Privacy Policy

Last updated: 23 May 2026

This policy explains what we collect, why, and the rights you have. Questions go to privacy@mindola.ai.

1. Who we are

Mindola acts as data controller for customer information and as processor for visitor data. For inquiries, contact security@mindola.ai.

2. Legal frameworks

We comply with the GDPR, Dutch UAVG, EU AI Act (Article 50 transparency from 2 Aug 2026), the ePrivacy Directive, the Digital Services Act, the DSM Copyright Directive, the Consumer Rights Directive, and Dutch portrait-rights law.

3. What we collect and why

Account data

• Identity: email, hashed password, name, avatar
• Billing: Stripe ID, plan, invoices
• Usage counters: daily request limits

Your knowledge

• Captures and derived embeddings (legal basis: contract)
• Voice-cloning samples are "biometric data" and require explicit, standalone consent

Visitor data

• Chat messages, voice calls (streamed, not persisted), session IDs, IP, user agent
• Transcripts retained 12 months by default

4. Voice as biometric data (GDPR Article 9)

A standalone consent page records a timestamped receipt and SHA-256 hash. A revoke button in your dashboard deletes the model from ElevenLabs within 24 hours. The original sample is deleted after training; only the model ID is retained.

5. AI disclosure (EU AI Act Article 50)

A non-dismissable "AI version of [Owner]" badge appears in the chat header, an audio cue plays on voice calls, and a deepfake notice appears in the footer when a persona resembles a real person. The platform always discloses its AI nature.

6. Age gating

The digital-consent age in the Netherlands is 16. Visitors under 16 are blocked, and we offer no parental-consent flows.

7. What we never do

• Train external models on customer data
• Sell data to brokers or ad networks
• Share authored content beyond explicitly attached spaces

8. Subprocessors

We keep a version-tracked list of subprocessors and give 30 days' advance notice of additions; customers may object on documented grounds.

All model vendors have signed agreements excluding customer content from training.

9. Your rights (GDPR)

• Access / rectification: edit fields in-app; contact us for others
• Article 17 (erasure): Settings → Danger zone deletes account, sources, embeddings, and voice model
• Article 20 (portability): Settings → Export delivers a JSON archive
• Article 21 (objection): object to legitimate-interest processing

We respond within 30 days (7-day internal target); submit via /contact or privacy@mindola.ai.

10. International transfers

EU hosting (Vercel, Neon). Non-EEA transfers use Standard Contractual Clauses and the UK IDTA where applicable.

11. Cookies & tracking

First-party (always set): session, CSRF token, theme preference, signed conversation cookie. No cross-site tracking.

Third-party (consent required): Google Analytics 4 (_ga, _ga_*, up to 2 years), loaded under Consent Mode v2 with analytics storage denied by default, IP anonymization enabled, and no pre-checked boxes.

12. Security & breach notification

Breaches are reported to the Dutch Autoriteit Persoonsgegevens within 72 hours (Art. 33); affected individuals are notified without undue delay if the risk is high (Art. 34).

13. Reporting abuse or illegal content

Under DSA Art. 16, submit via /report or copyright@mindola.ai. We acknowledge within 24 hours and act within 5 business days.

14. Changes

Material updates bump the "last updated" date and email affected customers. Older versions are retained in git.

15. Complaints

You can lodge a complaint with the Dutch Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl) or your local authority.