Privacy Policy
Last updated: 2026-06-30 · Effective: 2026-06-30 · Version: 2.3
This Privacy Policy describes how ZADIO EOOD (“Company,” “we,” “us,” or “our”) collects, uses, stores, and protects information when you use the MindLotus mobile application (“App”) and the MindLotus website at zadio.bg/mindlotus/ (“Site”). We are committed to full compliance with the GDPR, the ePrivacy framework, the Bulgarian LPDP, the California Consumer Privacy Act / California Privacy Rights Act (“CCPA/CPRA”), the Children's Online Privacy Protection Act (“COPPA”), and the U.S. Digital Millennium Copyright Act (“DMCA”) for takedown procedures (handled in the Terms of Service).
Data Protection Officer (DPO): Not appointed. Based on the nature, scope, context, and purposes of our processing, we are not required to designate a DPO under Article 37 GDPR. Privacy inquiries may be directed to app@zadio.bg.
1. Overview
MindLotus is a dual audio player for personal wellness, focus, and meditation. The App is designed to work primarily offline. We minimise data collection to what is strictly necessary for the App to function, to prevent abuse, and to improve reliability.
We do NOT:
- display advertisements;
- use advertising tracking SDKs or identifiers (no AAID/IDFA);
- sell, rent, or share your personal data with third parties for marketing;
- collect, access, or upload your personal audio files;
- perform profiling or automated decision-making within the meaning of Article 22 GDPR.
2. Information we collect and process
2.1 Device identifier (ANDROID_ID)
We collect a device-specific identifier (Android's Settings.Secure.ANDROID_ID) to anchor the free-trial period on each device. This identifier is stored in our cloud database (Firebase Firestore) under a trial-management collection and is used to prevent trial abuse (e.g., repeated reinstallation to reset the trial on the same device).
2.2 Google account identifier (cross-device trial sync)
To enforce a single trial period per user across multiple devices, the App uses Google Sign-In to obtain your Google account identity. We do NOT store your email address, name, or profile information. We store only a one-way cryptographic hash (SHA-256) of your Google account ID — a pseudonymised value that cannot be reversed to reveal your identity. This hashed identifier is used solely to link your trial period across devices so that the remaining trial days carry over when you set up a new device.
2.3 Anonymous authentication identifier
When you access the MindLotus content library or marketplace, we create an anonymous account through Firebase Authentication. This generates a random user identifier (UID) that is not linked to your name, email, or any personal account. This UID manages your content entitlements and purchase records within the App.
2.4 Subscription, purchase, and entitlement data
When you subscribe or make an in-app purchase, Google Play processes the transaction. We receive and store a minimal set of records required to deliver the service you paid for and to let you recover your purchases at any time:
- your active subscription tier (Awakened, Aligned, or Serene);
- subscription status (active/inactive) and expiration date;
- purchase tokens (anonymised transaction identifiers returned by Google Play);
- the list of marketplace item IDs you have unlocked;
- the timestamp of the last synchronisation between your device and our servers.
This record is persisted locally on your device (Android Preferences DataStore, app-private) and synchronised to Firebase Cloud Firestore under a single document keyed to your Firebase Authentication UID. Firebase security rules restrict read/write access to that document exclusively to the authenticated user to whom it belongs. The record contains no name, email, payment-card data, billing address, IP address, device location, or listening history.
2.4.1 Restoration after reinstall or device change — for your benefit
2.4.2 Legal basis
GDPR Article 6(1)(b) — performance of the contract under which we must continue to provide you ongoing access to the content you have paid for.
2.5 Analytics data (optional — consent-based)
If you enable analytics in the App's Settings, we collect anonymous usage data through Firebase Analytics: feature usage, screen views, navigation patterns, playback events (metadata only, never audio data), subscription-lifecycle events, and app errors. Analytics data is aggregated and anonymous. You may disable analytics at any time in Settings, and you may withdraw consent at any moment without any detriment.
2.6 Crash reports
If the App crashes, Firebase Crashlytics automatically collects device model, OS version, app version, stack trace, error details, and general device state. Crash reports do not contain personal content such as audio files or file names. Crash reporting follows your Analytics & Crash Reporting preference in Settings, except during the trial period when the Guided Testing diagnostics consent is active (§2.6.1).
2.6.1 Guided Testing diagnostics (trial period)
During the 14-day free trial, the App includes a Guided Testing feature with a clear in-app consent dialog. If you accept, Firebase Crashlytics and Firebase Analytics are enabled for the duration of your trial regardless of the general Analytics toggle. Tapping “Send test report” transmits app version, Android version, device model, the feature under test, and any error logs collected since the previous report. Diagnostic collection enabled through this consent stops automatically when the trial ends.
2.7 Push notification token
The App uses Firebase Cloud Messaging (FCM) to enable push notifications. Your device receives a registration token from Google, used solely to deliver notifications related to App updates, new content, or service announcements. We do not use this token for advertising or behavioural tracking.
2.8 Remote configuration
The App periodically checks Firebase Remote Config for operational parameters (such as trial duration and feature-availability flags). This is a server-to-app configuration check and does not transmit personal data from your device.
2.9 App integrity attestation (Google Play Integrity API / Firebase App Check)
To protect our cloud services from abuse — automated scraping of paid content, fake-traffic billing fraud, and piracy — each request the App sends to our cloud is accompanied by a short-lived attestation token from Google's Play Integrity API and verified by Firebase App Check. The attestation contains no identifying data, no request contents, and no location/IP. Tokens are short-lived and not retained. Legal basis: GDPR Art. 6(1)(f), legitimate interest (Recital 47 — fraud prevention).
2.10 Information we do NOT collect
- personal identity in readable form (your name, email, profile from Google Sign-In are used transiently and never stored — only an irreversible hash is retained);
- location data (GPS, IP geolocation, network-based location);
- contacts or call logs;
- camera or microphone recordings;
- advertising identifiers (AAID / IDFA);
- your personal audio files or their metadata;
- browsing history outside of the App;
- your Alarms configuration (time, days, label, chosen mix) — stored exclusively in app-private storage on your device and never uploaded; see §2.11;
- biometric, health, or any “special category” data (Article 9 GDPR).
2.11 Alarms feature (Serene tier — on-device only)
The Serene subscription tier includes an Alarms feature. Inside the App, you create each alarm explicitly by picking a time of day, days of the week, the saved audio mix to play, an optional label, and an on/off toggle. We process this configuration as follows:
- Storage. Your alarm list is stored in a JSON file inside the App's private, sandboxed storage on your device. It is not synchronised to Firebase Cloud Firestore, Firebase Cloud Storage, or any other server. It does not leave your device.
- Scheduling. Each enabled alarm is registered with the Android system via
AlarmManager.setAlarmClock()— the same API used by the device's built-in Clock app. The required permissions areSCHEDULE_EXACT_ALARM(Android 12) andUSE_EXACT_ALARM(Android 13+); MindLotus uses them solely for user-scheduled Alarms, which is one of the use cases expressly allow-listed by Google's August 2023 exact-alarm policy. - Firing. When an alarm fires, a foreground service of type
mediaPlaybackplays your chosen saved mix on a dedicated audio session (USAGE_ALARM) and shows a high-importance notification with a “Dismiss” action. The service stops on dismiss or when the mix finishes. - Re-arming after reboot. The
RECEIVE_BOOT_COMPLETEDpermission is used to re-schedule your enabled Alarms after a device restart or time-zone change. No network access, no analytics, no other background work is performed at boot. - Data minimisation. We do not collect, transmit, log, or analyse your alarm times, labels, days, or chosen mixes. Anonymous Analytics (only if you have opted in) may count “alarm created” / “alarm fired” events with no personally identifying or content data attached.
- Legal basis. GDPR Art. 6(1)(b) — performance of the contract under which we deliver the Serene feature set you have paid for.
3. Purposes and legal bases (GDPR Article 6)
We process personal data only where we have a valid legal basis under Article 6(1) GDPR. The table below maps each category of data to its purpose, legal basis, and retention period.
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| Device identifier (ANDROID_ID) | Trial anchoring; anti-abuse | Art. 6(1)(f) legitimate interest | 24 months from last activity |
| SHA-256 Google account hash | Cross-device trial sync | Art. 6(1)(b) contract | 24 months from last activity |
| Anonymous Firebase UID | Key under which entitlement document is stored | Art. 6(1)(b) contract | Service duration; deletable on request (§8.4) |
| Entitlement record (item IDs + tokens) | Restore purchases after reinstall / device change | Art. 6(1)(b) contract | Service duration; deletable on request (§8.4) |
| Subscription status / expiration | Deliver subscription features | Art. 6(1)(b) contract | Subscription duration + dispute window |
| Financial-transaction records (invoices) | Bookkeeping & tax | Art. 6(1)(c) legal obligation (BG Accounting Act, Art. 12) | 10 years |
| Analytics data | Improve features & UX | Art. 6(1)(a) consent | 14 months (Firebase default) |
| Crash reports | Stability & debugging | Art. 6(1)(f) legitimate interest | 90 days (Firebase default) |
| Guided Testing diagnostics | Trial-period evaluation | Art. 6(1)(a) explicit consent | Trial duration; reports 90 days |
| FCM token | Transactional push notifications | Art. 6(1)(f) legitimate interest | Until refresh / uninstall |
| Remote Config | Service administration | Art. 6(1)(f) legitimate interest | Not stored by us |
| App Check / Play Integrity attestation | Block scraping, fraud, piracy | Art. 6(1)(f) legitimate interest (Recital 47) | Not stored; tokens short-lived |
| Alarms configuration (Serene tier) | Schedule and fire user-created wake-ups | Art. 6(1)(b) contract | On-device only; deleted on alarm delete or uninstall |
Legitimate-interests balancing test (LIA). We have conducted an LIA and concluded that our processing is necessary, proportionate, and does not override your rights because (i) data is pseudonymous or aggregated, (ii) no profiling is performed, (iii) robust security measures are in place, and (iv) you are transparently informed. A summary is available on request.
4. Data storage, security & hosting
4.1 Local storage
The App stores preferences, subscription status, entitlements, and downloaded content in app-private storage on your device. This data is accessible only to the MindLotus app and is removed when you uninstall.
4.2 Cloud storage and hosting region
Limited data is synchronised to Google Firebase. Because ZADIO EOOD is an EU-established data controller (Bulgaria) and we aim to keep personal data within the European Union by default, our Firebase project is configured as follows:
- Cloud Firestore (entitlements, subscription status, trial anchors) — region
eur3, the EU multi-region, replicated across Belgium and the Netherlands. All Firestore personal data is stored and processed inside the EU. - Firebase Cloud Storage (content delivery for marketplace audio) — region
europe-west3(Frankfurt, Germany), inside the EU. - Firebase Authentication — anonymous UID is consumed and stored within the EU regions above.
- FCM, Firebase Analytics (opt-in only), Firebase Crashlytics — these services do not support regional selection. Data may be processed by Google in the U.S. and other countries. Such transfers are protected by the safeguards in §6.
4.3 Security measures (GDPR Art. 32)
- App-private storage for all local data;
- Encryption in transit (HTTPS/TLS 1.2+);
- Encryption at rest (Firebase-managed AES-256);
- Firebase security rules (per-principal access);
- Principle of least privilege for administrative access;
- Pseudonymisation (SHA-256) of Google account identifier;
- Data minimisation — no names, emails, phone numbers, or precise location.
4.4 Personal data breach notification
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Bulgarian Commission for Personal Data Protection (CPDP) without undue delay and, where feasible, within 72 hours (GDPR Art. 33). High-risk breaches will also be communicated to affected data subjects without undue delay (GDPR Art. 34).
5. Third-party services & sub-processors
5.1 Google Play Services and Billing
Subscription and purchase transactions are processed by Google Ireland Limited / Google LLC. Google's privacy practices: policies.google.com/privacy.
5.2 Google Firebase
We use Firebase Authentication, Cloud Firestore, Cloud Storage, Cloud Messaging, Remote Config, Crashlytics, and (opt-in) Analytics. Data-processing terms: firebase.google.com/terms & cloud.google.com/terms/data-processing-terms. Sub-processor list: cloud.google.com/terms/subprocessors.
5.3 Plausible Analytics (website only — aggregated)
The Site at zadio.bg/mindlotus/ uses Plausible Analytics (plausible.io), an EU-hosted, privacy-friendly analytics service. Plausible sets no cookies and collects no personal data. IP addresses are hashed with a daily-rotated salt and discarded. All metrics are aggregated. See plausible.io/data-policy.
5.4 No other third parties
We do not integrate advertising networks, social-media tracking pixels, attribution SDKs, or any other third-party analytics or tracking services beyond those listed above.
5.5 Data Processing Agreement
We have entered into a Data Processing Addendum with Google under Article 28 GDPR.
6. International data transfers (GDPR Chapter V)
Some Firebase services may involve transfers outside the European Economic Area (EEA), including to the United States.
Safeguards applied:
- EU-U.S. Data Privacy Framework (DPF): Google LLC is certified under the DPF (adequacy decision C(2023) 4745 of 10 July 2023). Transfers to Google LLC therefore benefit from an adequacy decision of the European Commission.
- Standard Contractual Clauses (SCCs): for transfers not covered by adequacy, we rely on the European Commission's SCCs (Implementing Decision (EU) 2021/914).
- Supplementary measures: strong encryption in transit and at rest, strict access controls, and pseudonymisation.
You may request a copy of the safeguards applied by emailing app@zadio.bg.
7. Your choices and controls
7.1 Analytics opt-out
Analytics are disabled by default. You may enable or disable them any time via Settings → Analytics. Disabling is treated as a withdrawal of consent without any detriment to you.
Exception — Guided Testing consent: if you accepted the Guided Testing diagnostics consent during the trial period (§2.6.1), analytics and crash reporting remain active until the trial ends, even if the Settings toggle is off. This override ends automatically when the trial period expires.
7.2 Push notifications
Disable push notifications through your device's system settings for the MindLotus app.
7.3 Uninstall
Uninstalling the App stops all local data collection and removes all app-private data from your device. Your entitlement record intentionally remains on Firebase for the duration of the MindLotus service so that, if you reinstall or switch device, your purchases are restored automatically without you having to pay again. You may nevertheless request deletion of that cloud record at any time under §8.4.
7.4 Device permissions
- Audio/media file access — load your own audio files;
- Internet & network state — subscription validation, content delivery, Firebase services;
- Foreground service (media playback) — background audio playback and (Serene tier only) playing a saved mix when a user-scheduled Alarm fires;
- Notifications — push notifications (runtime request on Android 13+) and the user-visible Alarm notification when a Serene-tier alarm rings;
- Wake lock — maintain audio playback when the screen is off;
- Exact alarms (
SCHEDULE_EXACT_ALARMon Android 12;USE_EXACT_ALARMon Android 13+) — Serene tier only; used solely to fire user-created Alarms at the exact wall-clock time you picked. No personal data is collected, transmitted, or stored as a result of this permission; the alarm schedule lives only in app-private storage on your device. See §2.11. - Receive boot completed — Serene tier only; used solely to re-arm your Alarms after a device reboot or time-zone change, so that wake-ups continue to fire after a restart. No code runs in the background other than the one-shot rescheduler.
On Android 12, exact-alarm permission can be revoked in Settings → Apps → MindLotus → Alarms & reminders; if revoked, the App shows a banner that links you to the settings screen and the Alarms feature gracefully degrades.
8. Data retention and deletion
8.1 Retention periods
Concrete retention periods for each category are in the table in §3. We do not retain data longer than necessary.
8.2 Local data
All locally stored data is deleted when you uninstall the App.
8.3 Cloud data
- Entitlement records are retained for the duration of the MindLotus service (no automatic TTL). Deletable on request.
- Financial-transaction records are retained for 10 years under the Bulgarian Accounting Act, Art. 12.
- Trial anchor and subscription-status records are retained for the periods set out in §3.
8.4 Deletion requests
Email app@zadio.bg. We process requests within 30 days (extendable by 2 months per GDPR Art. 12(3)), subject to legal-retention obligations.
8.5 Account deletion
The App uses anonymous authentication — there is no account with personal credentials to delete. Upon request, we will delete all cloud records associated with your anonymous identifiers.
9. Children's privacy
The App is not directed at children. Per Article 8 GDPR and Bulgarian LPDP Art. 25в, the minimum age for consent to information-society services in Bulgaria is 14 years. In other EU/EEA Member States the minimum age is between 13 and 16 as set by national law. In the United States we comply with COPPA (15 U.S.C. §§6501–6506); we do not knowingly collect data from children under 13. Users under 18 must have permission from a parent or legal guardian. If you believe a child has provided us with personal data, contact app@zadio.bg and we will delete it promptly.
10. Your rights
10.1 EEA, UK, and Switzerland (GDPR / UK GDPR / FADP)
- Right of access (Art. 15);
- Right to rectification (Art. 16);
- Right to erasure / “right to be forgotten” (Art. 17);
- Right to restrict processing (Art. 18);
- Right to data portability in JSON format (Art. 20);
- Right to object (Art. 21) — to processing based on legitimate interests;
- Right to withdraw consent at any time (Art. 7(3));
- Right not to be subject to automated decision-making (Art. 22) — we perform none;
- Right to lodge a complaint with a supervisory authority (Art. 77).
Exercise your rights: app@zadio.bg. We respond within 30 days, extendable per Art. 12(3) GDPR.
10.2 Supervisory authority — Bulgaria
You may also lodge a complaint with the supervisory authority of your habitual residence, place of work, or the place of the alleged infringement.
10.3 California (CCPA / CPRA)
California residents have the right to know, delete, opt out of the sale or sharing of personal information (we do not sell or share), limit use of sensitive personal information (we collect none), and a non-discrimination right. Contact app@zadio.bg.
10.4 Brazil (LGPD), Quebec (Law 25), and other jurisdictions
Residents of Brazil, Quebec, and other jurisdictions with comparable data-protection laws have similar rights to access, correct, delete, anonymise, and port their data. Contact app@zadio.bg.
11. Cookies, trackers & similar technologies
This section is the cookie / tracker disclosure for both the Site and the App, issued pursuant to Article 5(3) of Directive 2002/58/EC (ePrivacy Directive), Article 4b of the Bulgarian Electronic Communications Act, and Articles 13–14 GDPR.
11.1 Categories of trackers and legal bases
| Category | Purpose | Consent required? | Used by us? |
|---|---|---|---|
| Strictly necessary | Technical delivery of a service the user explicitly requested | No | Minimal |
| Functional / preferences | Remember language, region, display preferences | Yes, unless strictly necessary | No |
| Analytics | Measure audience and app usage | Yes (opt-in) | In-app only, opt-in — Firebase Analytics. Site: Plausible (cookieless, aggregated) |
| Advertising / marketing | Targeted advertising, frequency capping, profiling | Yes | No — ever |
| Social media / third-party embeds | Widgets, pixels, external services | Yes | No |
11.2 Trackers used on the Site (zadio.bg/mindlotus/)
- No first-party cookies are set.
- No third-party advertising or cross-site tracking is loaded.
- Plausible Analytics (privacy-friendly, cookieless, aggregated) is loaded; it sets no cookies and stores no personal data. See §5.3.
- Fonts use the operating system's native font stack — no external font CDN is contacted.
- Server access logs may briefly retain IP address and user-agent for security/anti-abuse on a legitimate-interest basis (Art. 6(1)(f)). Logs are typically retained for 14 days.
11.3 Trackers used in the App
- App-private local storage (preferences, subscription state, downloaded content). Removed on uninstall. Required for the App to function (Art. 6(1)(b)).
- Firebase SDKs (Authentication, Firestore, Cloud Storage, Cloud Messaging, Remote Config, Crashlytics, Analytics). Purposes and legal bases as set out in §2.
- Firebase Analytics is strictly opt-in and disabled by default.
11.4 Managing your preferences
Site: use your browser's settings to block or delete cookies. Since we do not set non-essential cookies, most users will have nothing to delete from our domain. We honour privacy-enhancing browser signals (DNT, GPC) where technically feasible.
App: disable analytics in Settings → Analytics → Off. Disable push notifications in your device settings. Delete all local storage by uninstalling. Request cloud deletion at app@zadio.bg.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be reflected by updating the “Last updated” date and version number, and where appropriate notifying you through the App. Continued use after changes constitutes acceptance. Prior versions are available on request.
13. Contact
ZADIO EOOD · EIK 201209745 · VAT BG201209745 · DUNS 503679175
Registered seat: Ploshtad Han Kubrat 1, 7000 Ruse, Bulgaria
Email: app@zadio.bg · Phone: +359 879 655 188
Website: https://zadio.bg/mindlotus/
EU Online Dispute Resolution platform: ec.europa.eu/consumers/odr