Privacy Policy
1. Overview & Controller
This Privacy Policy explains how Mentisonic collects, uses, and protects your personal data when you use the Mentisonic website and application, in accordance with the EU General Data Protection Regulation (GDPR / DSGVO) and the German Federal Data Protection Act (BDSG).
Data Controller
GDOELLERS INTERNATIONAL - FZCO, Building A1, Dubai Digital Park, Dubai Silicon Oasis, Dubai, United Arab Emirates
office@gdoellers.com
2. Data We Collect
2.1 Account data
Email address, first & last name, password (stored only as a one-way bcrypt hash), account status, and timestamps.
2.2 Device & session data
Device name and platform, IP address at login, session identifiers, and last-active timestamps.
2.3 Wellness assessment data
Your Dosha assessment answers and the resulting Dosha profile.
2.4 Usage & listening data
Listening sessions (tracks played, durations) and search queries.
2.5 Subscription & payment data
Subscription plan, status, billing period, renewal dates, and masked card info (last 4 digits, brand) from our payment processor. Full card numbers are never stored on our servers.
2.6 Technical & log data
Server logs containing IP address, timestamp, requested URL, and response status.
3. How We Use Your Data
| Purpose | Data used |
|---|---|
| Create and secure your account | Account data, device/session data |
| Authenticate and manage sessions | Account data, device/session data |
| Recommend frequency programmes | Wellness assessment data |
| Provide audio streaming | Usage & listening data |
| Provide AI-powered search | Search queries |
| Process subscriptions | Subscription & payment data |
| Send service emails | Account data |
| Security & abuse prevention | Technical & log data |
4. Legal Bases (Art. 6 GDPR)
- •Contract performance (Art. 6(1)(b)): account creation, authentication, streaming, subscriptions.
- •Consent (Art. 6(1)(a)): Dosha assessment, health-related recommendations, non-essential cookies.
- •Legitimate interests (Art. 6(1)(f)): security logging, fraud prevention, debugging.
- •Legal obligation (Art. 6(1)(c)): tax/commercial record retention.
5. Data Retention
- •Account data: kept while active, deleted after account removal.
- •Payment records: retained per German tax law (§ 147 AO, § 257 HGB).
- •Server logs: rotated periodically.
6. Third-Party Processors
We use service providers bound by Data Processing Agreements (Art. 28 GDPR). See our Data Processing page for the full list.
| Processor | Service | Data | Location |
|---|---|---|---|
| Mamopay | Payment processing | Name, email, payment data | UAE (Dubai) |
| AWS | Cloud hosting & storage | All backend data | USA (N. Virginia) |
| Google (Gemini) | AI search | Search queries | USA / global |
7. International Transfers
Some processors process data outside the European Economic Area (EEA). Where this happens, we rely on EU Standard Contractual Clauses (SCCs) or other Art. 46 GDPR safeguards:
- •AWS (USA): Data Processing Addendum with SCCs.
- •Google / Gemini (USA): Data Processing Addendum with SCCs; certified under the EU–US Data Privacy Framework (DPF).
- •Mamopay (UAE): SCCs under Mamopay’s Data Processing Agreement (pending written confirmation).
See the Data Processing page for full details.
8. Your Rights Under the GDPR
9. Data Security
We take appropriate technical and organisational measures (Art. 32 GDPR) to protect your data:
- •Encryption in transit: all traffic encrypted via HTTPS/TLS.
- •Passwords stored as salted bcrypt hashes never in readable form.
- •JWT-based authentication tokens.
- •No card data on our servers handled by payment processor.
- •Production access restricted to authorised personnel.
- •API rate limiting to prevent automated attacks.
- •Security event logging for incident detection.
No method of transmission or storage is 100% secure; while we strive to protect your data, we cannot guarantee absolute security.
10. Children's Privacy
The Service is not directed to children under 16. We do not knowingly collect personal data from children under 16.
11. Changes to This Policy
We may update this Privacy Policy. The current version is always available on this page. For significant changes, we will notify registered users.