← Back

Trust & Security

Last updated: June 19, 2026

This page is maintained by Iron Winn LLC to answer common security and privacy questions about Sound Mind. It describes current practices and controls in the app. It is not a certification or independent audit, and it is not legal advice. For the binding policy, see our Privacy Notice and Terms.

Shared Responsibility

Sound Mind is built on managed platform services. Iron Winn LLC is responsible for application-level decisions — what data is collected, how access is controlled in the app, and how user requests are handled. Our platform providers are responsible for the underlying infrastructure (hosting, database operation, payment processing, email delivery). You are responsible for safeguarding your own account credentials.

Authentication & Access

  • Sign in with email and password, or with Google.
  • Passwords are hashed by our authentication provider — Iron Winn never sees your plaintext password.
  • Sessions use short-lived access tokens with automatic refresh.
  • Per-user access controls (row-level security) restrict every database read and write to the account that owns the data.
  • Administrative operations require server-side privileged code paths; client code cannot bypass per-user access controls.

Data You Provide

Reflections, notes, and prompts you create in Sound Mind are stored in your account and are visible only to you and to our operational staff when strictly needed for support or maintenance. We do not sell personal information, and we do not use your reflection content to train third-party AI models. See the Privacy Notice for the full list of categories collected and the legal basis for each.

Hosting & Encryption

  • The app and database run on managed cloud infrastructure operated by our platform provider.
  • All traffic to and from the app uses TLS (HTTPS).
  • Stored data is encrypted at rest by the underlying managed database service.
  • Secrets and API keys are kept in a managed secrets store, never committed to source code.

Payments

Payments are processed by Paddle as the Merchant of Record. Card details are entered directly into Paddle's checkout — Iron Winn does not see, store, or transmit raw card numbers. Subscription status returned by Paddle is recorded in your account so the app can grant or revoke premium features.

Subprocessors

We rely on a small set of providers to operate the Service:

  • Supabase — managed database, authentication, and application hosting.
  • Paddle — Merchant of Record for checkout, billing, tax, and refunds.
  • Resend — transactional email delivery (account, billing, and support emails).
  • Google — optional sign-in provider (only if you choose to use it).

This list may change as the Service evolves; the current set is maintained on this page.

Cookies & Analytics

Sound Mind uses essential cookies to keep you signed in and remember preferences. We may also use privacy-friendly aggregate analytics to understand how the app is used. We do not run advertising trackers.

Retention & Deletion

You can delete your account at any time from Settings. When you delete your account, your reflection content and profile data are removed from active systems. Backups are purged on a rolling schedule. Records we are legally required to keep (for example, billing records held by Paddle) are retained for the period required by law.

Your Privacy Rights

Depending on where you live, you may have rights to access, correct, export, or delete your personal information, and to object to or restrict certain processing. The fastest path for most requests is your account settings. For anything else, email support@asoundmind.app and we will respond within a reasonable time. Full details are in the Privacy Notice.

Reporting a Security Issue

If you believe you've found a security vulnerability in Sound Mind, please email support@asoundmind.app with a description and steps to reproduce. Please give us a reasonable opportunity to investigate and remediate before any public disclosure. We appreciate responsible reports.

Compliance

Sound Mind does not claim any specific industry certification (such as SOC 2, ISO 27001, HIPAA, or PCI DSS). Card data handling inherits Paddle's PCI scope because Paddle is the Merchant of Record. If you have a specific compliance question for your use case, contact us and we will do our best to help.

Contact

Iron Winn LLC · support@asoundmind.app