Privacy policy
Last updated: 2026-06-19
This policy describes how Mind Guard 365 (“we”, “us”) collects, uses and shares information when you use the Mind Guard 365 mobile application (“App”) and the marketing website at mindguard365.com (“Site”). It is written for users in the United Kingdom and aligns with UK GDPR and the Data Protection Act 2018.
1. Who is responsible
Mind Guard 365 is operated by Mind Guard 365 Ltd, which is the data controller for the App and Site. Our company and governance details are on our company page. For privacy questions or requests use privacy@mindguard365.com.
2. Information we collect
2.1 Account and profile
An account is required to use the App. We process identifiers needed to authenticate you (for example email address or tokens issued by our auth provider) and profile fields you choose to provide such as display name, date of birth, country and preferences related to goals, schedules, notifications, gamification and security.
2.2 Mental wellbeing data you enter
When you use the App we process the wellbeing information you choose to enter, including:
- Mood check-ins and how you rate your day
- Notes and journal text you write
- Tags and causes you attach to a check-in (for example what helped or what was hard)
- Programme and exercise progress, reflections and sleep entries
- Usage data such as which tools you open and when (to power your patterns and insights)
This data is synchronised to your private account on our backend so it follows you across devices, and a copy is cached on your device for offline use. Because it relates to your mental wellbeing we treat it as sensitive and handle it with extra care (see section 2a).
2a. Special category data
Some of what you enter (such as mood, notes and tags about how you feel) may be special category data concerning health under UK GDPR. We only process it to provide the wellbeing features you ask for. Our condition for processing it is your explicit consent, given when you choose to use the App and enter this information; you can withdraw it at any time by deleting the data or your account. We do not use this content for advertising and we do not share it for advertising.
2.3 Purchases and entitlements
When you buy or trial a subscription through Google Play or the App Store, Apple or Google processes payment data. We receive limited purchase and entitlement metadata from our own subscription service after Apple or Google confirms the purchase so we can unlock features in the App. We do not receive your full card number.
2.4 Diagnostics and security
We use error and performance reporting (Sentry) to collect crash logs, device and app version metadata and related diagnostic data to keep the App reliable and secure.
2.5 App analytics
We use Google Analytics for Firebase in the App to understand aggregate usage (for example screens viewed, feature interactions such as check-ins or tools completed and app opens). Events do not include journal text or other wellness content you enter. Google may process device identifiers, app version and technical data as described in Google's privacy policy.
2.6 Advertising
The App may show ads through Google Mobile Ads (AdMob). Google may use identifiers such as the advertising ID, and technical data including your IP address, to deliver, personalise and measure ads. From around August 2026 Google may also use IP addresses for measurement and ad personalisation for users in the UK, the European Economic Area and Switzerland. We request non-personalised ads by default and apply a child-appropriate content rating, and in the UK/EEA/Switzerland we use Google's consent flow (Google User Messaging Platform) to obtain consent where required. The merged Android manifest for the App may include permissions such as READ_PHONE_STATE where required or declared by the advertising SDK for fraud prevention or measurement. You can limit ad personalisation in your device settings, and change your choice at any time from the App's privacy options.
For details of how Google uses the information it receives from sites and apps that use its services, see How Google uses information from sites or apps that use our services and Google's advertising technologies.
2.7 Local storage and notifications
We cache some data on your device (for example profile or check-ins before they sync to your account) so the App keeps working offline. If you enable reminders we schedule local notifications; content may be processed on-device.
2.8 Website
The Site is largely informational. We use Google Analytics on the Site to understand aggregate traffic (for example pages viewed, approximate location derived from IP, browser type and referral source). Google may set cookies or use similar technologies, and may use your IP address for measurement, as described in Google's privacy policy and How Google uses information from sites or apps that use our services. Standard server or CDN logs may also include IP address, user agent and request metadata. We do not use the Site to collect the same structured wellbeing data as the App unless we clearly ask for it on a form.
We use Google Consent Mode so that Google Analytics only sets analytics cookies on the Site after you accept them. When you first visit, a cookie banner lets you accept or reject analytics cookies, and until you accept, Google Analytics runs in a cookieless mode that does not store identifiers on your device. You can change your choice at any time using the Cookie settings link in the footer. Strictly necessary cookies needed to run the Site are always set.
2.9 Mind library referral page
If you arrive via our Mind library partner page at /from-mind/, the URL may include a referral identifier (orcha_uid). We log page visits and optional actions (email capture or store button clicks) to measure referral funnel performance. If you enter your email we send you an invite or sign-in link using the same address. If you later register in the App with that same email we link your account to the referral for aggregate reporting to our Mind library partner. We do not put the referral identifier in the email link itself. We report pseudonymous monthly aggregates to Mind; we do not sell your email to third parties for marketing.
3. How we use information
- Provide, operate and improve the App and Site
- Authenticate users, sync data and restore access across devices
- Process purchases, trials and premium access
- Show ads where applicable and measure their delivery
- Measure aggregate App and Site usage to improve features
- Detect abuse, fix bugs and improve stability
- Meet legal obligations and respond to lawful requests
4. Legal bases (UK GDPR)
Where UK GDPR applies we rely on one or more of the following:
- Contract: providing the App and features you request
- Legitimate interests: securing the service, debugging, App and Site analytics that do not override your rights and direct marketing only where permitted
- Consent: where we ask for it (for example optional marketing or non-essential cookies on the Site if we add them later)
- Explicit consent (special category data): for the mental wellbeing content you enter, our condition under UK GDPR Article 9 is your explicit consent, which you can withdraw at any time
- Legal obligation: where the law requires processing
5. Sharing and processors
We use trusted service providers who process data on our instructions:
- Supabase (database, authentication and related infrastructure)
- Cloudflare Worker (Mind Guard) (subscription verify, entitlements and admin portal)
- Google (Firebase Analytics / Mobile Ads) (App usage analytics, advertising and related services)
- Sentry (error and crash monitoring; we configure it to scrub journal text, email and other personal content from reports)
- Cloudflare (hosting and delivery of the marketing site and admin tooling)
- Resend (delivery of authentication and account emails on our behalf)
- Google Analytics 4 (aggregate website traffic measurement)
- Apple and Google (app distribution and payment processing for store purchases)
Providers may process data in countries outside the UK. Where required we use appropriate safeguards such as the UK International Data Transfer Agreement or UK Addendum to the EU Standard Contractual Clauses.
We do not sell your personal information in the conventional sense. We do not share wellness journal content for advertising.
6. Retention
We keep information only as long as needed for the purposes above, including legal, tax and dispute resolution needs. In short:
- Account, check-ins, notes, tags and programme progress: kept while your account is active
- Deleted accounts: scheduled for permanent erasure 30 days after you request deletion (a grace period so you can restore the account if you deleted it by mistake)
- Diagnostics / crash data: retained for a limited period for stability and security
- Server and CDN logs: retained for a short period
You may delete local data from the App where the feature is offered. When you delete your account in the App we schedule permanent erasure after 30 days; you may restore the account by signing in and choosing restore before that date. See our account deletion page for steps. Contact us if you need help with cloud-held data tied to your account.
7. Your rights
Subject to UK law you may have the right to:
- Access, rectify or erase personal data
- Restrict or object to certain processing
- Data portability where applicable
- Withdraw consent where processing is consent-based
- Lodge a complaint with the ICO (ico.org.uk)
Contact privacy@mindguard365.com to exercise your rights. We may need to verify your identity.
8. Children and young people
Mind Guard 365 is intended for people aged 13 and over. We ask you to confirm your age in our terms; we do not run intrusive age verification. We do not knowingly collect personal information from children under 13, and if you believe a younger child has provided data, contact us and we will take appropriate steps.
Because a wellbeing app may be accessed by people aged 13 to 17, we have considered the ICO Age Appropriate Design Code (the Children's Code). We aim to apply its principles through high-privacy defaults, collecting only what we need, not selling personal data and not serving personalised advertising to users who may be minors. We assess this in our DPIA (see section 10).
9. Users in the United States
If you use Mind Guard 365 from the United States, the following also applies:
- Your choices (CCPA/CPRA and similar state laws): you may request access to, correction of or deletion of your personal information, and you may appeal a decision. We do not sell your personal information and we do not share it for cross-context behavioural advertising; you do not need to opt out of a sale that we do not make.
- Under-16s: we do not knowingly sell or share the personal information of consumers under 16.
- HIPAA: Mind Guard 365 is a direct-to-consumer self-help app. Mind Guard 365 Ltd is not a HIPAA covered entity or business associate, and we do not process protected health information (PHI) on behalf of any healthcare provider, plan or clearinghouse.
10. Data protection impact assessment
Because we process sensitive mental wellbeing data, we maintain a Data Protection Impact Assessment (DPIA) that records the risks of this processing and how we mitigate them. We review it when we make material changes to the service.
11. Medical disclaimer
Mind Guard 365 offers self-help and educational tools. It is not a medical device and does not replace professional advice, diagnosis or treatment. It does not diagnose, treat or monitor any health condition. If you are in crisis use local emergency services or a trusted helpline; see our safety and crisis support page.
12. Changes
We may update this policy from time to time. We will post the new date at the top and, where appropriate, provide additional notice in the App or by email.
