ORDŌ MIND

ORDŌ MIND — Privacy Policy

Effective: This policy takes effect when it is published at ordomind.ai/privacy and the V1.1 app first becomes installable (targeted for the V1.1 Open Alpha launch). It is not in force before then.

Quick summary (read this first)

ORDŌ MIND is built local-first. The most important data — your sessions, your transcripts when you have a G1 paired, your audio while it's being processed — stays on your device. We collect a small amount of pseudonymous data (keyed to a per-install ID, not your name or email) to keep the app running and to learn whether the product is working: app crashes (so we can fix them) and pseudonymous progression events (so we can see whether the loop is helping).

You can turn both of those off, anytime, in Settings → Privacy. (A third category, audio-derived metrics, is a planned capability for a future version — it is entirely inactive in V1.1 and collects nothing.) We do not collect your name, email address, location, contacts, messages, photos, or web browsing history. We do not sell data. We do not use ads.

Your install is identified by a per-install UUID that you can reset whenever you like. There are no accounts.

The short version of our commitments:

If you want the precise list of what we collect, what we share, where it goes, and how to exercise your rights — read on.

Who we are

Entity: ORDO MIND PTY LTD, a private company limited by shares incorporated in Australia. Privacy contact: privacy@ordomind.ai General contact: hello@ordomind.ai

We are the entity responsible for ORDŌ MIND V1.1 (the Android app) and the website at ordomind.ai. References to "we", "us", and "our" in this policy refer to ORDO MIND PTY LTD.

ORDO MIND PTY LTD's annual turnover is below the Australian Privacy Act 1988 small-business threshold of AUD $3 million. We believe this means we are not currently required to be an "APP entity" under the Privacy Act, though we acknowledge that the position is not free from doubt — section 6D(4)(b) of the Privacy Act covers organisations that provide a "health service" regardless of turnover, and an ADHD attention-and-executive-function support tool occupies a grey zone with respect to that definition. We have drafted this policy to align with the Australian Privacy Principles (APPs) as a deliberate trust commitment, and we voluntarily commit to honour the APP-style rights and complaint pathways described in this policy regardless of whether we are technically an APP entity at any given time. The statutory tort of serious invasions of privacy (effective in Australia from June 2025) applies regardless of APP-entity status, and this policy is calibrated accordingly.

Scope of this policy

This single policy covers two surfaces:

  1. The ORDŌ MIND V1.1 Android app — distributed during Open Alpha through two channels: Google Play testing tracks (Internal and Closed Testing), and a direct download of the app's installer (APK) file from ordomind.ai. A public Google Play production listing comes later. Whichever channel you install from, the app and the data practices described in this policy are identical.
  2. The website at ordomind.ai — the marketing landing page, contact form, and app download page.

Both surfaces are operated by ORDO MIND PTY LTD. The app's data practices are described in the sections below, beginning with §"What the app sends off-device". The website's data practices are described in §"Website (ordomind.ai)" near the end.

Geographic scope: ORDŌ MIND V1.1 is offered in Australia, the United States, the United Kingdom, Canada, New Zealand, and other non-EEA markets. The European Economic Area (EEA) is out of scope for V1.1. We enforce this on both distribution channels: EEA users are not given Google Play testing-track access, and the direct download at ordomind.ai asks you to confirm you are located in an offered market before the installer is provided. These are good-faith measures, not a perfect technical barrier. If you obtain and install V1.1 from within the EEA despite them, please understand that the app is not designed or intended for use there, and that this policy does not make the GDPR-specific commitments an EEA-targeted service would. When ORDŌ MIND formally launches in EEA markets, a separate privacy notice with EU-GDPR-specific commitments (including a designated EU representative under Article 27 of the EU GDPR and contact details for our Data Protection Officer where required) will be drafted.

For UK users specifically: the United Kingdom is in scope for V1.1, and the UK General Data Protection Regulation (UK GDPR) together with the Data Protection Act 2018 apply to our processing of personal data of UK residents. We have not yet separately appointed a UK representative under Article 27 of the UK GDPR or undertaken a full UK-GDPR-specific compliance pass — those are scheduled for review at the lawyer-engagement and posture re-evaluation we have planned for V2 ship-time. The substantive commitments in this policy (lawful basis for processing, transparency, data minimisation, user access and deletion rights, security, breach notification) are intended to align with the core requirements of UK data protection law. UK users may contact privacy@ordomind.ai to exercise rights under the UK GDPR. UK users may also lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

What the app sends off-device

V1.1 transmits two categories of data off your device today. A third — audio-derived metrics — is described below as well, because it is planned for a future version; it is entirely inactive in V1.1. Each is described in plain language; the technical details are in the Play Data Safety declarations we filed with Google Play if you want to verify.

(Calendar data is read on-device only and never transmitted off-device; it is described in §"What the app processes locally on your device" below.)

1. Pseudonymous progression events ("how the app is used")

What: When you start, complete, or end a sprint early, when an intervention fires, when the morning gate confirms, and at a small number of other interaction points, the app sends an event to our endpoint. The event contains:

The event does not contain your name, email, location, transcript content, message content, photos, contacts, or anything that directly identifies you as an individual. We describe this data as "pseudonymous" rather than "anonymous" because the per-install UUID does correlate events for the same install over time, even though it is not tied to a real-world identity and is user-resettable. We treat pseudonymous data with the same care as personal information.

Where it goes: Our own endpoint, hosted on Cloudflare Workers + D1 (SQLite). The D1 storage is configured with a location hint of AU/APAC, so data at rest is held in Cloudflare's AU/APAC region. Cloudflare Workers themselves execute at the edge nearest the request, which means data may transit through Cloudflare's global network during processing; the at-rest storage location is what we control. Cloudflare is a service provider processing this data on our behalf (see §"Sharing").

Why: To see whether the product's intervention loop is actually working across all users — which features users complete, where they drop off, how often interventions help vs. get bypassed.

Optional: Yes. Default ON during alpha. You can turn it off during the app's first-run setup (a privacy-settings screen shown during onboarding) or anytime afterwards in Settings → Privacy → Progression metrics.

How long we keep it: Raw events are retained for 90 days, then aggregated into per-cohort-per-day rollups and the raw rows are deleted. The aggregated rollups are retained until the V1.1 product line is retired.

2. Crash reports

What: When the app crashes, a stack trace is sent to Google Firebase Crashlytics along with: the app version + build type, your device model + manufacturer, your Android OS version, memory and thread state at crash, and a small amount of crash-relevant metadata (e.g., what the user was doing when the crash happened).

The crash report does not contain transcript content, historian data, audio, or location.

Where it goes: Google Firebase Crashlytics, operated by Google LLC in the United States. Crashlytics processes this data as a service provider on our behalf (see §"Sharing").

Why: So we can fix bugs that cause the app to crash for real users.

Optional: Yes. Default ON. You can turn it off during the app's first-run setup (the same privacy-settings screen) or anytime afterwards in Settings → Privacy → Crash reporting.

How long Crashlytics keeps it: per Google's Crashlytics retention policy, documented at firebase.google.com/support/privacy. We do not control this retention; it is governed by Google's policies for the Crashlytics service. As a result, when you exercise data deletion against us, we delete the data we hold about you on our endpoint, but the corresponding crash records held by Crashlytics on Google's infrastructure remain subject to Google's retention policy until they age out.

3. Audio-derived metrics — a planned future feature, inactive in V1.1

What: A planned capability for a future version (V2) of ORDŌ MIND. When V2 audio features come online — a future release that will require a new privacy-policy version with your explicit re-acceptance — pseudonymous summaries of speech rate or pitch variance derived from G1 audio sessions may be sent to our endpoint, but only if you explicitly opt in at that time. Those summaries would be statistical aggregates that cannot reconstruct what was said.

State in V1.1: Entirely inactive. V1.1 does not compute, collect, or transmit any audio-derived data, and provides no user setting for it — there is nothing to consent to yet. This category is described here only so the policy is complete about what the product line is planned to do.

When it becomes active: Only with a future V2 release, and only under an updated privacy policy that you must explicitly accept. Until then, no audio-derived data exists.

Architectural commitment that holds regardless: Raw audio never leaves your device. Under any circumstance. Even after V2 features ship, only the on-device-computed summaries (not the audio) ever transit the network. Adding a code path that transmits raw audio would require a substantial architectural change, an ADR, and a new privacy-policy version with explicit user re-acceptance.

What the app processes locally on your device (and never sends off-device)

In addition to the categories above, the App reads and processes the following data on your device. This data stays on your device — it is not transmitted to our servers or any third party — but you should know it exists, and you can verify these claims by inspecting the App's permissions and data flows yourself.

Foreground app monitoring (the single most data-rich local capability)

To power the app-delay overlay (which inserts a delay screen when you open a configured distraction app during a focused session), the daily review surface (which shows you a summary of your day's app usage), and the onboarding reflection demo (which shows you a 7-day snapshot of your phone usage on first launch), the App continuously monitors which app is in the foreground on your device. Specifically:

This requires the PACKAGE_USAGE_STATS permission, which is a system-level permission that Android requires you to grant explicitly in Settings. The onboarding flow walks you through granting it.

This data stays on your device. It is not transmitted to our endpoint or to any third party. The only foreground-app information that leaves your device is the package name of an app that triggered an active intervention, sent as part of the pseudonymous progression event described in §"What the app sends off-device" above (and only if you have progression metrics enabled).

You can revoke the PACKAGE_USAGE_STATS permission at any time in Android Settings; the app-delay overlay and daily review will become inactive but the App will continue to function for other features.

Your installed apps — read on-device to build the distraction-app picker

When you set up the app-delay feature, the App shows you a picker so you can choose which apps to treat as "distraction apps." To build that picker, the App reads the list of apps on your device that have a launcher icon — the apps you can open from your home screen and could be distracted by. Apps without a launcher icon (background services, system-only packages) are invisible to the App: it uses Android's standard launchable-apps query and does not hold the broad "query all packages" permission, so it cannot enumerate your full installed-package list.

This list is read and used entirely on your device — it populates the picker and is never transmitted to our endpoint or to any third party, and we keep no copy of it on our servers. The only app-identity information that ever leaves your device is the package name of a specific app that triggers an active intervention, sent as part of the pseudonymous progression event described in §"What the app sends off-device" above (and only if you have progression metrics enabled).

Calendar (when granted)

When you grant the Calendar permission, the App reads your device's default calendar to display today's events on the morning gate (F1) and to power the Protection Window calendar-block lifecycle. Calendar data is held in App memory only while the morning gate is rendering or while a calendar block is active. It is never sent to any server, never stored on our endpoint, never persisted to the historian, and never shared with a third party.

You can decline the Calendar permission when the app asks for it during first-run setup, or revoke it later in Android Settings. The morning gate will fall back to a calendar-less mode and the calendar-block lifecycle will be disabled.

Audio (when paired with G1 glasses, V2 features only)

When V2 audio features come online and you opt in, audio captured by paired G1 glasses is processed on-device (wake-word detection, on-device speech-to-text). Raw audio never leaves your device. Only on-device-computed summaries (the audio-derived metrics described in §"What the app sends off-device" above — a future-V2 capability, inactive in V1.1) ever transit the network, and only once V2 features are live and you have opted in. Adding a code path that transmits raw audio would require a substantial architectural change, an ADR, and a new privacy-policy version with explicit user re-acceptance.

What the app does NOT collect

For trust, the precise architectural list of what V1.1 does not collect:

How you can check what we say

A privacy policy is only as good as your ability to hold us to it. We want to be straightforward about what you can and cannot verify independently.

What you can verify yourself:

What you cannot verify, and why:

If anything you observe does not match what this policy says, email privacy@ordomind.ai — we treat that as a bug in the policy or the app, and we want to know.

Why we collect what we collect

The data we collect is used only for:

The data is not used for:

Sharing — who else sees the data

We share data with two service providers:

  1. Google Firebase Crashlytics (Google LLC, United States) — receives crash reports if you have crash reporting enabled. Crashlytics is contractually bound by Google's terms not to use the data for unrelated purposes. Privacy details: firebase.google.com/support/privacy.
  2. Cloudflare, Inc. (United States, with AU/APAC location hint for D1 data-at-rest) — operates the Workers + D1 infrastructure that receives our pseudonymous progression metrics (and, in a future V2 release, the audio-derived metrics described above). The D1 storage location hint pins the at-rest data plane to AU/APAC; Workers themselves execute at the edge nearest the request, so data may transit Cloudflare's global network during processing. Cloudflare is contractually bound by their terms not to read the data plane content beyond what's necessary to operate the service.

These are the only third-party services that receive data from the app. ORDŌ MIND V1.1 contains no analytics SDK, no advertising SDK, and no behavioural-tracking SDK beyond Firebase Crashlytics (above). The only other third-party libraries the app uses are Google's own OAuth and Calendar libraries, which run on your device and only contact Google's APIs when you grant the Calendar permission and use the morning-gate feature — calendar data itself never leaves your device.

We do not: - Sell, license, or rent your data to advertisers, brokers, or third parties. - Share your data with researchers, partners, or other developers without separate, explicit consent (no separate consent currently exists; if it ever did, this policy would be re-versioned and you'd be asked to accept it). - Disclose your data to other ORDŌ MIND users. - Disclose your data to acquirers as part of an acquisition without re-consent or deletion (see §"Acquisition or sale of the company").

Government or law enforcement requests: We commit to narrow compliance. If we receive a legally-binding request for user data, we will provide only what is legally required, only about the specific user named in the request, and we will notify the user where legally permissible. We will not provide bulk access, will not provide speculative searches, and will not weaken our architecture to enable future requests.

Where the data goes geographically

The transit of crash reports to the United States is, on the V1.1 app surface, the principal cross-border disclosure. We disclose it here in fulfilment of APP 1.4(f) (privacy-policy disclosure of likely overseas recipients) and we apply APP 8 (cross-border disclosure of personal information) reasoning to our service-provider arrangements with Cloudflare and Google.

How long we keep it

Data type Retention
On-device historian, transcripts (when applicable), session events Retained on your device until you delete the data or uninstall the app. (Default historian retention is 90 days for transcript rows; sessions are retained until you delete them.)
Pseudonymous progression events (server-side) 90 days raw, then aggregated into per-cohort-per-day rollups; raw rows deleted. Rollups retained until V1.1 product line retirement.
Pseudonymous audio-derived metrics (server-side, once V2 features ship and you opt in) Same as progression events. No events flow in V1.1.
Crash reports (Firebase Crashlytics) Per Google's Crashlytics retention policy, beyond our direct control.
Per-install UUID Stored on your device until you reset it (Settings → Privacy → Reset my install ID) or uninstall the app. Server-side, retained as long as associated events are retained; cleared when the events are aggregated and deleted.
Tombstones for deletion requests Retained 90 days after the deletion request to handle race conditions where late-arriving events might re-create deleted rows.

How we secure it

We use industry-standard practices for the data we hold. We are a small organisation; we don't claim to have enterprise-grade security infrastructure, but we don't make security commitments we can't keep.

A note on backups and reinstalling. Your privacy preferences, your install ID, your on-device historian, and the historian's encryption passphrase are deliberately excluded from Android cloud backup and from device-to-device transfer. They do not move with you to a new device and they do not survive an uninstall. This is by design — your data and your consent decisions stay strictly local. A fresh install starts you from scratch: fresh consent prompts at first run, a fresh install ID, an empty historian.

Your rights and how to exercise them

You have the following rights with respect to data ORDO MIND PTY LTD holds about you:

Access

You can see what data the app holds about you in the app itself: your sessions, your historian data, your settings. The app provides a one-tap export (Settings → Privacy → Export my data) that generates a JSON bundle of all locally-stored data.

For server-side data (the pseudonymous events keyed to your per-install UUID), you can email privacy@ordomind.ai with your install UUID (visible in Settings → Privacy) and we will respond within 30 days with the events associated with that UUID, if any.

Correction

For locally-stored data (sessions, transcripts when applicable), you can correct or delete data directly in the app. For server-side data, the records are pseudonymous behavioural events keyed to a per-install UUID rather than to a personal identity, so traditional correction (changing factual statements about you) is not directly applicable. If you believe an event has been misrecorded, email privacy@ordomind.ai.

Deletion (and the related "Reset install ID")

ORDŌ MIND provides two related but distinct operations in Settings → Privacy. They sound similar; they are not the same.

Durability of the remote delete. The remote-delete request is durable across offline and process kill: when you press Delete my data, the old UUID is queued in encrypted local storage before the local wipe, and the DELETE call to our endpoint is attempted. If you're offline or the call fails for any reason, the UUID stays in the queue and the deletion is retried automatically on the next app launch — until it succeeds. You can trust that the delete will land eventually, even if your phone is offline when you press the button.

Tombstones. After a successful remote delete, the server retains a tombstone (UUID + delete date) for 90 days to handle race conditions where late-arriving events might re-create deleted rows. The tombstone contains no personal data — only the UUID and the delete timestamp.

Out-of-band: email privacy@ordomind.ai with your install UUID and we will honour the request within 30 days (the APP 12 reasonable-period guideline).

Opt-out of telemetry

In Settings → Privacy: - Crash reporting — toggle off to stop sending crash reports. - Progression metrics — toggle off to stop sending pseudonymous progression events.

(Audio-derived metrics have no setting in V1.1 — the feature is inactive and collects nothing. When V2 audio features ship, you will be asked to opt in under an updated privacy policy.)

You can change either of these toggles at any time. Changes take effect immediately (the next event simply doesn't fire if its category is off).

Complaints

If you believe we have breached the Australian Privacy Principles (which we voluntarily commit to despite being below the APP-entity threshold), you can: 1. Contact us at privacy@ordomind.ai. We will respond within 30 days. 2. If unsatisfied, lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

Children

ORDŌ MIND V1.1 is intended for users aged 16 and older. On Google Play the app carries a 16+ age rating; if you install V1.1 by direct download from ordomind.ai, you are asked to confirm you are 16 or older before the installer is provided. We do not knowingly collect data from anyone under 16.

If you become aware that a child under 16 has installed the app and used it, please contact privacy@ordomind.ai and we will delete the associated data within 30 days.

A future product surface specifically for under-16 users (with appropriate parental-consent and school-coordination design) is not in V1.1 scope. If we ever release such a product, it will have its own privacy policy with appropriate child-safety commitments.

No automated decisions about you

V1.1 does not make automated decisions about individual users. The app's interventions (morning gate, app-delay overlay, sprint cap with break insertion, daily summary) are user-pre-authorised behaviours triggered by deterministic rules — not algorithmic decisions about who a user is, what they should see, or how they should be treated.

We will update this section if a future version introduces automated decisions of any kind. The Australian Privacy Act's automated-decision-making transparency requirements (effective 10 December 2026) apply to APP entities; we are committing here to disclose any such functionality whether or not we are an APP entity at that time.

Material changes to this policy

When we make a material change to this policy (a change to what we collect, why we collect it, who we share it with, or how long we retain it), we update the policy version number and the effective date.

In-app: the next time you open V1.1 after a material change, a non-modal banner will surface: "Our privacy policy has changed. Review and accept to continue using ORDŌ MIND." You must view the changes and acknowledge before continuing to use the app.

Non-material changes (typo fixes, contact updates, formatting changes) do not bump the version and do not fire the banner. These are tracked in a CHANGELOG.md companion to this policy.

A material change cannot retroactively alter how data already collected under a previous policy version is used. If you accepted Policy v1.0 and Policy v2.0 changes how a category is used, the data we collected from you under v1.0 continues to be governed by v1.0.

Data breaches

If we become aware of a data breach involving your personal or pseudonymous information, we will tell you. We commit to notify affected users within a reasonable period — generally no later than 30 days after we become aware of the breach, and sooner if the breach is likely to result in serious harm. A notification will describe what data was involved, what we are doing in response, and what (if anything) you can do to protect yourself.

How we will reach you. ORDŌ MIND has no user accounts, and we deliberately do not collect your email address (see §"What the app does NOT collect"). One honest consequence of that data-minimisation choice is that we cannot guarantee we are able to reach every affected person individually. If a breach occurs, we will use every channel available to us:

If you want to be certain of receiving a direct notification, you can give us a contact email at privacy@ordomind.ai; we will hold it for that single purpose — security and breach notices — and use it for nothing else. This approach — individual notice where we can, public notice where we cannot — is also the model contemplated by the Australian Notifiable Data Breaches scheme.

Where a breach affects users in jurisdictions with statutory breach-notification regimes (for example, the Notifiable Data Breaches scheme under the Australian Privacy Act for an "eligible data breach", or the UK GDPR's 72-hour ICO notification window for UK users), we will comply with the applicable regime. We make this commitment voluntarily, regardless of whether we are formally an APP entity at the time of any future breach (see §"Who we are").

We will not minimise or delay notification to protect our reputation. We have no commercial interest in your data that could outweigh your interest in knowing about a breach.

Acquisition or sale of the company

If ORDO MIND PTY LTD is acquired, sold, or transferred to another entity, your data does not transfer automatically. The acquirer will be required to either obtain your re-consent under their own privacy policy or delete your contributed data. This provision is structured to survive normal M&A processes and will be disclosed to acquirers during any transaction.

Statutory tort awareness

The Australian Privacy and Other Legislation Amendment Act 2024 introduced a statutory tort of serious invasions of privacy, effective by 10 June 2025. This tort applies regardless of whether ORDO MIND PTY LTD is currently an APP entity.

If you believe you have suffered a serious invasion of privacy by our actions, the statutory tort gives you a direct cause of action in Australian courts independent of any complaint to us or the OAIC. The tort coexists with the rights described elsewhere in this policy — it does not replace them.

Website (ordomind.ai)

The website at ordomind.ai operates differently from the V1.1 app and has its own data-handling practices.

App download

The website offers a direct download of the ORDŌ MIND Android app as an installer (APK) file. Before the download link is shown, you are asked to confirm two things: that you are at least 16 years old, and that you are located in a market where V1.1 is offered. This confirmation is a simple on-page acknowledgement — there is no account, and we do not create a personal record of the confirmation that is tied to you. Downloading the file is an ordinary web request and appears in the server logs described below (IP address, timestamp, and so on), which are retained for 30 days. The app you install this way is the same app, governed by this same policy, as the version distributed through Google Play. Unlike the Google Play version, a directly-downloaded copy does not update itself automatically — see our Terms of Service for what that means for you.

Analytics

The website uses Cloudflare Web Analytics, a privacy-respecting analytics service that does not use cookies and does not track individuals across visits. Cloudflare Web Analytics aggregates traffic patterns (page views, referrers, browsers, country) without identifying individual visitors. Details: cloudflare.com/web-analytics.

We do not use Google Analytics, Facebook Pixel, or any other third-party tracking pixel on the website.

Contact form

If you submit the contact form (e.g., to express interest in being a beta tester), we collect the email address you provide and any message text. The form is hosted by a third-party form-processing service acting on our behalf; the specific provider is named on the contact page itself at the point of submission. We use the email address only to respond to your submission and, with your consent, to add you to a contact list for ORDŌ MIND release notifications.

You can request deletion of your contact-form submission at any time by emailing privacy@ordomind.ai from the email address you submitted.

Server logs

When you visit ordomind.ai, our hosting provider (Cloudflare Pages) records standard server log entries — IP address, user-agent string, request URL, timestamp, response status. These logs are retained for 30 days for technical operation and abuse prevention, then deleted.

No cookies

The website does not set cookies for tracking, advertising, or analytics. No cookie consent banner appears because no consent-requiring cookies are set.

Contact

For privacy-related inquiries, complaints, deletion requests, or rights exercises:

Email: privacy@ordomind.ai Postal: ORDO MIND PTY LTD's registered postal address is available on request — email privacy@ordomind.ai and we will provide it.

We will respond within 30 days (the APP 12 reasonable-period guideline) to any inquiry, even from users outside Australia.

ORDŌ MIND Privacy Policy · Version 1.0 · effective on publication at ordomind.ai/privacy at the V1.1 Open Alpha launch.