Privacy Policy

Last updated: July 17, 2025

1. Introduction and Responsible Body (Data Controller)

Welcome to Bright Minds. We take the protection of your personal data very seriously. This Privacy Policy informs you about the nature, scope, and purpose of the collection and use of personal data on our website (www.bright-minds.io) and in connection with our services, including our online programs and the LuminaOS application.

The data controller responsible for data processing is:

Bright Minds
Tilman Resch
Knoebelstr. 30
80538 Munich
Germany

Email: info@bright-minds.io
Website: www.bright-minds.io

We treat your personal data confidentially and in accordance with the statutory data protection regulations, in particular the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and the Telecommunications Telemedia Data Protection Act (TTDSG), as well as this privacy policy.

2. Data Collection and Processing

a) When Visiting Our Website (Server Log Files)

When you access our website, our hosting provider automatically collects information that your browser transmits to us and stores it in server log files. This includes:

  • Browser type and version
  • Operating system used
  • Referrer URL (the previously visited page)
  • Hostname of the accessing computer
  • Time of the server request
  • IP address (anonymized or shortened)

This data is not merged with other data sources. The basis for this data processing is our legitimate interest (Art. 6(1)(f) GDPR) in ensuring the security, stability, and error-free operation of our website.

b) Cookies

Our website uses cookies. Cookies are small text files that are stored on your device.

  • Essential Cookies: We use technically necessary cookies to make our website user-friendly and functional (e.g., for login sessions or shopping carts). The legal basis is our legitimate interest (Art. 6(1)(f) GDPR) and, where applicable, § 25(2) TTDSG.
  • Non-Essential Cookies: Other cookies (e.g., for analytics, marketing) are only used with your explicit consent, which we obtain via a cookie consent banner. The legal basis for this is your consent (Art. 6(1)(a) GDPR and § 25(1) TTDSG). You can withdraw your consent at any time through the cookie settings on our website.

c) Contacting Us (Email or Contact Form)

If you contact us via email or a contact form, the information you provide (e.g., name, email address, your message) will be stored by us to process your request and for any follow-up questions. We process this data based on Art. 6(1)(b) GDPR if your request is related to the fulfillment of a contract or for pre-contractual measures. In all other cases, the processing is based on our legitimate interest (Art. 6(1)(f) GDPR) in effectively handling the inquiries addressed to us.

d) Account Registration and Use of Services

To use our online programs or the LuminaOS app, you must register an account. We collect data such as your name, email address, and a password. This data is necessary to provide and manage your account and deliver the services you have purchased. The legal basis is the performance of a contract (Art. 6(1)(b) GDPR).

e) Data Processing within the LuminaOS Application

The LuminaOS app is designed for personal growth and involves the processing of highly personal data you provide. This includes:

  • Profile Information: Your name and email address.
  • User-Generated Content: Goals, journal entries, habit tracking data, reflections, and any other text, images, or data you input into the app.
  • AI Coach Interactions: The prompts you enter and the responses generated by "Super-me AI Coach".

This data is processed solely to provide you with the functionality of the app. The legal basis is the performance of our contract with you (Art. 6(1)(b) GDPR). We treat this data with the highest level of confidentiality.

f) AI-Powered Features

Our "Super-me AI Coach" utilizes third-party artificial intelligence models (e.g., from providers like OpenAI or Google) to provide responses. When you use this feature, the data you input into the prompt is sent to these third-party providers for processing.

  • We have data processing agreements (DPAs) in place with our AI service providers.
  • According to these agreements, your data is not used to train their public models.
  • We urge you not to enter any sensitive personal data (e.g., health information, financial details, government IDs) that you would not want a third party to process.

The legal basis for this processing is the performance of the contract (Art. 6(1)(b) GDPR), as it is an integral part of the service.

g) Newsletter

If you subscribe to our newsletter, we require your email address. We use a "double opt-in" procedure to verify that you are the owner of the email address and consent to receiving the newsletter. You can revoke your consent and unsubscribe from the newsletter at any time, for example, via the "unsubscribe" link in the newsletter. The data processing is based on your consent (Art. 6(1)(a) GDPR).

3. Data Recipients and Third-Party Transfers

We may share your data with trusted third parties to provide our services, including:

  • Hosting Providers: To host our website and database.
  • Payment Processors: (e.g., Stripe, PayPal) to handle payments. They process your payment data independently.
  • AI Service Providers: As described in section 2(f).
  • Analytics Providers: (e.g., Google Analytics) if you have given your consent.

If we transfer data to service providers in countries outside the European Union (e.g., the USA), we ensure a legally permissible level of data protection. This is typically done through the EU-U.S. Data Privacy Framework for certified US companies or by concluding EU Standard Contractual Clauses (SCCs).

4. Your Rights as a Data Subject

You have the following rights regarding your personal data under the GDPR:

  • Right of Access (Art. 15 GDPR): The right to obtain information about your personal data processed by us.
  • Right to Rectification (Art. 16 GDPR): The right to have inaccurate personal data corrected.
  • Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR): The right to have your data deleted, provided there are no legal retention obligations.
  • Right to Restriction of Processing (Art. 18 GDPR): The right to request a restriction on the processing of your data.
  • Right to Data Portability (Art. 20 GDPR): The right to receive your data in a structured, common, and machine-readable format.
  • Right to Withdraw Consent (Art. 7(3) GDPR): The right to withdraw your consent at any time with future effect.
  • Right to Lodge a Complaint (Art. 77 GDPR): The right to complain to a supervisory authority. The competent authority for us is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany.

Information about your Right to Object under Art. 21 GDPR

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Art. 6(1)(e) (public interest) or Art. 6(1)(f) GDPR (legitimate interest).

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.

The objection does not require any particular form and should be directed to info@bright-minds.io.

5. Data Retention

We process and store your personal data only for the period necessary to achieve the purpose of storage, or as far as this is provided for by European or other legislators in laws or regulations to which the controller is subject.

  • Account data is stored as long as your account is active.
  • Data from contact requests is deleted once the request is fully resolved.
  • Contractual data and invoices are retained for the statutory periods required by German commercial and tax law (typically 10 years).

6. Data Security

We use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorized access by third parties. Our website uses SSL/TLS encryption for security and to protect the transmission of confidential content.

7. Changes to this Privacy Policy

We reserve the right to adapt this privacy policy so that it always complies with current legal requirements or to reflect changes to our services. The new privacy policy will apply to your next visit.

Important Disclaimer

This is a comprehensive template based on the information provided. Data protection law is complex. It is strongly recommended that you have this document reviewed by a legal professional specializing in German and EU data protection law (DSGVO/GDPR) to ensure full compliance with your specific data processing activities.