Privacy Policy

Account information: When you sign in with Google OAuth, we receive your name, email address, and profile picture from Google. We store this to create and manage your account.

User-generated content: All memories, notes, imported documents, chat histories, flashcards, and any other content you add to MindStore ("Your Content") is stored on our servers to provide the Service.

Usage data: We collect anonymized, aggregated analytics (page views, feature usage, session counts) via Plausible Analytics. Plausible does not use cookies, does not track individuals across sites, and is GDPR-compliant by design.

API keys: If you provide third-party API keys (OpenAI, Gemini, etc.) via the Settings page, they are encrypted at rest using AES-256 before storage. We do not transmit your API keys to any party other than the designated AI provider.

Technical data: Server logs may capture IP addresses, browser user-agent strings, and request timestamps for security, debugging, and abuse prevention. These are retained for up to 30 days.

We use the information we collect to:

• Provide, operate, and improve the Service
• Authenticate your identity and maintain your session
• Process and store Your Content for retrieval and AI features
• Send transactional communications (e.g. password resets, billing receipts) — no marketing emails without explicit consent
• Detect, investigate, and prevent fraudulent, unauthorized, or illegal activity
• Comply with legal obligations

We do not sell your personal data. We do not use your stored memories or content to train AI models. We do not share your data with advertisers.

You retain full ownership of Your Content. We claim no intellectual property rights over it.

To provide AI features (chat, semantic search, embeddings), your content is sent to third-party AI providers you configure (e.g. Google Gemini, OpenAI). This transmission is governed by the provider's own privacy policy. We transmit only the minimum content necessary to fulfil the request.

If you use MindStore's default AI provider configuration, content may be processed by Google Gemini APIs. See Google's Privacy Policy.

You can delete Your Content at any time from within the Service. Upon deletion, content is removed from our primary database. Backups are purged on a rolling 30-day cycle.

We share data only in these limited circumstances:

• Infrastructure providers: Vercel (hosting), Supabase (database), and other processors who are contractually bound to handle data securely and only for purposes we specify.
• AI providers: Only the content you explicitly direct through AI features, to providers you configure.
• Legal requirements: If required by law, court order, or to protect the rights, safety, and property of MindStore, our users, or the public.
• Business transfers: In connection with a merger, acquisition, or sale of assets, with prior notice to you.

We use industry-standard safeguards including TLS encryption in transit, AES-256 encryption for sensitive fields at rest, and database access controls with least-privilege principles.

No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.

In the event of a data breach that materially affects you, we will notify you by email within 72 hours of becoming aware, to the extent required by applicable law.

We use a single session cookie for authentication (HttpOnly, Secure, SameSite=Lax). No advertising cookies. No cross-site tracking. No third-party analytics cookies.

Plausible Analytics is cookieless and does not fingerprint individual users.

Depending on your jurisdiction, you may have the right to:

• Access: Request a copy of personal data we hold about you.
• Rectification: Correct inaccurate personal data.
• Erasure: Request deletion of your account and all associated data.
• Portability: Export Your Content in a machine-readable format (available via the Export feature in the app).
• Objection / Restriction: Object to or restrict certain processing.
• Withdraw consent: Where processing is based on consent, withdraw it at any time.

To exercise these rights, email privacy@mindstore.org. We respond within 30 days.

We retain your account data and content for as long as your account is active. If you delete your account, we remove your personal data from active systems within 30 days and from backups within 90 days.

We may retain anonymized, aggregated analytics data indefinitely as it cannot identify you.

The Service is not directed to children under 13 (or under 16 in the EEA). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us immediately and we will delete it.

MindStore operates globally. Your data may be transferred to and processed in countries other than your own, including the United States. We ensure appropriate safeguards (Standard Contractual Clauses or equivalent) are in place for any cross-border transfers required by applicable law.

We may update this Privacy Policy. For material changes, we will notify you by email or a prominent notice in the app at least 14 days before the change takes effect. Your continued use of the Service after the effective date constitutes acceptance of the revised policy.

For privacy questions, data requests, or complaints:

Email: privacy@mindstore.org

If you are located in the EEA and believe we have not adequately addressed your concern, you have the right to lodge a complaint with your local data protection authority.