Minds Team

Privacy Policy for Minds

Effective Date: May 31, 2026

This privacy policy provides information about the nature, scope, and purpose of the processing of personal data within the platform operated by Art of X UG (haftungsbeschränkt) (hereinafter "we" or "us").

1. Data Controller

The controller within the meaning of the GDPR and other national data protection laws is:

Art of X UG (haftungsbeschränkt)
Köpenicker Straße 145
10997 Berlin
Germany

Email: [email protected]

2. Data Protection Officer

The external Data Protection Officer can be reached as follows:

Prof. Dr. Norman Uhlmann
h3ko Innovations GmbH
Pappelallee 64
16359 Biesenthal
Germany

Email: [email protected]

3. General Information on Data Processing

The subject of data protection is personal data. This refers to all information relating to an identified or identifiable natural person (the "data subject"). Personal data of users is generally only processed to the extent necessary to provide a functional platform and its content and services.

Obligation to Provide Data

The provision of personal data is neither legally nor contractually required. However, without providing the necessary data (such as email address and name for registration), we cannot offer you access to our services. Data marked as mandatory during registration or use is required for contract fulfillment. Failure to provide this data means the relevant services cannot be used. The provision of optional data is voluntary and does not affect your ability to use core services.

4. What Data is Processed and For What Purpose

a. Provision of the Website and Creation of Logfiles (Hosting)

Each time the website is accessed, the system automatically collects data and information from the computer system of the accessing computer. This data is stored in the server's logfiles. The following data is collected:

  • IP address of the requesting computer
  • Date and time of access
  • Name and URL of the retrieved file
  • Website from which access is made (referrer URL)
  • Browser used and, if applicable, the computer's operating system

This data is processed to ensure smooth connection establishment and comfortable use of the website, as well as to evaluate system security and stability. The legal basis for data processing is Art. 6 Para. 1 S. 1 lit. f GDPR. The legitimate interest follows from the purposes for data collection listed above.

The services of DigitalOcean, LLC, 101 6th Ave, New York, NY 10013, USA, are used for website hosting. Our infrastructure is hosted in the Frankfurt (Germany) region within the EU. A data processing agreement (DPA) has been concluded with DigitalOcean. Through this agreement, DigitalOcean ensures that data is processed in accordance with the GDPR and that the rights of data subjects are guaranteed. Further information can be found in DigitalOcean's privacy policy: https://www.digitalocean.com/legal/privacy-policy.

Cloudflare (CDN, DNS & Security)

Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA, is used for content delivery (CDN), DNS management, DDoS protection, and web application security. When you access our website, your requests are routed through Cloudflare's network. In this process, Cloudflare may process your IP address, request headers, and other connection metadata to deliver content, protect against attacks, and optimize performance.

The legal basis for this processing is Art. 6 Para. 1 lit. f GDPR (legitimate interest). Our legitimate interest lies in ensuring the security, availability, and performance of our website. A data processing agreement (DPA) has been concluded with Cloudflare. Data transfer to the USA is covered by Cloudflare's participation in the EU-US Data Privacy Framework and supplemented by Standard Contractual Clauses (SCCs). Further information: https://www.cloudflare.com/privacypolicy/.

b. Registration and Use of an Account (Authentication & Database)

To use the platform, creating a user account is required. The following data is collected:

  • Name
  • Email address
  • Password (stored in encrypted form)

This data is necessary to manage the account and enable access to the services. The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment).

For authentication and user database management, the services of Supabase Inc., 970 Toa Payoh North #07-04, Singapore 318992, are used. Supabase provides the backend infrastructure for the platform. Data storage, including the database, authentication, storage, and AI-related embeddings, takes place in the Northern EU region (Stockholm, eu-north-1). A data processing agreement (DPA) has been concluded with Supabase. Further information on data protection at Supabase can be found here: https://supabase.com/privacy.

c. AI-Powered Features

For the provision of AI-powered features, the following services are used:

OpenAI (Text Generation, Embeddings, Image Analysis)

OpenAI OpCo, LLC, 3180 18th St, San Francisco, CA 94110, USA, is used for text generation, creation of embeddings from user content, voice transcription (Whisper), and image analysis.

When these features are used, the relevant data (e.g., text inputs or content to be analyzed) is sent to OpenAI's servers for processing. We do not transmit any personal data to OpenAI beyond what is necessary for the function, and we store the results generated by OpenAI in our system hosted on Supabase (see above).

The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment), as these features are a core component of the services offered. A data processing agreement has been concluded with OpenAI. Data transfer to the USA is based on the EU Commission's standard contractual clauses. Further information on data protection at OpenAI can be found here: https://openai.com/policies/privacy-policy.

Anthropic (Text Generation with Claude Models)

Anthropic PBC, 548 Market St, PMB 87430, San Francisco, CA 94104, USA, is used for advanced text generation using Claude AI models. When these features are used, your text inputs and prompts are transmitted to Anthropic's servers for processing.

The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment), as these features are a core component of the services offered. A data processing agreement has been concluded with Anthropic. Data transfer to the USA is based on the EU Commission's standard contractual clauses. Further information on data protection at Anthropic can be found here: https://www.anthropic.com/legal/privacy.

Google AI (Text Generation with Gemini Models)

Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, is used for text generation and AI-powered features using Gemini models. When these features are used, your text inputs and prompts are transmitted to Google's servers for processing.

The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment), as these features are a core component of the services offered. A data processing agreement has been concluded with Google. Data transfer to the USA is based on the EU Commission's standard contractual clauses. Further information on data protection at Google can be found here: https://policies.google.com/privacy.

ElevenLabs (Voice Processing)

ElevenLabs Inc., 20-22 Wenlock Road, London, N1 7GU, United Kingdom, is used for voice synthesis (text-to-speech) and voice transcription (Scribe v1). When you use voice features, audio data is transmitted to ElevenLabs for processing.

The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment). A data processing agreement has been concluded with ElevenLabs. Data transfer to the United Kingdom is covered by the EU Commission's adequacy decision for the UK (Decision 2021/1772), ensuring an adequate level of data protection. Further information: https://elevenlabs.io/privacy.

Black Forest Labs (Image Generation)

Black Forest Labs GmbH, services via api.bfl.ai, is used for AI image generation (Flux models). When you generate images, your text prompts are transmitted to BFL servers for processing. The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment). As Black Forest Labs is based in Germany, data remains within the EU. A data processing agreement has been concluded with Black Forest Labs. Further information: https://blackforestlabs.ai/privacy-policy/.

Replicate (AI Model Infrastructure)

Replicate, Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA, is used as infrastructure for running AI image generation models (including Flux models from Black Forest Labs). When you generate images, your text prompts are transmitted to Replicate's servers for processing.

The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment), as these features are a core component of the services offered. A data processing agreement has been concluded with Replicate. Data transfer to the USA is based on the EU Commission's standard contractual clauses. Further information on data protection at Replicate can be found here: https://replicate.com/privacy.

Langfuse (AI Observability & Prompt Management)

Langfuse GmbH, Residenzstraße 27A, 80333 München, Germany, is used for managing AI prompts, tracking AI interactions, and system observability. This helps us improve service quality and debug issues. Technical metadata about AI interactions is processed.

The legal basis for this processing is Art. 6 Para. 1 lit. f GDPR (legitimate interest). Our legitimate interest lies in ensuring service quality, debugging issues, and improving our AI features. As Langfuse is based in Germany, data remains within the EU. A data processing agreement has been concluded with Langfuse. Further information: https://langfuse.com/docs/data-security-privacy.

Deepgram (Speech-to-Text)

Deepgram, Inc., 548 Market St, Suite 25104, San Francisco, CA 94104, USA, is used for real-time voice transcription (speech-to-text) using the Nova-3 model. When you use voice features, your audio data is streamed to Deepgram's servers for transcription. Deepgram processes audio in real time and does not retain audio recordings after transcription is complete.

The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment), as voice transcription is a core component of the voice features offered. A data processing agreement has been concluded with Deepgram. Data transfer to the USA is based on the EU Commission's standard contractual clauses. Further information: https://deepgram.com/privacy.

Fish Audio (Voice Synthesis & Cloning)

Hanabi AI Inc. (operating as Fish Audio), 131 Continental Dr, Suite 305, Newark, DE 19713, USA, is used for text-to-speech voice synthesis and voice cloning. When you use voice features, text is sent to Fish Audio for speech synthesis. If you create a voice clone, audio samples you provide are transmitted to Fish Audio for voice model training.

The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment), as voice synthesis and cloning are core components of the voice features offered. Data transfer to the USA is based on the EU Commission's standard contractual clauses. Further information: https://fish.audio/privacy.

d. Content in Flows and Training of Minds (User Content)

The heart of the platform is the processing of content created by users in "Flows" (collaborative workspaces) and shared with "Minds" (AI assistants; previously referred to as "Sparks"). This can include voice recordings, texts, images, or other creative works ("User Content").

This data is processed for the following purposes:

  • Training a Personal AI Model ("My Mind"): User Content is used to create and train a personal AI model based on individual contributions.
  • Training General AI Models: If explicit consent (opt-in) has been given, User Content is also incorporated into our larger, general AI models. These models may be used for commercial purposes and made available to customers. Important Note for Team Users: Content created as part of a team account or in shared team flows is fundamentally excluded from this regulation and will under no circumstances be used for training general AI models.

The processing of User Content for training personal AI models is based on Art. 6 Para. 1 lit. b GDPR (contract fulfillment). The processing for training general AI models is exclusively based on explicit consent in accordance with Art. 6 Para. 1 lit. a GDPR.

d2. Group Grounding and Public Distribution Data

For the Group Grounding feature and related group-level functionality (synthetic panels, group covers, audience simulation, marketplace groups), the platform ingests and processes publicly available statistical and distribution data to ground synthetic groups of Minds in plausible real-world distributions. The categories of data processed include:

  • Aggregate demographic and population statistics (e.g. age, gender, occupation, education, geography distributions) sourced from public statistical offices, census-style datasets, and comparable open data sources.
  • Industry, market, and labour-market benchmarks sourced from publicly available reports, market-research summaries, and trade publications.
  • Public web content retrieved through our web-search provider (Tavily, see Section 4.g) when you explicitly request grounding from a public source (e.g. a public profile page, company website, or news article that you submit as input).
  • Technical metadata about the grounding request itself (your account identifier, the requested distribution parameters, the timestamp, and the resulting group configuration) so that the configuration is reproducible and auditable.

This processing serves the purpose of generating realistic, statistically grounded synthetic groups for research, simulation, and creative work. No personal data of identifiable natural persons is generated, profiled, targeted, or stored as part of the distribution data itself; the data is processed in aggregate, statistical form. Where you submit inputs that may contain personal data of third parties (e.g. a link to a public profile), you are responsible for the lawfulness of that submission and warrant that you have all necessary rights and consents (see Section 4 of our Terms of Service).

The legal bases for this processing are:

  • Art. 6 Para. 1 lit. b GDPR (contract fulfillment) for processing your account identifier, the grounding configuration, and the search inputs you submit, as these are necessary to deliver the Group Grounding feature you have requested.
  • Art. 6 Para. 1 lit. f GDPR (legitimate interest) for the ingestion and caching of publicly available aggregate statistics. Our legitimate interest lies in providing a robust, reproducible, and statistically meaningful grounding feature; the source data is already public and aggregate, and our interest is not overridden by the rights of data subjects, since no identifiable natural persons are processed.
  • In addition, processing of aggregate statistics for synthetic-research purposes is supported by § 27 BDSG (processing for scientific or statistical purposes), to the extent applicable.

Retention: Aggregate distribution datasets are cached for the duration of their usefulness as ground-truth references and are refreshed when source data updates; group configurations are retained for the duration of the user's account plus 30 days after deletion (see Section 5). Inputs submitted to the web-search provider are retained according to that provider's terms (see Section 4.g).

Sub-processors involved in Group Grounding include the AI providers listed in Section 4.c (for generating grounded outputs), Tavily (Section 4.g, for public web search when used), and our hosting and database providers (Section 4.a–b).

e. Payment Processing

If paid services are used, payment data is processed for the purpose of contract fulfillment. Processing is based on Art. 6 Para. 1 lit. b GDPR.

Payment processing is carried out through the payment service provider Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. No credit card data is stored; it is directly forwarded to Stripe. Stripe is a certified partner and is subject to strict data protection and security standards. A data processing agreement has been concluded with Stripe. Further information on data protection at Stripe can be found at: https://stripe.com/privacy.

f. Mobile App Services (iOS/Android)

When you use Minds through our mobile applications (iOS/Android), the following additional services and device features are used:

Firebase Cloud Messaging (Push Notifications)

Google LLC (Firebase), 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, is used to deliver push notifications to your device. When you enable push notifications, a device token (a unique identifier for your device) is generated and stored on our servers to route notifications. No message content beyond the notification payload is shared with Firebase.

The legal basis for this processing is Art. 6 Para. 1 lit. a GDPR (consent), as push notifications are only sent after you explicitly grant permission. You can revoke this consent at any time by disabling notifications in your device settings. A data processing agreement has been concluded with Google. Data transfer to the USA is based on the EU Commission's standard contractual clauses. Further information: https://firebase.google.com/support/privacy.

RevenueCat (In-App Purchases)

RevenueCat, Inc., 1032 E Brandon Blvd #3003, Brandon, FL 33511, USA, is used to manage in-app purchases and subscriptions on mobile devices. RevenueCat processes an anonymized user identifier, purchase receipts, and subscription status. No personal data such as name or email is shared with RevenueCat.

The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment), as in-app purchase management is required to provide paid services. A data processing agreement has been concluded with RevenueCat. Data transfer to the USA is based on the EU Commission's standard contractual clauses. Further information: https://www.revenuecat.com/privacy.

Native Authentication (Apple/Google Sign-In)

When you sign in using Apple Sign-In or Google Sign-In on mobile devices, an identity token is issued by Apple or Google and exchanged with our authentication service (Supabase) to create or link your account. We receive only the information you authorize (typically name and email address). No credentials are stored on our servers; authentication is handled via secure token exchange.

The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment).

Device Permissions

The mobile app may request access to the following device capabilities:

  • Microphone: Required for voice mode (real-time conversations). Audio is streamed to Deepgram for transcription and is not stored on our servers.
  • Camera: Used for capturing images to upload as content for AI analysis. Images are processed only when you explicitly initiate a capture.
  • Photo Library: Used to select existing images or files for upload. Only files you explicitly select are accessed and uploaded.

Each permission is requested only when you first use the relevant feature. You can revoke any permission at any time through your device settings. The legal basis for this processing is Art. 6 Para. 1 lit. a GDPR (consent).

g. Additional Data Processing Services

The platform uses additional specialized services to enhance functionality. These services process only the inputs needed for the feature you request.

Tavily AI, services via api.tavily.com, is used to provide web search capabilities within the platform. When you use search features, search queries, submitted URLs, and public page snippets may be transmitted to Tavily for processing.

The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment), as web search is a feature of the services offered. Data transfer to the USA is based on the EU Commission's standard contractual clauses. Further information: https://tavily.com/privacy.

Firecrawl (Web Extraction and Screenshots)

Firecrawl, operated by SideGuide Technologies, Inc., is used to retrieve, extract, and in some cases visually analyze public web pages or screenshots when you submit links or request web/source analysis. Processed data may include submitted URLs, page content, screenshots, and technical metadata.

The legal basis is Art. 6 Para. 1 lit. b GDPR for requested source analysis and Art. 6 Para. 1 lit. f GDPR for source quality, security, and debugging. Data transfer to the USA is based on standard contractual clauses. Further information: https://www.firecrawl.dev/privacy-policy.

Apify (Social and Video Source Extraction)

Apify Technologies s.r.o., Czech Republic, is used for public social-media, web, and video transcript/content extraction when you provide a URL or request source collection for a Mind. Processed data may include submitted URLs, public profile/post/video metadata, transcripts, and extraction logs.

The legal basis is Art. 6 Para. 1 lit. b GDPR (contract fulfillment).

Serper (Search API)

Serper is used for public search, image/video search, and source discovery when you request those features. Search terms and result metadata are transmitted.

The legal basis is Art. 6 Para. 1 lit. b GDPR. Data transfer to third countries is based on standard contractual clauses where required.

OCR.space (Optical Character Recognition)

OCR.space API, operated by A9t9 software GmbH, Nordstr. 8, 87561 Oberstdorf, Germany, is used to extract text from uploaded images and documents when OCR functionality is required. Image data is transmitted for processing.

The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment). As A9t9 software GmbH is based in Germany, data remains within the EU. Further information: https://ocr.space/privacypolicy.

Public API, MCP, Browser Extension, and External Clients

When you use our public API, MCP server, browser extension, widgets, or third-party clients that connect to Minds (for example ChatGPT, Claude, OpenRouter, Open WebUI, or LibreChat), we process API keys, OAuth authorization codes/access tokens, scopes, request metadata, tool calls, prompts, content, widget/session identifiers, and audit logs required to authenticate, route, secure, and deliver the integration.

The legal basis is Art. 6 Para. 1 lit. b GDPR and Art. 6 Para. 1 lit. f GDPR for security and audit logging. Third-party clients chosen by you may independently process your data under their own terms.

Google Calendar Integration

If you connect Google Calendar, we use the Google Calendar API to sync calendar events and related metadata. We request the calendar.events scope, store access/refresh tokens, create webhook channels, read future event metadata and attendees, create related Minds, and may update event descriptions with Mind links when enabled. Data includes calendar IDs, event IDs, titles/descriptions/times, attendee names/emails, webhook identifiers, token scopes/expiry, and sync status.

The legal basis is Art. 6 Para. 1 lit. a GDPR (consent) and Art. 6 Para. 1 lit. b GDPR (contract fulfillment). You may disconnect the integration in settings; tokens, webhook channels, and synced events are deleted subject to backup retention.

Twilio (SMS, WhatsApp, and Voice Calls)

Optional messaging and phone features use Twilio Inc. for SMS, WhatsApp sender management, phone number provisioning, and voice call media streams. Data may include assigned phone numbers, caller/sender numbers, message metadata/content, call metadata, and call audio streams. Voice calls may also be processed by Deepgram and Fish Audio as described above.

The legal basis is Art. 6 Para. 1 lit. b GDPR; where consent is required for call recording, voice cloning, or similar features, Art. 6 Para. 1 lit. a GDPR applies.

h. Communication via Email

For sending platform-related emails (e.g., registration confirmations, password resets), the service Resend is used, offered by Resend Inc., 548 Market St PMB 95453, San Francisco, CA 94104-5401, USA. Resend processes the email address on our behalf.

The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment) for transactional emails. A data processing agreement (DPA) has been concluded with Resend. Data transfer to the USA is based on the EU Commission's standard contractual clauses. Further information can be found in Resend's privacy policy: https://resend.com/legal/privacy-policy.

i. Cookies

Cookies, local storage, and similar technologies are used on the website and in the app. Necessary storage is used for login, security, language, consent, session, and core app functions. Non-essential analytics or marketing cookies and comparable device storage are used only with consent.

For users in Germany, access to or storage of information on the end device is based on § 25 TDDDG where applicable. The related personal-data processing is based on Art. 6 Para. 1 lit. a GDPR for consent-based analytics and marketing, and on Art. 6 Para. 1 lit. f GDPR for strictly necessary security, fraud-prevention, and service functions. You can change or revoke consent at any time through our cookie settings. The browser can also be configured to reject or delete cookies, although some core functions may then be unavailable.

j. Web Analytics with Google Analytics

This website uses functions of the web analytics service Google Analytics. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics uses cookies that enable analysis of your use of the website. The information generated by the cookie about your use of this website is usually transferred to a Google server in the USA and stored there.

The storage of Google Analytics cookies and the use of this analytics tool is based on your consent according to Art. 6 Para. 1 lit. a GDPR. You can change or revoke this consent at any time through our cookie settings.

We have activated IP anonymization on this website. As a result, your IP address is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area before being transmitted to the USA.

We have concluded a data processing agreement with Google.

Data transfer to the USA is based on the EU Commission's standard contractual clauses. Details can be found here: https://privacy.google.com/businesses/controllerterms/mccs/.

More information on Google Analytics' handling of user data can be found in Google's privacy policy: https://support.google.com/analytics/answer/6004245.

k. Product Analytics with PostHog

We use the product analytics service PostHog, provided by PostHog, Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA.

PostHog helps us understand how users interact with our platform and may include session replay. Persistent analytics cookies, localStorage persistence, analytics user identification, and session replay are used only with analytics consent. Without analytics consent, PostHog is configured without persistent analytics cookies; limited cookieless or in-memory events may be processed for product reliability, abuse prevention, and aggregated service improvement where lawful.

The legal basis for consent-based analytics is Art. 6 Para. 1 lit. a GDPR. For limited security, reliability, and abuse-prevention processing that is strictly necessary for the service, the legal basis is Art. 6 Para. 1 lit. f GDPR. You can change or revoke consent in cookie settings.

We have concluded a data processing agreement with PostHog. Data is processed in the EU region. Further information can be found in PostHog's privacy policy: https://posthog.com/privacy.

l. A/B Testing with Convoy Labs

We use Convoy Labs for A/B testing of AI agent configurations to optimize the quality and performance of our AI features. When you interact with AI features, technical metadata about the interaction (such as which model configuration was used and response quality metrics) may be processed by Convoy Labs.

The legal basis for this processing is Art. 6 Para. 1 lit. f GDPR (legitimate interest). Our legitimate interest lies in optimizing and improving the quality of our AI features. A data processing agreement has been concluded with Convoy Labs. Data transfer to the USA is based on the EU Commission's standard contractual clauses. No personally identifiable information beyond technical interaction metadata is shared with Convoy Labs.

m. Conversion Tracking with TikTok Pixel

We use the TikTok Pixel, a conversion tracking tool provided by TikTok Information Technologies UK Limited and TikTok Technology Limited ("TikTok"). The TikTok Pixel allows us to track user actions and measure the effectiveness of our advertising campaigns on TikTok.

The TikTok Pixel collects data about your interactions with our website (e.g., page views, registrations) and transmits it to TikTok. The TikTok Pixel is only activated with your explicit consent for marketing cookies (Art. 6 Para. 1 lit. a GDPR). You can revoke your consent at any time.

Data transfer to third countries is secured by the EU Commission's standard contractual clauses. More information on TikTok's data processing: https://www.tiktok.com/legal/page/eea/privacy-policy/en.

n. Conversion Tracking with X Pixel

We use the X Pixel (formerly Twitter Pixel), a conversion tracking tool provided by X Corp., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA ("X"). This tool helps us measure the success of our advertising on X.

The X Pixel tracks actions on our website and transmits them to X. The X Pixel is only activated with your explicit consent for marketing cookies (Art. 6 Para. 1 lit. a GDPR). You can revoke your consent at any time.

Data transfer to the USA is secured by the EU Commission's standard contractual clauses. More information on X's data processing: https://twitter.com/en/privacy.

5. Storage Duration and Data Deletion

Personal data is stored for the following periods:

| Data Category | Retention Period | Reason |
|---|---|---|
| Account data (name, email) | Duration of account + 30 days after deletion | Contract fulfillment and account recovery |
| User Content (Flows, Minds) | Duration of account + 30 days after deletion | Contract fulfillment |
| Group Grounding configurations and inputs | Duration of account + 30 days after deletion | Contract fulfillment |
| Aggregate distribution datasets (no personal data) | Refreshed periodically; cached as long as required for the feature | Legitimate interest / statistical purpose |
| Server logfiles | 90 days | Security and debugging |
| Payment records | 10 years after transaction | German tax law (§ 147 AO) |
| Consent records | 3 years after withdrawal | Proof of consent (Art. 7 GDPR) |
| Content moderation, illegal-content notices, appeals, and decision records | Up to 3 years; longer where required for legal claims | Legal compliance, abuse prevention, rights enforcement |
| Analytics data | 14 months | Service improvement |
| AI interaction logs | 90 days | Quality assurance and debugging |
| API keys, OAuth/MCP tokens, and integration audit logs | Duration of account or until revoked; audit/security logs up to 3 years | Contract fulfillment, security, abuse prevention |
| Google Calendar tokens, webhook channels, and synced event metadata | Until disconnect or account deletion + 30 days | Consent / contract fulfillment |
| SMS/WhatsApp/voice metadata and assigned phone numbers | Duration of feature use/account + 30 days; provider records per provider/legal retention | Contract fulfillment, abuse prevention |
| Submitted URLs, web extraction results, screenshots, and source-search metadata | Duration of related Mind/Flow/Group + 30 days unless cached as non-personal aggregate source data | Contract fulfillment and reproducibility |
| Backup data | 30 days after deletion from active systems | Disaster recovery |

Right to Deletion: The deletion of the account and all associated data can be requested at any time. This can be done directly in the settings under /settings/preferences. After such a request, personal data and user content are permanently removed from active systems within 30 days. Backup data is purged according to our backup retention schedule. The data will no longer be used for training new models, and all reasonable technical steps will be taken to remove it from existing models as well.

6. Automated Decision-Making and Profiling

Our platform uses AI-powered features that may involve automated processing of your data:

AI-Assisted Features

When you use our AI features (Flows, Minds, Group Grounding), your inputs are processed by AI models to generate outputs. This processing:

  • Does not constitute automated decision-making with legal or similarly significant effects under Art. 22 GDPR
  • Is used solely to provide the creative and conversational services you request
  • Does not result in decisions that produce legal effects or significantly affect you
  • Remains under your control—you decide how to use any AI-generated outputs

Personalization

If you create a personal AI model ("My Mind"), the system analyzes your uploaded content to create a personalized AI assistant. This is based on your explicit request and consent (Art. 6 Para. 1 lit. a and b GDPR). You can delete your personal model at any time.

Content Moderation, Notices, and Appeals

We may use automated systems and human review to detect content that violates our Terms of Service or applicable law, including harmful, illegal, infringing, abusive, or security-risk content. Flagged content may be reviewed by our team.

When users or third parties submit illegal-content notices, rights complaints, moderation appeals, or objections, we process the information needed to assess and document the request. This can include reporter contact details, account identifiers, URLs/content IDs, submitted reasons and evidence, moderation decision records, timestamps, and follow-up communications.

The legal basis is Art. 6 Para. 1 lit. c GDPR where processing is required by law, Art. 6 Para. 1 lit. f GDPR for service integrity, abuse prevention, legal defense, and rights enforcement, and Art. 6 Para. 1 lit. b GDPR where moderation is necessary to perform or enforce the user agreement. Moderation and notice records are generally retained for up to 3 years unless a longer period is required to establish, exercise, or defend legal claims.

Your Rights Regarding Automated Processing

You have the right to:

  • Obtain human intervention in decisions that significantly affect you
  • Express your point of view and contest decisions
  • Request information about the logic involved in automated processing
  • Opt out of non-essential automated processing

To exercise these rights, contact us at [email protected].

7. EU AI Act Transparency and AI-Generated Content

7.1 AI System Disclosure

The Minds platform is an AI-powered platform within the scope of Regulation (EU) 2024/1689 (the "EU AI Act"). Article 50 transparency obligations apply from 2 August 2026. Until that date, this section describes our current disclosures, contractual obligations, and readiness measures for AI transparency.

7.2 Notification of AI Interaction

Before or at the time of your first interaction with any Mind or AI assistant, we inform you that you are interacting with an AI system, not a natural person. This notification is provided through in-app disclosures, onboarding screens, and labelling within the user interface. We process your account identifier, interaction timestamp, and acknowledgement metadata where needed to document that this notification has been delivered.

7.3 Labelling and Machine-Readable Marking

Minds labels AI-generated outputs in the product interface and stores generation metadata such as content type, creation timestamp, model/provider identifier where technically available, and output context. We are preparing machine-readable marking and provenance metadata for exported text, audio, and image outputs in line with Art. 50(2) EU AI Act, to the extent technically feasible and supported by the relevant format/provider by 2 August 2026.

We do not use this metadata for profiling or marketing. It is used to disclose AI origin, support auditability, preserve context for shared/exported outputs, and respond to user or regulatory transparency requests.

7.4 Synthetic Content Disclosure

Where Minds simulate the communication style, voice, likeness, or behaviour of real or fictional persons, or where group-grounded panels generate aggregate-style outputs, the resulting output is synthetic. We disclose the artificial origin of such content through visible labels and, where technically feasible, metadata/provenance information. To support this disclosure, we process Mind configuration data, group-grounding configuration, generation logs, and output metadata.

Until the relevant EU AI Act transparency obligations apply on 2 August 2026, transparency and provenance-readiness processing is based on Art. 6 Para. 1 lit. b GDPR where needed to provide the service and Art. 6 Para. 1 lit. f GDPR for accountability, security, and misuse prevention. From 2 August 2026, where processing is required to comply with Art. 50 EU AI Act, the legal basis will be Art. 6 Para. 1 lit. c GDPR.

7.6 Data Processed for AI Transparency Purposes

Data Category | Purpose | Retention
AI interaction notification records | Proof that AI-system disclosure was provided | Duration of account plus 3 years
Generation metadata and available provenance data | AI-origin labelling, export context, and auditability | As long as the content exists on the platform, plus 1 year
Mind persona/configuration data | Synthetic-content disclosure and misuse prevention | Duration of account plus 3 years
Group-grounding configuration (distribution parameters, sources used) | Synthetic-output disclosure for group-grounded outputs | Duration of account plus 3 years
Content generation logs (model, timestamp, type) | Auditability, debugging, and regulatory accountability | 3 years from content creation

7.7 Your Rights

In addition to your GDPR rights (see Section 8), you may request confirmation of whether a specific output was generated by AI and what generation/provenance metadata is available. Where transparency processing relies on legitimate interests, you may object under Art. 21 GDPR. Processing that is legally required after the EU AI Act obligations apply cannot be opted out of.

8. Rights of the Data Subject

Data subjects have the following rights regarding their personal data:

  • Right to Access (Art. 15 GDPR)
  • Right to Rectification (Art. 16 GDPR)
  • Right to Erasure ("Right to be Forgotten") (Art. 17 GDPR)
  • Right to Restriction of Processing (Art. 18 GDPR)
  • Right to Data Portability (Art. 20 GDPR)
  • Right to Object (Art. 21 GDPR)

There is also the right to withdraw consent at any time with effect for the future (Art. 7 Para. 3 GDPR). The withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.

To exercise these rights, please use the contact address given above.

9. Right to Lodge a Complaint with a Supervisory Authority

Without prejudice to any other administrative or judicial remedy, there is the right to lodge a complaint with a supervisory authority, in particular in the Member State of residence, place of work, or place of the alleged infringement, if it is believed that the processing of personal data violates the GDPR (Art. 77 GDPR).

The supervisory authority responsible for us is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219
10969 Berlin
Germany
Phone: +49 30 13889-0
Email: [email protected]
Website: https://www.datenschutz-berlin.de

10. Data Security

All necessary technical and organizational security measures are taken to protect personal data from loss and misuse. Data is stored in a secure operating environment that is not accessible to the public. Data transmission is encrypted using SSL technology.

11. Changes to This Privacy Policy

We reserve the right to adapt this privacy policy so that it always complies with current legal requirements, or to reflect changes to our services in the privacy policy, e.g., when introducing new services. The new privacy policy will then apply to future visits.