Legal
Niklas Ekman Solutions, organization number 900625-0790, registered at Skinnaråsvägen 28, 19275 Sollentuna, Sweden ("Mindpad," "we," "us," or "our") is committed to protecting your privacy and personal data.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our end-to-end encrypted note-taking service ("Service"). Please read this Privacy Policy carefully. By using the Service, you agree to the collection and use of information in accordance with this policy.
This Privacy Policy complies with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Swedish data protection laws.
Our service consists of two separate components with different data collection practices:
Marketing Website (www.mindpad.eu): We use Google Analytics 4 (GA4) to track page views, referrers, device types, and user behavior to improve our marketing effectiveness. This requires cookies and is subject to your consent via our cookie banner. For information about how Google processes this data, see Google's Privacy Policy.
Application (app.mindpad.eu): We track concurrent usage via periodic pings (approximately every 5 minutes) containing your hashed user ID (SHA256) and timestamp. This helps us monitor service capacity and improve our service. No cookies or external analytics tools are used in the application. You may opt out of ping tracking in your account settings; opting out does not affect app functionality.
The data controller responsible for your personal data is:
Niklas Ekman Solutions
Organization Number: 900625-0790
VAT Number: SE900625079001
Registered Address: Skinnaråsvägen 28, 19275 Sollentuna, Sweden
Email: niklas@niklasekman.solutions
Our Data Protection Officer can be contacted at:
Name: Niklas Ekman
Email: niklas@niklasekman.solutions
If you have any questions or concerns about how we process your personal data, please contact our DPO.
We collect and store your email address for account authentication (passwordless login), security notifications (mandatory), and product updates (optional, you may opt out).
We store your notes in encrypted form on our servers.
How Encryption Works:
While we store your encrypted notes and encrypted private key, we cannot decrypt them because we do not have access to your encryption key.
Security Notice: The security of your data depends on the strength of your encryption key. Weak or easily guessable keys may be vulnerable to brute force attacks. You are responsible for choosing a sufficiently strong and unique encryption key.
We store your public encryption key and your encrypted private key (encrypted with your encryption key, which we never receive or store). Your encryption key is stored only in your device's memory and is cleared when you close or refresh the application.
If you lose your encryption key, we cannot recover it or decrypt your notes.
We store minimal session data required for authentication and service functionality, managed by our identity provider, Logto, on EU servers.
Marketing Website (www.mindpad.eu): We use Google Analytics 4 to collect information about how you interact with our marketing website, including pages visited, referral sources, device type, browser type, geographic location (country/city level), and time spent on pages. This data is collected only with your consent via our cookie banner and is processed by Google in accordance with their privacy policy.
Application (app.mindpad.eu): We collect usage data through periodic pings (approximately every 5 minutes while you're actively using the app) that include:
This data is stored permanently in our database for historical analytics and helps us monitor concurrent users, plan capacity, and improve service performance. You may opt out of this tracking in your account settings without affecting app functionality.
Legal Basis: Consent (for Google Analytics on marketing website) and Legitimate Interest (for ping tracking in application, with your right to object).
We do not collect or store: payment information (handled by Paddle), IP addresses or detailed device information (beyond what Google Analytics collects on our marketing site with your consent), or your encryption key.
Provide and Secure the Service: Creating and managing your account, authenticating your identity, storing your encrypted notes, enabling synchronization across devices, sending security notifications about your account, and detecting unauthorized access.
Improve Our Service: Monitoring concurrent users and service capacity through ping tracking (you may opt out in account settings), and analyzing marketing website performance through Google Analytics (subject to your cookie consent).
Communicate with You: Sending product updates and service announcements (optional, you may opt out), responding to your inquiries, notifying you of changes to our Terms or Privacy Policy, and notifying you before account deletion due to inactivity.
Comply with Legal Obligations: Complying with applicable laws and responding to valid legal requests from authorities.
Under GDPR, we process your personal data based on: Performance of Contract (providing the Service, storing encrypted notes, managing your account, authentication); Legitimate Interest (providing secure service, security communications, and ping-based usage analytics for service improvement and capacity planning, provided these interests are not overridden by your rights and you may object at any time); Legal Obligation (complying with legal requirements); and Consent (Google Analytics on our marketing website and optional marketing communications, which you may withdraw at any time).
We do not sell, trade, or rent your personal data to third parties. We share your data only with the following trusted sub-processors who assist us in operating the Service:
Sliplane.io — Provides cloud hosting infrastructure for encrypted note storage. Data is stored exclusively on EU servers (powered by Hetzner). Sliplane has a Data Processing Agreement (DPA) in place ensuring GDPR compliance.
Logto — Provides authentication services. Your email address and session data are stored on Logto's EU servers. Logto has a Data Processing Agreement (DPA) in place ensuring GDPR compliance.
Paddle.com Market Limited ("Paddle") — Acts as Merchant of Record for subscription payments. Paddle collects and processes billing information (name, address, payment details) directly. We do not receive or store your payment information.
Google LLC — Provides analytics services (Google Analytics 4) on our marketing website (www.mindpad.eu) only. Google processes data about your interaction with our marketing site based on your cookie consent. Google is certified under the EU-U.S. Data Privacy Framework for data transfers. The application (app.mindpad.eu) does not use Google Analytics or share any data with Google.
All sub-processors are either located in the EU or have appropriate data transfer mechanisms in place. We have Data Processing Agreements with all sub-processors to ensure GDPR compliance.
Your account data, encrypted notes, and ping analytics are stored and processed exclusively within the European Union.
For our marketing website (www.mindpad.eu), Google Analytics may transfer data to the United States. Google is certified under the EU-U.S. Data Privacy Framework, which provides adequate protection for data transfers. You can manage or withdraw your consent for Google Analytics through our cookie banner or by using Google's opt-out tools.
We retain your personal data for as long as your account is active and as necessary to provide you with the Service.
If you do not log into your account for 18 consecutive months, your account will be considered inactive. We will send notifications to your registered email address at the following intervals before deletion:
If you do not log in before the final deletion date, we will permanently delete your email address, all your encrypted notes, your encryption keys, and all other account data.
If you delete your account through the account settings, all your data is permanently deleted immediately.
In some cases, we may be required to retain certain data for longer periods to comply with legal obligations, resolve disputes, or enforce our agreements.
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.
End-to-End Encryption: Your notes are protected by Ed25519 asymmetric cryptography. Your encryption key never leaves your device, ensuring we cannot decrypt your notes or encrypted private key, other users cannot access your notes, and even in a data breach, your notes remain secure and unreadable to anyone without your encryption key.
Important: The strength of your encryption depends on the strength of your encryption key. Weak or easily guessable keys may be vulnerable to brute force attacks. You are responsible for creating and maintaining a sufficiently strong encryption key. Our user interface provides guidance, but ultimate responsibility rests with you.
Infrastructure Security: Data is stored on secure EU-based servers (Sliplane.io), with regular security updates, encrypted data transmission (TLS/SSL), and access controls.
Limitations: No method of transmission or storage is 100% secure. While we implement industry-standard security measures, we cannot guarantee absolute security. If you lose your encryption key, your notes are permanently and irretrievably lost. We cannot recover, reset, or provide access under any circumstances.
As a data subject in the European Union, you have the following rights:
Access, Rectification, and Portability: You can export your data at any time through the Service (as a ZIP file containing your email, encrypted notes, encryption keys, and metadata). You can update your email address in your account settings.
Erasure: You can delete your account at any time through your account settings. All data is permanently deleted immediately.
Restrict Processing and Object: You can request that we restrict processing of your personal data or object to processing based on legitimate interests. You may opt out of ping-based usage tracking at any time in your account settings (app functionality remains unchanged). You may also opt out of marketing communications at any time.
Withdraw Consent: You can withdraw consent for marketing communications at any time, or withdraw consent for Google Analytics tracking on our marketing website through our cookie banner or browser settings. Withdrawal does not affect the lawfulness of prior processing.
Lodge a Complaint: You have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten), Box 8114, 104 20 Stockholm, Sweden. Website: www.imy.se | Email: imy@imy.se
Exercising Your Rights: Contact us at niklas@niklasekman.solutions or our Data Protection Officer at niklas@niklasekman.solutions. We will respond within 30 days and may request additional information to verify your identity.
We send security-related notifications to your registered email address. These are essential for protecting your account and cannot be opted out of.
We may also send product updates and service announcements. You may opt out of these at any time by clicking "unsubscribe" in any marketing email, adjusting preferences in your account settings, or contacting us at niklas@niklasekman.solutions.
Marketing Website (www.mindpad.eu): We use cookies on our marketing website for analytics purposes through Google Analytics 4. You can manage your cookie preferences through our cookie banner, which appears when you first visit our marketing site. You must provide explicit consent before we place non-essential cookies on your device.
Types of cookies we use on the marketing website:
You can also opt out of Google Analytics across all websites by installing Google's opt-out browser add-on.
Application (app.mindpad.eu): We do not use cookies or any tracking technologies in the application. The app uses ping-based usage tracking (see Section 4.5) which does not rely on cookies and can be disabled in your account settings.
The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from anyone under 16 years of age. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at niklas@niklasekman.solutions, and we will delete such information from our systems.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten) within 72 hours of becoming aware of the breach, and notify affected users without undue delay if the breach is likely to result in a high risk to their rights.
Important: Due to our end-to-end encryption architecture, even in the event of a data breach where our servers are compromised, your encrypted notes and encrypted private key remain secure and cannot be decrypted without your encryption key. Your email address may be exposed, and we will notify you if this occurs.
The Service may contain links to third-party websites or services that are not operated by us. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services. We encourage you to review the privacy policy of every site you visit.
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a prominent notice on the Service. The "Last Updated" date at the top indicates when it was last revised. Your continued use after the effective date constitutes acceptance of the changes.
Data Controller:
Niklas Ekman Solutions
Organization Number: 900625-0790
VAT Number: SE900625079001
Skinnaråsvägen 28, 19275 Sollentuna, Sweden
Email: niklas@niklasekman.solutions
Data Protection Officer:
Niklas Ekman
Email: niklas@niklasekman.solutions
We will respond to your inquiry within 30 days.
By using the Mindpad Service, you acknowledge that you have read and understood this Privacy Policy and agree to its terms.