Who's behind the site.
The Dutch colofon required of every commercial website operating in the Netherlands, plus how we protect your knowledge in practice.
Operator
Mindola
Once the legal entity is registered with the Kamer van Koophandel, the company name, registered address, and KvK number will be published here.
Registered address
Postal address will be published here when the legal entity is registered with the KvK. In the interim, written correspondence (including service of process and notices under the Terms) can be sent care of hello@mindola.ai and a postal address will be provided on request.
KvK (Chamber of Commerce)
KvK registration number: pending - published here on incorporation.
Person responsible for content
Person responsible for the content of this site under §5 TMG / Dutch press law: published here once the legal entity is registered. For media or legal enquiries in the interim, contact press@mindola.ai.
Contact
- General: hello@mindola.ai
- Support: support@mindola.ai
- Privacy / DPO: privacy@mindola.ai
- Security: security@mindola.ai
- Copyright / takedown: copyright@mindola.ai
- Abuse / safety reports: /report
- Press: press@mindola.ai
VAT
BTW / VAT number: pending. Cross-border EU B2C digital services are accounted for under the One-Stop Shop scheme (declared via the Dutch Belastingdienst). B2B EU customers are billed under reverse-charge with VIES-validated VAT IDs.
Supervisory authorities
- Data protection: Autoriteit Persoonsgegevens (Dutch DPA), autoriteitpersoonsgegevens.nl.
- Consumer protection: Autoriteit Consument & Markt (ACM), acm.nl.
- Online dispute resolution: European Commission ODR platform, ec.europa.eu/consumers/odr.
Liability disclaimer
External links to third-party sites are provided for convenience. Mindola is not responsible for their content. AI outputs on the platform are generated by language models and may contain inaccuracies; see the Terms for warranty and liability scope.
Security
How we protect your knowledge in practice - not in marketing copy. If something here doesn't match what you see in the product, that's a bug; mail security@mindola.ai.
Encryption
- At rest - AES-256-GCM. Sensitive fields (visitor questions, owner replies, transcribed audio, OCR text) use envelope encryption with per-row data keys, themselves encrypted by a master key in a managed KMS.
- In transit - TLS 1.3 only. HSTS preloaded. No HTTP fallback anywhere.
- Backups - Encrypted with the same scheme. Daily snapshots, 30-day retention, restore tested quarterly.
Isolation
- Every query is filtered by userId. There is no admin-impersonation backdoor.
- Lenses are scoped at the database layer to the spaces the owner explicitly attached. A misconfigured scope can't leak across users.
- Visitor sessions get short-lived signed cookies (HMAC-SHA256) keyed to the lens token - replay-resistant across lenses.
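A lens-bound visitor cookie of the kind described above, as an added illustration in JavaScript (Node.js). It is not Mindola's code: the cookie layout, the per-lens key derivation and every name in it are assumptions.

```javascript
// Added example (not Mindola's implementation). Layout "sessionId.expires.tag",
// the key derivation and all names are assumptions made for illustration.
const crypto = require('node:crypto');

// Constructed secret; a real deployment would load it from a secret store.
const SERVER_SECRET = crypto.randomBytes(32);

// Per-lens MAC key: a tag minted under one lens token cannot verify under another.
function lensKey(lensToken) {
  return crypto.createHmac('sha256', SERVER_SECRET)
    .update('lens-key:' + lensToken).digest();
}

function mac(lensToken, payload) {
  return crypto.createHmac('sha256', lensKey(lensToken)).update(payload).digest();
}

// sessionId must not contain '.', which is the field separator.
function issueCookie(lensToken, sessionId, ttlSeconds, now = Date.now()) {
  if (sessionId.includes('.')) throw new Error('sessionId must not contain "."');
  const expires = Math.floor(now / 1000) + ttlSeconds;
  const payload = `${sessionId}.${expires}`;
  return `${payload}.${mac(lensToken, payload).toString('base64url')}`;
}

function verifyCookie(lensToken, cookie, now = Date.now()) {
  const parts = String(cookie).split('.');
  if (parts.length !== 3 || !/^\d+$/.test(parts[1])) {
    return { ok: false, reason: 'malformed' };
  }
  const [sessionId, expires, tag] = parts;
  const expected = mac(lensToken, `${sessionId}.${expires}`);
  const given = Buffer.from(tag, 'base64url');
  // Check the signature before trusting any field, in constant time.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  if (Number(expires) <= Math.floor(now / 1000)) {
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, sessionId };
}
```

The expiry is covered by the tag, so extending it invalidates the cookie, and a cookie copied to a different lens fails with bad-signature rather than being accepted.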
Authentication
- Password sign-in with bcrypt at cost 12. Reset flow uses one-time signed links with 30-minute TTL.
- Google OAuth via NextAuth.
- Magic-link email sign-in for accounts that prefer no password.
- Sessions are HttpOnly + SameSite=Lax cookies, signed; rotated on privilege change.
Network
- Hosted on Vercel; database on Neon. Both in EU regions by default.
- Strict Content-Security-Policy on every route. No 'unsafe-eval' in production. frame-ancestors is locked to 'self' except on /me/* visitor pages, which are embeddable by design.
- Strict Permissions-Policy: camera off, geolocation off, microphone gated by the user gesture.
Data lifecycle
- Export - Settings → Export delivers a JSON archive of every capture and lens transcript. GDPR Article 20.
- Delete - Settings → Danger zone removes the account row, every source row, every chunk row, every embedding, every blob, every session. GDPR Article 17. Irreversible.
- Source delete - When you trash a single source, the file in object storage is also deleted (we recently fixed a bug where images survived; see the changelog).
Models
- We never train any model on your data - not ours, not the vendors'.
- OpenAI and Anthropic are configured with "no training on input" via their API agreements.
- The API agreements (not consumer products) are the only path we use.
What we're working on
- Customer-managed keys - pilot with enterprise customers.
- Audit log API - read-only stream of admin actions for compliance teams.
Reporting a vulnerability
Mail security@mindola.ai. We acknowledge within one business day, ship a fix within seven days for confirmed high-severity issues, and credit researchers in the changelog if you'd like.