments, subscriptions, or user submissions, this notice should be updated before or when those features go live.

6. Recipients and processors

MindMapVault may use service providers that act as processors or infrastructure providers, for example:

  • hosting/infrastructure providers;
  • object storage providers;
  • payment processors;
  • email or newsletter providers, if added later;
  • anti-abuse/security infrastructure such as Cloudflare Turnstile;
  • monitoring and logging infrastructure, if used.

Processors should only receive data reasonably necessary for their function.

7. International transfers

Some providers may process data outside the user’s home jurisdiction, including outside the EEA/UK.

Where cross-border transfers occur, the aim is to rely on a valid transfer mechanism, such as:

  • adequacy decisions;
  • Standard Contractual Clauses;
  • or another lawful safeguard recognized by applicable law.

This section should be updated as the final provider list becomes stable.

8. Retention

MindMapVault aims to keep retention practical and minimal:

  • account data: retained while the account is active and for a reasonable period after deletion where needed for security, dispute handling, or legal compliance;
  • encrypted vault data: retained while the account/service requires it, subject to deletion flows and backup cycles;
  • billing records: retained as needed for accounting, tax, and legal obligations;
  • support and feedback messages: retained only as long as reasonably useful for handling the request and improving the service;
  • logs and security records: retained for limited operational/security periods rather than indefinitely.

Precise retention windows should be tightened as operations mature.

9. User rights

Subject to applicable law, users may have rights to:

  • access their personal data;
  • rectify inaccurate data;
  • erase data;
  • restrict processing;
  • object to certain processing;
  • data portability;
  • withdraw consent where processing is based on consent;
  • lodge a complaint with a supervisory authority.

Requests can be sent to: admin@mindmapvault.com

10. Whether data must be provided

Some data is necessary to operate the service, such as:

  • username/login-related data;
  • authentication-related data;
  • encrypted service data needed for storage and sync;
  • billing-related data for paid plans.

Optional fields, such as reply email in feedback forms or profile fields, generally do not need to be provided unless the user chooses to provide them.

11. Automated decision-making

MindMapVault does not intend to use personal data for automated decision-making that produces legal or similarly significant effects on users.

Basic security automation, spam filtering, and anti-abuse controls may still be used for operational protection.

12. Cookies and similar storage

MindMapVault aims to avoid non-essential marketing cookies.

Current browser-side storage on the public site is intended to stay minimal and limited to:

  • theme preference;
  • essential notice state;
  • anti-abuse/security verification support;
  • technically necessary session or authentication handling where applicable.

If analytics, advertising, or newsletter tracking tools are added later, this notice and the user-facing consent behavior should be updated before or when that happens.

13. Children

MindMapVault is not intended for children under the age required by applicable law to use the service independently.

14. Changes to this notice

This notice may be updated as the service evolves, especially when:

  • newsletter tooling is introduced;
  • blog features are added;
  • providers change;
  • business entity/contact details are finalized.

Material updates should be reflected in the website or release notes where appropriate.