Mendro Logo

Mendro

Privacy Policy

Last updated: March 31, 2026

1. Overview

Mendro processes personal data in accordance with applicable privacy laws, including the GDPR for users in the EEA, UK, and Switzerland and relevant US privacy laws where applicable. This policy explains how we process personal data when you use the Mendro mobile app, visit our website, contact us, or otherwise interact with the service.

2. Controller and Contact

Controller:

Dennis Zink

Im Bannhölzle 10

72160 Horb am Neckar

Germany

Contact:

Email: support@mendro.ai

3. Scope of This Policy

This policy applies to Mendro mobile app usage, account creation and login, reflection sessions, journaling, subscriptions, support interactions, legal and settings screens, and visits to the Mendro website. Some processing only applies if you use a specific feature, such as voice, subscriptions, or optional analytics.

4. Categories of Personal Data

  • Account data: email address, authentication identifiers, profile values, onboarding answers, language or settings preferences.
  • Reflection and journal data: prompts, reflections, journal entries, goals, session content, and other inputs you choose to provide.
  • Technical and device data: app version, device metadata, crash or diagnostic context, IP-derived network context, log data, and security events.
  • Subscription and transaction data: entitlement status, plan information, store purchase metadata, and subscription lifecycle events from app stores and subscription infrastructure.
  • Support and communications data: messages you send to support, bug reports, and related correspondence.
  • Website usage data: technically necessary request data, pages visited, referral information, and any information you submit through website contact or download flows.
  • Optional analytics data: product usage events and related analytics identifiers when you explicitly enable analytics.

5. Sources of Data

  • Directly from you: when you sign up, write reflections, use journaling or voice features, contact support, or change settings.
  • Automatically from your device or browser: when you use the app or website, including technical logs, device information, and local storage state.
  • From service providers and platforms: such as app stores, subscription providers, hosting providers, and analytics providers.
  • From safety and security systems: when misuse, fraud, account protection, or service-abuse signals need to be assessed.

6. Purposes and Legal Bases (GDPR)

  • Contract performance (Art. 6(1)(b) GDPR): account creation, authentication, delivery of reflection and journaling features, website access, subscriptions, customer support, and account management.
  • Consent (Art. 6(1)(a) GDPR): optional analytics, optional session replay or similar telemetry in analytics tools if enabled, and processing of sensitive reflection-related content where consent is the relevant basis.
  • Legitimate interests (Art. 6(1)(f) GDPR): service security, abuse prevention, fraud detection, debugging, service reliability, internal administration, and defending legal claims.
  • Legal obligations (Art. 6(1)(c) GDPR): tax, accounting, consumer law, regulatory, and compliance obligations.
  • Where special-category or comparable sensitive data is processed, Mendro relies on explicit consent and/or another applicable legal basis or exception under Art. 9 GDPR where legally available.

7. Reflection Data and Sensitive Content

Mendro is built for personal self-reflection. Depending on what you choose to enter, your journal entries, prompts, voice inputs, reflections, and support messages may contain sensitive information, including mental-health-related or other highly personal content. Please do not submit information you do not want processed for the operation of the service. If sensitive data is processed, we treat it with heightened care and only as needed to provide the service, maintain safety, comply with law, or where you have given relevant consent.

8. AI Processing and Automated Safety Systems

Mendro uses automated systems, including AI providers, to process reflection content, generate responses, support journaling and product features, and maintain service functionality. This can include sending selected text, voice, prompt, and context data to processors that help us provide the service. We also use automated safeguards to detect misuse, abuse, fraud, or serious safety risks. In limited cases, these systems can temporarily restrict features or accounts. You may contact support to request review of a restriction.

9. Local Storage, Cookies, and Similar Technologies

The app uses device-local storage and secure device storage to keep the service working, for example to store analytics consent state, authentication-related state, and locally cached session content. The website may use technically necessary cookies or similar technologies to operate pages, remember essential preferences, protect security, and document consent choices. Optional analytics technologies should only be active after the relevant consent choice where legally required.

10. Recipients and Processors

We do not sell personal data. We share data only where needed for service operation, legal obligations, or security.

This can include:

  • hosting and infrastructure providers
  • authentication, database, and storage providers
  • AI processing providers used to generate product responses and structure reflection content
  • app stores and subscription infrastructure
  • analytics providers where you have opted in
  • support, email, legal, compliance, and security providers

11. International Transfers

If personal data is transferred outside the EEA, UK, or Switzerland, we use appropriate safeguards such as Standard Contractual Clauses or equivalent legal mechanisms.

12. Retention

  • Account and reflection data stored on our systems: retained while your account is active and as needed to provide the service.
  • Locally cached app content on your device: retained until it is overwritten, removed by app actions, or deleted when you clear app data or delete the app.
  • Account deletion: production data is deleted or anonymized after account deletion, with limited backup retention up to 30 days unless longer retention is legally required.
  • Subscription, finance, and tax records: retained for statutory retention periods, which can be up to 10 years where applicable.
  • Security, fraud, and abuse-prevention records: retained only as long as reasonably needed for those purposes and legal defense.
  • Optional analytics data: retained according to our configured analytics retention periods and provider capabilities, and no new optional analytics data is collected after consent is withdrawn.

13. EEA, UK, and Swiss Rights

You may request access, rectification, deletion, restriction, portability, and objection. You may also withdraw consent at any time for consent-based processing. Where required, we may ask for information needed to verify your identity before completing a request. You can lodge a complaint with a competent supervisory authority.

14. US Privacy Rights, Including California

US users may request access, deletion, and correction where applicable under relevant state laws. California residents may also request information about categories, sources, business purposes, and disclosures of personal information. Mendro does not sell personal information and does not share personal information for cross-context behavioral advertising based on the current product design. To submit a request, use our support contact.

15. Children

The service is not directed to children and requires users to be at least 16 years old. If you believe a person under 16 has submitted personal data, contact us and we will review and delete it where required.

16. Security

We use technical and organizational measures such as encryption in transit, role-based access controls, access restriction, masked analytics replay settings where configured, and incident response processes. No service is absolutely secure, but we continuously improve safeguards appropriate to the nature of the data we process.

17. Analytics Consent

Optional analytics is disabled by default. In the app, it is only enabled after your explicit opt-in in the legal or settings area and can be withdrawn there at any time. On the website, optional analytics is only activated after the relevant cookie consent choice and can be changed later through the consent settings. When analytics is enabled, Mendro may process analytics events, pseudonymous identifiers, and configured telemetry such as masked session replay or network telemetry for product improvement and diagnostics. Withdrawing consent stops future optional analytics collection but does not automatically erase all previously collected analytics data where retention is otherwise permitted.

18. Policy Updates

We may update this policy for legal, technical, product, or operational reasons. The current version is available in the app and on this page. Material changes will be communicated through appropriate channels where required.

19. Contact and Complaints

Privacy contact:

support@mendro.ai

Address:

Dennis Zink

Im Bannhölzle 10

72160 Horb am Neckar

Germany

Rights requests may require identity verification before completion.

You may also contact your competent data protection authority or other competent regulator where applicable.