MyndFlare

Privacy Policy

Last updated: 16 April 2026 (version 2026-04-16)

This privacy policy explains, in line with GDPR Art. 13, how we process personal data when you use MyndFlare.

1. Controller

[Company Name]
[Address]
[Email]

2. Data We Process

  • Account data: name, email, hashed password (bcrypt via better-auth).
  • Profile data: avatar, preferred locale, tone preference.
  • Content data: projects, conversations, messages, uploaded files, snippets, sources, grab-bag items.
  • Rolling summaries and RAG embeddings: short conversation summaries and 1536-dimensional vector embeddings we generate to provide conversation context. These are derived from your messages and stored only within your own projects.
  • Usage data: token counts per request (for quota, analytics, and cost tracking).
  • API keys (optional, BYOK): if you provide your own LLM provider keys, they are encrypted at rest with AES-256-GCM. They are decrypted in memory only for the duration of a single request.
  • Consent records: when you sign up, we store a consent record — privacy / terms / age-16+ accepted, policy version, IP address, user agent, and timestamp (GDPR Art. 7(1) accountability).
  • Audit log: security-relevant events (account deletion, data export, consent, admin actions) are written to an internal audit log including the actor's ID and IP address.
  • Technical data: IP address, user agent, timestamps.

3. Purposes and Legal Basis

  • Providing the service (GDPR Art. 6(1)(b) — contract performance).
  • Account and security management including the audit log (GDPR Art. 6(1)(f) — legitimate interest in detecting and investigating abuse).
  • Email verification, password reset, and account-deletion confirmation emails (GDPR Art. 6(1)(b)).
  • Recording consent (GDPR Art. 6(1)(c) / Art. 7).

4. Recipients / Processors

To provide the service, your prompts, attachments, and conversation context are forwarded to the selected LLM provider:

  • OpenAI, L.L.C. (ChatGPT) — USA
  • Anthropic, PBC (Claude) — USA
  • Google LLC (Gemini) — USA
  • Mistral AI (Mistral) — France

Other processors: Vercel (hosting), Neon (database), AWS/S3 (file storage), SMTP provider (email delivery).

5. International Transfers

Transfers to the USA are based on EU Standard Contractual Clauses and the EU-US Data Privacy Framework.

6. Security Measures (GDPR Art. 32)

  • TLS in transit, with HSTS enforced via the Strict-Transport-Security header; the X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy headers are also set.
  • Passwords stored only as bcrypt hashes (see section 2); a minimum length of 10 characters is enforced.
  • BYOK API keys encrypted at rest with AES-256-GCM.
  • Uploaded files stored privately; accessed only via short-lived signed URLs.
  • Admin and sensitive actions recorded in an audit log.

7. Retention

  • Account data, content, and RAG embeddings are retained until account deletion. After deletion, all personal data is removed within 30 days.
  • Consent records are retained for the duration of the account plus 12 months, to demonstrate compliance with Art. 7(1).
  • Audit log entries are retained for 12 months for security investigation, then automatically purged.
  • Email-verification tokens expire and are purged automatically.

8. Your Rights

Under GDPR you have the right to:

  • Access (Art. 15) — use "Export all my data" on your profile to download a complete machine-readable JSON copy of your account.
  • Rectification (Art. 16) — edit your profile directly in the app.
  • Erasure (Art. 17) — use "Delete account" in the Danger Zone of your profile; a confirmation email is sent and all data is removed within 30 days (audit-log references are retained in anonymised form).
  • Restriction (Art. 18) — contact us.
  • Data portability (Art. 20) — the "Export all my data" ZIP contains a structured JSON file suitable for import elsewhere.
  • Object (Art. 21) — contact us.
  • Withdraw consent (Art. 7(3)) — at any time, effective prospectively.
  • Lodge a complaint (Art. 77) with the supervisory authority in your EU member state.

Contact: privacy@myndflare.com.

9. Cookies

MyndFlare uses only strictly necessary cookies for authentication and language preference. No tracking, analytics, or advertising cookies are set. See the Cookie Policy for the full list.

10. Automated Decision-Making

MyndFlare does not use your data for automated decision-making with legal effect (GDPR Art. 22). The LLM responses you see are generated on your request and are not used to evaluate you.

11. Changes to This Policy

We may update this policy. The current version is identified above. Material changes will trigger a re-consent prompt the next time you sign in.