---
title: "Privacy Policy for Minds | Minds"
canonical_url: "https://getminds.ai/legal/dataprivacy"
last_updated: 2026-05-09
---

May 9, 2026 · Minds Team

# **Privacy Policy for Minds**

Effective Date: May 9, 2026

This privacy policy provides information about the nature, scope, and purpose of the processing of personal data within the platform operated by **Art of X UG (haftungsbeschränkt)** (hereinafter "we" or "us").

## 1. Data Controller

The controller within the meaning of the GDPR and other national data protection laws is:

**Art of X UG (haftungsbeschränkt)**
Goethestr. 59
10625 Berlin
Germany
Email: [privacy@getminds.ai](mailto:privacy@getminds.ai)

## 2. Data Protection Officer

The external Data Protection Officer can be reached as follows:

Prof. Dr. Norman Uhlmann
h3ko Innovations GmbH
Pappelallee 64
16359 Biesenthal
Germany
Email: [privacy@getminds.ai](mailto:privacy@getminds.ai)

## 3. General Information on Data Processing

The subject of data protection is personal data. This refers to all information relating to an identified or identifiable natural person (the "data subject"). Personal data of users is generally only processed to the extent necessary to provide a functional platform and its content and services.

### Obligation to Provide Data

The provision of personal data is neither legally nor contractually required. However, without providing the necessary data (such as email address and name for registration), we cannot offer you access to our services. Data marked as mandatory during registration or use is required for contract fulfillment.
Failure to provide this data means the relevant services cannot be used. The provision of optional data is voluntary and does not affect your ability to use core services.

## 4. What Data is Processed and For What Purpose

### a. Provision of the Website and Creation of Logfiles (Hosting)

Each time the website is accessed, the system automatically collects data and information from the computer system of the accessing computer. This data is stored in the server's logfiles. The following data is collected:

- IP address of the requesting computer
- Date and time of access
- Name and URL of the retrieved file
- Website from which access is made (referrer URL)
- Browser used and, if applicable, the computer's operating system

This data is processed to ensure smooth connection establishment and comfortable use of the website, as well as to evaluate system security and stability. The legal basis for data processing is Art. 6 Para. 1 S. 1 lit. f GDPR. The legitimate interest follows from the purposes for data collection listed above.

The services of **DigitalOcean, LLC**, 101 6th Ave, New York, NY 10013, USA, are used for website hosting. Our infrastructure is hosted in the Frankfurt (Germany) region within the EU. A data processing agreement (DPA) has been concluded with DigitalOcean. Through this agreement, DigitalOcean ensures that data is processed in accordance with the GDPR and that the rights of data subjects are guaranteed. Further information can be found in DigitalOcean's privacy policy: https://www.digitalocean.com/legal/privacy-policy.

#### Cloudflare (CDN, DNS & Security)

**Cloudflare, Inc.**, 101 Townsend St, San Francisco, CA 94107, USA, is used for content delivery (CDN), DNS management, DDoS protection, and web application security. When you access our website, your requests are routed through Cloudflare's network.
In this process, Cloudflare may process your IP address, request headers, and other connection metadata to deliver content, protect against attacks, and optimize performance.

The legal basis for this processing is Art. 6 Para. 1 lit. f GDPR (legitimate interest). Our legitimate interest lies in ensuring the security, availability, and performance of our website.

A data processing agreement (DPA) has been concluded with Cloudflare. Data transfer to the USA is covered by Cloudflare's participation in the EU-US Data Privacy Framework and supplemented by Standard Contractual Clauses (SCCs). Further information: https://www.cloudflare.com/privacypolicy/.

### b. Registration and Use of an Account (Authentication & Database)

To use the platform, creating a user account is required. The following data is collected:

- Name
- Email address
- Password (stored in encrypted form)

This data is necessary to manage the account and enable access to the services. The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment).

For authentication and user database management, the services of **Supabase Inc.**, 970 Toa Payoh North #07-04, Singapore 318992, are used. Supabase provides the backend infrastructure for the platform. Data storage, including the database, authentication, storage, and AI-related embeddings, takes place in the Northern EU region (Stockholm, `eu-north-1`). A data processing agreement (DPA) has been concluded with Supabase. Further information on data protection at Supabase can be found here: https://supabase.com/privacy.

### c. AI-Powered Features

For the provision of AI-powered features, the following services are used:

#### OpenAI (Text Generation, Embeddings, Image Analysis)

**OpenAI OpCo, LLC**, 3180 18th St, San Francisco, CA 94110, USA, is used for text generation, creation of embeddings from user content, voice transcription (Whisper), and image analysis.
When these features are used, the relevant data (e.g., text inputs or content to be analyzed) is sent to OpenAI's servers for processing. We do not transmit any personal data to OpenAI beyond what is necessary for the function, and we store the results generated by OpenAI in our system hosted on Supabase (see above).

The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment), as these features are a core component of the services offered.

A data processing agreement has been concluded with OpenAI. Data transfer to the USA is based on the EU Commission's standard contractual clauses. Further information on data protection at OpenAI can be found here: https://openai.com/policies/privacy-policy.

#### Anthropic (Text Generation with Claude Models)

**Anthropic PBC**, 548 Market St, PMB 87430, San Francisco, CA 94104, USA, is used for advanced text generation using Claude AI models. When these features are used, your text inputs and prompts are transmitted to Anthropic's servers for processing.

The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment), as these features are a core component of the services offered.

A data processing agreement has been concluded with Anthropic. Data transfer to the USA is based on the EU Commission's standard contractual clauses. Further information on data protection at Anthropic can be found here: https://www.anthropic.com/legal/privacy.

#### Google AI (Text Generation with Gemini Models)

**Google LLC**, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, is used for text generation and AI-powered features using Gemini models. When these features are used, your text inputs and prompts are transmitted to Google's servers for processing.

The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment), as these features are a core component of the services offered.

A data processing agreement has been concluded with Google.
Data transfer to the USA is based on the EU Commission's standard contractual clauses. Further information on data protection at Google can be found here: https://policies.google.com/privacy.

#### ElevenLabs (Voice Processing)

**ElevenLabs Inc.**, 20-22 Wenlock Road, London, N1 7GU, United Kingdom, is used for voice synthesis (text-to-speech) and voice transcription (Scribe v1). When you use voice features, audio data is transmitted to ElevenLabs for processing.

The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment).

A data processing agreement has been concluded with ElevenLabs. Data transfer to the United Kingdom is covered by the EU Commission's adequacy decision for the UK (Decision 2021/1772), ensuring an adequate level of data protection. Further information: https://elevenlabs.io/privacy.

#### Black Forest Labs (Image Generation)

**Black Forest Labs GmbH**, services via api.bfl.ai, is used for AI image generation (Flux models). When you generate images, your text prompts are transmitted to BFL servers for processing.

The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment).

As Black Forest Labs is based in Germany, data remains within the EU. A data processing agreement has been concluded with Black Forest Labs. Further information: https://blackforestlabs.ai/privacy-policy/.

#### Replicate (AI Model Infrastructure)

**Replicate, Inc.**, 340 S Lemon Ave #4133, Walnut, CA 91789, USA, is used as infrastructure for running AI image generation models (including Flux models from Black Forest Labs). When you generate images, your text prompts are transmitted to Replicate's servers for processing.

The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment), as these features are a core component of the services offered.

A data processing agreement has been concluded with Replicate. Data transfer to the USA is based on the EU Commission's standard contractual clauses.
Further information on data protection at Replicate can be found here: https://replicate.com/privacy.

#### Langfuse (AI Observability & Prompt Management)

**Langfuse GmbH**, Residenzstraße 27A, 80333 München, Germany, is used for managing AI prompts, tracking AI interactions, and system observability. This helps us improve service quality and debug issues. Technical metadata about AI interactions is processed.

The legal basis for this processing is Art. 6 Para. 1 lit. f GDPR (legitimate interest). Our legitimate interest lies in ensuring service quality, debugging issues, and improving our AI features.

As Langfuse is based in Germany, data remains within the EU. A data processing agreement has been concluded with Langfuse. Further information: https://langfuse.com/docs/data-security-privacy.

#### Deepgram (Speech-to-Text)

**Deepgram, Inc.**, 548 Market St, Suite 25104, San Francisco, CA 94104, USA, is used for real-time voice transcription (speech-to-text) using the Nova-3 model. When you use voice features, your audio data is streamed to Deepgram's servers for transcription. Deepgram processes audio in real time and does not retain audio recordings after transcription is complete.

The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment), as voice transcription is a core component of the voice features offered.

A data processing agreement has been concluded with Deepgram. Data transfer to the USA is based on the EU Commission's standard contractual clauses. Further information: https://deepgram.com/privacy.

#### Fish Audio (Voice Synthesis & Cloning)

**Hanabi AI Inc.** (operating as Fish Audio), 131 Continental Dr, Suite 305, Newark, DE 19713, USA, is used for text-to-speech voice synthesis and voice cloning. When you use voice features, text is sent to Fish Audio for speech synthesis. If you create a voice clone, audio samples you provide are transmitted to Fish Audio for voice model training.
The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment), as voice synthesis and cloning are core components of the voice features offered.

Data transfer to the USA is based on the EU Commission's standard contractual clauses. Further information: https://fish.audio/privacy.

### d. Content in Flows and Training of Minds (User Content)

The heart of the platform is the processing of content created by users in "Flows" (collaborative workspaces) and shared with "Minds" (AI assistants; previously referred to as "Sparks"). This can include voice recordings, texts, images, or other creative works ("User Content").

This data is processed for the following purposes:

- **Training a Personal AI Model ("My Mind"):** User Content is used to create and train a personal AI model based on individual contributions.
- **Training General AI Models:** If explicit consent (opt-in) has been given, User Content is also used to be incorporated into our larger, general AI models. These models may be used for commercial purposes and made available to customers.

**Important Note for Team Users:** Content created as part of a team account or in shared team flows is fundamentally excluded from this regulation and will under no circumstances be used for training general AI models.

The processing of User Content for training personal AI models is based on Art. 6 Para. 1 lit. b GDPR (contract fulfillment). The processing for training general AI models is exclusively based on explicit consent in accordance with Art. 6 Para. 1 lit. a GDPR.

### d2. Group Grounding and Public Distribution Data

For the **Group Grounding** feature and related group-level functionality (synthetic panels, group covers, audience simulation, marketplace groups), the platform ingests and processes publicly available statistical and distribution data to ground synthetic groups of Minds in plausible real-world distributions.
The categories of data processed include:

- **Aggregate demographic and population statistics** (e.g. age, gender, occupation, education, geography distributions) sourced from public statistical offices, census-style datasets, and comparable open data sources.
- **Industry, market, and labour-market benchmarks** sourced from publicly available reports, market-research summaries, and trade publications.
- **Public web content** retrieved through our web-search provider (Tavily, see Section 4.g) when you explicitly request grounding from a public source (e.g. a public profile page, company website, or news article that you submit as input).
- **Technical metadata** about the grounding request itself (your account identifier, the requested distribution parameters, the timestamp, and the resulting group configuration) so that the configuration is reproducible and auditable.

This processing serves the purpose of generating realistic, statistically grounded synthetic groups for research, simulation, and creative work. **No personal data of identifiable natural persons is generated, profiled, targeted, or stored** as part of the distribution data itself; the data is processed in aggregate, statistical form. Where you submit inputs that may contain personal data of third parties (e.g. a link to a public profile), you are responsible for the lawfulness of that submission and warrant that you have all necessary rights and consents (see Section 4 of our Terms of Service).

The legal bases for this processing are:

- **Art. 6 Para. 1 lit. b GDPR (contract fulfillment)** for processing your account identifier, the grounding configuration, and the search inputs you submit, as these are necessary to deliver the Group Grounding feature you have requested.
- **Art. 6 Para. 1 lit. f GDPR (legitimate interest)** for the ingestion and caching of publicly available aggregate statistics.
  Our legitimate interest lies in providing a robust, reproducible, and statistically meaningful grounding feature; the source data is already public and aggregate, and our interest is not overridden by the rights of data subjects, since no identifiable natural persons are processed.
- In addition, processing of aggregate statistics for synthetic-research purposes is supported by **§ 27 BDSG** (processing for scientific or statistical purposes), to the extent applicable.

**Retention:** Aggregate distribution datasets are cached for the duration of their usefulness as ground-truth references and are refreshed when source data updates; group configurations are retained for the duration of the user's account plus 30 days after deletion (see Section 5). Inputs submitted to the web-search provider are retained according to that provider's terms (see Section 4.g).

**Sub-processors involved in Group Grounding** include the AI providers listed in Section 4.c (for generating grounded outputs), Tavily (Section 4.g, for public web search when used), and our hosting and database providers (Section 4.a–b).

### e. Payment Processing

If paid services are used, payment data is processed for the purpose of contract fulfillment. Processing is based on Art. 6 Para. 1 lit. b GDPR.

Payment processing is carried out through the payment service provider **Stripe Payments Europe, Ltd.**, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. No credit card data is stored; it is directly forwarded to Stripe. Stripe is a certified partner and is subject to strict data protection and security standards. A data processing agreement has been concluded with Stripe. Further information on data protection at Stripe can be found at: https://stripe.com/privacy.

### f. Mobile App Services (iOS/Android)

When you use Minds through our mobile applications (iOS/Android), the following additional services and device features are used:

#### Firebase Cloud Messaging (Push Notifications)

**Google LLC** (Firebase), 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, is used to deliver push notifications to your device. When you enable push notifications, a device token (a unique identifier for your device) is generated and stored on our servers to route notifications. No message content beyond the notification payload is shared with Firebase.

The legal basis for this processing is Art. 6 Para. 1 lit. a GDPR (consent), as push notifications are only sent after you explicitly grant permission. You can revoke this consent at any time by disabling notifications in your device settings.

A data processing agreement has been concluded with Google. Data transfer to the USA is based on the EU Commission's standard contractual clauses. Further information: https://firebase.google.com/support/privacy.

#### RevenueCat (In-App Purchases)

**RevenueCat, Inc.**, 1032 E Brandon Blvd #3003, Brandon, FL 33511, USA, is used to manage in-app purchases and subscriptions on mobile devices. RevenueCat processes an anonymized user identifier, purchase receipts, and subscription status. No personal data such as name or email is shared with RevenueCat.

The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment), as in-app purchase management is required to provide paid services.

A data processing agreement has been concluded with RevenueCat. Data transfer to the USA is based on the EU Commission's standard contractual clauses. Further information: https://www.revenuecat.com/privacy.
#### Native Authentication (Apple/Google Sign-In)

When you sign in using Apple Sign-In or Google Sign-In on mobile devices, an identity token is issued by Apple or Google and exchanged with our authentication service (Supabase) to create or link your account. We receive only the information you authorize (typically name and email address). No credentials are stored on our servers; authentication is handled via secure token exchange.

The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment).

#### Device Permissions

The mobile app may request access to the following device capabilities:

- **Microphone:** Required for voice mode (real-time conversations). Audio is streamed to Deepgram for transcription and is not stored on our servers.
- **Camera:** Used for capturing images to upload as content for AI analysis. Images are processed only when you explicitly initiate a capture.
- **Photo Library:** Used to select existing images or files for upload. Only files you explicitly select are accessed and uploaded.

Each permission is requested only when you first use the relevant feature. You can revoke any permission at any time through your device settings. The legal basis for this processing is Art. 6 Para. 1 lit. a GDPR (consent).

### g. Additional Data Processing Services

The platform uses additional specialized services to enhance functionality:

#### Tavily (Web Search)

**Tavily AI**, services via api.tavily.com, is used to provide web search capabilities within the platform. When you use search features, your search queries are transmitted to Tavily for processing.

The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment), as web search is a feature of the services offered.

Data transfer to the USA is based on the EU Commission's standard contractual clauses. Further information: https://tavily.com/privacy.
#### OCR.space (Optical Character Recognition)

**OCR.space API**, operated by A9t9 software GmbH, Nordstr. 8, 87561 Oberstdorf, Germany, is used to extract text from uploaded images and documents when OCR functionality is required. Image data is transmitted for processing.

The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment).

As A9t9 software GmbH is based in Germany, data remains within the EU. Further information: https://ocr.space/privacypolicy.

### h. Communication via Email

For sending platform-related emails (e.g., registration confirmations, password resets), the service **Resend** is used, offered by Resend Inc., 548 Market St PMB 95453, San Francisco, CA 94104-5401, USA. Resend processes the email address on our behalf.

The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment) for transactional emails.

A data processing agreement (DPA) has been concluded with Resend. Data transfer to the USA is based on the EU Commission's standard contractual clauses. Further information can be found in Resend's privacy policy: https://resend.com/legal/privacy-policy.

### i. Cookies

Cookies are used on the website. These are small text files stored on the end device. Some of the cookies used are so-called "session cookies." They are automatically deleted after the visit ends. Other cookies remain stored on the end device until they are deleted. These cookies make it possible to recognize the browser on the next visit.

Processing is based on Art. 6 Para. 1 lit. f GDPR from the legitimate interest in user-friendly website design, as well as on Art. 6 Para. 1 lit. a GDPR if corresponding consent has been given (e.g., for analytics cookies).

The browser can be configured to be informed about cookie placement and to allow cookies only on a case-by-case basis.

### j. Web Analytics with Google Analytics

This website uses functions of the web analytics service Google Analytics.
The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics uses cookies that enable analysis of your use of the website. The information generated by the cookie about your use of this website is usually transferred to a Google server in the USA and stored there.

The storage of Google Analytics cookies and the use of this analytics tool is based on your consent according to Art. 6 Para. 1 lit. a GDPR. You can change or revoke this consent at any time through our cookie settings.

We have activated IP anonymization on this website. As a result, your IP address is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area before being transmitted to the USA.

We have concluded a data processing agreement with Google. Data transfer to the USA is based on the EU Commission's standard contractual clauses. Details can be found here: https://privacy.google.com/businesses/controllerterms/mccs/.

More information on Google Analytics' handling of user data can be found in Google's privacy policy: https://support.google.com/analytics/answer/6004245.

### k. Product Analytics with PostHog

We use the product analytics service **PostHog**, provided by PostHog, Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA. PostHog helps us understand how users interact with our platform (e.g., which features are used most frequently) and includes session replay capabilities to improve the user experience and product quality. We have configured PostHog to process data in a privacy-friendly manner, with data hosted in the EU region.

The legal basis for this processing is your consent according to Art. 6 Para. 1 lit. a GDPR. You can revoke this consent at any time by adjusting your preferences in the cookie settings (under "Analytics"). If you decline analytics cookies, PostHog tracking and session replay will be disabled.
We have concluded a data processing agreement with PostHog. Data is processed in the EU region. Further information can be found in PostHog's privacy policy: https://posthog.com/privacy.

### l. A/B Testing with Convoy Labs

We use **Convoy Labs** for A/B testing of AI agent configurations to optimize the quality and performance of our AI features. When you interact with AI features, technical metadata about the interaction (such as which model configuration was used and response quality metrics) may be processed by Convoy Labs.

The legal basis for this processing is Art. 6 Para. 1 lit. f GDPR (legitimate interest). Our legitimate interest lies in optimizing and improving the quality of our AI features.

A data processing agreement has been concluded with Convoy Labs. Data transfer to the USA is based on the EU Commission's standard contractual clauses. No personally identifiable information beyond technical interaction metadata is shared with Convoy Labs.

### m. Conversion Tracking with TikTok Pixel

We use the **TikTok Pixel**, a conversion tracking tool provided by TikTok Information Technologies UK Limited and TikTok Technology Limited ("TikTok"). The TikTok Pixel allows us to track user actions and measure the effectiveness of our advertising campaigns on TikTok. The TikTok Pixel collects data about your interactions with our website (e.g., page views, registrations) and transmits it to TikTok.

The TikTok Pixel is **only activated with your explicit consent** for marketing cookies (Art. 6 Para. 1 lit. a GDPR). You can revoke your consent at any time.

Data transfer to third countries is secured by the EU Commission's standard contractual clauses. More information on TikTok's data processing: https://www.tiktok.com/legal/page/eea/privacy-policy/en.

### n. Conversion Tracking with X Pixel

We use the **X Pixel** (formerly Twitter Pixel), a conversion tracking tool provided by X Corp., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA ("X").
This tool helps us measure the success of our advertising on X. The X Pixel tracks actions on our website and transmits them to X.

The X Pixel is **only activated with your explicit consent** for marketing cookies (Art. 6 Para. 1 lit. a GDPR). You can revoke your consent at any time.

Data transfer to the USA is secured by the EU Commission's standard contractual clauses. More information on X's data processing: https://twitter.com/en/privacy.

## 5. Storage Duration and Data Deletion

Personal data is stored for the following periods:

| Data Category | Retention Period | Reason |
| --- | --- | --- |
| Account data (name, email) | Duration of account + 30 days after deletion | Contract fulfillment and account recovery |
| User Content (Flows, Minds) | Duration of account + 30 days after deletion | Contract fulfillment |
| Group Grounding configurations and inputs | Duration of account + 30 days after deletion | Contract fulfillment |
| Aggregate distribution datasets (no personal data) | Refreshed periodically; cached as long as required for the feature | Legitimate interest / statistical purpose |
| Server logfiles | 90 days | Security and debugging |
| Payment records | 10 years after transaction | German tax law (§ 147 AO) |
| Consent records | 3 years after withdrawal | Proof of consent (Art. 7 GDPR) |
| Analytics data | 14 months | Service improvement |
| AI interaction logs | 90 days | Quality assurance and debugging |
| Backup data | 30 days after deletion from active systems | Disaster recovery |

**Right to Deletion:** The deletion of the account and all associated data can be requested at any time. This can be done directly in the settings under [/settings/preferences](https://getminds.ai/settings/preferences). After such a request, personal data and user content are permanently removed from active systems within 30 days. Backup data is purged according to our backup retention schedule.
The data will no longer be used for training new models, and all reasonable technical steps will be taken to remove it from existing models as well.

## 6. Automated Decision-Making and Profiling

Our platform uses AI-powered features that may involve automated processing of your data:

### AI-Assisted Features

When you use our AI features (Flows, Minds, Group Grounding), your inputs are processed by AI models to generate outputs. This processing:

- **Does not constitute automated decision-making** with legal or similarly significant effects under Art. 22 GDPR
- Is used solely to provide the creative and conversational services you request
- Does not result in decisions that produce legal effects or significantly affect you
- Remains under your control—you decide how to use any AI-generated outputs

### Personalization

If you create a personal AI model ("My Mind"), the system analyzes your uploaded content to create a personalized AI assistant. This is based on your explicit request and consent (Art. 6 Para. 1 lit. a and b GDPR). You can delete your personal model at any time.

### Content Moderation

We may use automated systems to detect content that violates our Terms of Service (e.g., harmful content, policy violations). Flagged content may be reviewed by our team. You have the right to contest any moderation decision by contacting us.

### Your Rights Regarding Automated Processing

You have the right to:

- Obtain human intervention in decisions that significantly affect you
- Express your point of view and contest decisions
- Request information about the logic involved in automated processing
- Opt out of non-essential automated processing

To exercise these rights, contact us at [privacy@getminds.ai](mailto:privacy@getminds.ai).

## 7. EU AI Act Transparency and AI-Generated Content

### 7.1 AI System Disclosure

The Minds platform constitutes an AI system within the meaning of Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (the "EU AI Act"). This section explains how we process personal data in connection with our obligations under the EU AI Act, and how these interact with your rights under the General Data Protection Regulation (GDPR).

### 7.2 Notification of AI Interaction (Art. 50(1) EU AI Act)

Before or at the time of your first interaction with any Mind or AI assistant, we inform you that you are interacting with an AI system, not a natural person. This notification is provided through in-app disclosures, onboarding screens, and labelling within the user interface. We process your account identifier and interaction timestamp to record that this notification has been delivered.

### 7.3 Machine-Readable Marking of AI-Generated Content (Art. 50(2) EU AI Act)

We mark all AI-generated content (text, audio, and images) in a machine-readable format as artificially generated or manipulated. To fulfil this obligation, we process the following data:

- Content metadata (type, creation timestamp, generating model identifier).
- Provenance markers and watermarks embedded in the output.
- Your user identifier, to the extent it is associated with the generated content.

This marking is embedded at the point of generation and is designed to persist when content is shared or exported from the platform.

### 7.4 Synthetic Content Disclosure (Art. 50(4) EU AI Act)

Where Minds simulate the communication style, voice, or likeness of real individuals, or where group-grounded panels generate aggregate-style outputs that could be mistaken for statements of identifiable individuals, the resulting content constitutes synthetic content (commonly referred to as "deep fakes") within the meaning of Art. 50(4) of the EU AI Act.
We disclose the artificial origin of such content through visible labels in the user interface and machine-readable provenance metadata. To support this disclosure, we process the Mind configuration data (including the identity or persona being simulated) and the group-grounding configuration alongside the generated content metadata.

### 7.5 Legal Basis

The processing described in Sections 7.2 through 7.4 is carried out on the basis of Art. 6(1)(c) GDPR (compliance with a legal obligation to which the controller is subject). The legal obligation arises from Art. 50(1), (2), and (4) of the EU AI Act, which require providers of AI systems to ensure transparency toward users and to mark AI-generated content appropriately.

### 7.6 Data Processed for AI Transparency Purposes

The following categories of data are processed specifically for EU AI Act compliance:

| Data Category | Purpose | Retention |
| --- | --- | --- |
| AI interaction notification records | Proof of Art. 50(1) compliance | Duration of account plus 3 years |
| Content provenance metadata and watermarks | Art. 50(2) machine-readable marking | As long as the content exists on the platform, plus 1 year |
| Mind persona/configuration data | Art. 50(4) synthetic content disclosure | Duration of account plus 3 years |
| Group-grounding configuration (distribution parameters, sources used) | Art. 50(4) synthetic content disclosure for group-grounded outputs | Duration of account plus 3 years |
| Content generation logs (model, timestamp, type) | Auditability and regulatory accountability | 3 years from content creation |

This data is not used for profiling, marketing, or purposes unrelated to AI Act compliance.

### 7.7 Your Rights

In addition to your rights under the GDPR (see Section 8), you have the following rights in relation to AI-generated content transparency:

- **Right to know**: You may request confirmation of whether content you have received or generated on the platform has been marked as AI-generated, and details of the provenance metadata applied.
- **Right to access provenance information**: You may request a copy of the machine-readable provenance metadata associated with specific AI-generated content.
- **Right to object**: Where AI transparency processing relies on a legal basis other than legal obligation, you may object to such processing in accordance with Art. 21 GDPR. Please note that processing required by Art. 50 of the EU AI Act is a legal obligation and cannot be opted out of.

To exercise these rights, contact us at [privacy@getminds.ai](mailto:privacy@getminds.ai).

## 8. Rights of the Data Subject

Data subjects have the following rights regarding their personal data:

- **Right to Access** (Art. 15 GDPR)
- **Right to Rectification** (Art. 16 GDPR)
- **Right to Erasure** ("Right to be Forgotten") (Art. 17 GDPR)
- **Right to Restriction of Processing** (Art. 18 GDPR)
- **Right to Data Portability** (Art. 20 GDPR)
- **Right to Object** (Art. 21 GDPR)

There is also the right to **withdraw** consent at any time with effect for the future (Art. 7 Para. 3 GDPR). The withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.

To exercise these rights, the contact address mentioned above can be contacted.

## 9. Right to Lodge a Complaint with a Supervisory Authority

Without prejudice to any other administrative or judicial remedy, there is the right to lodge a complaint with a supervisory authority, in particular in the Member State of residence, place of work, or place of the alleged infringement, if it is believed that the processing of personal data violates the GDPR (Art. 77 GDPR).

The supervisory authority responsible for us is:

**Berliner Beauftragte für Datenschutz und Informationsfreiheit**
Friedrichstr. 219
10969 Berlin
Germany
Phone: +49 30 13889-0
Email: [mailbox@datenschutz-berlin.de](mailto:mailbox@datenschutz-berlin.de)
Website: https://www.datenschutz-berlin.de

## 10. Data Security

All necessary technical and organizational security measures are taken to protect personal data from loss and misuse. Data is stored in a secure operating environment that is not accessible to the public. Data transmission is encrypted using SSL technology.

## 11. Changes to This Privacy Policy

We reserve the right to adapt this privacy policy so that it always complies with current legal requirements or to implement changes to services in the privacy policy, e.g., when introducing new services. The new privacy policy will then apply to future visits.