Legal

Privacy Policy

Last updated: March 18, 2026

1. Introduction

MindStash is operated by Jaydeep Sureliya, an independent software developer based in India. Your privacy matters to us. This policy explains what data we collect, how we use it, and how we protect it. We keep things simple and transparent because that is what we would want as users ourselves.

2. Data We Collect

When you use MindStash, we collect the following:

  • Account data - your email address and hashed password. If you sign in with Google, we receive your Google ID and email. We never store your Google password.
  • Content data - the thoughts, URLs, and notes you capture (limited to 500 characters per item).
  • AI metadata - categories, tags, summaries, priority scores, and urgency flags generated by our AI for your captures.
  • Chat history - messages exchanged with the AI assistant within the app, stored per session.
  • Billing data - your subscription plan, usage counts (items and messages per month), and subscription status. We do not store your credit card details. All payment data is handled by our payment partner.
  • Usage data - basic interaction events (page views, feature usage) used to improve the product. We do not use third-party analytics SDKs or tracking pixels.

3. How We Use Your Data

  • To provide and operate the MindStash service, including AI categorization, chat, and search.
  • To process your captures through AI providers for categorization, embedding generation, and surfacing.
  • To send you notification reminders, weekly digest emails, and daily briefings you have opted into.
  • To enforce plan limits and manage your subscription.
  • To improve product quality through anonymized, aggregated usage patterns.
  • To respond to your support requests.

We never sell your personal data to third parties. We never use your content to train AI models. Your data is only shared with the third-party services listed below, and only to the extent necessary to deliver the Service.

4. AI Data Processing

MindStash uses AI to power core features. Here is how your data flows through AI providers:

  • Categorization - When you capture an item, its content is sent to an AI model to determine category, tags, summary, priority, and urgency. This happens once per capture.
  • Chat - When you chat with the AI assistant, your messages and relevant context are sent to Anthropic's Claude API to generate responses. Chat history within a session is included for context but is not retained by Anthropic beyond the API call.
  • Embeddings - For semantic search (Pro plan), item content is converted into vector embeddings via OpenAI's API. The embeddings are stored in our database. OpenAI does not retain the input text.

Neither Anthropic nor OpenAI uses your data to train their models when accessed via their APIs. See their respective privacy policies for details.

5. Third-Party Services

MindStash relies on the following sub-processors:

  • Anthropic - Powers the AI chat assistant (Claude API). Subject to Anthropic's Privacy Policy.
  • OpenAI - Generates vector embeddings for semantic search. Subject to OpenAI's Privacy Policy.
  • Supabase - Database provider. Your data is stored in a PostgreSQL database hosted by Supabase in the United States.
  • Resend - Sends transactional emails (welcome emails, reminders, digests). Your email address is shared with Resend solely for this purpose.
  • Vercel - Hosts the frontend application. Standard request logs apply per Vercel's policy.
  • Railway - Hosts the backend API server.
  • Lemon Squeezy - Processes subscription payments. Your email and subscription details are shared with Lemon Squeezy to manage billing. We do not store your credit card information.

6. Data Security

We take the security of your data seriously. Here are the measures we have in place:

  • Passwords are hashed using bcrypt and never stored in plain text.
  • All data is transmitted over HTTPS/TLS encryption.
  • API routes are protected with JWT authentication and token refresh mechanisms.
  • Database access is restricted to server-side connections only, with connection pooling via Supabase.
  • Rate limiting is enforced on all API endpoints to prevent abuse.
  • User data is strictly isolated. You can only access your own items, chats, and account data.

No system is perfectly secure. If you discover a security vulnerability, please contact us at the email below and we will address it promptly.

7. Data Retention and Deletion

Your data is retained for as long as your account is active. Specifically:

  • You may delete individual items at any time from the dashboard or via the AI chat agent.
  • Chat sessions and messages are retained for your reference but can be cleared.
  • If you downgrade your plan, your existing data is never deleted. You simply hit lower monthly limits for new captures.
  • To request full account deletion, contact us at the email below. We will remove all your data within 30 days.
  • Payment event logs are retained for accounting and dispute resolution purposes.

8. Cookies and Local Storage

MindStash uses browser local storage to store your authentication token for session management. We do not use third-party tracking cookies, advertising pixels, or analytics SDKs.

9. Children's Privacy

MindStash is not intended for users under 16 years of age. We do not knowingly collect data from children. If you believe a child has created an account, please contact us and we will delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Significant changes will be communicated via email. The "Last updated" date at the top of this page reflects the most recent revision.

11. Contact

Questions about this policy or your data? Email us at privacy@mindstashhq.space.