Data controller
Ezequiel Migueles, natural person resident in Madrid, Spain. Contact: contact@minthra.app. Minthra is a non-commercial hobby project; no DPO is required, and the Controller is directly reachable for all privacy matters.
What data we collect
Account identifiers: email, username, internal user ID (CUID), OAuth subject identifier from Google/Apple/Discord (Apple may provide a private-relay email).
Credentials and sessions: bcrypt-hashed password (we never see plaintext); refresh tokens stored as HMAC hashes for up to 30 days with User-Agent and IP address per session.
Optional profile data: first name, last name, locale, display name, bio, avatar URL, banner URL, location, social media URLs — only if you fill them in.
Your content: paint shelf entries, projects (including photos), recipes.
Behavioral data (minimal): lastSeenAt timestamp; admin audit log (admin actions only — we do NOT track user behavior).
Transient: one-time codes (OTP) for email verification and password reset, valid 15 minutes then discarded.
OAuth providers and scopes
Google: email, profile. Apple: email, name (private relay supported). Discord: identify, email. We don't read your inbox, contacts, or anything else.
Why we process this data (GDPR Art. 6)
We process your data on the following legal bases: the contract to provide you the Service (Art. 6(1)(b)), covering account creation, content storage, and transactional email; our legitimate interests (Art. 6(1)(f)) in session security and abuse prevention; legal obligations (Art. 6(1)(c)); and your consent (Art. 6(1)(a)) for optional profile fields and uploads. We do NOT rely on consent for cookies or analytics beyond what is strictly necessary; see the Cookie Policy.
Processors (who else handles your data)
AWS S3, EU region: object storage for uploaded images. Hostinger (EU, Lithuania): SMTP for transactional email (verification codes, password resets, security alerts); it receives the recipient email address and the message content. Hosting: the Service is hosted on a private Kubernetes cluster operated directly by the Controller (EU). No third-party hosting provider is involved. We do NOT use: analytics services, error tracking (e.g., Sentry), payment processors, push-notification providers, or advertising/marketing services.
International transfers
Data is stored in the EU/EEA. If a processor is located outside the EEA, transfers are protected by Standard Contractual Clauses under GDPR Chapter V.
Retention and deletion
Active accounts: data retained while account is active. Refresh tokens: max 30 days per session. OTP codes: 15 minutes. Soft-deleted content kept as a tombstone for cross-device sync then purged. Account deletion lifecycle: ACTIVE → PENDING_DELETION (30-day grace, cancellable) → anonymized → 90-day legal hold → PURGED.
Your rights (GDPR Arts. 15–22)
Access, rectification, erasure, restriction, data portability, objection, and withdrawal of consent. Write to contact@minthra.app; we respond within one month (extendable by two months for complex requests). You may also lodge a complaint with the Agencia Española de Protección de Datos (AEPD), C/ Jorge Juan 6, 28001 Madrid, www.aepd.es.
Security
bcrypt password hashing, HMAC-hashed refresh tokens, httpOnly + Secure + SameSite=Strict cookies on web, TLS in transit, encryption at rest where the underlying providers support it.
Children
The Service is not directed at children below the age of digital consent (16 EU baseline, 14 in Spain). Don't create an account without parental consent if you're younger.
Changes
Material changes are announced in-app or by email.