This Privacy Policy describes how Zadio EOOD (“Company,” “we,” “us,” or “our”) collects, uses, stores, and protects information when you use the MindLotus mobile application (“App”). We are committed to full compliance with the GDPR, the ePrivacy framework, and the Bulgarian Law on Personal Data Protection (LPDP).
Data Protection Officer (DPO): Not appointed. Based on the nature, scope, context, and purposes of our processing, we are not required to designate a DPO under Article 37 GDPR. Privacy inquiries may be directed to mindlotus.app@gmail.com.
MindLotus is a dual audio player for personal wellness and meditation. The App is designed to work primarily offline. We minimise data collection to what is strictly necessary for the App to function, to prevent abuse, and to improve reliability.
We do NOT:
We collect a device-specific identifier (Android’s Settings.Secure.ANDROID_ID) to anchor the free-trial period on each device. This identifier is stored in our cloud database (Firebase Firestore) under a trial-management collection and is used to prevent trial abuse (e.g., repeated reinstallation to reset the trial on the same device).
To enforce a single trial period per user across multiple devices, the App uses Google Sign-In to obtain your Google account identity. We do NOT store your email address, name, or profile information. We store only a one-way cryptographic hash (SHA-256) of your Google account ID — a pseudonymised value that cannot be reversed to reveal your identity. This hashed identifier is used solely to link your trial period across devices so that the remaining trial days carry over when you set up a new device.
When you access the MindLotus content library or marketplace, we create an anonymous account through Firebase Authentication. This generates a random user identifier (UID) that is not linked to your name, email, or any personal account. This UID manages your content entitlements and purchase records within the App.
When you subscribe or make an in-app purchase, Google Play processes the transaction. We receive and store a minimal set of records required to deliver the service you paid for and to let you recover your purchases at any time:
hooponopono_man);
Where the data is stored. This record is persisted locally on your device (Android Preferences DataStore, app-private) and synchronised to Firebase Cloud Firestore under a single document keyed to your Firebase Authentication UID — collection user_entitlements, document ID = your UID. Firebase security rules restrict read/write access to that document exclusively to the authenticated user to whom it belongs.
What the entitlement record does NOT contain. No name, email, payment-card data, billing address, IP address, device location, listening history, or other directly identifying information. Only: your Firebase UID, the list of unlocked item IDs, the Google Play purchase tokens, and the last-sync timestamp.
Restoration is performed through two parallel, independent channels:
BillingClient.queryPurchasesAsync) and re-unlocks them. This channel works reliably even if your Firebase identifier has changed (for example, because Android assigns a new anonymous UID after a reinstall).
user_entitlements document and merges any unlocks into your local library. This channel adds purchase metadata (tokens, timestamps) that Google Play does not return.
You may also manually trigger restoration at any time via Settings → Restore Purchases.
Because Google Play already holds the authoritative record of your ownership tied to your Google account, restoration is reliable even if our Firebase record is unavailable. The Firebase record is an additional safety net that speeds up restoration and keeps purchase metadata for support, auditing, and accounting purposes.
GDPR Article 6(1)(b) — performance of the contract under which we must continue to provide you ongoing access to the content you have paid for. Without this record, we would be unable to honour that contractual obligation after a reinstall.
The entitlement record is retained for the duration of the MindLotus service. It is not subject to any automatic deletion policy, time-to-live (TTL), or scheduled purge. You may nevertheless request immediate deletion at any time (see Section 8.4). Once the Firebase record is deleted, the Firebase-side fast-restore channel will no longer be available for you; however, your purchases remain recoverable through Google Play’s own record of ownership.
If you enable analytics in the App’s Settings, we collect anonymous usage data through Firebase Analytics:
Analytics data is aggregated and anonymous. It does not include your audio files, file names, or listening content. You may disable analytics at any time in Settings, and you may withdraw consent at any moment without any detriment. See Section 7.
If the App crashes, Firebase Crashlytics automatically collects device model, operating-system version, app version, stack trace, error details, and general device state. Crash reports do not contain personal content such as audio files or file names.
The App uses Firebase Cloud Messaging (FCM) to enable push notifications. Your device receives a registration token from Google, used solely to deliver notifications related to App updates, new content, or service announcements. We do not use this token for advertising or behavioural tracking.
The App periodically checks Firebase Remote Config for operational parameters (such as trial duration and feature-availability flags). This is a server-to-app configuration check and does not transmit personal data from your device.
To protect our cloud services (Firebase Cloud Firestore, Firebase Cloud Storage) from abuse — such as automated scraping of paid content, fake-traffic billing fraud, and piracy of purchased audio/video files — each request that the App sends to our cloud is accompanied by a short-lived attestation token produced by Google’s Play Integrity API and verified by Firebase App Check. The attestation confirms only that the request originates from a genuine, untampered installation of MindLotus obtained through Google Play. It does NOT include:
The attestation is produced by Google Play Services on your device and sent directly to Google’s verification servers; Zadio EOOD receives back only a signed, opaque token and the verdict (“verified” or “not verified”). Tokens are short-lived and are not retained after verification. This processing is performed on the legal basis of our legitimate interest (GDPR Art. 6(1)(f)) in preventing fraud and abuse of our systems, as expressly recognised in Recital 47 GDPR.
We process personal data only where we have a valid legal basis under Article 6(1) GDPR. The following table maps each category of data to its purpose, legal basis, and retention period.
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| Device Identifier (ANDROID_ID) | Trial anchoring; anti-abuse | Art. 6(1)(f) legitimate interest | 24 months from last activity |
| SHA-256 Google account hash | Cross-device trial sync | Art. 6(1)(b) contract performance | 24 months from last activity |
| Anonymous Firebase UID | Key under which your entitlement document is stored | Art. 6(1)(b) contract performance | Duration of the MindLotus service; deletable on request (§8.4) |
| Entitlement record (unlocked item IDs + purchase tokens) | Restore your purchases after uninstall/reinstall or device change | Art. 6(1)(b) contract performance | Duration of the MindLotus service; deletable on request (§8.4) |
| Subscription status / expiration | Deliver subscription features | Art. 6(1)(b) contract performance | Duration of the Subscription + dispute-resolution period |
| Financial-transaction records (invoices, accounting) | Bookkeeping and tax | Art. 6(1)(c) legal obligation (BG Accounting Act, Art. 12) | 10 years |
| Analytics data | Improve features & UX | Art. 6(1)(a) explicit consent | 14 months (Firebase default) |
| Crash reports | Stability & debugging | Art. 6(1)(f) legitimate interest | 90 days (Firebase default) |
| FCM token | Transactional push notifications | Art. 6(1)(f) legitimate interest | Until refresh or uninstall |
| Remote Config | Service administration | Art. 6(1)(f) legitimate interest | Not stored by us |
| App Check / Play Integrity attestation | Block scraping, billing fraud, and piracy | Art. 6(1)(f) legitimate interest (Recital 47) | Not stored; tokens are short-lived |
Balancing test for legitimate interests. We have conducted a legitimate-interests balancing test (LIA) and concluded that our processing is necessary, proportionate, and does not override your rights because (i) data is pseudonymous or aggregated, (ii) no profiling is performed, (iii) robust security measures are in place, and (iv) you are transparently informed. A summary of the LIA is available on request.
The App stores preferences, subscription status, entitlements, and downloaded content in app-private storage on your device. This data is accessible only to the MindLotus app and is removed when you uninstall the App.
Limited data is synchronised to Google Firebase. Because Zadio EOOD is an EU-established data controller (Bulgaria) and we aim to keep personal data within the European Union by default, our Firebase project is configured as follows:
eur3, the EU multi-region, physically replicated across Belgium (europe-west1) and the Netherlands (europe-west4). All Firestore personal data is stored and processed inside the EU.
eur or europe-west3 (Frankfurt, Germany), i.e. within the European Union.
The App is offered globally, but the personal data of all users — regardless of country of residence — is anchored in the European Union to the maximum extent technically possible. This keeps the processing inside the jurisdiction of the GDPR and the Bulgarian Law on Personal Data Protection (LPDP) by default.
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Bulgarian Commission for Personal Data Protection (CPDP) without undue delay and, where feasible, within 72 hours (GDPR Art. 33). High-risk breaches will also be communicated to affected data subjects without undue delay (GDPR Art. 34).
Subscription and purchase transactions are processed by Google Ireland Limited / Google LLC. Google’s privacy practices: policies.google.com/privacy.
We use Firebase Authentication, Cloud Firestore, Cloud Storage, Cloud Messaging, Remote Config, Crashlytics, and (opt-in) Analytics. See Google’s data-processing terms: firebase.google.com/terms and cloud.google.com/terms/data-processing-terms. Current sub-processor list: cloud.google.com/terms/subprocessors.
We do not integrate advertising networks, social-media tracking pixels, attribution SDKs, or any other third-party analytics or tracking services beyond those listed above.
We have entered into a Data Processing Addendum with Google under Article 28 GDPR.
Some Firebase services may involve transfers outside the European Economic Area (EEA), including to the United States.
Safeguards applied:
You may request a copy of the safeguards applied by emailing mindlotus.app@gmail.com.
Analytics are disabled by default. You may enable or disable them any time via Settings → Analytics. Disabling is treated as a withdrawal of consent without any detriment to you.
Disable push notifications through your device’s system settings for the MindLotus app.
Uninstalling the App stops all local data collection and removes all app-private data from your device. Your entitlement record (Firebase UID + list of unlocked Marketplace item IDs + Google Play purchase tokens) intentionally remains on Firebase for the duration of the MindLotus service so that, if you reinstall the App or switch device, your purchases are restored automatically without you having to pay again (see Section 2.4.1). You may nevertheless request deletion of that cloud record at any time under Section 8.4; Google Play’s own record of your purchases is unaffected by any such deletion and will continue to enable Play-side restoration.
Concrete retention periods for each category are in the table in Section 3. We do not retain data longer than necessary.
All locally stored data is deleted when you uninstall the App.
Cloud-stored data is retained for the periods set out in the Section 3 table. In particular:
Email mindlotus.app@gmail.com. We process requests within 30 days (extendable by 2 months per GDPR Art. 12(3)), subject to legal-retention obligations.
The App uses anonymous authentication — there is no account with personal credentials to delete. Upon request, we will delete all cloud records associated with your anonymous identifiers.
The App is not directed at children. Per Article 8 GDPR and Bulgarian LPDP Art. 25в, the minimum age for consent to information-society services in Bulgaria is 14 years. In other EU/EEA Member States the minimum age is between 13 and 16 as set by national law. In all cases:
We do not knowingly collect data from children below the applicable age of digital consent without verified parental consent. Contact mindlotus.app@gmail.com if you believe a child has provided us with personal data.
Exercise your rights: mindlotus.app@gmail.com. We respond within 30 days, extendable per Art. 12(3) GDPR.
You may also lodge a complaint with the supervisory authority of your habitual residence, place of work, or the place of the alleged infringement.
California residents: right to know, delete, opt-out of sale/share (we do not sell or share), limit use of sensitive PI (we collect none), and non-discrimination. Contact mindlotus.app@gmail.com.
Residents of Brazil: similar rights to access, correct, delete, anonymise, and port. Contact mindlotus.app@gmail.com.
The App does not use cookies. Our website (mindlotus.app) does not use advertising, analytics, or cross-site tracking cookies. See full details in our Cookie Policy.
We may update this Privacy Policy from time to time. Material changes will be reflected by updating the “Last Updated” date and, where appropriate, notifying you through the App. Continued use after changes constitutes acceptance. Prior versions available on request.
Zadio EOOD · EIK 201209745 · VAT BG201209745
Registered seat: Ploshtad Han Kubrat 1, 7000 Ruse, Bulgaria
Email: mindlotus.app@gmail.com
Website: https://mindlotus.app