Privacy Policy
Effective: 9 May 2026 · Last updated: 10 May 2026 (raised minimum age from 14 to 18)
This Privacy Policy explains how Antony White trading as Color Mindful ("we", "us") collects, uses, and protects personal data when you use Color Mindful at colormindful.com.
We are the data controller responsible for your personal data. This policy is written in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who we are
- Trading name: Color Mindful
- Owner: Antony White
- Business address: Flat 21 Press House, Crest View Drive, Orpington, BR5 1FE, United Kingdom
- Contact: hello@colormindful.com
- ICO Registration Number: CSN1995086
2. What data we collect
| Category | What | When |
|---|---|---|
| Account data | Email address, hashed password | When you sign up |
| Profile data | Optional display name | If you set one |
| Activity data | Which images you've opened, your colouring progress (which regions are filled with which colour), thumbnails of your in-progress artwork | As you colour |
| Payment data | Last 4 digits of card, billing country (collected by Stripe, not us). We never see your full card number. | When you make a purchase |
| Subscription data | Active/inactive status, renewal date | If you subscribe |
| Technical data | Browser type, screen size, device type, anonymised performance metrics | When you use the app |
| Image popularity events | Anonymous record of which images were opened or completed (image ID + timestamp). Includes a one-way daily-rotated hash of your IP and user-agent solely to estimate the count of unique daily visitors. The hash auto-rotates every day so it cannot be used to track an individual across days. No cookies, no localStorage identifier, no user ID — these events are not linked to your account. | When you open or complete an image |
| Voluntary feedback | If you rate an image 1-5 stars or leave an optional comment after completing it: the rating, the optional comment text (max 500 chars), the image ID, and a timestamp. Not linked to your account or any identifier. | Only if you choose to submit it |
| Communications | Emails you send us, support requests | When you contact us |
We do not collect:
- Tracking data for advertising
- Location data beyond country (for VAT)
- Social media activity
- Contacts or address books
3. Why we collect it (lawful basis)
We process your personal data on the following lawful bases under UK GDPR:
| Purpose | Lawful basis |
|---|---|
| Providing the Service (auth, sync, colouring) | Contract (Article 6(1)(b)) — necessary to fulfil our agreement with you |
| Processing payments | Contract |
| Customer support and communication | Contract / Legitimate interests |
| Sending essential service emails (password resets, payment receipts) | Contract |
| Detecting fraud and abuse | Legitimate interests (Article 6(1)(f)) — security |
| Marketing emails about new packs or features | Consent (Article 6(1)(a)) — only if you opt in |
| Anonymous image popularity counts and approximate daily visitor counts to decide which images to keep, replace, or create more of | Legitimate interests (Article 6(1)(f)) — necessary to improve the Service. Minimal data collected; no individual tracking; balanced against your reasonable expectations. |
| Voluntary feedback you submit on images | Consent (Article 6(1)(a)) — submitting the form is the consent. You choose whether to send it. |
You can withdraw consent for marketing emails at any time via the unsubscribe link in those emails or by contacting us.
4. Who we share data with
We share data only with the third-party providers we need to run the Service:
- Google Firebase (hosting, authentication, database) — Google LLC. Personal data may be processed on Google Cloud servers in the EU. Google is GDPR-compliant via Standard Contractual Clauses.
- Stripe (payment processing) — Stripe Payments UK Ltd / Stripe Inc. Stripe collects card details directly; we receive only payment status, last 4 digits, and billing country. Stripe is PCI-DSS compliant.
- Cloudflare (DNS and edge security for our domains) — Cloudflare Inc.
We do not sell your data to anyone, ever.
We may disclose data if legally required (court order, regulatory request), to enforce our Terms, or to protect the rights, property, or safety of users or the public.
5. Where your data is stored
Your data is primarily stored in Google Cloud's eu-west region (UK/Ireland). Some technical metadata may be processed in other regions covered by Google's Standard Contractual Clauses for cross-border transfers.
We have technical and organisational measures in place to protect your data, including:
- HTTPS for all connections
- Encryption at rest in Firestore
- Limited access to admin tools (only the owner has admin keys)
- Password hashing via Firebase Auth (bcrypt)
No system is 100% secure. In the event of a data breach affecting your personal data, we will notify you and the ICO within 72 hours of becoming aware, in line with UK GDPR Article 33.
6. How long we keep data
| Data | Retention |
|---|---|
| Account data | While your account is active, plus 30 days after closure for backup recovery |
| Colouring progress | Same as account |
| Payment records | 6 years (HMRC tax records requirement) |
| Subscription history | 6 years (HMRC) |
| Communications (emails) | 3 years from last reply |
| Anonymised analytics | Indefinitely |
After retention periods expire, data is deleted or anonymised.
7. Your rights
Under UK GDPR you have the following rights:
- Right of access: request a copy of the personal data we hold about you
- Right to rectification: request correction of inaccurate data
- Right to erasure ("right to be forgotten"): request deletion of your data, subject to lawful retention requirements
- Right to restrict processing: request we stop processing your data temporarily
- Right to data portability: request your data in a machine-readable format
- Right to object: object to processing based on legitimate interests
- Right to withdraw consent: for any processing based on consent
To exercise any of these rights, email hello@colormindful.com. We will respond within 30 days.
You also have the right to complain to the UK Information Commissioner's Office (ICO):
- Website: https://ico.org.uk/make-a-complaint
- Helpline: 0303 123 1113
8. Cookies
We use cookies and similar technologies. See our Cookie Policy for details.
9. Children and minors
The Service is not intended for or directed at users under 18 years old. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, please contact us at hello@colormindful.com and we will delete it.
10. Marketing
We will not send you marketing emails unless you have explicitly opted in (e.g. ticked a box at signup or contacted us asking to be added).
If you opt in, you can unsubscribe at any time from any email or by contacting us. We do not share your contact details with third parties for their marketing.
11. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top will reflect the most recent change. Material changes will be notified by email to active account holders at least 14 days before they take effect.
12. Contact
For privacy-related questions or requests, contact us at hello@colormindful.com.
For unresolved complaints, you may also contact the UK Information Commissioner's Office at https://ico.org.uk.