Privacy Policy
Last updated: March 8, 2026
1. Who we are
ReportKaart is operated by themindful.nl, based in the Netherlands. We help expat parents translate Dutch school report cards into English using AI.
For privacy questions, contact us at hello@themindful.nl.
2. What data we process
When you use ReportKaart, we process the following personal data:
- Your Google account info — name and email address (provided via Google Sign-In)
- Your child's name — as entered by you when adding a child profile
- Report card images — photos or scans you upload for translation
- Translated report data — the structured translation (subjects, ratings, comments)
- Chat messages — questions you ask about your child's report
3. Your child's data (special protection)
We recognise that school report cards contain data about children, which requires extra care under the General Data Protection Regulation (GDPR), including Article 8 on children's consent.
- We do not collect data directly from children. Only a parent or guardian can create an account and upload report cards.
- Report card images are processed in memory and never stored on our servers. The image is sent to the AI model, the text is extracted, and the image is immediately discarded.
- Translated reports are saved to your database record so you can view them later, and optionally to your personal Google Drive — a folder you own and control.
- We never sell, share, or use your child's data for advertising or profiling.
4. Legal basis for processing (GDPR Art. 6)
- Consent (Art. 6(1)(a)) — By signing in and uploading a report card, you consent to us processing that data to provide the translation service.
- Contract performance (Art. 6(1)(b)) — Processing is necessary to deliver the service you requested (translating your child's report).
5. Third-party services
We use the following third-party services to operate ReportKaart:
- Supabase (EU region) — authentication and database. Stores your profile and translated report data.
- Groq — AI inference. Report card images and text are sent to Groq's API for OCR and translation. Groq does not retain input data after processing.
- Google Drive API — if you connect Google Drive, translated reports are saved as Google Docs in your personal Drive. We only access files we create.
- Vercel — hosting. Serves the application; does not store your personal data.
6. How long we keep your data
- Report card images: Discarded immediately after OCR processing. Never stored.
- Translated reports: Stored in our database until you delete them or delete your account.
- Chat messages: Not stored. Chat history exists only in your browser session.
- Account data: Retained while your account is active. Deleted upon request.
7. Your rights under GDPR
As a data subject in the EU/EEA, you have the right to:
- Access — request a copy of all data we hold about you
- Rectification — correct inaccurate data
- Erasure ("right to be forgotten") — request deletion of your account and all associated data
- Data portability — receive your data in a structured format (your reports are already in your Google Drive)
- Withdraw consent — stop using the service at any time; we will delete your data upon request
- Lodge a complaint — with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl
To exercise any of these rights, email hello@themindful.nl.
8. Cookies
ReportKaart uses only essential cookies required for authentication (Supabase session). We do not use analytics cookies, tracking pixels, or advertising cookies. No cookie consent banner is needed because we only use strictly necessary cookies (GDPR Art. 5(3) ePrivacy Directive exemption).
9. Security measures
- All data in transit is encrypted via HTTPS/TLS
- Database access is protected by Row Level Security (RLS) — users can only access their own data
- Google OAuth for authentication — we never handle passwords
- Google Drive scope limited to drive.file — we can only access files we create
- Rate limiting on all API endpoints to prevent abuse
10. Changes to this policy
We may update this privacy policy from time to time. Material changes will be communicated via the app. The "last updated" date at the top reflects the most recent revision.