Private relationship memory — household use, anti-surveillance, not therapy, not diagnostic, not a dating app — read first
BondMind is a private, single-user, on-device memory tool for the meaningful details of the people the Subscribing Customer cares about. It is NOT a therapist, counsellor, psychotherapist, psychiatrist, clinical psychologist, marriage-and-family therapist (MFT), couples counsellor, sex therapist, licensed clinical social worker (LCSW) or any other regulated mental-health / relationship-therapy professional; it does NOT diagnose, score, grade, rank, judge or opine on the quality, health, viability, attachment style, communication pattern, love-language or “red flags” of any relationship, and does NOT diagnose any mental-health condition under DSM-5-TR, ICD-11 or NICE. It is NOT a dating, matchmaking or introduction service. It is NOT a couple account, partner portal, shared inbox, chat, messaging or email platform. It is NOT an SMS / WhatsApp / iMessage / Signal / Telegram / Facebook Messenger / Instagram DM / Snapchat interception, mirroring, monitoring, forwarding, backup or decryption tool. It is NOT a surveillance, monitoring, tracking, geo-tracking, location-tracking, keystroke-logging, screen-recording, screen-mirroring, camera-mirroring, microphone-mirroring, phone-forwarding, call-recording, contacts-scraping, photos-scraping, browser-history-scraping, app-usage-monitoring, screen-time-monitoring, Bluetooth-tracking, AirTag-tracking, Find-My-Person, mSpy-style, FlexiSpy-style, XNSPY-style, Cocospy-style, Spyzie-style, Hoverwatch-style, KidsGuard-style, TheTruthSpy-style or any other “stalkerware” application under any brand. It is NOT a domestic-abuse-enabling, coercive-control, gaslighting-preparation, blackmail-preparation, revenge-porn-preparation, harassment, cyberstalking, image-based-sexual-abuse or intimate-partner-violence facilitation tool. It is NOT a public emergency service, crisis line, suicide-prevention hotline, mental-health-crisis dispatcher, domestic-violence emergency service, sexual-assault emergency service, child-safeguarding hotline, missing-persons service, private-investigator instrument, court-of-family / court-of-protection / divorce-court instrument, notarial deed, marriage or civil-partnership registration instrument, Will / probate / letter-of-wishes / advance-decision instrument or Qualified Trust Service Provider under Regulation (EU) 910/2014.
The Subscribing Customer, as the natural person recording data about other identified or identifiable natural persons (a partner, spouse, fiancé(e), family member, close friend, godchild), is the data controller for that personal data under Article 2(2)(c) GDPR (household exemption) and equivalent household / personal-use exemptions in every launch jurisdiction (UK GDPR household framing; California CCPA / CPRA personal / household exemption under Cal. Civ. Code §1798.145(a)(4); German BDSG; French, Italian, Spanish, Dutch and other EU Member-State transpositions). ML Consulting is a processor only in the narrow sense that our App code and Apple-supplied frameworks run on the Subscribing Customer's device; ML Consulting never itself sees, receives, stores, transmits, indexes, aggregates or otherwise processes the underlying content of the Subscribing Customer's memory records on its own infrastructure. The household exemption is nevertheless a limited exemption: it does NOT permit unlawful use of the App to stalk, harass, monitor, control, coerce, defame, blackmail, extort, humiliate, intimidate or otherwise cause harm to another person; it does NOT permit the compilation of records intended to support intimate-partner violence, coercive control (U.K. Serious Crime Act 2015 §76; Domestic Abuse Act 2021), stalking (U.K. Protection from Harassment Act 1997; Stalking Protection Act 2019; VAWA Reauthorization Act 2022; German Nachstellung StGB §238), image-based sexual abuse (U.K. Online Safety Act 2023; California Penal Code §647(j)(4)) or family-court proceedings pursued in bad faith; and it does NOT extend to any professional, commercial, business or organisational use — which would remove the exemption and place the Subscribing Customer under full data-controller responsibility including the Articles 13-14 GDPR notice-to-data-subjects obligation. If you are experiencing domestic abuse, coercive control or intimate-partner violence, please contact the U.K. National Domestic Abuse Helpline on 0808 2000 247, the U.S. National Domestic Violence Hotline on 1-800-799-7233, the German Hilfetelefon Gewalt gegen Frauen on 08000 116 016, the French 3919, the Italian 1522, the Spanish 016, the Australian 1800 RESPECT, the Canadian ShelterSafe network or your local equivalent — and the Coalition Against Stalkerware directory at stopstalkerware.org. If you have concerns about your own mental health, self-harm or suicide, please contact the U.K. Samaritans (116 123), the U.S. 988 Suicide & Crisis Lifeline, the German Telefonseelsorge, the French Suicide Écoute, the Italian Telefono Amico, the Spanish Teléfono de la Esperanza, the Australian Lifeline (13 11 14) or the Canadian 9-8-8.
Local notifications, widgets, App Intents, Foundation Models on-device narrative-summary and per-product price-suggestion outputs (v1.1), Vision-framework on-device receipt-OCR suggestions, per-photo SHA-256 hashes, XLSX imports and exports and PDF Pack renders are advisory only. The Subscribing Customer remains the sole trader for every payment received through every marketplace, every craft fair and every direct sale — independently of the App. CALLING 112 / 999 / 911 / 000 OR THE LOCALLY APPLICABLE PUBLIC EMERGENCY NUMBER REMAINS MANDATORY whenever any person is in apparent danger of death or serious harm in a workshop or at a market (including burns from wax, resin, soap-lye or hot glass; fire; electrocution from tooling; slips, trips or falls; laceration from cutting tools; chemical exposure; anaphylaxis; or medical emergency).
At a glance — what you should know in 60 seconds
• We do not sell your personal data and we never will. In fact, ML Consulting collects no Customer Data on its own infrastructure at all: BondMind is a no-server, no-account, offline-first iPhone-and-iPad application, and every Customer Data category (Person profiles, Source Records — voice notes recorded with AVFoundation with SHA-256 at save, on-device Speech-framework transcripts, text notes, screenshots and photographs imported with PhotosUI limited-library, documents scanned with VisionKit; confirmed Memory Cards; Preferences; Gifts; Place Memories; Future Plans; Conversation Summaries; Documents in the Relationship Evidence Vault; Milestones; Reflection Points on the non-diagnostic Relationship Health Timeline; Occasions; Artifacts such as Occasion Brief PDFs, Legacy Timelines and Legacy Books; ReminderIntents) lives in the Subscribing Customer's own Apple iCloud (Core Data mirrored to CloudKit private database) on the Subscribing Customer's own iCloud quota. We do not use Subscriber Data to train, fine-tune, evaluate or benchmark any machine-learning model.
• BondMind is offline-first. Capture, browsing, editing, Batch production, Order quick-log, Pack generation, XLSX import and export, and every other operational flow work with zero connectivity; CloudKit syncs when your device is next online. If iCloud is unavailable (signed out or quota-full), the App runs fully locally with a passive banner and no work is lost.
• BondMind operates no server, no web portal, no App Clip surface, no operator dashboard, no third-party analytics SDK, no crash-reporting SDK, no advertising SDK, no attribution SDK, no tracking SDK and no live marketplace-API integration. Measurement is App Store Connect + MetricKit + on-device counters only. The App Store “Data Not Collected” privacy label reflects this. There is no ad model and there never will be. There are no streaks, no shareable moments, no marketing-style nudges and no anxiety-triggered notifications.
• BondMind is sold by subscription through the Apple App Store: Pro at EUR 9.99 per month or EUR 79.99 per year. A 2-week full-featured introductory trial applies, configured in App Store Connect. Post-trial the App is read-only with full XLSX + PDF export always available; your data is never held hostage. A single StoreKit 2 entitlement gate is the only check in the codebase and guards record creation and artifact generation. Read and export are never gated. All billing runs through Apple App Store In-App Purchase; ML Consulting operates no direct billing channel and does not use Stripe, PayPal, GoCardless or any other payment processor for BondMind.
• The App is NOT a therapist, counsellor, psychotherapist, MFT, LCSW or any regulated mental-health / relationship-therapy professional; NOT a dating, matchmaking or introduction service; NOT a couple account, shared inbox, chat platform or partner portal; NOT an SMS / WhatsApp / iMessage / Signal / Telegram interception, mirroring, monitoring or backup tool; NOT a surveillance, monitoring, tracking, location-tracking, keystroke-logging, screen-recording, call-recording, contacts-scraping or “stalkerware” application under any brand; NOT a domestic-abuse-enabling, coercive-control, gaslighting-preparation, blackmail-preparation, revenge-porn-preparation, harassment or cyberstalking tool; NOT a Qualified Trust Service Provider under eIDAS; NOT a Will, probate, letter-of-wishes or advance-decision instrument; NOT a court-of-family, court-of-protection or divorce-court instrument; and NOT a public emergency service. Every suggestion is a private aide-mémoire for your own decision-making, always requiring your explicit confirmation before it is saved.
• Optional Face ID / Touch ID app lock (LocalAuthentication) protects local App access on shared devices. BondMind does not include any electronic-signature surface, does not issue eIDAS qualified electronic signatures / seals / timestamps, and is not a Qualified Trust Service Provider under Regulation (EU) 910/2014. Per-photo SHA-256 hashes captured at save time and per-Pack photo-hash manifests are operational, evidentiary anchors — they are a fingerprint, not a notarisation, not an eIDAS qualified electronic seal or timestamp, and not a certified electronic signature. BondMind deliberately does not include an operator-side handover-signature surface; recipients receive PDFs and XLSX files through the iOS share sheet.
• Person profile, Source Record, Memory Card, Preference, Gift, Place Memory, Future Plan, Conversation Summary, Document, Milestone, Reflection Point, Occasion, Artifact and every other Customer Data record belongs to the Subscribing Customer. We do not share or sell this data with any third party for advertising, commercial-intelligence, marketplace-benchmarking, market-research, credit-scoring, seller-performance-scoring or claim-outcome-prediction purposes. Because BondMind has no server, we cannot share Customer Data even if we wanted to — we never receive it.
• BondMind deliberately does NOT offer: AI relationship diagnosis, scoring, grading, ranking or verdicts (the Relationship Health Timeline is a reflection surface only); AI mental-health, mood-disorder, personality-disorder, attachment-style or clinical-condition inferences under DSM-5-TR, ICD-11 or NICE; AI love-language, attachment-style, communication-pattern, compatibility-score, red-flag or green-flag verdicts; AI dating-match, matchmaking, introduction or profile-optimization suggestions; AI emotion-inference, affect-inference, honesty-inference, attraction-inference, sexual-orientation-inference, gender-inference or gender-identity-inference from photographs, voice notes or screenshots; AI facial-recognition, gait-recognition, voice-print-identification or biometric-identification of any person; AI keystroke, screen-recording, screen-mirroring, message-interception, WhatsApp / iMessage / Signal / Telegram-decryption or stalkerware determinations; AI location-tracking, geo-fencing, AirTag-tracking or Find-My-Person determinations; AI legal, tax, probate, will, family-court, divorce-court, custody, financial-remedy or child-arrangement-order determinations; AI mental-health-crisis, suicide-risk, self-harm-risk, domestic-violence-risk, coercive-control-risk, abuse-risk or safeguarding determinations. The AI helpers we do offer (Foundation Models on-device suggestion-only extraction of candidate Memory Cards from Source Records; Vision-framework on-device OCR of screenshots and documents; Speech-framework on-device transcription of voice notes; deterministic Ask Memory retrieval over the local Core Data graph with an optional Foundation Models composition step; NaturalLanguage on-device fuzzy matching) are on-device only, never autonomous, always suggestion-labelled, always source-linked, always require the Subscribing Customer's explicit confirmation before persistence, always retain the raw input, and always fall back to deterministic engines or manual entry where Foundation Models is unavailable on the device or in the locale.
• You can exercise the full set of EU GDPR rights at any time by writing to support+bondmind@mlconsulting.lt. Our lead supervisory authority is the Lithuanian State Data Protection Inspectorate (VDAI) in Vilnius. Where the only copy of your Customer Data lives in your own iCloud, many rights are exercised through Apple (iCloud account controls, Data & Privacy portal at privacy.apple.com) rather than through ML Consulting.
• BondMind is intended for individual adult consumers only. Users must be at least 18 years old, must be recording data about their own relationships and the people they care about (not third-party clients, patients, students, employees or other professional or organisational contacts), must use the App under the household exemption (Article 2(2)(c) GDPR or equivalent), and must NOT use the App to stalk, harass, monitor, control, coerce, defame, blackmail, extort, humiliate, intimidate or otherwise cause harm to any person. Where the Subscribing Customer chooses to record data about a minor (typically a partner's child, a godchild, a niece / nephew or a family member's child), the Subscribing Customer is responsible for lawful, respectful and age-appropriate use, for parental / guardian consent where required, and for compliance with Article 8 GDPR minimum-age framing, COPPA (U.S. Children's Online Privacy Protection Act) and every equivalent regime.
1. About this Privacy Policy
ML Consulting MB (“ML Consulting”, “we”, “us”, “our”) is the publisher of the BondMind iOS / iPadOS application (the “App”), distributed exclusively through the Apple App Store. This Privacy Policy explains what personal data the App processes — and, importantly, where that data lives, which is the Subscribing Customer's own Apple iCloud rather than any server operated by ML Consulting — when you use the App: subscribe through the Apple App Store, create a Person profile for a partner, spouse, fiancé(e), family member, close friend or godchild with the name, nickname, relationship type and any important dates you choose to record, capture a text note or a voice note with AVFoundation and receive an on-device Speech-framework transcript, import a screenshot or photograph with PhotosUI limited-library, scan a document with VisionKit and receive on-device Vision OCR, review Foundation Models on-device suggested Memory Cards (candidate facts, preferences, gifts, places, plans, promises, birthdays, allergies) and confirm, edit or discard each one, browse the Preference Graph, log a Gift, log a Place Memory, log a Future Plan, browse the non-diagnostic Relationship Health Timeline as a reflection surface only, add a document to the Relationship Evidence Vault, ask Ask Memory a natural-language question over the local index and receive a source-linked answer, generate an Occasion Brief PDF or a Legacy Timeline artifact through the iOS share sheet, enable the optional Face ID / Touch ID app lock, or opt in to Foundation Models on-device suggestions — why we process it, the legal bases on which we rely, with whom we share it (deliberately: nobody in the data plane other than Apple, for iCloud), for how long we keep it, and the rights you have under the GDPR and other applicable privacy laws.
This Policy is written to satisfy Articles 12 to 14 of Regulation (EU) 2016/679 (the GDPR — with particular attention to Article 2(2)(c) household exemption, Article 8 children's data, Article 9 special categories, Article 21 objection and Article 88 employment context), the Republic of Lithuania Law on Legal Protection of Personal Data, Regulation (EU) 910/2014 (eIDAS) where electronic-signature claims are concerned (BondMind issues none — it is not a Qualified Trust Service Provider), Regulation (EU) 2024/1689 (the AI Act) where transparency and human-oversight obligations apply to Foundation Models on-device suggestions, Vision on-device OCR and Speech on-device transcription, the German BDSG, the UK GDPR and Data Protection Act 2018, the U.S. CCPA / CPRA and its household exemption under Cal. Civ. Code §1798.145(a)(4), the Australian Privacy Principles under the Privacy Act 1988, and the Canadian PIPEDA — all as background to why the App exists, without BondMind itself claiming to interpret or discharge any of those regimes on the Subscribing Customer's behalf.
BondMind is intended for individual adult consumers only — 18+ users recording a private, on-device memory of the people they care about, under the household exemption or its national equivalent. This Policy should be read together with the BondMind Terms and Conditions (Master Terms + Schedule A) published by ML Consulting MB.
2. Controller identification
We are the data controller for the processing described as “we act as controller” in section 4 of this Policy. Because BondMind operates no server, no web portal, no App Clip surface, no account and no login, and because Customer Data lives in the Subscribing Customer's own iCloud rather than on ML Consulting infrastructure, the controller-level processing we carry out is deliberately extremely narrow — essentially, StoreKit 2 App Store Server Notifications payloads and support correspondence.
• Legal name: ML Consulting MB
• Legal form: Mažoji bendrija (small partnership) governed by the law of the Republic of Lithuania
• Legal entity code: 306991112 (Centre of Registers of the Republic of Lithuania)
• Website: https://mlconsulting.lt
• Privacy contact: support+bondmind@mlconsulting.lt
ML Consulting MB has not designated a Data Protection Officer because its current processing does not meet the criteria in Article 37(1) GDPR. The privacy contact above handles all data-protection enquiries.
Our lead supervisory authority for the purposes of the GDPR's one-stop-shop mechanism (Article 56 GDPR) is the Lithuanian State Data Protection Inspectorate — Valstybinė duomenų apsaugos inspekcija (VDAI) — at L. Sapiegos g. 17, LT-10312 Vilnius, Lithuania, telephone +370 5 271 2804, email ada@ada.lt, website vdai.lrv.lt.
3. Scope of this Policy
This Privacy Policy applies to:
• the BondMind iOS / iPadOS application published by ML Consulting MB on the Apple App Store, including the iPhone TabView capture-first surface (Dashboard, Orders, Products, Materials, More), the iPad split-view review-cockpit surface, the AVFoundation receipt-capture layer, the Vision-framework on-device OCR layer, the NaturalLanguage on-device token-similarity fuzzy-matching layer, the PDFKit + ImageRenderer Pack pipeline, the Swift Charts dashboard, the custom pure-Apple XLSXReader / XLSXWriter module, the widget surface, the App Intent surface (LogSaleIntent, AddPurchaseIntent), the BGTaskScheduler background local-notification scheduler, the LocalAuthentication optional app-lock surface, the StoreKit 2 In-App Purchase pipeline, and — from v1.1 — the optional Foundation Models narrative layer, the optional QR-label generation and scan surface, and the optional CKShare single-partner sharing surface (introduced only under an explicit decision gate);
• user accounts — of which there are none. BondMind uses ambient iCloud identity to access the Core Data / CloudKit private database; there is no account, no login, no password, no email verification and no operator dashboard;
• the App's landing pages, help articles and documentation hosted on mlconsulting.lt that describe BondMind; and
• email and other communications you exchange with us about the App.
This Policy does NOT apply to the recipient side of Pack and export delivery. When you export a Monthly P&L Pack PDF, a Product Cost Sheet PDF, an Inventory Valuation PDF or a full-data XLSX Export from the iOS share sheet, the PDF or XLSX becomes a document under the recipient's control, processed by the recipient's own email server, document-management system, accounting software (DATEV, Xero, QuickBooks, FreshBooks, Sage, Wave, ELSTER, MTD bridging software or equivalent), or filing platform. ML Consulting has no visibility into and no processing role in the recipient's handling of that document.
Where Apple Inc. or its subsidiaries, or any other independent third party, processes personal data on its own account in connection with the App — for example, the Apple App Store, iCloud, CloudKit, StoreKit 2, APNs local-notification delivery, WidgetKit, App Intents, BackgroundTasks, PhotoKit, AVFoundation, Vision / VisionKit, NaturalLanguage, PDFKit, LocalAuthentication and Secure Enclave, and — from v1.1 — Core Image and Foundation Models — that party acts as a separate controller and its own privacy policy applies in addition to this Policy.
4. Our two privacy roles — controller and processor
4.1 We act as controller (deliberately narrow — BondMind collects nothing on ML Consulting infrastructure)
We determine the purposes and means of processing for the following extremely narrow categories:
• billing and payment data returned to us by App Store Server Notifications (subscription identifier, tier, trial state, renewal state, refund state, environment, transaction identifier); Apple Inc. is the merchant of record; we do not receive your payment-card data;
• communications and support correspondence about the App;
• device, technical and telemetry data — deliberately limited: iOS / iPadOS version, device model, App version, language and timezone, visible to us only through App Store analytics reports Apple publishes to developers and MetricKit crash and hang diagnostics if you have opted in to Diagnostics and Usage Data at the OS level; no third-party analytics SDK, no crash-reporting SDK, no attribution SDK, no advertising SDK, no tracking SDK is embedded in the App;
• the internal logs we keep to comply with statutory accounting and tax retention under Lithuanian law.
4.2 We act as processor (Customer Data lives in your own iCloud — we never receive it)
Every category of Customer Data — Items, Lots, Purchases (append-only), Bins with user-owned QR labels, Listings (append-only), Sales (append-only, with per-item cost snapshot frozen at Mark-Sold entry; no marketplace API auto-imports a Sale), Trips and mileage (manual; no CoreLocation in v1.0), Marketplace fee profiles (all editable, all labelled estimates), Adjustments (append-only), Settings, AVFoundation item / receipt / bin photographs, Vision QR-scan outputs of the App's own bin labels and barcode-capture outputs (persisted as opaque SKU strings only, never resolved against any external product catalogue), and — from v1.1 — Vision receipt-OCR suggestion outputs and Foundation Models on-device summary and listing-description-draft outputs — lives in the Subscribing Customer's own Apple iCloud (Core Data mirrored to CloudKit private database). Photographs and other binary assets are stored as CKAssets on the Subscribing Customer's own iCloud quota. When iCloud is unavailable (signed out or quota-full), the App runs fully locally with a passive banner and no work is lost.
The consequence for privacy roles is unusual: for these categories, ML Consulting acts as processor on the Subscribing Customer's instructions insofar as our App code and its Apple-supplied entitlements run on the Subscribing Customer's device, but ML Consulting never itself sees, receives, stores, transmits, indexes, aggregates or otherwise processes the underlying content of that Customer Data on its own infrastructure. Apple Inc., in operating iCloud and CloudKit on behalf of the Subscribing Customer, is a separate independent controller for its own iCloud-side processing.
ML Consulting does not use Subscriber Data to train, fine-tune, evaluate or benchmark any machine-learning model, and does not disclose Subscriber Data to any third-party model provider under any circumstances — because ML Consulting never receives Subscriber Data on its own infrastructure in the first place. Vision, NaturalLanguage and Foundation Models (v1.1) are Apple's on-device frameworks; their inference runs locally and their output does not leave the device as a result of the App's use.
5. Apple App Store, iOS, iPadOS, CloudKit, Vision, NaturalLanguage, Foundation Models and platform context
Because the App is delivered through the Apple App Store, runs on Apple's iOS and iPadOS platforms and stores every Customer Data category in the Subscribing Customer's own Apple iCloud rather than on any ML Consulting server, this section makes the platform inheritance explicit. There is no web portal, no App Clip surface, no operator dashboard, no Mac Catalyst app, no Android app, no watchOS companion and no visionOS surface within the scope of the App.
5.1 App Privacy details on the App Store — “Data Not Collected”
BondMind's App Privacy details on the App Store are set to “Data Not Collected”. The App Store submission review notes explain the no-account, no-server architecture: all Customer Data lives in the customer's iCloud; the developer collects nothing.
5.2 App Tracking Transparency
BondMind does not track you across other companies' applications and websites within the meaning of Apple's App Tracking Transparency framework. We do not request the ATT permission and we do not use the iOS Identifier for Advertisers (IDFA). The App's App Store declaration is set to “Data Not Used to Track You”. We never apply seller-performance, employability, ranking, blacklist, ban-risk, review-quality, refund-risk, chargeback-risk or marketplace-behaviour profiling.
5.3 Privacy Manifest
BondMind ships an Apple-required Privacy Manifest (PrivacyInfo.xcprivacy) declaring the data categories the App accesses, the reasons for any use of “required reason” iOS APIs (camera for AVFoundation receipt capture; photo library for PhotoKit product-photo import; Vision and VisionKit for on-device receipt OCR; NaturalLanguage for on-device fuzzy matching; Foundation Models for the v1.1 narrative layer; PDFKit for Pack render; Keychain for short secrets; LocalAuthentication for optional app lock; BackgroundTasks for local-notification scheduling; StoreKit 2 for IAP) and the third-party SDKs the App depends on — which, deliberately, is none.
5.4 iOS sandbox, Data Protection, per-receipt SHA-256 and append-only records
On-device application data is held inside the iOS application sandbox and benefits from Apple's default Data Protection. Every AVFoundation receipt photograph captured through the App is hashed with SHA-256 at save time. Financial records (PurchaseLots, Batches, Orders and StockAdjustments) are append-only after save: corrections supersede rather than overwrite, both the superseded and the superseding record remain visible, and PDF Pack exports include a hash manifest. This is a fingerprint, not a notarisation.
5.5 Ambient iCloud identity, no account, no login, no Sign in with Apple, and the optional Face ID app lock
BondMind deliberately has no account architecture. It does not present a login screen, does not ask for an email address or password, and does not use Sign in with Apple in v1.0. It relies on ambient iCloud identity for Core Data / CloudKit private-database access. Optional Face ID / Touch ID app lock is available through LocalAuthentication; biometric data never leaves the device and Apple does not provide us with your biometric template.
5.6 Vision framework — QR-scan of user-owned bin labels and barcode-to-opaque-SKU capture; no CV verdicts, no product-catalogue lookups
BondMind uses Apple's Vision framework on-device for receipt-OCR text extraction and, from v1.1, for QR-code scanning of user-owned bin labels. Vision output is a labelled suggestion the recorder confirms — no computer-vision verdicts, no “detected”, “verified”, “counted”, “damage-diagnosed”, “counterfeit-flagged” or “provenance-authenticated” claims. Below a deterministic confidence threshold, the App visibly flags the affected line as low-confidence, and no PurchaseLot, no stock change and no cost change persists from any line the recorder does not confirm.
5.7 NaturalLanguage — v1.1 only, deferred to the Foundation Models narrative layer
BondMind uses Apple's NaturalLanguage framework on-device to fuzzy-match receipt-line text to the Subscribing Customer's own Material names, using deterministic token-similarity with a disclosed threshold. Suggestions only; the recorder confirms every match.
5.8 Foundation Models — v1.1 narrative layer only, English and German, device-floor gated, rule-based parity below the floor
BondMind uses Apple's Foundation Models framework on-device to suggest candidate Memory Cards from Source Records (voice notes, text notes, screenshots, photographs, scanned documents), to compose optional Ask Memory answers from deterministically retrieved evidence, and to draft optional Occasion Brief and Legacy Timeline narratives. Every generation is source-linked; every generation is suggestion-only and must be explicitly confirmed by the Subscribing Customer before persistence; and every generation degrades gracefully to deterministic engines or manual entry where Foundation Models is unavailable on the device or in the locale. Foundation Models is Apple's on-device large-language-model framework.
5.9 AVFoundation, PhotoKit and Files — item / receipt / bin capture and XLSX import from your own files
BondMind uses AVFoundation for receipt-capture, PhotoKit only where the recorder explicitly imports an existing photograph, and the iOS Files picker for user-owned XLSX orders and materials workbook import. BondMind does not read your Contacts, Calendar, HealthKit, HomeKit, CoreLocation, NFC, Speech or RoomPlan / LiDAR — all deliberately excluded.
5.10 Custom pure-Apple XLSXReader / XLSXWriter — no third-party SDK
The XLSX import and export layer is a custom pure-Apple module built on Foundation and Compression. There is no CSV import surface and no CSV export surface anywhere in the App — deliberately, as a binding anti-scope. The XLSX module does not phone home, does not embed telemetry, and does not use any third-party dependency.
5.11 PDFKit, Swift Charts, WidgetKit, App Intents, BackgroundTasks, StoreKit 2
BondMind relies on several Apple frameworks: PDFKit + ImageRenderer (Monthly P&L Pack, Product Cost Sheet, Inventory Valuation, full-data XLSX Export — mandatory footers on every page); Swift Charts (dashboard); WidgetKit (Today's profit widget, Quick-log deep-link widget — best-effort refresh, no push); App Intents (LogSaleIntent, AddPurchaseIntent — Siri and Shortcuts); BackgroundTasks (BGTaskScheduler — best-effort local-notification scheduling); StoreKit 2 (Apple App Store IAP, 2-week introductory trial, localized product prices only).
5.12 CloudKit private database and CKShare (v1.1, decision-gated) — Customer Data in your own iCloud
Every category of Customer Data lives in the Subscribing Customer's own Apple iCloud, in the CloudKit private database for the BondMind container. From v1.1, if the decision gate passes, team-of-two workspaces are implemented via CKShare: the Subscribing Customer subscribes and creates a single CKShare per company root; a single partner accepts the share link, installs the App and joins as a co-user. CloudKit and CKShare are operated by Apple Inc. under Apple's own privacy terms.
5.13 Recipients — no accounts, no App Clip, no server; Packs and XLSX travel via the iOS share sheet
Recipients — the Subscribing Customer's own accountant, tax adviser, Steuerberater, partner, market organizer, insurance broker or any other counterparty — do not have accounts in BondMind. There is no App Clip surface and no operator dashboard. Recipients receive Pack PDFs and XLSX Exports via the iOS share sheet.
5.14 App Privacy Report
iOS 15.2 and later provide an in-operating-system App Privacy Report. BondMind is designed so that this report shows the Apple platform domains used (App Store, iCloud, CloudKit, APNs local-only) and — deliberately — nothing else. No ML Consulting server domain, no third-party analytics domain, no advertising domain, no attribution domain and no crash-reporting domain should ever appear.
6. Key terms used in this Policy
• Personal data — any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
• Processing — any operation performed on personal data.
• Controller — the person who determines the purposes and means of processing.
• Processor — a person who processes personal data on behalf of a controller.
• Subscribing Customer — the individual adult consumer (18+) who took out the BondMind Pro subscription and pays personally from her own pocket. Also the natural-person data controller for every category of Customer Data recorded about another person, under Article 2(2)(c) GDPR household exemption or its national equivalent.
• Item — a discrete unit of secondhand inventory the Subscribing Customer sources and lists for resale (a jacket, a book, a vinyl record, a pair of sneakers, a vintage camera, a piece of costume jewellery, a set of glasses, a lamp).
• Person profile — the top-level context for the App: a natural person the Subscribing Customer chooses to keep memory of (partner, spouse, fiancé(e), family member, close friend, godchild). Contains all Source Records, Memory Cards, Preferences, Gifts, Place Memories, Future Plans and Artifacts for that person.
• Bin — a physical storage location for Items (a bin, shelf or storage cage) with a location photograph and a user-owned QR label generated by the App via PDFKit + Core Image and scanned via Vision.
• Trip — a sourcing trip with saved route or venue, user-entered distance in miles or kilometres, per-trip spend link and optional receipt photograph; mileage cost is computed at the user-entered per-mile / per-kilometre rate. No GPS in v1.0.
• Source Record — a raw captured input (voice note, text note, screenshot, photograph, scanned document). Append-only inside the active profile. Voice notes and scanned documents carry SHA-256 at save time.
• Marketplace fee profile — an editable Marketplace-fee preset (eBay, Poshmark, Vinted, Depop, Etsy, Mercari, Vestiaire Collective, Grailed, Whatnot, Facebook Marketplace, Bonanza, ThredUp, The RealReal, Cash / fair, other) with tiered percentage, flat-below-threshold and payment-processor rules. All user-editable, all labelled “editable estimate — verify against your statement”.
• Memory Card — a structured, confirmed fact derived from a Source Record after the Subscribing Customer explicitly reviews and confirms an AI or engine suggestion. Categories include facts, preferences, promises, dates, birthdays, allergies, gift ideas, place notes, plans and reflection points.
• Adjustment — an append-only manual stock or price correction record (returned, damaged, lost, found, deleted, price change). Historical Sales are never edited.
• Artifact — a PDF assembled on-device by PDFKit in one of several types: First Memory Snapshot (onboarding demonstration), Occasion Brief (for a birthday, anniversary or trip), Legacy Timeline, Legacy Book, Anniversary Album. Every Artifact carries a mandatory footer identifying it as a private aide-mémoire generated from the Subscribing Customer's own entries and NOT as therapy, diagnosis, legal document or evidence, plus the discreet product footer “Made with BondMind for iPhone.”
• Recipient — the accountant, Steuerberater, tax preparer, spouse or any other counterparty who receives a Pack PDF or XLSX Export via the iOS share sheet. Not a user of the App.
• EntitlementGate — the single StoreKit 2 check that guards record creation and artifact generation; read and export are never gated.
• Foundation Models layer (v1.1) — the opt-in, Apple-Intelligence-device-floor-gated, English-and-German-only on-device narrative-summary and listing-description-draft layer. Prompts consume derived aggregates only; output never auto-persists.
• CKShare partner (v1.1, decision-gated) — an optional single partner the Subscribing Customer invites to co-use the workspace under CKShare.
• On-device — data stored or processed locally on the Subscribing Customer's iPhone or iPad inside the iOS application sandbox.
• Backend — BondMind has none. The App's server-side surface is Apple iCloud (CloudKit) operated by Apple Inc.
• Sub-processor — a third-party service provider that processes personal data on our behalf. BondMind deliberately depends on none for its data plane.
• EEA — the European Economic Area.
• VDAI — Valstybinė duomenų apsaugos inspekcija, the Lithuanian State Data Protection Inspectorate.
7. Personal data we process
This section describes the data BondMind processes. The unusual feature to hold in mind: with the narrow exceptions in section 4.1, the Customer Data below lives in the Subscribing Customer's own iCloud, not on ML Consulting infrastructure. Because BondMind has no account architecture, we do not even hold an account identifier or an email address for you unless you email us support directly.
7.1 Account and authentication data (we act as controller — deliberately none)
BondMind has no account architecture. It does not require Sign in with Apple in v1.0, does not present a login screen, does not ask for an email address or password, and does not hold an account identifier for you. Ambient iCloud identity is used only by Apple's CloudKit for the Subscribing Customer's private-database access. Where you email us support, we hold your email address only for the purpose of replying.
7.2 Device, technical and telemetry data (limited)
iOS / iPadOS version, device model, App version, language and timezone (visible to us only through App Store analytics reports); MetricKit crash and hang diagnostics if you have opted in at the OS level; on-device diagnostics counters surfaced only to you (nothing leaves the device). No third-party analytics SDK, no crash-reporting SDK, no attribution SDK, no advertising SDK, no tracking SDK.
7.3 Communications and support data
The content and metadata of any email, support ticket or in-app help message you send us, including any attachments.
7.4 Billing and payment data (Apple is the merchant of record)
App Store Server Notifications payloads: subscription identifier, tier, trial state, renewal state, refund state, environment, transaction identifier. We do not receive your payment-card data. There is no direct billing channel and no Stripe / PayPal / GoCardless / SEPA / bank-transfer path for BondMind.
7.5 Customer Data (lives in your own iCloud)
Person profiles (name, nickname, relationship type, important dates you choose to record); Source Records (voice notes captured with AVFoundation with SHA-256 at save; on-device Speech-framework transcripts; text notes; screenshots and photographs imported with PhotosUI limited-library; documents scanned with VisionKit with SHA-256 at save; optional user-confirmed places from Apple Maps look-up); confirmed Memory Cards (structured facts derived from Source Records after the Subscribing Customer explicitly reviews and confirms an AI or engine suggestion); Preferences (favorites, dislikes, allergies, dietary restrictions, sensitivities — Article 9 GDPR sensitivities may appear where the user chooses to record them and are handled with additional care); Gifts (history, budgets, occasions, reactions, duplicate-avoidance); Place Memories (cafés, restaurants, hotels, hikes, concerts with notes, ratings, photos); Future Plans (dreams, trip ideas, bucket-list items detected from repeated confirmed memories); Conversation Summaries (from imported screenshots and voice notes); Documents in the Relationship Evidence Vault (receipts, reservations, tickets, warranties); Milestones; Reflection Points on the non-diagnostic Relationship Health Timeline; Occasions; Artifacts (First Memory Snapshot PDFs, Occasion Brief PDFs, Legacy Timelines, Legacy Books, Anniversary Albums); ReminderIntents; AVFoundation voice-note and photo captures stored as CKAsset-backed binary references; Vision on-device OCR outputs; Speech on-device transcription outputs; NaturalLanguage on-device fuzzy-match outputs; Foundation Models on-device suggestion outputs; PDFKit Artifact renders.
7.6 CKShare partner data (from v1.1 if introduced)
Where the Subscribing Customer invites a single partner under v1.1 CKShare: the partner's name, iCloud identity as supplied to the CKShare zone by Apple, join timestamp, and any Customer Data entries the partner captures.
7.7 Recipient data (accountant, Steuerberater, partner, market organizer, insurance broker) — incidental
Where the Subscribing Customer enters a Recipient's email address into the iOS share sheet at Pack export, that address is handled by iOS Mail (or the chosen share-target app), not by BondMind; we do not store Recipient contact data server-side (because we have no server).
7.8 Customer-of-the-Subscribing-Customer data (incidental in Orders and receipts)
Where an Order line item records an external Order ID (typically an Etsy or marketplace order reference), a customer name or a customer address: that data is Customer Data on the Subscribing Customer's iCloud. BondMind does not send the Subscribing Customer's customer data anywhere.
7.9 Special-category and sensitive data (Article 9 GDPR — incidental)
BondMind is not designed to collect special-category data within the meaning of Article 9 GDPR. Item / receipt / bin photographs may incidentally reveal information about a previous owner (letters left inside a book), a supplier's identity, an invoice recipient's name or a delivery address. Barcode captures persist as opaque SKU strings only — the App does not resolve them against any external product catalogue. The Subscribing Customer is responsible for the lawful basis under Articles 6 and 9 GDPR for any special-category data she records. Biometric authentication (Face ID / Touch ID for optional app lock) is performed by Apple's LocalAuthentication framework and biometric data never leaves the device.
7.10 Location data (CoreLocation — deliberately excluded)
BondMind does not use CoreLocation in v1.0. Place Memories are user-confirmed via Apple Maps look-up at the moment the user chooses to attach a place to a memory — the App does not track the Subscribing Customer's location, does not track any other person's location, does not perform continuous background location tracking, and is not a Find-My-Person, Find-My-Family or geo-fencing tool. A v1.1 CoreLocation gate would be introduced only with a consciously-updated App Privacy label.
7.11 What we do not collect
To remove ambiguity, BondMind does not collect:
• the contents of your Apple Contacts, the wider Apple Calendar, your photo library beyond photographs you actively import through PhotoKit, or any HealthKit / HomeKit data;
• continuous background-location data or any CoreLocation data;
• Speech-framework voice input; Speech is deliberately excluded from v1.0;
• data from any live marketplace API (Etsy, Amazon Handmade, Not On The High Street, Folksy, Bonanza, Shopify, WooCommerce or equivalent) — live marketplace integration is deliberately excluded from v1.0;
• behavioural-advertising identifiers; we do not run advertising, do not use the IDFA and do not share data with advertising networks;
• analytics, attribution or crash-reporting data through any third-party SDK — BondMind deliberately embeds none;
• any seller-performance, employability, ranking, blacklist, ban-risk, marketplace-behaviour, price-competition, refund-risk, chargeback-risk or claim-outcome-prediction profile.
8. How we collect personal data
We collect personal data in three narrow ways:
1. Directly from you — when you install or use the App on iPhone or iPad, subscribe through the Apple App Store, capture a receipt through AVFoundation, import an XLSX orders or materials workbook through the Files picker, enable the optional Face ID / Touch ID app lock, opt in to the v1.1 Foundation Models narrative layer where your device and locale are eligible, opt in to v1.1 CKShare single-partner sharing (if introduced), contact support or subscribe to a communication.
2. Automatically through your use of the App — when the App generates on-device application data (deterministic engine outputs, Pack render metadata, append-only supersede-chain metadata, per-photo SHA-256 hashes, per-Pack photo-hash manifests) necessary to deliver the service; and when Apple platform services supply data linked to your action. Aside from App Store Server Notifications payloads and any support-endpoint hits, none of this data leaves the device.
3. From Apple — when the App Store delivers an In-App Purchase result through StoreKit 2 and App Store Server Notifications, when App Store analytics reports arrive, when MetricKit publishes crash and hang diagnostics if you have opted in at the OS level, and when — for CloudKit and (v1.1 gated) CKShare — Apple operates the Subscribing Customer's iCloud on the Subscribing Customer's behalf.
9. Why we process personal data and our legal bases
For each processing activity we rely on a lawful basis under Article 6(1) GDPR.
9.1 Performance of a contract (Article 6(1)(b))
• Provide and operate the App on your iPhone and iPad, including the capture-first surface, the review-cockpit surface, the pure deterministic engines, on-device Vision receipt OCR, on-device NaturalLanguage fuzzy matching, on-device PDFKit + ImageRenderer Pack render, on-device pure-Apple XLSXReader / XLSXWriter, and the Core Data / CloudKit private-database sync to your own iCloud.
• Process payments and manage billing through Apple App Store In-App Purchase.
• Face ID / Touch ID gating of the optional app lock.
• v1.1 CKShare single-partner sharing (if introduced).
• Send service messages.
• Provide customer support and respond to enquiries.
9.2 Consent (Article 6(1)(a))
• Camera, microphone, photo-library and Files access via the iOS prompts.
• Local-notification cadence.
• Optional Face ID / Touch ID app lock.
• v1.1 Foundation Models narrative layer enablement (where the device meets the Apple Intelligence floor and the locale is English or German).
9.3 Compliance with a legal obligation (Article 6(1)(c))
• Statutory accounting and tax retention under Lithuanian law.
• Respond to data-subject requests and operate the GDPR rights workflow.
• Comply with legal, regulatory, tax and law-enforcement obligations.
9.4 Legitimate interests (Article 6(1)(f))
• CryptoKit per-photo SHA-256 hashing and append-only supersede-chain evidence integrity.
• Defend or pursue legal claims, including App Store subscription disputes, marketplace-terms disputes, insurance subrogation, product-liability investigations (GPSR / REACH / CLP / Cosmetic Products / MoCRA / NHP / TGA) and class-action investigations.
Where we rely on legitimate interests under Article 6(1)(f) GDPR, we have carried out and documented a balancing assessment. Where we rely on consent under Article 6(1)(a) GDPR, you may withdraw it at any time without affecting the lawfulness of processing carried out before the withdrawal.
10. Offline-first architecture and no-server data model — Customer Data in your own iCloud
BondMind is offline-first. Capture, browsing, memory-card confirmation, timeline review, Ask Memory search, artifact generation and every other operational flow work with zero connectivity; on-device budgets are cold-launch under 2 seconds, quick-log sheet under 300 ms, recipe cost recompute under 100 ms, dashboard under 500 ms at 5,000 orders, OCR suggestion under 4 seconds per receipt page, XLSX parse 1,000 rows under 20 seconds and PDF Pack render under 3 seconds on an A15 device. If iCloud is unavailable, the App runs fully locally with a passive banner and no work is lost.
BondMind operates no ML-Consulting-hosted backend. No EU-resident managed Postgres, no signed-URL object storage, no server-side AI, no private GPU boundary, no RFC 3161 trusted-timestamp authority, no third-party analytics SDK, no crash-reporting SDK. Customer Data lives in the Subscribing Customer's own iCloud, which is operated by Apple Inc. under Apple's own privacy terms and Apple's own data-residency choices for iCloud.
11. Subscribing Customers, sole-trader responsibility and Recipients
BondMind is operated on a single-Subscribing-Customer model. The Subscribing Customer — an individual adult consumer paying personally from her own pocket — subscribes through the App Store, creates Person profiles for the people she cares about, captures Source Records, reviews and confirms suggested Memory Cards, browses her Preference Graph and Shared Experiences Map, logs Gifts and Future Plans, browses the non-diagnostic Relationship Health Timeline as a reflection surface, generates Artifacts (Occasion Brief PDFs, Legacy Timelines) and shares Artifacts to herself or to a family member she chooses through the iOS share sheet. There is no couple account, no partner portal, no shared inbox, no chat, no social graph and no counterparty account of any kind.
11.1 Household exemption, third-party data-subject rights, and lawful, non-abusive use
Every Memory Card, every Ask Memory answer, every Occasion Brief and every Legacy Timeline is a private aide-mémoire for the Subscribing Customer's own decision-making — not therapy, not diagnosis, not a legal document, not evidence. Because BondMind processes intimate data about identified or identifiable third parties (a partner, spouse, family member or close friend), the Subscribing Customer is the natural-person controller for that data under Article 2(2)(c) GDPR (household exemption) or its national equivalent. The household exemption is limited: it does NOT permit unlawful use of the App to stalk, harass, monitor, control, coerce, defame, blackmail, extort, humiliate, intimidate or otherwise cause harm to another person; it does NOT permit any use of the App that would breach the U.K. Serious Crime Act 2015 §76 (controlling or coercive behaviour in an intimate or family relationship), U.K. Domestic Abuse Act 2021, U.K. Protection from Harassment Act 1997, U.K. Stalking Protection Act 2019, U.K. Online Safety Act 2023, U.K. Malicious Communications Act 1988, U.K. Communications Act 2003, VAWA Reauthorization Act 2022, U.S. state anti-stalking and revenge-porn statutes, California Penal Code §647(j)(4), German StGB §238 (Nachstellung) or equivalent regimes; and it does NOT extend to any professional, commercial, business or organisational use of the App — which would remove the exemption. The Subscribing Customer is also responsible for observing every applicable consent, notice and confidentiality obligation toward the natural persons whose data she chooses to record, and for observing every applicable child-protection, age-of-consent and family-court obligation where the data concerns a minor.
11.2 Anti-stalkerware, anti-coercive-control, anti-surveillance and safe-use guidance
BondMind is deliberately designed with no message interception, no location tracking, no keystroke logging, no screen recording, no screen mirroring, no contacts scraping and no photo-library scraping surfaces. There is no covert-mode, no “hide app icon”, no “disguise as another app” and no “bypass parental controls” feature. If you are the person whose data is being recorded in someone else's BondMind and you have reasonable concerns that this is happening without your knowledge or against your interests, please contact one of the domestic-abuse, sexual-violence or safeguarding resources listed above, and consult the Coalition Against Stalkerware directory at stopstalkerware.org for guidance on identifying and removing stalkerware from an at-risk device. The App Store Guideline 5.6 (Data & Family Sharing) prohibits stalking apps; if you believe BondMind is being misused for stalking, harassment, coercive control or intimate-partner violence against you, please report the misuse to Apple through the App Store and to your local authorities, and please contact ML Consulting at support+bondmind@mlconsulting.lt.
11.3 Recipients — no accounts, no App Clip, no server; Artifacts travel via the iOS share sheet
Recipients of any PDF Artifact the Subscribing Customer chooses to share (a partner or spouse receiving an Anniversary Legacy Timeline; a family member receiving a Memory Snapshot; a printer preparing a Legacy Book) do not have accounts in BondMind. There is no App Clip surface and no operator dashboard. Recipients receive Artifact PDFs via the iOS share sheet; once a PDF leaves your device, it is a document under the Recipient's control, processed by the Recipient's own email server, cloud storage, printer or filing system. ML Consulting has no visibility into and no processing role in the Recipient's handling of that PDF. The Subscribing Customer is responsible for the consent, sensitivity and confidentiality context of anything she chooses to share.
11.4 Consumer-protection responsibility toward the sole trader's customers
The Subscribing Customer remains the seller under EU Directive 2011/83/EU (Consumer Rights Directive), the U.K. Consumer Rights Act 2015, U.S. state UDAP / FTC Act §5, Canadian federal / provincial consumer-protection statutes, the Australian Consumer Law and equivalents. BondMind is not the seller and is not liable to the sole trader's customers.
11.5 Recipients — no accounts, no App Clip, no server
Recipients do not have accounts in BondMind. There is no App Clip surface and no operator dashboard. Recipients receive Pack PDFs and XLSX Exports via the iOS share sheet; once a document leaves your device, it is under the Recipient's control, processed by their own email server, DMS or accounting software.
12. Recipients of personal data
We share personal data only with the categories of recipients listed below, and only to the extent necessary for the purpose. We do not sell personal data, and we do not “share” personal data for cross-context behavioural advertising as that term is defined under California law. We do not share or sell Material, PurchaseLot, Product, Recipe, Batch, Channel, Order, OrderLine, StockAdjustment, receipt photograph or Pack data with any third party for advertising, commercial-intelligence, marketplace-benchmarking, market-research, credit-scoring, seller-performance-scoring or claim-outcome-prediction purposes. Because BondMind has no server, no third-party analytics SDK, no crash-reporting SDK, no advertising SDK, no attribution SDK, no tracking SDK and no direct billing channel, this list is deliberately extremely short.
Categories of recipients:
• Apple Inc. and Apple Distribution International Limited — App Store distribution, App Store In-App Purchase (StoreKit 2), App Store Server Notifications, ambient iCloud identity, iCloud, CloudKit private database, CKShare zones (v1.1 if introduced), APNs local-notification delivery, WidgetKit, App Intents, BackgroundTasks, PhotoKit, AVFoundation, PDFKit, ImageRenderer, Swift Charts, LocalAuthentication and Secure Enclave, Vision framework, VisionKit (v1.1), NaturalLanguage framework, Foundation Models framework (v1.1), Core Image (v1.1), MetricKit and every other Apple platform service on which the App depends. Independent controller for App Store-side, iCloud-side and Apple-platform-side processing.
• Recipients of Pack PDFs and XLSX Exports (accountant, Steuerberater, partner, market organizer, insurance broker, product-liability insurer, banker, any other counterparty) — receive Pack PDFs and XLSX Exports sent from the Subscribing Customer's iPhone or iPad via the iOS share sheet; process those documents on their own systems (email, DATEV, Xero, QuickBooks, FreshBooks, Sage, Wave, ELSTER, MTD bridging software). No BondMind account, no App Clip, no server-side portal. Independent controllers under their own professional, contractual, marketplace-terms, insurer and confidentiality duties. Not sub-processors of ML Consulting.
• Professional advisers to ML Consulting (lawyers, accountants, auditors) — legal, tax, audit and employment advice on a need-to-know basis. Independent controllers under their own duties of confidence.
• Authorities, courts and regulators — where we are required by law, court order or a binding regulatory request, including the Lithuanian State Data Protection Inspectorate (VDAI), Lithuanian State Tax Inspectorate (VMI), U.K. Information Commissioner's Office (ICO), HMRC, Trading Standards, Irish Data Protection Commission (DPC), German BfDI and Land DPAs, BZSt and Finanzamt, French CNIL and DGCCRF, Italian Garante, Spanish AEPD, Australian OAIC and ATO, U.S. FTC, IRS, CPSC and state attorneys general, Canadian OPC, CRA and Health Canada, and equivalents. Independent controllers acting under their statutory powers.
• Successor entity — in the context of a merger, acquisition, restructuring or sale of assets, subject to confidentiality safeguards and to the buyer continuing to honour the commitments in this Policy. Independent controller after the transaction closes.
References in the App and in this Policy to Etsy, Amazon Handmade, Not On The High Street, Folksy, Bonanza, Craftybase, Inventora, DaWanda-legacy, Zibbet-legacy, Shopify, WooCommerce, PayPal, Stripe (as marketplace payment processor), HMRC, IRS, BZSt, Finanzamt, ATO, CRA, DATEV, ELSTER, ICAEW, ACCA, AICPA, CIMA, CIOT, Steuerberaterkammer, Bundessteuerberaterkammer and equivalent tax-adviser and accountancy bodies are descriptive only. None of those bodies endorses, certifies, audits, accredits or warrants the App or any Pack, and none is a partner, sub-processor, recipient or party to this Policy by virtue of being named.
A current list of our sub-processors, together with the country in which each provider operates, is published at mlconsulting.lt/legal/sub-processors and is updated when the list changes. For BondMind specifically, the sub-processor list is deliberately empty: Apple Inc. is an independent controller for every Apple platform service on which the App depends, and ML Consulting engages no third-party data-plane sub-processor for BondMind.
13. International data transfers
ML Consulting MB is established in Lithuania. Because BondMind has no server and no ML-Consulting-hosted backend, the international-transfer question turns on Apple's iCloud residency for the Subscribing Customer's Apple Account and on the App Store's processing of billing data — both of which are choices made by Apple, not by ML Consulting.
For the narrow controller-level data ML Consulting itself processes, we keep data in the European Union by default. Where personal data is transferred outside the EEA or the United Kingdom to a country that has not been the subject of an adequacy decision under Article 45 GDPR, we rely on one or more of the safeguards required by Chapter V GDPR, in particular:
• European Commission adequacy decisions, including the EU-US Data Privacy Framework where the recipient is certified under it;
• the European Commission's Standard Contractual Clauses (Module Two and Module Three), with the UK International Data Transfer Addendum or the UK International Data Transfer Agreement for transfers from the United Kingdom, and supplementary measures consistent with the European Data Protection Board's recommendations;
• additional technical measures including TLS 1.2 or higher for data in transit and Apple's iCloud encryption at rest, plus contractual and organisational measures appropriate to the sensitivity of sole-trader financial data; and
• any other lawful transfer mechanism under Articles 46 to 49 GDPR.
14. Automated decision-making, on-device ML and Foundation Models — no backend AI
14.1 No solely-automated decisions with legal or similarly significant effects
We do not subject you to decisions producing legal effects concerning you or similarly significantly affecting you that are based solely on automated processing within the meaning of Article 22 GDPR. Where any aspect of a decision affecting you is informed by automated logic, the recorder or Subscribing Customer is meaningfully involved in the outcome.
14.2 Explicit AI exclusions
BondMind does NOT offer:
• AI accounting, bookkeeping, tax, VAT, income-tax, self-employment-tax, self-assessment, MTD, Schedule C / SE, BAS / IAS, DAC7 / 1099-K / 1099-DA / IRC §6050W / UK Digital Platform Reporting reconciliation, IR35 or off-payroll-working determinations, computations or advice;
• AI HGB §257 / AO §146 / §147 / GoBD / Companies Act 2006 / IRC §6001 record-keeping-compliance attestations;
• AI valuation, price-comps, “what's it worth”, sold-listing prediction or dynamic-pricing determinations; AI counterfeit-goods, trademark or copyright determinations; AI CITES / cultural-goods (UNIDROIT 1995 / UNESCO 1970) determinations; AI product-safety (GPSR / U.K. GPSR 2005 / CPSIA / CCPSA) determinations on used goods; AI condition-grading, authenticity-verification, provenance-authentication verdicts; AI UPC / EAN / ISBN / catalogue-lookup determinations;
• AI Digital Services Act (DSA), Platform-to-Business Regulation, DAC7 or Digital Markets Act marketplace-operator determinations;
• AI marketplace-terms interpretation (Etsy, Amazon Handmade, Not On The High Street, Folksy, Bonanza, Shopify, WooCommerce and equivalents);
• AI antitrust, competition-law, Kartellverbot, Bundeskartellamt, CMA, FTC or ACCC determinations;
• AI sanctions / PEP / ultimate-beneficial-owner / source-of-funds / 5AMLD / 6AMLD / OFAC / EU Consolidated / U.K. OFSI determinations;
• AI insurance underwriting or claims determinations by any insurer;
• AI pricing advice, market-price predictions, competitor-pricing recommendations or dynamic-pricing suggestions beyond the disclosed cost + target-margin formula that the Subscribing Customer sets;
• AI computer-vision “detected”, “verified”, “counted”, “damage-diagnosed”, “counterfeit-flagged”, “provenance-authenticated” or “photo-genuineness” verdicts;
• AI seller-performance, employability, ranking, blacklist, ban-risk, review-quality, refund-risk, chargeback-risk, marketplace-behaviour or claim-outcome-prediction profiles; or
• Any AI feature that requires transmission of Customer Data off-device to a third-party model provider. Vision, NaturalLanguage and Foundation Models are Apple's on-device frameworks; there is no ML-Consulting-hosted backend model and no Anthropic / OpenAI / Whisper / Google / Meta model in the BondMind data plane.
14.3 On-device Vision, NaturalLanguage and PhotoKit — suggestion-only
The App uses on-device Vision framework receipt OCR, on-device NaturalLanguage token-similarity fuzzy matching, and on-device PhotoKit access. These run locally on your iPhone or iPad and the input is not transmitted to any third-party AI provider as a result of these features. Every extracted value is a labelled suggestion — the recorder confirms every line before it becomes an evidentiary PurchaseLot; below the confidence threshold, the App visibly flags the affected line, and no PurchaseLot, no stock change and no cost change persists from any line the recorder does not confirm.
14.4 v1.1 Foundation Models narrative layer — opt-in, English and German only, device-floor gated
From v1.1, BondMind will offer an optional Foundation Models on-device narrative layer with three components: monthly plain-language summary; per-product price suggestion computed from the disclosed cost + target-margin math; and anomaly narration on the disclosed flags. The layer is gated at three levels — availability (Apple Intelligence device floor; below the floor rule-based parity is shown), language (English and German only; in other locales rule-based parity is shown) and per-generation confirmation. Prompts consume derived aggregates only — never raw records.
14.5 Deterministic on-device engines (not AI)
The core computational engines are DETERMINISTIC and not AI at all: the weighted-average-cost engine (over non-superseded lots); the fixed-in-dimension unit-conversion engine (g↔kg × 1000, ml↔l × 1000, m↔cm × 100; cross-dimension ml↔g only via the Material's user-entered density factor; absent factor → conversion refused with explanation, never guessed); the product-unit-cost engine; the fee-computation engine per Channel (base × (feePct + paymentPct) + feeFixed + paymentFixed + perOrderExtra, half-up rounding at cent applied once at order level); the profit and margin engines; the price-creep flag at 1.15 × prior weighted-average cost and total ≥ €5; the low-stock flag at manual reorder threshold; and the dashboard reconciliation invariant enforced by property-based tests. These engines are pure, unit-tested Swift code; their output is fully explainable by inspection of the code and the Customer Data.
14.6 EU AI Act readiness
We design and operate the App's on-device AI features to be compatible with applicable obligations under Regulation (EU) 2024/1689 (the AI Act), including transparency (raw input always retained alongside any structured output; the recorder always confirms; the AI-drafted suggestion carries a “Suggestion — review before use” label), logging and human-oversight requirements. None of the current AI features is, or is held out as, a high-risk AI system within the meaning of Annex III of the AI Act.
15. How long we keep personal data
We keep personal data only for as long as we need it for the purpose for which it was collected, or as required by applicable law. Because Customer Data lives in the Subscribing Customer's own iCloud, BondMind cannot itself delete Customer Data from your iCloud — you (and Apple) do that.
• Account and authentication data — none retained on ML Consulting infrastructure by default (BondMind has no account).
• Device, technical and telemetry data — where visible to us at all, retained in identifiable form for a maximum of 13 months; aggregated or anonymised data may be retained indefinitely.
• Communications and support correspondence — up to 24 months from the close of the last related correspondence; longer where the matter relates to a complaint, dispute, investigation, regulatory matter or legal claim.
• Billing, accounting and tax records — up to 10 years from the end of the relevant accounting period, in line with Lithuanian law.
• Customer Data on the Subscribing Customer's own iCloud — retained on the Subscribing Customer's iCloud for as long as the Subscribing Customer keeps it (typically for many years, given the App's design for long-term relationship memory and legacy archives). Post-trial the App is read-only with full XLSX + PDF export always available; data is never held hostage. On App deletion the on-device store is removed by iOS. On the Subscribing Customer's use of the “Erase all data” Settings flow, the App wipes the local store + the private CloudKit zone after typed confirmation.
• v1.1 CKShare partner data (if introduced) — a partner's Customer Data entries remain in the Subscribing Customer's zone if the Subscribing Customer removes the partner. A partner leaving the share does not touch company data.
• Backups (Apple iCloud backup) — Apple's iCloud backup rotation applies; ML Consulting does not operate a separate backup and does not restore deleted accounts.
16. Security and personal-data breaches
16.1 Article 32 measures
We implement and maintain appropriate technical and organisational measures to protect personal data — particularly the narrow controller-level data we hold — against unauthorised access, accidental loss, destruction, alteration or disclosure (Article 32 GDPR). For BondMind specifically, these measures include: iOS application-sandbox isolation and Apple's default Data Protection; per-photo SHA-256 hashing of AVFoundation receipt captures at save time; append-only supersede-chain evidence integrity on PurchaseLot, Batch, Order, OrderLine and StockAdjustment; the optional Face ID / Touch ID app-lock; Keychain-scoped short secrets; watermarking and version-stamping on every Pack, mandatory disclosure and product footers on every Pack page, and a per-Pack hash manifest; the Privacy Manifest declaration; and — for the Customer Data itself — Apple's iCloud in-transit and at-rest encryption on the Subscribing Customer's own iCloud.
16.2 Notification of personal-data breaches
If we become aware of a personal-data breach that is likely to result in a risk to the rights and freedoms of natural persons in respect of the narrow controller-level data we hold, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours after becoming aware of the breach (Article 33 GDPR). Where the breach is likely to result in a high risk, we will notify the affected data subjects without undue delay (Article 34 GDPR). Because Customer Data lives in the Subscribing Customer's own iCloud, an iCloud-side security incident is handled by Apple under Apple's own breach-notification obligations.
16.3 Reporting a suspected breach to us
If you suspect a security incident or unauthorised access affecting your App Store subscription, App Store Server Notifications payloads, biometric-verification metadata or any Pack PDF or XLSX Export you generated, please notify us at support+bondmind@mlconsulting.lt without undue delay. Provide as much detail as you can; do not include passwords or other secrets in the email.
17. Your rights as a data subject
Subject to the conditions set out in the GDPR, you have the rights below. These rights are not absolute and may be restricted by law. Because Customer Data lives in your own iCloud, several of these rights are exercised most efficiently through Apple (iCloud account controls, Data & Privacy portal at privacy.apple.com) rather than through ML Consulting.
• Right of access (Article 15) — confirm whether we process personal data about you and obtain a copy. Note that ML Consulting itself holds only the narrow controller-level data described in section 4.1; the bulk of your Customer Data lives in your own iCloud.
• Right to rectification (Article 16) — have inaccurate personal data corrected and incomplete data completed. In the App itself, financial records are append-only after save — corrections supersede and both remain visible.
• Right to erasure (Article 17) — have personal data erased where the conditions apply. For Customer Data on your own iCloud, use the App's in-Settings “Erase all data” flow.
• Right to restriction of processing (Article 18) — restrict our processing while we verify contested data or deal with an objection.
• Right to data portability (Article 20) — receive the data you provided in a structured, commonly-used and machine-readable format. The App provides in-Settings full-data XLSX Export at any time.
• Right to object (Article 21) — object to processing based on legitimate interests on grounds relating to your particular situation, and at any time to direct marketing.
• Rights related to automated decision-making (Article 22) — not be subject to a decision based solely on automated processing that produces legal effects or similarly significant effects. See section 14 and the explicit AI exclusions.
• Right to withdraw consent (Article 7(3)) — where we rely on consent, withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
• Right to lodge a complaint (Article 77) — complain to our lead supervisory authority, the VDAI in Vilnius, or to the supervisory authority of the EU Member State where you habitually reside, where you work or where the alleged infringement took place.
17.1 How to exercise your rights
You can exercise the rights above by sending an email to support+bondmind@mlconsulting.lt with the words “Privacy request — BondMind” in the subject line. For rights that concern data in your own iCloud, we may redirect you to Apple's Data & Privacy portal at privacy.apple.com.
We will respond to verifiable requests without undue delay and in any event within one month of receipt under Article 12(3) GDPR. We may extend that period by up to a further two months for complex or numerous requests.
18. Regional rights notices
18.1 Lithuania — VDAI, Labour Code, accounting and tax law
Where the Subscribing Customer operates from the Republic of Lithuania, the Republic of Lithuania Law on Legal Protection of Personal Data applies in addition to the GDPR; the Republic of Lithuania Labour Code, Law on Financial Accounting, Law on Tax Administration and Law on Value Added Tax apply independently of the App.
18.2 Germany and Austria — BfDI / Land DPAs, BDSG, AO, HGB, GoBD, UStG, Kleinunternehmerregelung, DAC7 implementation into German law
Where the Subscribing Customer operates from Germany or Austria (the DE / AT launch storefronts), the GDPR, BDSG, Abgabenordnung (AO — including §146 record-keeping and §147 retention), Handelsgesetzbuch (HGB — including §257 retention), the GoBD principles, Umsatzsteuergesetz (UStG) including the Kleinunternehmerregelung §19 small-business threshold, Steuerberatungsgesetz (StBerG), Produkthaftungsgesetz, Chemikaliengesetz, Gefahrstoffverordnung, Kosmetikverordnung, ZUGFeRD / XRechnung / EN 16931 e-invoicing and the Austrian equivalents (BAO, UStG 1994, UGB) apply independently of the App.
18.3 United Kingdom — UK GDPR, ICO, HMRC self-assessment, Digital Platform Reporting Regulations 2023
If you are in the United Kingdom, the UK General Data Protection Regulation and the UK Data Protection Act 2018 apply. The UK supervisory authority is the Information Commissioner's Office (ICO). The HMRC self-assessment regime, the £1,000 trading allowance, Making Tax Digital where thresholds are met, the U.K. Digital Platform Reporting Regulations 2023 (implementing DAC7 into U.K. law — the marketplaces are the reporting platforms, BondMind is not), the U.K. Trade Marks Act 1994, the U.K. Dealing in Cultural Objects (Offences) Act 2003, the U.K. General Product Safety Regulations 2005 (which apply to used goods sold in the course of a commercial activity), the U.K. Electrical Equipment (Safety) Regulations 2016, the U.K. Toys (Safety) Regulations 2011 and the Consumer Rights Act 2015 apply to U.K. resellers independently of the App.
18.4 Republic of Ireland, France, Italy, Spain, Netherlands, Belgium and other EU Member States
Where the Subscribing Customer operates from another EU Member State, the GDPR and the relevant national data-protection, tax and consumer-protection laws apply. The relevant national data-protection authority is the supervisory authority for processing in that Member State.
18.5 United States — CCPA / CPRA, IRS 1099-K / 1099-DA / IRC §6050W, Schedule C, CPSC, state marketplace-facilitator laws
If you are a California resident, the CCPA / CPRA gives you the rights described in the corresponding section of this Policy. We do not sell personal information and we do not “share” personal information for cross-context behavioural advertising. The IRS 1099-K and 1099-DA regimes, IRC §6001 record-keeping obligations, IRC §6050W third-party settlement organisation reporting rules, state marketplace-facilitator laws (California CDTFA and equivalents in New York, Michigan, Washington, Illinois, Texas and other states), the U.S. Trademark Counterfeiting Act, the U.S. Consumer Product Safety Improvement Act (CPSIA — including lead-content limits on used children's goods), state e-waste laws for used electronics and the U.S. National Labor Relations Act apply to U.S. resellers independently of the App. Similar privacy rights are available to residents of Colorado, Connecticut, Virginia, Utah, Texas, Florida, Oregon, Washington and other US states.
18.6 Canada, Australia and other jurisdictions
Where the Subscribing Customer operates from Canada (PIPEDA and provincial private-sector privacy laws; CRA record-keeping; Consumer Packaging and Labelling Act; Consumer Product Safety Act; Health Canada NHP) or Australia (Privacy Act 1988 and Australian Privacy Principles; ATO record-keeping and BAS regime; Australian Consumer Law; TGA cosmetics rules), the relevant national laws apply independently of the App. Similar frameworks apply in Switzerland (revFADP), Norway (Personopplysningsloven), Japan (APPI — deferred launch market) and other jurisdictions.
18.7 Global Privacy Control
On the App's landing pages, we honour the Global Privacy Control signal where technically feasible, treating it as an objection to non-essential cookies and a request to opt out of any “sale” or “sharing” of personal information.
19. Children
BondMind is intended for business users (B2B) only and is not designed for use by minors. Users must be at least 18 years old and must be the sole trader (or the sole trader's authorised delegate). Apple's App Store age rating reflects the relevant minimum age. If we become aware that we have collected personal data from a child without the appropriate authorisation, we will work with the relevant Subscribing Customer to investigate and, where appropriate, erase the data.
20. Cookies and similar technologies
The BondMind iOS / iPadOS App does not use analytics, advertising, profiling or marketing cookies. The App uses on-device storage (the iOS application sandbox, the Keychain, Core Data with CloudKit private-database mirroring, UserDefaults) to deliver its features. This is not “cookies” within the meaning of the ePrivacy Directive 2002/58/EC.
The App's landing pages on mlconsulting.lt use only strictly-necessary cookies. No analytics or advertising cookies are set. Because there is no direct billing channel and no Stripe billing pages for BondMind, there are no third-party payment cookies to disclose either.
21. Communications
21.1 Service messages
We send transactional service messages (App Store billing notices via Apple, support replies, material change notices) on the basis of contract performance under Article 6(1)(b) GDPR. Service messages are not commercial marketing and cannot be opted out of without ceasing to use the App.
21.2 Direct marketing
Where we send commercial marketing emails about BondMind, we rely either on (i) your prior consent under Article 6(1)(a) GDPR and Article 13 of the ePrivacy Directive, or (ii) the “soft opt-in” under Article 13(2) of the ePrivacy Directive. You may opt out at any time by clicking the unsubscribe link in any marketing email, by emailing support+bondmind@mlconsulting.lt or by updating your preferences.
21.3 Operational notifications — not tax advice, not statutory-deadline advice
Local-notification cadence, widgets, App Intent invocations and PDF Pack completeness-check flags are operational reminders configured by you. They are best-effort and depend on Apple's platform services. They are NOT tax-filing deadlines, NOT VAT-return deadlines under HMRC MTD / BZSt / Finanzamt / ATO / CRA / VMI, NOT an accountant's or Steuerberater's opinion, NOT a court order, NOT a Qualified Trust Service Provider attestation, NOT a marketplace-terms interpretation, NOT a product-safety notice under GPSR / REACH / CLP / Cosmetic Products / MoCRA / NHP / TGA, NOT a fire alarm, NOT an intrusion alarm, NOT a calibrated instrument reading and NOT a 112 / 999 / 911 / 000 dispatch. CALL 112 / 999 / 911 / 000 OR THE LOCALLY APPLICABLE PUBLIC EMERGENCY NUMBER FIRST whenever any person is in apparent danger of death or serious harm in the workshop or at a market.
22. Changes to this Policy
22.1 Routine updates
We may update this Policy from time to time, for example to reflect new features (v1.1 Foundation Models narrative layer, v1.1 QR labels, v1.1 CKShare single-partner sharing if introduced), regulatory developments, Apple platform changes (Foundation Models version updates, iOS 26+ RecognizeDocumentsRequest availability) or operational changes. The latest version is always published on the App's App Store listing and at mlconsulting.lt/bondmind/privacy.
22.2 Material changes
Where a change is material and adversely affects your rights or expectations, we will give reasonable advance notice — typically at least 30 days, unless a shorter period is required by law, by Apple App Store policy or to address a security risk — by in-app notice and, where we have your email address, by email. Non-material changes take effect on posting.
22.3 Versioning
Each version of this Policy is dated and archived. The version in force at the time of the relevant processing governs that processing. The Foundation Models model version in use at any given time (v1.1 onward) is disclosed in the App's release notes.
23. Contact us
For any question, request or complaint about this Policy or about how we process your personal data, please contact us using the details below.
• Controller: ML Consulting MB
• Address: Vilnius, Republic of Lithuania
• Legal entity code: 306991112
• Privacy contact (email): support+bondmind@mlconsulting.lt
• Website: https://mlconsulting.lt
• Lead supervisory authority: Valstybinė duomenų apsaugos inspekcija (VDAI), L. Sapiegos g. 17, LT-10312 Vilnius, Lithuania · +370 5 271 2804 · ada@ada.lt · vdai.lrv.lt
© 2026. All rights reserved.
