Privacy Policy

Last updated: 2026-04-29

Draft notice: This privacy policy is a working draft for the closed beta. The final version will be published before public launch. Reach out to support@maind.dev with questions.

1. Controller

The controller responsible for data processing on this site is listed in our Imprint.

2. Data we collect

2.1 Account data

  • Email address (sign-up, sign-in, transactional mail)
  • OAuth provider identifier when you sign in via GitHub or Google
  • Hashed API keys (we never store the plaintext key)

2.2 Usage telemetry — three-tier consent

maind operates a three-tier consent model. You control which tier applies to your account in dashboard settings:

  • Tier 1 (always on): Anonymous aggregate counts of tool calls, used for billing, abuse-prevention, and capacity planning. No per-call payloads, no user identifiers in analytics.
  • Tier 2 (opt-in): Anonymized feedback signals (success / error categories) per tool, used to improve lessons.
  • Tier 3 (opt-in): Pseudonymous client metrics for deeper debugging. Revocable at any time; retention 30 days.

2.3 Marketing-site analytics

This marketing site uses Vercel Analytics, which is cookieless and does not track individuals across sessions.

3. Processors

We use the following sub-processors to deliver maind. Each is bound by a Data Processing Agreement:

  • Supabase (database, authentication, edge functions) — region: EU-West / Ireland.
  • Resend (transactional email) — sender: noreply@maind.dev.
  • Vercel (hosting for marketing site and dashboard).
  • Anthropic — only when you explicitly use Anthropic-powered features in the dashboard.

4. Legal basis

  • Art. 6 (1) (b) GDPR — performance of contract (account, dashboard, MCP-server access).
  • Art. 6 (1) (a) GDPR — consent (Tier 2 and Tier 3 telemetry).
  • Art. 6 (1) (f) GDPR — legitimate interest (anonymous aggregate counts for abuse-prevention).

5. Your rights

Under the GDPR you have the right to access, rectify, erase, and port your data, and to object to its processing. Email support@maind.dev to exercise any of these.

6. Retention

  • Account data: until account deletion.
  • Tier-1 aggregate counts: 24 months, then aggregated further.
  • Tier-3 pseudonymous metrics: 30 days, then deleted.

7. Contact

Privacy questions: support@maind.dev.