Privacy Policy

Last updated: 2026-06-30 · Effective: 2026-06-30 · Version: 2.3

This Privacy Policy describes how ZADIO EOOD (“Company,” “we,” “us,” or “our”) collects, uses, stores, and protects information when you use the MindLotus mobile application (“App”) and the MindLotus website at zadio.bg/mindlotus/ (“Site”). We are committed to full compliance with the GDPR, the ePrivacy framework, the Bulgarian LPDP, the California Consumer Privacy Act / California Privacy Rights Act (“CCPA/CPRA”), the Children's Online Privacy Protection Act (“COPPA”), and the U.S. Digital Millennium Copyright Act (“DMCA”) for takedown procedures (handled in the Terms of Service).

Data Protection Officer (DPO): Not appointed. Based on the nature, scope, context, and purposes of our processing, we are not required to designate a DPO under Article 37 GDPR. Privacy inquiries may be directed to app@zadio.bg.

1. Overview

MindLotus is a dual audio player for personal wellness, focus, and meditation. The App is designed to work primarily offline. We minimise data collection to what is strictly necessary for the App to function, to prevent abuse, and to improve reliability.

We do NOT:

2. Information we collect and process

2.1 Device identifier (ANDROID_ID)

We collect a device-specific identifier (Android's Settings.Secure.ANDROID_ID) to anchor the free-trial period on each device. This identifier is stored in our cloud database (Firebase Firestore) under a trial-management collection and is used to prevent trial abuse (e.g., repeated reinstallation to reset the trial on the same device).

2.2 Google account identifier (cross-device trial sync)

To enforce a single trial period per user across multiple devices, the App uses Google Sign-In to obtain your Google account identity. We do NOT store your email address, name, or profile information. We store only a one-way cryptographic hash (SHA-256) of your Google account ID — a pseudonymised value that cannot be reversed to reveal your identity. This hashed identifier is used solely to link your trial period across devices so that the remaining trial days carry over when you set up a new device.

2.3 Anonymous authentication identifier

When you access the MindLotus content library or marketplace, we create an anonymous account through Firebase Authentication. This generates a random user identifier (UID) that is not linked to your name, email, or any personal account. This UID manages your content entitlements and purchase records within the App.

2.4 Subscription, purchase, and entitlement data

When you subscribe or make an in-app purchase, Google Play processes the transaction. We receive and store a minimal set of records required to deliver the service you paid for and to let you recover your purchases at any time:

This record is persisted locally on your device (Android Preferences DataStore, app-private) and synchronised to Firebase Cloud Firestore under a single document keyed to your Firebase Authentication UID. Firebase security rules restrict read/write access to that document exclusively to the authenticated user to whom it belongs. The record contains no name, email, payment-card data, billing address, IP address, device location, or listening history.

2.4.1 Restoration after reinstall or device change — for your benefit

2.4.2 Legal basis

GDPR Article 6(1)(b) — performance of the contract under which we must continue to provide you ongoing access to the content you have paid for.

2.5 Analytics data (optional — consent-based)

If you enable analytics in the App's Settings, we collect anonymous usage data through Firebase Analytics: feature usage, screen views, navigation patterns, playback events (metadata only, never audio data), subscription-lifecycle events, and app errors. Analytics data is aggregated and anonymous. You may disable analytics at any time in Settings, and you may withdraw consent at any moment without any detriment.

2.6 Crash reports

If the App crashes, Firebase Crashlytics automatically collects device model, OS version, app version, stack trace, error details, and general device state. Crash reports do not contain personal content such as audio files or file names. Crash reporting follows your Analytics & Crash Reporting preference in Settings, except during the trial period when the Guided Testing diagnostics consent is active (§2.6.1).

2.6.1 Guided Testing diagnostics (trial period)

During the 14-day free trial, the App includes a Guided Testing feature with a clear in-app consent dialog. If you accept, Firebase Crashlytics and Firebase Analytics are enabled for the duration of your trial regardless of the general Analytics toggle. Tapping “Send test report” transmits app version, Android version, device model, the feature under test, and any error logs collected since the previous report. Diagnostic collection enabled through this consent stops automatically when the trial ends.

2.7 Push notification token

The App uses Firebase Cloud Messaging (FCM) to enable push notifications. Your device receives a registration token from Google, used solely to deliver notifications related to App updates, new content, or service announcements. We do not use this token for advertising or behavioural tracking.

2.8 Remote configuration

The App periodically checks Firebase Remote Config for operational parameters (such as trial duration and feature-availability flags). This is a server-to-app configuration check and does not transmit personal data from your device.

2.9 App integrity attestation (Google Play Integrity API / Firebase App Check)

To protect our cloud services from abuse — automated scraping of paid content, fake-traffic billing fraud, and piracy — each request the App sends to our cloud is accompanied by a short-lived attestation token from Google's Play Integrity API and verified by Firebase App Check. The attestation contains no identifying data, no request contents, and no location/IP. Tokens are short-lived and not retained. Legal basis: GDPR Art. 6(1)(f), legitimate interest (Recital 47 — fraud prevention).

2.10 Information we do NOT collect

2.11 Alarms feature (Serene tier — on-device only)

The Serene subscription tier includes an Alarms feature. Inside the App, you create each alarm explicitly by picking a time of day, days of the week, the saved audio mix to play, an optional label, and an on/off toggle. We process this configuration as follows:

3. Purposes and legal bases (GDPR Article 6)

We process personal data only where we have a valid legal basis under Article 6(1) GDPR. The table below maps each category of data to its purpose, legal basis, and retention period.

Legitimate-interests balancing test (LIA). We have conducted an LIA and concluded that our processing is necessary, proportionate, and does not override your rights because (i) data is pseudonymous or aggregated, (ii) no profiling is performed, (iii) robust security measures are in place, and (iv) you are transparently informed. A summary is available on request.

4. Data storage, security & hosting

4.1 Local storage

The App stores preferences, subscription status, entitlements, and downloaded content in app-private storage on your device. This data is accessible only to the MindLotus app and is removed when you uninstall.

4.2 Cloud storage and hosting region

Limited data is synchronised to Google Firebase. Because ZADIO EOOD is an EU-established data controller (Bulgaria) and we aim to keep personal data within the European Union by default, our Firebase project is configured as follows:

4.3 Security measures (GDPR Art. 32)

4.4 Personal data breach notification

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Bulgarian Commission for Personal Data Protection (CPDP) without undue delay and, where feasible, within 72 hours (GDPR Art. 33). High-risk breaches will also be communicated to affected data subjects without undue delay (GDPR Art. 34).

5. Third-party services & sub-processors

5.1 Google Play Services and Billing

Subscription and purchase transactions are processed by Google Ireland Limited / Google LLC. Google's privacy practices: policies.google.com/privacy.

5.2 Google Firebase

We use Firebase Authentication, Cloud Firestore, Cloud Storage, Cloud Messaging, Remote Config, Crashlytics, and (opt-in) Analytics. Data-processing terms: firebase.google.com/terms & cloud.google.com/terms/data-processing-terms. Sub-processor list: cloud.google.com/terms/subprocessors.

5.3 Plausible Analytics (website only — aggregated)

The Site at zadio.bg/mindlotus/ uses Plausible Analytics (plausible.io), an EU-hosted, privacy-friendly analytics service. Plausible sets no cookies and collects no personal data. IP addresses are hashed with a daily-rotated salt and discarded. All metrics are aggregated. See plausible.io/data-policy.

5.4 No other third parties

We do not integrate advertising networks, social-media tracking pixels, attribution SDKs, or any other third-party analytics or tracking services beyond those listed above.

5.5 Data Processing Agreement

We have entered into a Data Processing Addendum with Google under Article 28 GDPR.

6. International data transfers (GDPR Chapter V)

Some Firebase services may involve transfers outside the European Economic Area (EEA), including to the United States.

Safeguards applied:

You may request a copy of the safeguards applied by emailing app@zadio.bg.

7. Your choices and controls

7.1 Analytics opt-out

Analytics are disabled by default. You may enable or disable them any time via Settings → Analytics. Disabling is treated as a withdrawal of consent without any detriment to you.

Exception — Guided Testing consent: if you accepted the Guided Testing diagnostics consent during the trial period (§2.6.1), analytics and crash reporting remain active until the trial ends, even if the Settings toggle is off. This override ends automatically when the trial period expires.

7.2 Push notifications

Disable push notifications through your device's system settings for the MindLotus app.

7.3 Uninstall

Uninstalling the App stops all local data collection and removes all app-private data from your device. Your entitlement record intentionally remains on Firebase for the duration of the MindLotus service so that, if you reinstall or switch device, your purchases are restored automatically without you having to pay again. You may nevertheless request deletion of that cloud record at any time under §8.4.

7.4 Device permissions

On Android 12, exact-alarm permission can be revoked in Settings → Apps → MindLotus → Alarms & reminders; if revoked, the App shows a banner that links you to the settings screen and the Alarms feature gracefully degrades.

8. Data retention and deletion

8.1 Retention periods

Concrete retention periods for each category are in the table in §3. We do not retain data longer than necessary.

8.2 Local data

All locally stored data is deleted when you uninstall the App.

8.3 Cloud data

8.4 Deletion requests

Email app@zadio.bg. We process requests within 30 days (extendable by 2 months per GDPR Art. 12(3)), subject to legal-retention obligations.

8.5 Account deletion

The App uses anonymous authentication — there is no account with personal credentials to delete. Upon request, we will delete all cloud records associated with your anonymous identifiers.

9. Children's privacy

The App is not directed at children. Per Article 8 GDPR and Bulgarian LPDP Art. 25в, the minimum age for consent to information-society services in Bulgaria is 14 years. In other EU/EEA Member States the minimum age is between 13 and 16 as set by national law. In the United States we comply with COPPA (15 U.S.C. §§6501–6506); we do not knowingly collect data from children under 13. Users under 18 must have permission from a parent or legal guardian. If you believe a child has provided us with personal data, contact app@zadio.bg and we will delete it promptly.

10. Your rights

10.1 EEA, UK, and Switzerland (GDPR / UK GDPR / FADP)

Exercise your rights: app@zadio.bg. We respond within 30 days, extendable per Art. 12(3) GDPR.

10.2 Supervisory authority — Bulgaria

You may also lodge a complaint with the supervisory authority of your habitual residence, place of work, or the place of the alleged infringement.

10.3 California (CCPA / CPRA)

California residents have the right to know, delete, opt out of the sale or sharing of personal information (we do not sell or share), limit use of sensitive personal information (we collect none), and a non-discrimination right. Contact app@zadio.bg.

10.4 Brazil (LGPD), Quebec (Law 25), and other jurisdictions

Residents of Brazil, Quebec, and other jurisdictions with comparable data-protection laws have similar rights to access, correct, delete, anonymise, and port their data. Contact app@zadio.bg.

11. Cookies, trackers & similar technologies

This section is the cookie / tracker disclosure for both the Site and the App, issued pursuant to Article 5(3) of Directive 2002/58/EC (ePrivacy Directive), Article 4b of the Bulgarian Electronic Communications Act, and Articles 13–14 GDPR.

11.1 Categories of trackers and legal bases

11.2 Trackers used on the Site (zadio.bg/mindlotus/)

11.3 Trackers used in the App

11.4 Managing your preferences

Site: use your browser's settings to block or delete cookies. Since we do not set non-essential cookies, most users will have nothing to delete from our domain. We honour privacy-enhancing browser signals (DNT, GPC) where technically feasible.

App: disable analytics in Settings → Analytics → Off. Disable push notifications in your device settings. Delete all local storage by uninstalling. Request cloud deletion at app@zadio.bg.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be reflected by updating the “Last updated” date and version number, and where appropriate notifying you through the App. Continued use after changes constitutes acceptance. Prior versions are available on request.

13. Contact

ZADIO EOOD · EIK 201209745 · VAT BG201209745 · DUNS 503679175
Registered seat: Ploshtad Han Kubrat 1, 7000 Ruse, Bulgaria
Email: app@zadio.bg · Phone: +359 879 655 188
Website: https://zadio.bg/mindlotus/
EU Online Dispute Resolution platform: ec.europa.eu/consumers/odr