← Back to home

Privacy Policy

Last updated: June 25, 2026

This Privacy Policy explains how mindyOne ("mindyOne", "we", "us", or "our") collects, uses, shares, and protects personal data when you use our AI-powered business page platform and related websites, applications, and services (collectively, the "Service"). It also describes the rights you have over your personal data and how to exercise them.

Please read this Policy alongside our Terms of Service. By using the Service, you acknowledge the practices described here.

1. Scope & Who We Are

mindyOne is a multi-tenant software-as-a-service platform that gives small and medium-sized businesses an AI-powered, hosted micro-site reachable via a link and QR code. This Policy applies to two groups of people:

  • Business owners — authenticated users who create an account, complete onboarding, and manage a business page and dashboard.
  • End customers — visitors of a business owner's public page (/[slug]) who chat with the AI assistant or book appointments without creating an account.

If you have questions about this Policy or our data practices, contact us at privacy@mindyone.com.

2. Our Role: Controller vs. Processor

Our role under data-protection law (such as the EU/UK GDPR) depends on whose data is involved:

  • For business owners' data (account, billing, business profile, usage), mindyOne acts as a data controller — we decide why and how that data is processed.
  • For end-customer data that a business owner collects through their page (chat messages, booking details, contact information), mindyOne acts as a data processor on behalf of that business owner, who is the controller. The business owner is responsible for having a lawful basis to collect that data and for their own privacy notice to their customers.

Where mindyOne acts as a processor, we process end-customer data only to provide the Service to the business owner and in line with our agreement with them.

3. Information We Collect

a. Information you provide directly

  • Account data: name, email address, and password. Passwords are hashed and managed securely through Supabase Auth — we never store them in plain text. If you sign in with Google, we receive your name and email from Google.
  • Business profile: business name, description, contact details, services, pricing, working hours, holidays, timezone, language, branding, and logo.
  • Knowledge base content: documents you upload (PDF, TXT, MD) or text you add, which we process into text chunks and vector embeddings to power AI answers.
  • Support & communications: information you provide when you contact us for support or other requests.

b. End-customer data (collected on behalf of business owners)

  • Chat data: messages exchanged between an end customer and a business's AI assistant, along with derived metadata such as detected language and classified intent.
  • Booking data: customer name, email address, phone number (if provided), selected service, appointment date/time, and notes.
  • Verification data: one-time passcodes (OTPs) sent by email to confirm a booking.

c. Billing information

  • Subscriptions are processed by Lemon Squeezy, our Merchant of Record. Lemon Squeezy collects and processes your payment-card details directly under its own privacy policy; mindyOne does not see or store full card numbers. We store subscription status, plan/tier, trial and renewal dates, and the identifiers needed to link your subscription to your account.
  • If customer deposit payments are enabled by a business, those payments are processed by Stripe under its own privacy policy. (Deposit payments are disabled by default during the current phase of the Service.)

d. Information collected automatically

  • Usage & analytics: page views, feature usage, and aggregate insights (e.g., top questions, conversion, drop-off) used to operate and improve the Service.
  • Technical & log data: IP address, browser/device type, and request logs generated by our hosting provider for security and reliability.
  • Rate-limiting data: session identifiers used to apply abuse protection on the chat endpoint.

4. How We Use Information

We use the information described above to:

  • Provide, operate, maintain, and secure the Service;
  • Create and authenticate accounts and manage business pages;
  • Power AI assistant responses and document retrieval for end customers;
  • Process bookings and send transactional emails (confirmations, verification codes, reschedule/cancellation notices, owner notifications, and daily briefings);
  • Manage subscriptions, trials, and billing through our Merchant of Record;
  • Provide dashboard insights and analytics to business owners;
  • Detect, prevent, and respond to fraud, abuse, and security incidents;
  • Respond to support requests and communicate service-related updates;
  • Comply with legal obligations and enforce our Terms of Service.

We do not sell your personal data, and we do not use end-customer chat or booking content for advertising.

If you are in the European Economic Area or the United Kingdom, we process personal data under one or more of the following legal bases:

  • Contract — to provide the Service you sign up for and perform our agreement with you.
  • Legitimate interests — to secure, analyze, and improve the Service, provided these interests are not overridden by your rights.
  • Consent — where required, for example for certain optional communications; you may withdraw consent at any time.
  • Legal obligation — to comply with applicable laws, such as tax and accounting requirements.

6. AI Processing

The Service uses third-party large-language-model and embedding APIs (currently OpenAI) to generate chat responses, classify intent, detect language, and create vector embeddings of knowledge-base content. When the AI answers a customer's question, the relevant message and retrieved business content are sent to the AI provider to generate a response.

Our AI provider processes this data under its API terms and does not use data submitted through its API to train its models. AI-generated answers can be imperfect; they do not constitute professional advice, and business owners are responsible for the information made available through their pages. The AI assistant performs no automated decision-making that produces legal or similarly significant effects about you.

7. How We Share Information & Subprocessors

We do not sell personal data. We share data only with service providers ("subprocessors") that help us run the Service, each bound by contractual confidentiality and data-protection obligations:

ProviderPurpose
SupabaseDatabase hosting, authentication, and file storage
OpenAIAI chat responses, intent/language detection, and embeddings
ResendTransactional email delivery
VercelApplication hosting, deployment, and edge delivery
Lemon SqueezySubscription billing as Merchant of Record (card processing)
StripeCustomer deposit payments, when enabled by a business
UpstashRedis-based rate limiting and abuse prevention

We may also disclose data when required by law, to enforce our agreements, to protect the rights, safety, and security of our users or the public, or in connection with a merger, acquisition, or sale of assets (in which case we will notify you of any change in control of your personal data).

8. International Data Transfers

Our subprocessors may process data in countries outside your own, including the United States. Where personal data is transferred out of the EEA or the UK, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (and the UK Addendum) or an adequacy decision, so that your data remains protected.

9. Cookies & Local Storage

We use only the cookies and local storage strictly necessary to operate the Service. We do not use advertising or cross-site tracking cookies.

  • Authentication cookies — set by Supabase Auth to keep business owners signed in and to refresh sessions.
  • Local storage — used on public pages to remember a customer's chosen language (e.g., mindy_lang_<slug>) and to remember an email's booking-verification trust within the same browser (e.g., mindy_trust_<slug>_<email>) so a verified customer isn't asked to re-verify unnecessarily.

10. Data Retention

We retain personal data for as long as needed to provide the Service and for the purposes described in this Policy. Specific retention windows by data category are defined in our Data Retention Policy. Key windows:

  • Account and business data are retained while your account is active.
  • Chat conversations and messages are retained for 12 months from the last message.
  • Booking records are retained for 24 months, then anonymised (PII removed).
  • OTP verification codes are deleted within 24 hours of creation.
  • Billing records are retained as required for accounting, tax, and legal compliance (typically 7 years).
  • When you request erasure, we delete or anonymize your personal data promptly across all systems, except where retention is required by law.

11. Data Security

We implement industry-standard technical and organizational measures to protect personal data, including encrypted connections (TLS), row-level security on database tables to isolate each tenant's data, hashed credentials, scoped access controls, and signed, expiring tokens for sensitive customer actions (such as managing a booking). No method of transmission or storage is completely secure, so we cannot guarantee absolute security, but we work continuously to protect your data.

12. Your Privacy Rights

Depending on where you live, you may have some or all of the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you;
  • Rectification — correct inaccurate or incomplete data;
  • Erasure — request deletion of your personal data;
  • Restriction — ask us to limit how we process your data;
  • Portability — receive your data in a portable format;
  • Objection — object to processing based on legitimate interests;
  • Withdraw consent — where processing is based on consent;
  • Non-discrimination & opt-out of "sale/sharing" — for California residents under the CCPA/CPRA. We do not sell or share personal data as those terms are defined.

To exercise any of these rights, contact us at privacy@mindyone.com. We will respond within the timeframe required by applicable law. If you are an end customer of a business that uses mindyOne, please direct your request to that business (the controller of your data); we will assist them as needed. You also have the right to lodge a complaint with your local data-protection authority.

13. Children's Privacy

The Service is not directed to children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

14. Data Breach Notification

If a personal-data breach is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority and affected individuals without undue delay and in accordance with applicable law.

The Service may contain links to third-party websites or services that we do not control. This Policy does not apply to those third parties, and we encourage you to review their privacy policies.

16. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you by email or through the Service. Your continued use of the Service after changes take effect constitutes acceptance of the updated Policy.

17. Contact Us

For privacy questions, data requests, or to exercise your rights, contact us at privacy@mindyone.com. For general support, contact support@mindyone.com.