Privacy Policy
Last updated: February 2026
This Privacy Policy ("Policy") describes how I12Y Ltd ("Company", "we", "us", or "our") collects, uses, stores, and protects your personal data when you use the Mendus application ("App") and related services ("Services"). We are committed to protecting your privacy in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and other applicable data protection laws.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data, including collection, recording, storage, modification, retrieval, use, disclosure, or erasure.
- "Data Controller" means I12Y Ltd, which determines the purposes and means of Processing Personal Data.
- "Data Processor" means a third party that processes Personal Data on behalf of the Data Controller.
- "Conflict Analysis" means the AI-powered analysis of relationship conflicts provided through the App's Mindful Mirror, Two-Way Bridge, and Evidence Vault features.
- "Scoring" means the numerical assessment (0–85 scale) generated by our AI to evaluate communication, empathy, and resolution aspects of a conflict.
- "User Content" means conflict descriptions, feelings, desired outcomes, and screenshots that you provide to the App for analysis.
2. Data We Process
We process the following categories of Personal Data to provide and improve our Services.
2.1 Data You Provide Directly
- Account information: email address, display name, profile picture (via Google or Apple Sign-In)
- Conflict descriptions: text you enter describing relationship situations, your feelings, and desired outcomes
- Partner invitations: email addresses of partners you invite to Two-Way Bridge mode
- Screenshots: images of conversations you upload to Evidence Vault for AI analysis. These images may contain messages from other people — you are responsible for ensuring you have the right to share this content. We process screenshots solely for conflict analysis and do not retain them after the analysis is complete.
- Subscription data: payment method type and subscription status (payment details are processed by Apple/Stripe and never stored by us)
- Feedback and support requests: any communications you send to our support team
2.2 Data Collected Automatically
- Device information: device type, operating system, browser type, screen resolution
- Usage data: features used, session duration, interaction patterns (collected via Google Analytics 4 and Amplitude with anonymized IP)
- Error and crash data: stack traces and device state at time of error (collected via Sentry, anonymized)
- Push notification tokens: device tokens for delivering notifications (via Firebase Cloud Messaging)
- Authentication tokens: session tokens for maintaining your login state
3. Children's Privacy
The App is not intended for children under 13 years of age (or under 16 in the EU/EEA). We do not knowingly collect Personal Data from children. If you believe a child has provided us with Personal Data, please contact us at privacy@mendus.app, and we will promptly delete such data.
If we discover that we have collected Personal Data from a child under the applicable minimum age, we will take immediate steps to delete the data and terminate the associated account.
4. Purposes of Processing
We process your Personal Data for the following purposes:
- Providing AI-powered conflict analysis through Mindful Mirror, Two-Way Bridge, and Evidence Vault features
- Generating conflict scores and identifying communication patterns, blind spots, and areas for improvement
- Facilitating partner invitations and two-sided conflict analysis
- Managing your account, subscription, and authentication
- Sending transactional communications (OTP codes, partner invitation emails, subscription confirmations)
- Monitoring and improving App performance, stability, and user experience
- Detecting and preventing fraud, abuse, and security threats
- Complying with legal obligations and responding to lawful requests from authorities
5. Legal Basis for Processing
We process your Personal Data based on the following legal grounds under Article 6 of the GDPR:
- Consent (Art. 6(1)(a)): Analytics data collection, push notifications, and optional communications. You may withdraw consent at any time without affecting the lawfulness of prior processing.
- Contract Performance (Art. 6(1)(b)): Processing necessary to provide the Services you requested — account management, AI conflict analysis, partner invitations, and subscription management.
- Legitimate Interest (Art. 6(1)(f)): Security monitoring, fraud prevention, error tracking, and service improvement. We have conducted balancing tests to ensure our interests do not override your rights.
- Legal Obligation (Art. 6(1)(c)): Compliance with tax, accounting, and other legal requirements applicable to our business.
- Explicit Consent for Sensitive Data (Art. 9(2)(a)): Conflict descriptions may contain information about emotional states or relationship dynamics that could constitute special category data under GDPR. By voluntarily submitting this content for analysis, you provide explicit consent to its processing. You may withdraw consent at any time by deleting the analysis from your history.
Automated Processing (Art. 22): Our App uses artificial intelligence to analyze conflict descriptions and generate scores (0–85 scale) and verdicts. These results are informational and advisory only — they do not produce legal effects or similarly significantly affect you within the meaning of GDPR Article 22. No decisions regarding your account access, subscription status, or service availability are made based on AI-generated scores. You are free to agree or disagree with the analysis results.
6. Data Storage and Security
Your Personal Data is stored on Supabase infrastructure located in the European Union (Frankfurt, Germany). We implement appropriate technical and organizational measures to protect your data:
- Encryption at rest: AES-256 encryption for all stored data
- Encryption in transit: TLS 1.2+ for all data transmissions
- Access controls: Role-based access with principle of least privilege
- Database security: Row-Level Security (RLS) policies enforced at the database level
- Regular backups: Automated encrypted backups with point-in-time recovery
- Audit logging: All data access and modifications are logged
Data Retention: We retain your Personal Data for as long as your account is active and for up to 30 days after account deletion. After this period, your data is permanently and irreversibly deleted from our systems and backups. We may retain anonymized analytics data (such as aggregated usage statistics from Google Analytics and Amplitude) that cannot identify you.
Partner Analysis Data: If you participated in a Two-Way Bridge analysis as a respondent and delete your account, your responses will be disassociated from your identity, but the analysis may remain accessible to the person who invited you.
7. Third-Party Data Processors
We share your Personal Data with the following categories of third-party processors, each bound by Data Processing Agreements (DPAs):
- OpenAI (USA): Processes conflict descriptions and screenshots for AI analysis. OpenAI does NOT use API data for model training (per their API Data Usage Policy). Data transferred under EU-US Data Privacy Framework (DPF).
- Supabase (EU, Frankfurt): Database hosting, authentication, and serverless functions. Data remains within the EU.
- Vercel (USA/EU): Web application hosting and edge functions. Data transfers protected under EU-US Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs).
- Google Analytics 4 (USA): Anonymous usage analytics with IP anonymization enabled. Transfer under EU-US DPF.
- Amplitude (USA): Anonymous usage analytics with device identifiers. No Personal Data beyond usage patterns. Transfer under EU-US DPF.
- Sentry (USA): Error monitoring with anonymized stack traces. No Personal Data transmitted beyond device metadata. Transfer under SCCs.
- Stripe (USA): Web payment processing. Mendus never stores payment card details. Transfer under EU-US DPF.
- Apple (USA): iOS app distribution and in-app purchases. Subject to Apple's privacy policy. Transfer under SCCs.
- Firebase (USA): Push notifications and crash reporting. Device tokens only, no user content. Transfer under EU-US DPF.
- Resend (USA): Transactional email delivery (OTP codes, partner invitations). Email address and message content only. Transfer under SCCs.
We do not sell, rent, or trade your Personal Data to any third party. We do not use your data for advertising purposes.
8. Your Rights
Under the GDPR and applicable data protection laws, you have the following rights:
- Right of Access (Art. 15): Request a copy of all Personal Data we hold about you.
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Right to Erasure (Art. 17): Request deletion of your Personal Data ("right to be forgotten").
- Right to Restriction (Art. 18): Request that we limit how we process your data.
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interest.
- Right to Withdraw Consent: Withdraw consent at any time for consent-based processing.
- Right to Lodge a Complaint: File a complaint with your local Data Protection Authority.
To exercise any of these rights, contact us at privacy@mendus.app. We will respond within 30 days. You can also manage your analytics preferences in the App's Profile settings.
9. Cookies and Similar Technologies
Mendus does NOT use traditional HTTP cookies. Instead, we use the following technologies:
- localStorage: Stores your language preference, theme settings, analytics consent choice, and authentication session tokens. This data remains on your device and is not transmitted to our servers except as necessary for authentication.
- Session tokens: Short-lived tokens that maintain your login state. These are renewed automatically and expire when you log out.
- Analytics identifiers: Google Analytics 4 uses a client-side identifier to track anonymous usage patterns. This identifier is reset when you clear your browser data or revoke analytics consent. Amplitude uses a device identifier for anonymous event tracking.
We do NOT use advertising cookies, tracking pixels, or the Identifier for Advertisers (IDFA). We do NOT participate in any advertising networks or cross-site tracking.
10. Communications
We send only transactional communications necessary for the operation of the Services:
- One-time passwords (OTP) for email authentication
- Partner invitation emails when you invite someone to Two-Way Bridge mode
- Subscription confirmation and renewal notices
- Important service announcements (security incidents, Terms changes)
We do NOT send marketing emails, promotional offers, or newsletters. We do NOT share your email address with any marketing service.
11. Third-Party Links
The App may contain links to third-party websites or services (such as Apple App Store, Google Play Store, or our support pages). We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies before providing any Personal Data to them.
12. Dispute Resolution
If you have concerns about our data processing practices, we encourage you to contact us first at privacy@mendus.app. We will investigate and attempt to resolve your complaint within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection of Cyprus or your local Data Protection Authority.
This Policy is governed by the laws of the Republic of Cyprus, without regard to conflict of law provisions.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes:
- We will display a prominent notice within the App before the changes take effect.
- We will send an email notification to the address associated with your account.
- We will update the "Last updated" date at the top of this Policy.
- We will maintain an archive of previous versions available upon request.
Your continued use of the App after changes take effect constitutes acceptance of the updated Policy. If you do not agree with the changes, you should stop using the App and request deletion of your data.
14. Contact Information
Data Controller:
I12Y Ltd
Registration number: HE 442933
Registered address: Nicosia, Cyprus
For privacy-related inquiries: privacy@mendus.app
For general support: support@mendus.app
15. Additional Rights for US Residents
If you are a resident of the United States, you may have additional rights under state privacy laws, including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and similar laws in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and other states.
- Right to Know: You may request disclosure of the categories and specific pieces of Personal Data we have collected about you.
- Right to Delete: You may request deletion of your Personal Data, subject to certain exceptions.
- Right to Opt-Out of Sale: We do NOT sell your Personal Data. No opt-out is necessary.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
- Right to Correct: You may request correction of inaccurate Personal Data.
- Right to Limit Use of Sensitive Data: We process conflict descriptions and feelings, which may constitute sensitive data. This processing is performed solely to provide the Services you requested.
To exercise these rights, contact us at privacy@mendus.app or use the data management features in the App. We will verify your identity before processing requests. You may designate an authorized agent to make requests on your behalf.
For California residents: In the preceding 12 months, we have collected the categories of data described in Section 2. We have not sold any Personal Data. We have disclosed Personal Data to the service providers listed in Section 7 for business purposes only.
16. Additional Rights for Residents of Ukraine
If you are a resident of Ukraine, your Personal Data is additionally protected under the Law of Ukraine "On Protection of Personal Data" (No. 2297-VI). You have the following additional rights:
- Right to know the location of the database containing your Personal Data
- Right to receive information about the conditions of access to your Personal Data
- Right to protect your Personal Data from unlawful processing and accidental loss
- Right to file complaints with the Ukrainian Parliament Commissioner for Human Rights regarding violations of your data protection rights
- Right to use legal remedies in case of violation of data protection legislation
Your Personal Data is stored within the EU (Frankfurt, Germany) as described in Section 6. Cross-border data transfers are conducted in compliance with Ukrainian data protection requirements.
17. Additional Rights for Residents of Canada
If you are a resident of Canada, your Personal Data is additionally protected under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.
- Consent: We obtain your meaningful consent before collecting, using, or disclosing your Personal Data. You may withdraw consent at any time, subject to legal or contractual restrictions.
- Purpose limitation: We collect Personal Data only for the purposes identified in Section 4 of this Policy.
- Access: You have the right to access your Personal Data and to challenge its accuracy.
- Safeguards: We protect your Personal Data with security safeguards appropriate to the sensitivity of the information, as described in Section 6.
- Accountability: We are accountable for compliance with these principles. For privacy inquiries, contact us at privacy@mendus.app.
For inquiries or complaints regarding our privacy practices under Canadian law, you may contact the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.