Privacy Policy
Mineral Wild LLC ("Mineral Wild," "we," "us," or "our"), a Delaware limited liability company, operates the Mineral Wild mobile application (the "App") and related websites and services. This Privacy Policy explains how we collect, use, disclose, retain, and safeguard your information when you use the App.
By using the App, you agree to the collection and use of information in accordance with this policy. Where we rely on consent as the legal basis for processing (for example, voice-input AI processing or cross-border transfer where applicable), you may withdraw your consent as described in §11.
If you are using the App from outside the United States, your information will be transferred to and processed in the United States. See §12 and the Supplemental Notice for users in the People's Republic of China at the end of this policy.
1. Information We Collect
1.1 Information You Provide
- Account information: email address, username, hashed password (we never see or store your plaintext password), date you accepted the Terms of Service and Privacy Policy, your affirmation that you are at least 16 years old.
- Profile information (optional): display name, bio, avatar photo, cover photo, contact email, Instagram handle, WeChat ID, other contact strings, and your home location string.
- Specimen data: photos, videos, mineral identification, locality (free text and optional structured country / state / address), purchase price and currency, estimated value, acquisition date, notes, GPS coordinates if you choose to pin a location on a map, "available" flag, and other descriptive fields you choose to fill in.
- Wishlist data: minerals you mark as "wanted" and optional wishlist descriptions.
- Custom tags and named collections you create to organize specimens.
- Mineral suggestions: suggestion details and reference photos if you contribute new minerals to the atlas.
- Direct messages: text and media content of messages you send, message metadata (timestamps, conversation participants, read state), and delivery status. Media attachments (photos, videos) are stored on our cloud infrastructure.
- Social interactions: follow relationships, blocked-user lists, saved listings (other users' available specimens you bookmark), and reports you file.
- Voice-input audio (optional feature): when you use the voice-input feature, audio recordings are sent to a configured third-party AI service for real-time transcription and structured data extraction. Audio is processed in real time and is not retained on our servers or by the AI provider beyond the duration of the API request. Extracted text becomes user-provided specimen data once you save it.
- Account security data: failed-login counts, lockout status, email-verification codes (auto-expired and purged), password-change events, OAuth provider linkage data (Apple user identifier or Google account ID), refresh-token records, and username-change history.
- Activity logs: internal records of key account events (account creation, OAuth log-in, specimen additions, collection changes, listing changes) used for generating your collection timeline and for security audit.
- Product-interaction analytics: app-open, session-start, mineral-view, profile-view, search, filter, share-card, and add-specimen funnel events used for launch-readiness analytics. Search queries are reported only as a 16-character SHA-256 hash of the normalized query; the raw search text does not leave your device for analytics.
- Session heartbeats: while the App is in the foreground, it may send periodic heartbeat events to maintain session state and retention analytics.
- Push-notification lifecycle: push type, transport provider (Firebase Cloud Messaging for Android and iOS), device platform, sent / delivered / opened timestamps, and delivery status. We do not store full push-message body text in the lifecycle table.
- Feedback body and screenshots: if you submit feedback, we process the text you provide and any screenshot you attach. Anonymous feedback is automatically purged after 90 days.
- Device characteristics: platform, app version, operating-system version, device model, locale, timezone, push-permission status, and a random client-installation identifier generated by the App. This is not a hardware fingerprint and may reset when the App is reinstalled.
- Legal-acceptance records: when you create an account or accept an updated version of the Terms of Service or Privacy Policy, we record a tamper-evident receipt — the document version and content hash you accepted, your account identifier, the time of acceptance, the truncated IP address (last octet stripped to a /24 block), the user-agent string, and your declared client language and region. This is required by GDPR Article 7 and analogous laws as the auditable evidence that you consented to the version of the Terms in force at that moment. See §13 for the retention and pseudonymization details.
1.2 Information Collected Automatically
- Device information: device type, operating system version, app version, and locale, used for crash diagnosis and compatibility.
- Crash and diagnostic data: we use a third-party error-tracking service (Sentry) to collect crash reports and diagnostic data. This may include device identifiers, stack traces, and the circumstances of the error. User-generated content is excluded from these reports where technically feasible.
- IP addresses: your IP address is processed for rate limiting, security (login-attempt tracking, abuse detection), short-term server logging, and country-code derivation via a self-hosted MaxMind GeoLite2 database. We do not store full IP addresses long-term in profile records; for legal-acceptance audit records (§13) we store only a truncated /24 block, and for country-code derivation the raw IP does not leave our backend.
1.3 Information We Do NOT Collect
- Payment or financial-transaction data. Purchase prices and estimated values you enter for specimens are collection metadata you provide voluntarily, not payment-processing data.
- Biometric data. Voice input is processed in real time by third-party AI services and is not retained or used for biometric identification or voiceprint creation.
- Health data.
- Real-time GPS tracking or continuous location monitoring. Specimen coordinates, when present, are values you have manually picked or typed, not values passively collected from your device.
- Advertising identifiers, ad-tracking data, or cross-context behavioral profiling data.
- Contacts, calendar, microphone-when-not-using-voice-input, photo library outside files you choose to upload, or any other device data we don't need for the feature you are using.
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, secure, and maintain the App;
- Create and manage your account and let you sign in via email/password, Apple Sign-In, or Google Sign-In;
- Display your mineral collection, atlas progress, and statistics;
- Enable social features (public profiles, follow system, wishlist–available matching, direct messaging, sharing cards);
- Deliver direct messages and send push notifications for new messages or relevant social events;
- Apply automated content moderation to user-uploaded photos and direct-message media (see §5) so that abusive or unlawful content is blocked from delivery;
- Apply server-side compliance rules to "available" listings of minerals subject to trade restrictions (see Terms of Service §6.4);
- Generate sharing cards and short-link landing pages when you choose to share a specimen externally;
- Measure cohort retention, feature activation, search-to-detail conversion, share-card attribution, push-notification performance, and other aggregate launch-readiness metrics;
- Diagnose bugs and compatibility issues by app version, platform, locale, and device characteristics;
- Prevent abuse and protect analytics integrity on anonymous landing pages using Cloudflare Turnstile invisible challenges;
- Attribute first-party referral flows from share cards without using third-party attribution SDKs or cross-app tracking identifiers;
- Process account-deletion requests, data-export requests, and other data-subject requests;
- Send important service notifications (Terms or Privacy updates, security alerts, account events you've requested);
- Diagnose technical issues, improve the App, prevent abuse, and ensure platform safety;
- Maintain GDPR Article 7 evidence of your acceptance of these policies (see §13).
We do not use your information for:
- Targeted advertising, retargeting, or audience-based marketing;
- Selling, renting, or trading your personal data to third parties;
- Cross-context behavioral advertising (CCPA / CPRA "share" definition);
- Training, fine-tuning, or developing AI / machine-learning / large-language models on your photos, videos, voice recordings, transcribed text, direct messages, or other content, without your explicit opt-in consent;
- Automated decision-making producing legal or similarly significant effects on you. We do operate standard automated security and compliance measures (rate limiting, content filtering, the compliance rule table for is_available listings); these do not produce legal effects in the GDPR Article 22 sense, and you may contact us if you believe one was applied to you in error (Terms of Service Annex III appeal flow).
3. How We Share Your Information
3.1 Public Features
If you enable public-profile visibility, the following information may be visible to other App users (signed-in or, where permitted, anonymous viewers):
- Username, avatar, cover photo, and bio;
- Collection statistics (number of specimens, number of distinct mineral species in your collection, basic aggregate metrics);
- Specimens you have made is_public and that are available;
- Specimens you have marked is_available (along with the optional structured locality, photos, notes, and selling_price you chose to expose);
- Your wishlist, if you've enabled wishlist visibility in privacy settings;
- Public mineral suggestions you have contributed and accepted into the atlas.
You control the visibility of these features through the App's privacy settings, including two independent toggles:
- show_collection: controls whether your public profile, specimen list, public galleries, gallery counts, and auto-cover thumbnails surface your regular public collection to visitors.
- show_available: controls whether the available-specific surfaces — available-specimen list, plaza available feed, available preview, wishlist matching, save-listing creation, contact CTA, and the visible price/currency on saved-listing rows — surface your is_available specimens to visitors and trigger fanout notifications to wishlist or saved-listing audiences.
When show_available is disabled, specimens you have marked available appear only as regular public collection (subject to show_collection), without available-specific signals such as price, contact CTA, save-listing, matching, or fanout. The privacy combination matrix:
| show_collection | show_available | public collection | available-specific signals |
|---|---|---|---|
| true | true | visible | visible |
| true | false | visible (downgraded — no price / no contact CTA) | hidden |
| false | true | hidden | available-only surfaces visible |
| false | false | hidden | hidden |
Direct contact features (the in-app private message inbox at Messages and reply-from-public-profile contact buttons) are not gated by these visibility toggles; they are governed by your account's overall messaging preferences and the platform-wide IM availability flag.
You control these toggles through the App's privacy settings.
3.2 Service Providers (Subprocessors)
We use the following third-party service providers ("subprocessors") to operate the App. Each processes personal data on our behalf under a written agreement. The table summarizes name, processing location, the categories of personal data involved, and the purpose. For the always-current list (including company-operations processors that do not handle user personal data), see our Subprocessors page, which is canonical when this table and the page differ.
| Name | Location | Data Categories | Purpose |
|---|---|---|---|
| Amazon Web Services (S3, RDS, SES, Rekognition, CloudFront, ElastiCache, EC2) | United States | Identifiers, user content (photos, videos, messages), commercial information | Hosting, image and video storage and delivery, transactional email, automated image moderation for chat |
| Centrifugo (self-hosted on AWS EC2) | United States | Real-time WebSocket payloads (message events, presence) | Real-time direct-message delivery |
| Google Gemini | United States (global routing) | Audio data (voice input, not retained) | Voice-to-text transcription and mineral-data extraction (default provider) |
| OpenAI | United States | Audio data (voice input, not retained) | Voice transcription backup |
| Qwen (Alibaba Cloud) | PRC mainland (PRC users only; see Appendix) | Audio data (voice input, not retained) | Voice transcription backup for the PRC region (when distributed there) |
| Google Firebase Cloud Messaging | United States (global routing) | Device push tokens, message delivery metadata, sanitized notification payloads | Android and iOS push notification registration and delivery |
| Apple Push Notification service | United States (global routing) | iOS notification delivery metadata and sanitized notification payloads | iOS operating-system push delivery via Firebase |
| Google Sign-In | United States | Identifiers (Google account ID, email if granted) | Optional account authentication |
| Apple Sign-In | United States | Identifiers (Apple user identifier, private-relay email if elected) | Optional account authentication |
| Sentry | European Union | Internet/network activity (crash logs, device info; user-content scrubbed where feasible) | Error monitoring |
| Cloudflare (DNS + Web Analytics + CDN) | Global edge | Internet/network activity (page URLs, referrer, country; no cookies, no personal identifiers for Web Analytics) | Anonymous website analytics, DNS resolution, edge delivery |
| Cloudflare Turnstile | Global edge | Internet/network activity and browser challenge signals; no account email or username | Anonymous landing-page abuse mitigation |
| MaxMind GeoLite2 | Database self-hosted on our infrastructure; MaxMind does not receive request data | None received by MaxMind. Internally, we derive a country code from request IP. | Country-code derivation for cohort analytics and abuse heuristics |
When you open Mineral Wild through another user's sharing card and later create an account, we may store the first-party share_token that attributed the referral to that user. This inviter relationship is used only for product attribution and social graph integrity inside Mineral Wild; it is not shared with third-party attribution SDKs and is handled in data export and deletion workflows together with your account data.
3.3 AI Providers (Voice Input)
When you use the voice-input feature (where enabled), audio is sent to one of the providers above for real-time transcription. Audio is not retained on our servers or by the provider after the API request completes (see §1 Voice Input and §8 Data Retention).
You may withdraw consent for AI voice processing at any time by ceasing to use the voice button. If you previously enabled the feature, voice-related consent records you submitted are kept as part of the legal-acceptance audit trail (§13) but no further audio is sent to AI providers.
3.4 Legal and Safety Disclosures
We may disclose information:
- In response to valid legal process (court order, subpoena, search warrant, or comparable legal request);
- To investigate or address suspected violations of these Terms, the Privacy Policy, or applicable law;
- To protect the rights, property, or safety of Mineral Wild, our users, or the public — including, where appropriate, proactive reporting to the U.S. Customs and Border Protection (CBP), the U.S. CITES Management Authority, the U.S. Office of Foreign Assets Control (OFAC), the FBI Internet Crime Complaint Center (IC3), the National Center for Missing & Exploited Children (NCMEC), or local law enforcement, as described in Terms of Service §6.4;
- In connection with a corporate transaction (merger, acquisition, financing, or asset sale), in which case we will require any acquirer to honor this Privacy Policy or to notify you of material changes.
3.5 No Sale or "Share" of Personal Data
We do not sell, rent, trade, or "share" (as defined by the CCPA/CPRA for cross-context behavioral advertising) your personal information.
4. Photo and Video Storage and Processing
4.1 Your Photos and Videos
Photos and videos you upload (specimen photos, specimen videos, avatar, cover image, mineral-suggestion reference photos, chat-image attachments) are stored in private cloud storage and delivered through a content-delivery network (CDN) using signed URLs for sensitive paths (e.g., chat media). We generate thumbnails and reduced-resolution copies for faster loading and, for videos, extract a cover frame. EXIF metadata is stripped during processing.
4.2 Photo and Video Retention
Your photos and videos are retained while your account is active. When you delete a specimen, its photos and videos are removed from our database and our origin storage; CDN-edge caches expire residual copies within approximately 24 hours. When you delete your account, all your photos and videos (specimen, profile, mineral-suggestion drafts) are permanently deleted at the end of the 30-day grace period, subject to the limited retention items in §8.
4.3 Sharing Externally
When you use the App's sharing features (e.g., sharing a specimen card to social media, or generating a public short-link), the shared content leaves our platform. Once shared externally, the content is subject to the third-party platform's terms and is beyond our control.
5. Direct Messaging
5.1 Message Content and Moderation
The App provides a direct-messaging feature for one-on-one communication. Message content (text and media) is transmitted through our real-time messaging infrastructure (Centrifugo) and stored on our servers.
We employ automated content filtering to detect messages that violate our content policies, including but not limited to child sexual abuse material (CSAM), hate speech, sanctions-evasion language, and other prohibited content. Image attachments pass through Amazon Rekognition for automated moderation. Messages or media that trigger our content filter are blocked from delivery and the attempt is logged. We do not use message content for advertising, profiling, or training machine-learning models.
5.2 Compliance Keyword Logging
We maintain a list of compliance-sensitive keywords (for example: chrysotile, crocidolite, amosite, nephrite, bowenite, uraninite, pitchblende, terms indicating sanctions-evasion or smuggling). When these keywords appear in direct-message content, we may log the surrounding context for up to 2 years for audit and compliance-investigation purposes (see Terms of Service §6.4). We do not block messages on the basis of keyword matching alone at this time.
5.3 Administrative Access
Our administrative team may access message content in the following limited circumstances:
- When reviewing a user report filed through the App's reporting feature;
- When investigating suspected violations of these Terms, the Privacy Policy, or applicable law;
- When required by valid legal process.
Administrative access is logged and auditable. We do not proactively monitor private conversations beyond the automated content filtering and keyword logging described above.
5.4 Push Notifications
If you enable push notifications, we use Firebase Cloud Messaging as the app-level push provider for Android and iOS. On iOS, Firebase delivers through Apple Push Notification service as the operating-system delivery layer. Notification preview content is sanitized server-side: we send the message type and a generic preview string rather than the full message body, so that intercepted push payloads do not reveal sensitive chat content. You may disable push notifications at any time through your device settings.
5.5 Message Retention and Deletion
Messages are retained as long as the conversation exists and at least one participant has not deleted it. When you delete a conversation, your view of the conversation is removed but the other participant may retain their copy. Media attachments (photos, videos) sent in messages are stored on our cloud infrastructure subject to the same retention rules, except that video attachments are hard-deleted 90 days after upload regardless of conversation state to manage storage cost.
When you delete your account, your messages are anonymized (your sender identity is removed from the message records) and retained for up to 2 years to preserve conversation context for the other participant; after 2 years, anonymized messages are permanently deleted. Media attachments you sent are deleted within 90 days of account deletion.
5.6 Data Portability
You may request a copy of your data, including your messages and media, through the App (Settings → Download My Data). We will prepare your data as a machine-readable ZIP archive (JSON + CSV + media files + a legal-receipts.json file documenting your accepted Terms / Privacy versions) and email a download link to your verified address, typically within 30 minutes. The link is valid for 7 days; the archive is auto-deleted from our storage 8 days after generation. This right is available even during the 30-day account-deletion grace period.
6. Local Device Storage of Compliance and Safety Acknowledgments
Two related categories of one-time acknowledgments are stored locally on your device, never transmitted to our servers:
(a) Compliance advisories. When you mark a specimen is_available and the request matches an advisory rule (such as radioactivity-level warnings, mercury and arsenic health advisories, or asbestos-classification awareness), we record locally that you have acknowledged that specific rule. The stored value is the short code of the acknowledged rule (for example, OFAC_BURMA_AMBER, ADVISORY_RADIOACTIVITY_HIGH) and a timestamp. No personally identifiable information is included.
(b) Contact-safety acknowledgments. When you initiate a private message from the available-specimen contact action for the first time, we record locally that you have acknowledged the contact-safety notice (an account-scoped pseudonymous local key derived from a one-way hash of your account UUID, plus an ISO timestamp). This lets the App suppress the same notice on subsequent sends from the same account on the same device. The stored value contains no readable account identifier and cannot be used to identify you in isolation.
Both categories are stored using local app storage on your device (device preferences, secure key-value storage, depending on platform). Because this storage is device-local, neither category syncs across your devices, and clearing the App's data on your device will reset the acknowledgments and cause the corresponding advisory or notice to appear again the next time the matching condition is met.
7. Data Security
We implement reasonable technical and organizational measures to protect your personal information, including:
- Password hashing using a modern key-derivation function (passwords never stored in plain text);
- HTTPS / TLS encryption for all data in transit;
- TLS to our database and to managed Redis / cache layers;
- Rate limiting on authentication and upload endpoints, account-lockout on repeated failures;
- Private cloud storage with access controls; signed URLs for sensitive media (chat attachments);
- Server-side EXIF stripping on image upload;
- Refresh-token rotation, revocation on logout, and revocation on password change;
- Automated dependency-security scanning;
- Logging and alerting on anomalous login behavior, backup state, and authorization failures.
No method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security and recommend you use a strong, unique password and enable platform-level account protections (Apple ID 2FA, Google account 2FA) if you sign in via OAuth.
8. Data Retention
We retain each category of personal data only for as long as necessary to operate the App, meet legal obligations, defend legal claims, or enforce our Terms of Service. The Retention Schedule below lists specific retention periods.
8.1 Retention Schedule
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data (profile, specimens, photos, videos, collections, wishlist, custom tags, follows, blocks, saved listings) | While your account is active. Permanently deleted within 90 days after account-deletion grace period ends. | Core service provision |
| Direct messages (text + metadata) | While the conversation exists between participants. When both participants delete the conversation, permanently deleted within 90 days. After account deletion, your messages are anonymized and retained up to 2 years to preserve context for the other participant; permanently deleted thereafter. | Service continuity for remaining participant |
| Chat media attachments (photos, videos in messages) | Same as the message itself, except: videos hard-deleted 90 days after upload regardless of message state. | Storage cost + user expectation |
| Account activity logs (login / device / activity timeline) | 12 months rolling. | Security audit + abuse investigation |
| Moderation records (reports filed, strikes, suspensions, bans, takedowns) | Up to 2 years from the underlying incident date (DSA Article 24). | Platform safety + repeat-offender detection |
| Compliance keyword hit logs (DM context surrounding flagged keywords) | Up to 2 years. | Compliance investigation + audit |
| Data-export audit trail (who requested a DSAR, when, request outcome) | Up to 7 years, without the personal content of the request itself. | GDPR Art 30 (records of processing) + CCPA §1798.185 audit |
| Data-export ZIP files | Download link valid 7 days. ZIP auto-deleted from storage 8 days after generation. | User self-service + storage hygiene |
| Database backups | 90 days rolling. | Disaster recovery |
| Crash reports / error logs | 30–90 days (Sentry default). | Debugging + stability tracking |
| view_events (product interaction, search hash, filter, view events) | 30 days. | Cohort analytics + product quality |
| landing_events (anonymous share-card landing funnel) | 30 days. | Referral attribution + funnel debugging |
| push_events (push lifecycle) | Approximately 90 days. | Delivery diagnostics + push CTR |
| Anonymous app_feedback (body + screenshot) | 90 days. | Support triage + spam control |
| user_sessions | 180 days. | Retention analytics + session integrity |
| account_deletion_log | 2 years. | GDPR / CCPA deletion audit |
| Voice-input audio | Not retained. Processed in real time by the configured AI provider; discarded on completion. Extracted text becomes user-provided specimen data. | Data minimization |
| CDN cached content (after deletion) | Residual cached copies may persist up to ~24 hours on our content-delivery network after origin deletion. | Physical edge-cache expiry |
| Legal-acceptance audit trail (your acceptance of these Terms / Privacy versions) | While your account is active plus 5 years after account deletion in HMAC-pseudonymized form (no plaintext user identifier, no plaintext IP/UA) — see §13. | GDPR Art 7 evidence + GDPR Art 17(3)(e) defense-of-legal-claims basis + UK 6-year statute of limitations + Italy 10-year SoL for certain consumer claims |
| Anonymized listing-price archive | Indefinite, in aggregate-only form (mineral identifier, listing amount, currency, timestamp) — no user or specimen identifier. See §14. | Platform market-trend analysis |
If you need your data deleted before a scheduled retention period ends, you may request erasure by contacting us (see §11). We will honor the request unless an overriding legal obligation requires continued retention, in which case we will tell you why.
9. Account Deletion
You may delete your account at any time through the App (Settings → Delete Account). Deletion enters a 30-day grace period during which you may cancel by signing back in. After the grace period ends:
Permanently deleted:
- Personal information (username, email, avatar, cover photo, bio, contact strings);
- All specimen records, photos, and videos (removed from database and origin storage; CDN edge caches expire within ~24 hours);
- Wishlist entries and wishlist visibility settings;
- Follow relationships;
- Activity logs;
- Custom tags and tag associations;
- Named collections and collection contents;
- Pending, rejected, or duplicate mineral-suggestion drafts and their attached photos;
- Saved listings, blocks, and other personalized social state;
- OAuth provider linkage records.
Anonymized and retained (no personal identifier):
- Approved mineral suggestions whose content has been incorporated into the public atlas (your user identifier is removed; the mineral entry remains);
- Reports you filed (your identity is removed; the report content is retained for platform safety and audit per the moderation-records retention period);
- Direct-message records (your sender identity is removed; the message content is retained up to 2 years to preserve context for the other participant; media attachments you sent are deleted within 90 days);
- Legal-acceptance audit-trail records (your user identifier is replaced with a one-way HMAC pseudonym; IP and user-agent are NULLed; document version, content hash, language, jurisdiction, and acceptance time are retained for 5 years; see §13);
- Anonymized listing prices, in aggregate (mineral identifier + listing amount + currency + timestamp only; see §14).
Retained briefly by third parties:
- Database backups are automatically purged on a 90-day rotation cycle.
- Diagnostic data in our error-tracking service (Sentry) is automatically purged within its standard retention period (30–90 days).
- Cached copies of photos and videos on our CDN may persist for up to ~24 hours after origin deletion.
10. Children's Privacy
The App is not intended for children under the age of 16. Account creation requires affirmation that you are at least 16 years old. We do not knowingly collect personal information from anyone under 16. If we learn that we have collected personal information from a user under 16, we will close the account and delete the personal data promptly.
The Supplemental Notice for users in the People's Republic of China at the end of this policy reflects PIPL's separate threshold for "minors" (under 14) where applicable; our 16+ minimum applies in all jurisdictions and exceeds the PIPL minor threshold.
If you are a parent or legal guardian and believe a child under 16 has provided us with personal information, contact us at mineralwild@gmail.com.
11. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you. Most of this is available self-service through Settings → Download My Data.
- Correction: Request correction of inaccurate personal data. Most profile fields are user-editable in the App.
- Deletion: Request deletion of your account and personal data (see §9). For deletion of specific items beyond Settings → Delete Account (e.g., partial deletion, deletion beyond the 30-day grace window, deceased-user requests), email us.
- Data portability: Request your data in a structured, machine-readable format. The Settings → Download My Data export is in JSON / CSV / image-file form, suitable for portability.
- Objection: Object to certain processing of your personal data, including processing based on legitimate interest.
- Withdraw consent: Where processing is based on consent, you may withdraw at any time.
To exercise any of these rights, contact us at mineralwild@gmail.com. We will respond within 30 days, except where a different statutory window applies (CCPA / CPRA: 45 days; PIPL: 15 business days). For CCPA / CPRA requests we may require identity verification proportionate to the sensitivity of the data.
11.1 California Residents (CCPA / CPRA)
If you are a California resident:
- You have the right to know what personal information we collect, use, disclose, and retain;
- You have the right to request deletion of your personal information;
- You have the right to correct inaccurate personal information;
- You have the right to opt out of the sale or sharing of your personal information — we do not sell or share your personal information for cross-context behavioral advertising, and we do not knowingly sell or share personal information of consumers under 16 years of age;
- You have the right to limit the use of sensitive personal information — we do not use sensitive personal information beyond the purposes disclosed in this policy;
- You have the right to non-discrimination for exercising your rights.
Categories of personal information we collect (CCPA §1798.140 categories):
| Category | Examples | Source | Business Purpose |
|---|---|---|---|
| Identifiers | Email, username, IP address, OAuth provider identifiers | You / automatic | Account management, security |
| Internet/network activity | Device info, app version, crash logs, page-view metrics (anonymous) | Automatic | App improvement, bug fixes |
| User content | Photos, videos, specimen data, direct messages | You | Core App functionality |
| Geolocation | Specimen GPS coordinates (manually provided) | You | Map display feature |
| Audio data | Voice recordings (not retained) | You | Voice-input transcription |
| Inferences | Aggregate collection statistics | Derived from your content | Atlas progress display, social features |
| Sensitive personal information | Specimen GPS coordinates (precise location); voice recordings (audio data, not retained); legal-acceptance audit records (account credentials are referenced via FK only) | You / automatic | As disclosed in this policy |
To exercise CCPA / CPRA rights, contact us at mineralwild@gmail.com. We will respond within 45 days, with a one-time 45-day extension permitted by §1798.130(a)(2) if reasonably necessary. A retention period of up to 7 years for the audit trail of DSAR requests themselves is maintained per §1798.185.
11.2 European Economic Area, United Kingdom, and Switzerland (GDPR / UK GDPR / FADP)
Data Controller: Mineral Wild LLC, a Delaware limited liability company, USA. Email: mineralwild@gmail.com. We have not yet appointed an EU representative under GDPR Article 27; if monthly EU users grow above the threshold for which an EU representative is required by enforcement practice, we will appoint one and update this policy.
Legal bases for processing (GDPR Article 6):
| Processing | Legal Basis |
|---|---|
| Account creation, authentication, providing the App's core features (collection management, atlas, maps, social features, direct messaging) | Contractual necessity — Art 6(1)(b) |
| Public-profile visibility, display of your collection to other users, public sharing of "available" specimens | Consent — Art 6(1)(a) (toggleable in privacy settings) |
| Voice-input AI processing | Consent — Art 6(1)(a); separate from general Terms acceptance |
| Automated content moderation, automated compliance rule enforcement, abuse prevention, security logging | Legitimate interest — Art 6(1)(f) (platform safety, user safety, legal-compliance defense) |
| Maintaining legal-acceptance audit trail (§13) | Consent captured at the time you accept this Privacy Policy and the Terms — Art 6(1)(a); post-deletion pseudonymized retention is based on necessity for the establishment, exercise or defense of legal claims — Art 17(3)(e) |
| Crash and diagnostic data | Legitimate interest — Art 6(1)(f) (App stability) |
| Email communications about account events, policy changes, security alerts | Contractual necessity + legitimate interest |
| Cross-border transfer of your data to U.S. processors | Standard Contractual Clauses approved by the European Commission, plus Privacy Policy disclosure (Art 13(1)(f), Art 49(1)(a)) |
Your additional rights under GDPR / UK GDPR / FADP:
- Right to withdraw consent — at any time, by deleting your account or by ceasing to use a specific consent-based feature. Withdrawal does not affect the lawfulness of processing before withdrawal.
- Right to restriction — in the circumstances of GDPR Art 18.
- Right to object — to processing based on legitimate interest, including for direct-marketing-like purposes (we do not engage in direct marketing).
- Right to lodge a complaint with your local data-protection supervisory authority. A directory is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en (EU) or https://ico.org.uk/ (UK) or https://www.edoeb.admin.ch/ (Switzerland).
- Right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects on you (GDPR Art 22). We do not engage in such processing in the GDPR Art 22 sense; the automated content-filter and compliance-rule outcomes are not legal-effect decisions and you may appeal them as described in Terms of Service Annex III.
- Right to information if a data breach affects you.
International data transfers: Your data is transferred to and processed in the United States (and, for users where applicable, in the PRC mainland for the AI-voice transcription provider — see Appendix). Where required by GDPR, transfers to the U.S. are supported by Standard Contractual Clauses (SCCs) included in our agreements with U.S. service providers. Where SCCs are not yet in place for a specific provider, we rely on the explicit-consent derogation under GDPR Art 49(1)(a) coupled with the disclosures in this policy.
To exercise GDPR rights, contact us at mineralwild@gmail.com. We will respond within 30 days, as required by GDPR Article 12(3).
11.3 Other Jurisdictions
Users in other jurisdictions (Canada, Australia, Brazil LGPD, Japan APPI, Korea PIPA, India DPDPA, etc.) may have additional or different rights under their local law. We will honor verifiable local-law rights to the extent applicable; contact us at mineralwild@gmail.com.
12. International Data Transfers
Our primary servers are located in the United States (AWS us-east-1). If you access the App from outside the United States, your information will be transferred to and processed in the United States.
Where required by GDPR / UK GDPR or other cross-border-transfer laws, we use Standard Contractual Clauses approved by the European Commission and the equivalent UK addendum, included in our agreements with our U.S. and global service providers. Where such mechanisms are not in place for a specific feature, we rely on the explicit-consent derogation in conjunction with the disclosures in this policy.
For voice-input AI transcription, when a PRC-based provider is configured, audio is transmitted to PRC mainland infrastructure for processing (see Appendix §A.5). When a U.S.-based provider is configured, audio is transmitted to the United States.
The current list of providers and their processing locations is on our Subprocessors page.
13. Legal-Acceptance Audit Trail (GDPR Article 7)
When you create an account or accept an updated Terms of Service or Privacy Policy, we record a tamper-evident "receipt" so that, in the event of a dispute or regulatory inquiry, we can prove the exact text in force at the moment you consented. This record is required by GDPR Article 7 ("the controller shall be able to demonstrate that the data subject has consented") and analogous laws.
What is recorded:
- Receipt UUID;
- Document type (Terms of Service or Privacy Policy);
- Document version label (for example, 2026-04-28);
- Document content hash (SHA-256 of the body of the document at that version);
- Document full-text URL (so the exact body can be reconstructed);
- Action (accepted, or reaccepted after a material policy update);
- Acceptance method (register_checkbox_submit, oauth_implicit_log, etc.);
- Source (registration, oauth_login, etc.);
- Time of acceptance (UTC);
- Account identifier (foreign-key reference to your user record while it exists);
- IP address, truncated to a /24 block (last octet stripped — this is the maximum granularity retained, in line with GDPR data-minimization);
- User-agent string (truncated to ≤ 1000 characters);
- Declared client language (from Accept-Language header) and optional declared region.
Retention and pseudonymization:
- While your account is active, the record is linked to your user identifier (foreign-key reference).
- When you delete your account, the audit-trail record is pseudonymized in place: the foreign-key reference is set to NULL, the IP address and user-agent are NULLed, and a one-way HMAC-SHA-256 pseudonym (deleted_user_hash) is stored in their place. This pseudonym uses a server-side secret that is never rotated while the receipt is active, by design; rotating the secret would break the legal-evidence chain.
- The pseudonymized record is then retained for 5 years under GDPR Article 17(3)(e) ("for the establishment, exercise or defence of legal claims"). 5 years is chosen to cover the longest of the typical applicable consumer-claim limitation periods (UK 6 years, Italy 10 years for some consumer matters; we use 5 years as the cross-jurisdiction baseline at launch and may extend in specific jurisdictions if required by local law).
- After 5 years, the pseudonymized record is permanently deleted.
The pseudonymized record is not linked to any other dataset and cannot be reversed without the server-side secret. Under GDPR Recital 26 a pseudonymized record is still personal data, but it is not directly identifying.
You may obtain a copy of your legal-acceptance receipts at any time via Settings → Download My Data; they are included in the export ZIP as legal-receipts.json.
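The receipt fields and the deletion-time pseudonymization described in this section, as an added Python illustration (not Mineral Wild's code). The dictionary keys other than deleted_user_hash, the helper names, the use of the user identifier as the HMAC input, and the None result for non-IPv4 addresses are assumptions; all sample values are constructed.

```python
import hashlib
import hmac
import ipaddress
import uuid
from datetime import datetime, timezone

UA_MAX = 1000  # user-agent is truncated to <= 1000 characters


def truncate_ipv4_to_24(ip):
    """Return the /24 block of an IPv4 address, e.g. '198.51.100.0/24'.
    Assumption: anything that is not valid IPv4 is stored as None."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    if addr.version != 4:
        return None
    return str(ipaddress.ip_network(f"{addr}/24", strict=False))


def document_hash(body):
    """SHA-256 of the document body at a given version."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def make_receipt(user_id, doc_type, version, body, url, action, method,
                 source, ip, user_agent, accept_language):
    """Build one acceptance receipt with the minimized fields."""
    return {
        "receipt_uuid": str(uuid.uuid4()),
        "document_type": doc_type,
        "document_version": version,
        "document_sha256": document_hash(body),
        "document_url": url,
        "action": action,
        "acceptance_method": method,
        "source": source,
        "accepted_at": datetime.now(timezone.utc).isoformat(),
        "user_id": user_id,                       # FK while the account exists
        "ip_block": truncate_ipv4_to_24(ip),      # last octet stripped
        "user_agent": user_agent[:UA_MAX],
        "client_language": accept_language,
        "deleted_user_hash": None,
    }


def document_matches(receipt, body):
    """True if `body` is the exact text whose hash the receipt recorded."""
    return hmac.compare_digest(receipt["document_sha256"], document_hash(body))


def user_pseudonym(user_id, secret):
    """Keyed one-way pseudonym; assumption: the HMAC input is the user id."""
    return hmac.new(secret, str(user_id).encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize(receipt, secret):
    """Return the receipt as it looks after account deletion."""
    if receipt["user_id"] is None:
        raise ValueError("receipt is already pseudonymized")
    out = dict(receipt)
    out["deleted_user_hash"] = user_pseudonym(receipt["user_id"], secret)
    out["user_id"] = None
    out["ip_block"] = None
    out["user_agent"] = None
    return out


def matches_claim(receipt, claimed_user_id, secret):
    """Re-derive the pseudonym for a claimed identity. This only works with
    the original secret, which is why rotating it breaks the evidence chain."""
    expected = user_pseudonym(claimed_user_id, secret)
    return hmac.compare_digest(receipt["deleted_user_hash"], expected)
```

Anyone holding the server-side secret can re-derive the pseudonym for a known user identifier, so the secret needs the same protection as the identifiers it replaces.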
14. Anonymized Listing-Price Retention
After account deletion, anonymized historical specimen listing prices — without user identifier or specimen identifier, retaining only mineral identifier, listing amount, currency, and timestamp — are retained for platform market-trend analysis. No personally identifiable information is included.
Aggregated analytical outputs derived from anonymized listing prices (annual market reports, median reference prices, market-trend write-ups) cannot be revoked once published; account deletion does not retract already-published aggregate analyses.
15. Account-Deletion Grace Period
Account-deletion requests enter a 30-day grace period during which you may cancel by signing back in. After the grace period expires, personally identifiable data is permanently deleted in accordance with §9 (compliant with the CCPA §1798.105 45-day response window). Anonymized aggregate data is retained as described in §13 (legal-acceptance audit trail) and §14 (listing-price archive).
16. Territory and Mainland China
The App is offered in jurisdictions where it is available on Apple App Store and Google Play. At launch, the App is not offered in mainland China — users in mainland China cannot install the App through Apple App Store China-region or Google Play China-region distribution. If we later distribute the App in mainland China, the Supplemental Notice in the Appendix becomes operative, and additional cross-border-transfer separate-consent flows will be presented in-app.
Users in Hong Kong SAR, Macau SAR, and Taiwan are served through their respective region App Stores under this Privacy Policy.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. For material changes — including changes to the categories of data we collect, the purposes of processing, the legal bases, third-party recipients, retention periods, or your rights — we will notify you with an in-app notice and/or by email at least 30 days before the changes take effect (where reasonably practicable). Your continued use of the App after the effective date constitutes acceptance of the updated policy. If you do not agree, you may delete your account before the effective date.
During pre-launch / TestFlight operation, or when an immediate update is necessary to comply with law, platform-review requirements, or urgent user-safety obligations, we may make the updated policy effective immediately after notice and require in-app re-acceptance before continued use. Ordinary material changes after launch will continue to follow the 30-day notice approach where reasonably practicable.
For non-material changes (typo fixes, contact-information updates, restructuring without substantive change), we may publish the update without prior notice.
18. Contact Us
If you have any questions about this Privacy Policy or wish to exercise a data-subject right:
Email: mineralwild@gmail.com
Entity: Mineral Wild LLC (a Delaware limited liability company)
Appendix — Supplemental Notice for Users in the People's Republic of China
This Supplemental Notice applies to users located in the People's Republic of China ("PRC") and is provided in accordance with the Personal Information Protection Law of the PRC ("PIPL") and related regulations. This Appendix supplements the main Privacy Policy. Where any provision of this Appendix conflicts with the main Privacy Policy, this Appendix prevails for PRC users.
Note: At launch the App is not distributed in mainland China. This Supplemental Notice becomes operative if and when the App is distributed in mainland China; the disclosures below describe the practices that will apply at that time.
A.1 Personal-Information Categories
We collect and process the following categories of personal information from PRC users:
| Category | Specific Data | Sensitive (PIPL) |
|---|---|---|
| Account information | Email address, username, hashed password, OAuth provider identifiers, legal-acceptance audit records | No (audit records reference user identifier as FK only) |
| Profile information | Display name, bio, avatar, cover photo, contact email, Instagram handle, WeChat ID, location text | No |
| Specimen data | Photos, videos, mineral identification, locality, purchase price, currency, estimated value, notes, GPS coordinates (manually selected), structured address data | GPS coordinates: Yes |
| Voice input | Audio recordings sent to third-party AI services for real-time transcription | Yes (biometric-related sensitive PI under PIPL Article 28) |
| Social interactions | Follow relationships, blocked users, saved listings, reports | No |
| Tags / collections | Custom tags, named collections | No |
| Mineral suggestions | Suggestion details and reference photos | No |
| Account security data | Failed-login counts, lockout status, email-verification codes, password-change events, refresh-token records, username-change history | No |
| Activity logs | Internal records of account events | No |
| Device / diagnostic | Device type, OS version, app version, crash reports, IP addresses (temporary) | No |
A.2 Processing Purposes and Legal Bases
| Data Category | Purpose | Legal Basis (PIPL) |
|---|---|---|
| Account information | Account creation and authentication | Contractual necessity (Art 13(2)) |
| Profile information | Display your profile to other users (when public) | Consent |
| Specimen data | Core App functionality (collection management, atlas, map display) | Contractual necessity |
| Voice input | Transcription and structured data extraction | Separate consent (Art 39) |
| Social interactions | Follow system, wishlist matching, content moderation | Contractual necessity |
| Device / diagnostic | App stability, bug diagnosis, security | Legitimate interest / contractual necessity |
| Legal-acceptance audit trail | GDPR Art 7 / PIPL Art 14 evidence of consent | Consent (at acceptance) + necessary for legal claims (post-deletion 5y window) |
A.3 Third-Party Processors
The following third-party service providers process PRC users' personal information on our behalf:
| Provider | Purpose | Data Processed | Processing Location |
|---|---|---|---|
| Cloud hosting (AWS) | Photo / video / message storage and content delivery | User content | United States (CDN edge nodes globally) |
| Email delivery (AWS SES) | Transactional email | Email addresses, message templates | United States |
| Error tracking (Sentry) | Crash reporting | Crash logs, device info | European Union |
| Real-time messaging (Centrifugo, self-hosted on AWS EC2) | Direct-message delivery | Message events, delivery state | United States |
| AI service providers | Voice transcription | Voice recordings (not retained) | United States or PRC mainland (depending on configured provider) |
| Google Sign-In | Authentication | Google account ID, email | United States |
| Apple Sign-In | Authentication | Apple user identifier, optional email | United States |
| Cloudflare (DNS + Web Analytics + CDN) | Anonymous analytics, DNS, edge delivery | Page URLs, referrer, browser type, country (no cookies, no personal identifiers) | Global edge |
| Cloudflare Turnstile | Anonymous landing-page abuse mitigation | Browser challenge signals; no account email or username | Global edge |
| MaxMind GeoLite2 | Country-code derivation | No data is sent to MaxMind; Mineral Wild processes request IP against a self-hosted database | United States |
The voice-AI provider is configured by us and may change. Depending on the active provider, voice data may be processed on cloud infrastructure within the PRC mainland or transmitted to the United States. For the current list, see the Subprocessors page.
A.4 Cross-Border Data Transfer
Your personal information is stored on servers located in the United States. The following categories of personal information are transferred outside the PRC:
- Account information (email, username, OAuth identifiers, legal-acceptance audit trail);
- Profile information;
- Specimen data (photos, videos, GPS coordinates, structured address data);
- Direct messages and chat media;
- Social-interaction data;
- Device and diagnostic data.
Protection measures for cross-border transfers:
- Encryption in transit (HTTPS / TLS); encryption at rest in private cloud storage with access controls;
- Contractual obligations on third-party providers;
- Rate limiting, password hashing, signed-URL access for sensitive media;
- Authentication-and-authorization scoping aligned to least privilege.
By using the App, you separately consent to this cross-border data transfer. You may withdraw this consent at any time by deleting your account (see §9), though withdrawal will result in inability to continue using the App.
A.5 Voice Data and AI Processing
When the voice-input feature is active and a PRC-based AI provider is configured:
- Audio is transmitted to PRC mainland cloud infrastructure for processing;
- Audio is processed in real time for transcription and mineral-data extraction;
- Audio is not retained on our servers or by the AI provider after the API request completes;
- Extracted text (mineral names, localities, prices) is stored as specimen information on our U.S.-based servers;
- We do not create voiceprints, do not perform biometric identification, and do not use voice recordings to train AI / ML models.
When a U.S.-based AI provider is configured, voice data is transmitted to and processed in the United States under the same real-time, no-retention terms.
Use of the voice-input feature requires your separate consent before first use (PIPL Art 28 + Art 29).
A.6 Your Rights Under PIPL
As a PRC user, you have the following rights:
- Right to know — to know how we collect, use, and process your personal information (Art 44).
- Right to access and copy — to request access to and a copy of your personal information (Art 45). Available self-service via Settings → Download My Data.
- Right to correct — to request correction of inaccurate or incomplete personal information (Art 46). Most fields are user-editable in the App.
- Right to delete — to request deletion of your personal information. We will proactively delete when the processing purpose has been achieved, the retention period has expired, or you withdraw consent (Art 47).
- Right to withdraw consent — at any time. Withdrawal does not affect the lawfulness of processing before withdrawal (Art 15).
- Right to request explanation — of our personal-information-processing rules (Art 48).
- Right to portability — to transfer your personal information to a designated personal-information processor where the conditions specified by the Cyberspace Administration are met (Art 45).
- Right to complain — to file a complaint with the Cyberspace Administration of China (CAC) or your local personal-information-protection authority (Art 65).
To exercise these rights, contact us at mineralwild@gmail.com. We will respond within 15 business days.
A.7 Retention Periods (PRC Users)
Same as the main Privacy Policy §8, applied per PIPL principles of purpose limitation and data minimization.
A.8 Children's Privacy (PIPL Article 28)
PIPL Article 28 classifies personal information of minors under 14 as sensitive personal information requiring additional protections including separate consent from a parent or legal guardian. The App is not intended for users under 16 in any jurisdiction; this 16+ minimum exceeds the PIPL minor threshold. We do not knowingly collect personal information from anyone under 16. If we learn that we have collected personal information from a user under 16, we will close the account and delete the personal data promptly.
A.9 Separate Consent
In accordance with PIPL Article 39 and applicable judicial interpretations, the following processing activities require your separate consent (not bundled with general Terms acceptance):
- Cross-border data transfer — before using the App from PRC mainland, you will be asked to separately consent to the transfer of your personal information to the United States (and, where applicable, to other foreign processors);
- Voice-input feature — before first use of the voice feature, you will be asked to separately consent to the processing of your voice data by third-party AI services;
- Public profile display — enabling public-profile visibility requires your separate affirmative action through the App's privacy settings.
A.10 Contact and PRC Representative
For questions about this Supplemental Notice or to exercise your PIPL rights:
Email: mineralwild@gmail.com
In accordance with PIPL Article 53, a PRC-based representative will be designated before formal launch in the PRC market. This section will be updated with the representative's name and contact information at that time.
A.11 Dispute Resolution (PRC Users)
For PRC users, any dispute arising from this Privacy Policy or the processing of your personal information shall be governed by the laws of the People's Republic of China. You may file a complaint with the Cyberspace Administration of China (CAC) or your local personal-information-protection authority at any time, in addition to any rights you have under §15 of the Terms of Service.
Mineral Wild is currently in early launch. Features, availability, and this Privacy Policy may change. We will notify you of material changes as described in §17.