Mindstream AI

Privacy Policy

Last updated April 22, 2026

This Privacy Notice for Mindstream Limited (doing business as Mindstream AI) ("Mindstream," "we," "us," or "our") describes how and why we collect, use, store, and share personal information when you use our services, including the Mindstream AI website, Chrome extension, and related support/billing workflows.

Questions: [email protected]

Summary Of Key Points

  • We collect account, billing, and usage information needed to provide the Services.
  • If you authorize Gmail access, we access Gmail message metadata and message content to generate prioritized action items.
  • Mindstream can create, replace, and delete follow-up draft replies that Mindstream itself created in your Gmail. Mindstream never reads, modifies, or deletes drafts you composed yourself. Mindstream never sends email on your behalf — every draft is left in your Drafts folder for you to review and send yourself.
  • We use Gmail API data only for user-facing functionality in Mindstream and not for advertising.
  • We may share data with service providers including Google, Supabase, Render, Cloudflare, Stripe, and OpenAI.
  • We do not sell personal information.
  • You can request access, correction, or deletion by contacting [email protected].

1. What Information Do We Collect?

Information you provide directly

We may collect personal information that you provide when you register, pay for access, contact us, or use the Services. Depending on how you use the Services, this may include your name, email address, account authentication data, billing and transaction information (payment card details are processed by Stripe, not stored by Mindstream), and support messages you send to us.

Information collected automatically

When you use our website, extension, or backend services, we may collect technical and usage information needed to operate and secure the Services, such as IP address, browser/device information, operating system, timestamps, request logs, diagnostic logs, and approximate location inferred from IP address. We do not collect GPS location.

Information from third parties

We collect some information from third parties when necessary to provide the Services, including Google OAuth account/profile information, Gmail API data that you authorize us to access, and Stripe billing/payment status and transaction metadata.

2. How Do We Process Your Information?

We process personal information to:

  • create and manage user accounts
  • authenticate users and maintain sessions
  • verify paid access or entitlements
  • provide the Chrome extension and backend features
  • generate and display prioritized action items
  • provide support and respond to requests
  • process billing workflows
  • monitor reliability, security, and abuse prevention
  • improve performance and usability of the Services
  • comply with law and enforce our terms

3. Gmail And Google API Data (Limited Use)

What Gmail data we access

  • message metadata (for example sender, recipient, subject line, timestamps, and thread identifiers)
  • message content/body text for emails processed to generate action items
  • Mindstream does not intentionally process Gmail attachments as part of the current action-item feature unless explicitly stated in-product in a future update
  • when you click "Draft follow-up" on a deal in the extension, Mindstream creates a draft reply message in your Gmail Drafts folder for you to review. If you click "Draft follow-up" again on the same deal, Mindstream may delete its own previously-created draft for that deal and replace it with a fresh one so you do not accumulate stale drafts. Mindstream only ever deletes drafts that Mindstream itself created.

Why we use Gmail data

We use Gmail API data only to provide and improve the user-facing functionality you request in Mindstream, such as retrieving emails for analysis and generating/displaying prioritized action items in the extension UI. Once you authorize Gmail access, the extension may also periodically process your recent emails in the background (approximately every 30 minutes) to keep your action items up to date without requiring manual refresh.

Drafts: Mindstream-only writes, never send

The Gmail authorization Mindstream requests includes permission to create, modify, and delete draft messages in your Gmail. Mindstream uses this permission ONLY to manage follow-up draft replies that Mindstream itself created at your explicit request (when you click the "Draft follow-up" button on a deal card in the extension). Mindstream never reads, modifies, or deletes drafts you composed yourself.

Specifically: when you click "Draft follow-up" on a deal, Mindstream creates a new draft reply in your Drafts folder. If you click "Draft follow-up" again on the same deal later, Mindstream may replace its previously-created draft for that deal by deleting the stale Mindstream-created draft and creating a fresh one — so you always see the latest suggested reply and do not accumulate stale drafts for the same thread. Mindstream tracks the draft IDs it creates in its own database so it only ever touches those specific drafts.

Mindstream does not call any Gmail send API and does not send email on your behalf under any circumstance. You always review the generated draft in Gmail and send it yourself. If Mindstream ever needs to send email (for example, for a future feature), that would require a separate feature release, an updated Privacy Policy, and explicit user consent.

Google API Limited Use commitments

  • We use Gmail API data only to provide or improve user-facing features in Mindstream.
  • We do not use Gmail API data for advertising.
  • We do not sell Gmail API data.
  • We do not use Gmail API data to train generalized or non-personalized AI/ML models for Mindstream.
  • We limit transfers of Gmail API data to service providers/processors needed to operate the requested feature (for example hosting/infrastructure providers and an AI processing provider).
  • We retain Gmail-related data only as long as necessary to provide the service, secure the system, comply with law, and handle legitimate operational needs.

Our use of information received from Google APIs is subject to the Google API Services User Data Policy, including the Limited Use requirements.

User controls and revocation

  • You choose whether to grant Gmail access in the extension.
  • You can disconnect/sign out in the extension.
  • You can revoke the app’s access in your Google account permissions.

Storage and deletion of Gmail-derived data

  • The extension may temporarily store authentication tokens/session information locally in Chrome extension storage to keep you signed in.
  • Mindstream may store generated outputs and related service records needed to provide the feature and support your account.
  • When you request account deletion, we delete or de-identify Gmail-derived data in active systems, except where retention is required for legal, security, fraud-prevention, or backup integrity reasons. Residual copies in backups/logs may persist for a limited period before deletion/rotation.

4. When And With Whom Do We Share Your Personal Information?

We may share personal information with vendors and service providers that help us operate the Services. Depending on the feature you use, this may include Google (Google OAuth and Gmail API), Supabase, Render, Cloudflare, Stripe, and OpenAI (AI processing).

  • We may also share information to comply with legal obligations and lawful requests.
  • We may share information to protect the rights, safety, and security of Mindstream, our users, or others.
  • We may share information in connection with a merger, financing, acquisition, or sale of assets.
  • We do not sell personal information.

5. Cookies And Tracking Technologies

We may use cookies and similar technologies on the website to operate the site, remember preferences, and support basic analytics/security functions. We do not use Gmail API data for targeted advertising. If we add additional analytics or tracking tools in the future, we will update this Privacy Notice.

6. AI Features And OpenAI Processing

Mindstream offers AI-assisted features that generate prioritized action items from email data you authorize us to process.

To provide these features, we may send relevant input data (which may include email metadata and email content/body text, or transformed excerpts of that data) to OpenAI through API-based services solely to generate the requested outputs for you.

We use OpenAI as a service provider/processor for this feature. We do not use Gmail API data for advertising, and we do not use Gmail API data to train generalized or non-personalized AI/ML models for Mindstream. OpenAI handling of API-submitted data is governed by OpenAI’s then-current API terms and privacy documentation.

7. Social Login (Google OAuth)

We currently offer sign-in using Google OAuth. If you choose to sign in with Google, we may receive limited account/profile information from Google (such as your name, email address, and account identifiers) needed to authenticate you and provide the Services. We do not currently offer Facebook, X, or other social network login options.

8. How Long Do We Keep Your Information?

We keep personal information only for as long as needed for the purposes described in this Privacy Notice, unless a longer retention period is required or permitted by law. Retention may vary based on the type of data, account status, legal obligations, fraud prevention, and operational needs. When we no longer need personal information, we delete it, de-identify it, or securely isolate it until deletion is feasible.

9. How Do We Keep Your Information Safe?

We use reasonable technical and organizational safeguards designed to protect personal information, including access controls, encryption in transit, monitoring, and security practices appropriate to the nature of the data.

For the extension and backend, this may include token/session handling controls and backend access restrictions. Where applicable in our Supabase-backed systems, we use row-level security (RLS) and service-side authorization checks to limit access.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

10. Do We Collect Information From Minors?

Mindstream is not directed to children under 18, and we do not knowingly collect personal information from children under 18. If you believe a child under 18 has provided personal information to us, please contact us at [email protected] and we will take reasonable steps to investigate and delete the data if appropriate.

11. What Are Your Privacy Rights?

Depending on where you live, you may have rights regarding your personal information, including the right to request access, correction, deletion, or a copy of certain data, and to appeal certain decisions where applicable. You may also have the right to withdraw consent for processing that is based on consent.

To exercise your rights, contact [email protected]. We may need to verify your identity before completing your request.

12. Controls For Do-Not-Track Features

Some browsers offer a Do-Not-Track (DNT) setting. Because there is not yet a uniform standard for responding to DNT signals, we do not currently respond to DNT signals. If that changes, we will update this Privacy Notice.

13. U.S. State Privacy Rights (Including California)

Residents of certain U.S. states (including California and others with applicable privacy laws) may have additional rights regarding access, deletion, correction, portability, and opt-out rights, subject to legal exceptions.

Categories of personal information (past 12 months)

  • Identifiers (for example name, email, account identifiers, IP address): YES
  • Customer records/personal information categories (contact and account information): YES
  • Protected classifications under state/federal law: NO (unless voluntarily provided and applicable)
  • Commercial information (purchase/transaction records and billing status): YES
  • Biometric information: NO
  • Internet or other network activity (logs, browser/device usage data): YES
  • Geolocation data: YES (approximate location inferred from IP only; no GPS collection)
  • Audio/visual information: NO (unless voluntarily submitted for support)
  • Professional/employment information: NO (unless voluntarily provided)
  • Education information: NO (unless voluntarily provided)
  • Inferences: YES, to the extent user-facing action prioritization outputs or service analytics infer priorities/preferences from authorized inputs
  • Sensitive personal information: We do not intentionally collect or use sensitive personal information for purposes requiring a separate right to limit, except as may be incidentally contained in user-provided or Gmail-authorized content

Sales and sharing

  • We do not sell personal information.
  • We do not use Gmail API data for targeted advertising.
  • We may disclose personal information to service providers/processors for business purposes described in this notice.

To submit a privacy rights request, email [email protected] with enough detail for us to identify your account and request. We may ask for additional information to verify your identity and authority. You may designate an authorized agent where permitted by law.

14. Updates To This Notice

We may update this Privacy Notice from time to time. When we do, we will update the Last updated date at the top of this page. If changes are material, we may provide additional notice through the website, extension, or email when appropriate.

15. Contact Information

Mindstream Limited (Mindstream AI)

Email: [email protected]

Mailing address (if you prefer to contact us by mail)

  • 3 Sugar Street
  • Office B3, 12/F., Causeway Bay Comm Building
  • Causeway Bay, Hong Kong

16. How To Request Access, Correction, Or Deletion

To request access to, correction of, or deletion of personal information we hold about you, email [email protected] and include your account email, the type of request (access, correction, deletion), and enough detail for us to understand and process your request. We may request identity verification before acting on your request and will respond within the timeframe required by applicable law.