Bildmind Privacy Policy

1. Controller

Bildmind is a project for language learning, integration and the automation of educational processes.

Controller: Dmytro Movchan, founder of Bildmind, Germany.

For privacy requests, account deletion or the exercise of your rights, contact: info@bildmind.com.

If Bildmind is later registered as a separate legal entity, the controller details will be updated on this page and in the Impressum.

2. Scope

This policy applies to bildmind.com, the related app, learning features, test or pilot programs, contact requests and functions that help learners, teachers, mentors or educational organizations work with learning materials.

3. Personal data we may process

Depending on how you use Bildmind, the following categories of data may be processed:

• Account data: email address, username or display name, password hash, email verification status and account creation date.
• Learning data: learning languages, vocabulary, words, translations, examples, levels, test results, repetitions, progress statistics, assigned word sets or learning tasks.
• Group, class and mentoring data: group membership, invitations, learner-teacher or learner-mentor relationships and assigned learning materials.
• Contact data: messages sent by email or contact forms and information required to respond to the request.
• Technical and security data: IP address, device and browser information, access times, technical logs, session data and anti-abuse signals.
• Operational metrics: aggregated technical counters and service health indicators. Metrics must not contain raw prompts, artificial intelligence responses, email addresses, usernames or direct user identifiers in metric labels.
• Artificial intelligence feature data: text or learning material intentionally submitted by the user to an enabled feature, generated examples, explanations and technical metadata.

4. Purposes

• creating and protecting user accounts;
• providing vocabulary, tests, repetitions and progress tracking;
• supporting teachers, mentors, groups and pilot programs;
• responding to user and organization requests;
• maintaining security and preventing errors, abuse and unauthorized access;
• technical monitoring of stability, errors, cache, learning sessions, complaints, reviews and artificial intelligence failures;
• improving the product where this does not override user rights;
• complying with legal obligations where applicable.

5. Legal bases

Where the EU General Data Protection Regulation applies, processing may be based on:

• performance of a contract or pre-contractual steps where data is required to create an account and provide app functions;
• legitimate interests for security, technical support, stability and protection against abuse;
• consent for optional features that require a separate permission;
• legal obligation where retention or disclosure is required by law.

6. Artificial intelligence and human control

Bildmind may use artificial intelligence tools to generate learning examples, explanations, hints or to automate repetitive educational processes. These tools are intended to support learners, teachers and mentors; they do not replace human responsibility for learning decisions.

The artificial intelligence provider may be OpenAI API if the respective features are enabled. Bildmind keeps internal provider documentation for OpenAI, including the Data Processing Addendum, service terms, subprocessor references and documented data sharing settings.

As of 7 June 2026, Bildmind documentation records that optional OpenAI sharing for model improvement, evaluations, fine-tuning and input/output sharing is disabled. API call logging in the organization settings is also documented as disabled.

Bildmind does not claim Zero Data Retention or OpenAI European data residency unless such settings are separately confirmed in the provider settings or a contract. Only the minimum data required for the specific learning request should be sent to artificial intelligence features.

Users should not submit confidential documents, medical data, financial data, passwords or other sensitive information to artificial intelligence features unless such processing has been separately agreed.

7. Technical providers and data transfers

Bildmind uses or may use external technical providers for the website, app, database, email, backups and artificial intelligence features. According to Bildmind documentation, the key providers are:

• Fly.io: infrastructure for the website, backend and database. The internal documentation records the FRA / Frankfurt, Germany region for bildmind-website, bildmind-api and bildmind-db. The Fly.io Data Processing Agreement is stored in the Bildmind GDPR documentation.
• Cloudflare R2: private backup storage for database backups in the bildmind-pilot-db-backups bucket with EU jurisdiction. A Data Processing Addendum and subprocessor references are stored. A lifecycle rule deletes backups after 10 days.
• Namecheap / PrivateEmail: email hosting for info@bildmind.com, including support, privacy requests, account deletion requests and technical/legal correspondence. The provider documentation includes a Data Processing Addendum, email terms, privacy policy and data protection contact.
• OpenAI API: may be used for artificial intelligence features if enabled. OpenAI acts as a technical provider for learning requests within the relevant feature. Bildmind stores documentation about data processing, subprocessors, sharing settings and retention.

These providers must use data only to provide the respective technical service. Bildmind does not sell users' personal data to advertisers or data brokers.

If data is transferred outside the European Economic Area, Bildmind applies appropriate legal and technical safeguards where required by applicable law.

8. Cookies, sessions, logs and metrics

Bildmind may use technically necessary cookies, session tokens or similar mechanisms for login, security and stable service operation.

Operational metrics are used for technical monitoring and are protected by Basic Auth. According to the internal documentation, they are aggregated technical counters and must not contain raw prompts, artificial intelligence responses, email addresses, usernames or direct user identifiers in metric labels.

If analytics or marketing tools that require separate consent are added in the future, users will receive an appropriate notice or choice.

9. Retention and deletion

Personal data is kept only as long as needed for account operation, learning features, legal obligations, security or user requests.

• Account and learning data are kept while the account is active or while needed to provide the service.
• After account deletion, personal data is deleted or anonymized unless there is a legal reason to keep it longer.
• Security logs are kept for a limited time required for diagnostics, security and abuse prevention.
• Database backups in Cloudflare R2 are private and, according to the current backup policy, are automatically deleted after 10 days.
• Artificial intelligence telemetry may store technical metadata such as request status, errors, latency, token usage and service data. Raw prompts and raw artificial intelligence responses should not be stored in this telemetry table. The current internal retention period is 180 days, provided that the purge process is configured and running.
• Artificial intelligence development logs that may contain raw prompts or responses must be disabled in the public launch environment and used only for development where necessary.

Users can request account deletion through the app where available or by emailing info@bildmind.com.

10. Schools, groups and minors

Bildmind may be used in learning or pilot programs with teachers, mentors or educational organizations. Access to group or learning data should be limited to persons who need it for the learning process.

Minors should use Bildmind only in a controlled educational or family-supported context. If the user is under 16 and processing is based on consent, permission or authorization from a parent, legal guardian, school, teacher or educational organization is required depending on the concrete use case.

Bildmind is not designed to intentionally collect medical data, political or religious beliefs, biometric data, financial information, identity documents, passwords or other sensitive data that is not required for language learning.

11. User rights

You may have rights to information, access, correction, deletion, restriction, objection, data portability and withdrawal of consent where applicable. Contact info@bildmind.com. We may ask you to verify your identity to protect your account.

12. Complaint to a supervisory authority

If you believe that your personal data is processed in violation of data protection law, you may complain to a competent supervisory authority. For the private sector in Bavaria, this is usually the Bayerisches Landesamt für Datenschutzaufsicht. You may also contact the authority at your place of residence or work.

13. Security

Bildmind uses technical and organizational measures to protect personal data, including access limitation, protected password storage, session control, security logs, backups, private backup storage, authentication for metrics, restricted access to internal tools and gradual infrastructure improvement.

Backups must not be stored in public repositories. Access keys, mailboxes and API keys must be protected. API keys must not be placed in frontend code or public repositories.

No system can guarantee absolute security, but Bildmind aims to process personal data responsibly, proportionally and only where needed.

14. Changes

Bildmind may update this policy if product features, providers, legal requirements or processing practices change. The current version is always published on this page.

15. Contact

For questions about this policy, personal data or account deletion, contact: info@bildmind.com.