vind

last updated: june 26, 2026

privacy policy

How vind collects, uses, stores, and protects personal data for the website and app.

1. emergency situations

vind is not an emergency service and must not be used during a mental health crisis or other emergency.

if you are in immediate danger or believe you may harm yourself or others, contact your local emergency services immediately. if available in your country, you may also contact a local suicide prevention or mental health crisis service.

please also see our AI disclaimer and terms of service.

2. who we are

this privacy policy explains how vind ("vind," "we," "us," or "our") collects, uses, discloses, and protects personal data when you use our website, applications, and related services.

vind is operated by Protek di Davide Talevi — VAT no. IT02033660438, REA AN-265397, registered in Italy. certified email (PEC): [email protected].

the data controller (in Italian, "Titolare del trattamento") is Protek di Davide Talevi. for any privacy-related request, contact us at our certified email (PEC): [email protected].

because the controller is established in the European Union (Italy), no separate Article 27 EU representative is required.

we are in the process of appointing a Data Protection Officer (DPO). until the appointment is complete, privacy requests may be sent to our certified email (PEC): [email protected].

3. personal data we collect

  • account and profile data, including email address, authentication data, subscription status, settings, language, and onboarding responses;
  • conversation and wellness-related data, including messages, reflections, session history, feedback, and information you choose to share about your emotional or wellness state;
  • derived and personalization data, including conversation summaries, recaps, themes, insights, memory objects, continuity context, and profile-style outputs;
  • payment and transaction data made available by payment processors such as Stripe;
  • device, technical, and usage data, including IP address, device type, browser metadata, logs, and service usage information;
  • communications data, including support requests and communication preferences.

4. sources of personal data

we collect personal data directly from you when you create an account, use vind, contact support, or otherwise interact with our services.

we also receive limited information from payment processors and authentication providers where necessary to provide the service.

5. how we use personal data

  • to create and manage your account and provide the core vind service;
  • to provide personalization and continuity features, including memory and live-session context;
  • to process subscriptions, billing, refunds, accounting, and related records;
  • to communicate with you about the service, security, support, and policy updates;
  • to secure the service, prevent misuse, debug issues, and improve reliability;
  • to comply with law and handle legal claims.

we process personal data only where we have a valid legal basis under the GDPR:

  • contract (Article 6(1)(b)): account, core service delivery, subscriptions, and billing;
  • explicit consent (Article 9(2)(a)): health-related and wellness content you provide, memory, continuity, and personalization that depends on it;
  • consent (Article 6(1)(a)): non-essential cookies or analytics where consent is required by applicable law;
  • legitimate interests (Article 6(1)(f)): security, fraud prevention, service reliability, and first-party product analytics where consent is not required;
  • legal obligation (Article 6(1)(c)): tax, accounting, and regulatory records.

6. health-related and other special-category data

because vind is a mental wellness and self-reflection service, information you provide and certain outputs we derive may constitute health-related or other special-category data under applicable law.

where required, we rely on explicit consent to process this data to deliver vind's wellness, memory, continuity, and personalization features.

you may withdraw consent where available in settings or by contacting us. withdrawal may limit or disable features that depend on this data.

7. automated processing, profiling, and personalization

vind uses automated systems, including AI systems, to generate responses, summaries, memory, context features, emotional or theme analysis, reminders, insights, and recommendations.

these features are used to provide and personalize the service. they are not intended to replace professional diagnosis, treatment, or crisis care.

vind does not use solely automated decision-making that produces legal effects or similarly significant effects on users.

under the EU AI Act, we inform you that you are interacting with an AI system when you use vind's conversational and voice features. AI-generated outputs are labelled or presented as such where required by law.

8. who we share personal data with

  • cloud hosting, database, infrastructure, and security providers;
  • payment processors;
  • communications, support, analytics, monitoring, and software vendors;
  • AI model and inference providers used to power conversational, voice, and reasoning features;
  • professional advisers, auditors, insurers, and legal counsel;
  • regulators, courts, law enforcement, or other authorities where required by law.

we do not sell personal data.

our primary service providers currently include Prisma Data, Inc., Railway Corp., Stripe, Inc., OpenAI, L.L.C., and Google LLC. these providers process personal data on our behalf only where necessary to provide and support vind's services and in accordance with applicable data protection laws.

9. hosting, international transfers, and retention

vind primarily hosts personal data within the European Economic Area (EEA). Some service providers may process or access personal data from outside the EEA as described below.

some service providers are established outside the European Economic Area or may access personal data from outside it.

where personal data is transferred outside the EEA, we rely on appropriate safeguards under Chapter V of the GDPR, including the EU-U.S. Data Privacy Framework where applicable, Standard Contractual Clauses adopted by the European Commission, or another lawful transfer mechanism.

you may permanently delete your account from settings or by contacting us. account deletion removes or anonymizes personal data except where retention is legally required.

we retain personal data only for as long as necessary for the purposes described in this policy. indicative retention periods:

  • account and profile data: for as long as your account is active, then deleted or anonymised within 30 days after confirmed account erasure, except where law requires longer storage;
  • conversations, reflections, memory profile, and derived wellness outputs: until you delete them in settings, until account erasure, or until you withdraw consent where processing depends on consent;
  • subscription and payment records: for the duration of the relationship and up to 10 years thereafter where required for tax and accounting obligations;
  • security, audit, and compliance logs: typically up to 24 months from the event, unless a longer period is needed to establish, exercise, or defend legal claims;
  • backups: overwritten on a rolling basis; residual copies may persist for up to 90 days after deletion from live systems.

10. your rights and choices

depending on where you live, you may have rights to access, correct, delete, restrict, object to processing, receive a portable copy, withdraw consent, opt out of marketing, or lodge a complaint with a regulator.

to exercise these rights, email Protek di Davide Talevi at our certified email (PEC): [email protected]. we respond within the time limits set by applicable law (under the GDPR, normally within one month).

if you are in the European Union or Italy, you may also lodge a complaint with the Italian data protection authority (Garante per la protezione dei dati personali, www.garanteprivacy.it) or your local supervisory authority.

california residents may have additional privacy rights under applicable law, including under the California Consumer Privacy Act (CCPA/CPRA). to exercise applicable rights, contact us at our certified email (PEC): [email protected].

11. cookies and similar technologies

we use cookies and similar technologies that are strictly necessary to operate the service, keep you signed in, and maintain security.

with your consent, we may also use analytics and marketing cookies (including third-party advertising and conversion measurement technologies, such as Meta technologies) to measure campaign performance and improve communications.

where analytics rely on consent under applicable law, we obtain that consent before processing.

where consent is legally required for non-essential cookies or trackers, we request it before they are set, and you can change your choice at any time.

a cookie banner or preference center is provided where required by applicable law.

for category-level details, retention, providers, and your controls, see our cookie policy.

12. children, security, and changes

vind is intended only for adults who are at least 18 years old.

we implement appropriate technical and organizational measures, including encryption in transit, access controls, authentication safeguards, monitoring, and secure infrastructure, designed to protect personal data.

no method of transmission or storage is completely secure.

we may update this privacy policy from time to time. if we make material changes, we will post the updated version and update the last updated date.

13. related documents