Privacy Policy
Last updated: April 2026
This notice describes how MindPath BI (“we,” “us”) collects, uses, and shares personal information when you use our customer service platform, and explains your privacy rights.
For privacy questions or to exercise your rights, email josef@mindpathbi.com.
1. What Data We Collect
Depending on how you use the service, we may process:
- Conversation and thread data — Messages, subjects, channels, timestamps, and related metadata associated with customer conversations (email, chat, or messaging threads).
- Contact and account information — Names, email addresses, phone numbers, job titles, channel identifiers, tags, and similar fields used to identify and serve customers.
- Usage data — Information about how the product is used (feature usage, session or audit events needed for security and operations), consistent with your organization’s configuration.
- AI interaction data — Content submitted to AI-assisted features (Copilot, summaries, suggested replies, classification), plus technical metadata needed to run those features safely and improve quality where permitted by contract and law.
- Integration credentials — OAuth tokens and API keys for third-party services you connect, stored encrypted at rest.
We collect this data from you, your organization, connected integrations you or your admin authorize, and automated systems (message ingestion and AI processing pipelines).
2. How We Use Your Information
We use personal information to:
- Deliver the service — Operate accounts, routing, inbox, Client 360, workflows, notifications, and integrations.
- Provide AI-assisted customer service — Generate summaries, drafts, routing hints, and similar assistive outputs grounded in your organization’s data and settings.
- Analytics and improvement — Understand product usage and reliability, in aggregate or on a per-tenant basis, as configured.
- Send service-related notices — Deliver transactional emails, support messages, and security alerts.
- Comply with legal obligations — Respond to lawful requests, enforce our terms, and protect rights and safety.
We do not use your data to run third-party advertising for unrelated companies. We process data as described in our agreements with your organization and as required by applicable law.
3. Legal Basis for Processing (GDPR)
For users in the European Economic Area, United Kingdom, and Switzerland, we process personal data on the following legal bases:
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Service delivery (inbox, Client 360, workflows) | Performance of contract | Art. 6(1)(b) |
| AI-assisted features (Copilot, classification, summaries) | Performance of contract | Art. 6(1)(b) |
| Account and billing management | Performance of contract | Art. 6(1)(b) |
| Security monitoring and audit logs | Legitimate interest (security) | Art. 6(1)(f) |
| Product analytics (aggregate) | Legitimate interest (improvement) | Art. 6(1)(f) |
| Tax, legal, and regulatory compliance | Legal obligation | Art. 6(1)(c) |
| Marketing communications (if applicable) | Consent | Art. 6(1)(a) |
4. Data Sharing
- We do not sell your personal information.
- We may use subprocessors (hosting, email delivery, AI providers, observability tools) strictly to provide the service. A current list is maintained on our Subprocessors page.
- We do not share your data with third parties for advertising purposes.
- We may disclose information if required by law or to protect rights, safety, and security.
5. International Data Transfers
- Primary processing: Application data is hosted in the European Union (OVH, France).
- US subprocessors: Certain subprocessors (Sentry for error tracking, GitHub for CI/CD) are located in the United States. Transfers to these subprocessors are governed by the EU Standard Contractual Clauses (SCCs).
- AI processing: AI inference via Google Gemini may be processed in the US or EU. Google’s data processing terms apply.
- We do not currently participate in the EU-US Data Privacy Framework (DPF). This section will be updated if certification is obtained.
- For full transfer details, see our Data Processing Addendum.
6. Cookies & Analytics
This website uses Vercel Web Analytics, a privacy-friendly analytics service. It collects anonymous, aggregated page-view data. It does not use cookies, does not collect personal information, does not track you across websites, and is fully compliant with GDPR, CCPA, and PECR without requiring a cookie consent banner.
The MindPath BI application uses only essential session cookies required for authentication. We do not use advertising cookies, cross-site tracking, or fingerprinting on any of our properties.
Do Not Track: We do not respond to “Do Not Track” browser signals because no uniform standard for processing these signals has been adopted. Regardless, our tracking practices are minimal as described above.
7. Your Rights
Depending on where you live, you may have the following rights:
| Right | GDPR | Description |
|---|---|---|
| Access | Art. 15 | Understand what data we hold about you. |
| Rectification | Art. 16 | Request correction of inaccurate personal data. |
| Erasure | Art. 17 | Request deletion, subject to legal and contractual limits. |
| Restriction | Art. 18 | Request restriction of processing in certain circumstances. |
| Portability | Art. 20 | Receive certain data in a structured, machine-readable form. |
| Object | Art. 21 | Object to processing based on legitimate interest. |
To exercise your rights, email josef@mindpathbi.com or use the in-product privacy tools your organization enables. We may need to verify your identity and coordinate with your organization’s administrator.
8. Additional Disclosures for California Residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) provides additional rights.
| Category | Sources | Business Purpose | Sold? |
|---|---|---|---|
| Identifiers (name, email, phone) | You, your organization, integrations | Service delivery, account management | No |
| Commercial information (orders, invoices via ERP sync) | Connected integrations | Client 360, business context for support | No |
| Internet/electronic activity (usage, audit logs) | Automated collection | Security, operations, analytics | No |
| Inferences (AI classification, sentiment, urgency) | AI processing pipelines | AI-assisted customer service | No |
Your California rights include:
- Right to know — Request the categories and specific pieces of personal information we hold.
- Right to delete — Request deletion, subject to legal and contractual exceptions.
- Right to correct — Request correction of inaccurate personal information.
- Right to opt-out of sale — We do not sell personal information.
- Right to limit use of sensitive information — We use sensitive information only as needed to provide the service.
- Non-discrimination — We will not discriminate against you for exercising any of these rights.
- Authorized agent — You may designate an authorized agent to make requests on your behalf; we may require verification of the agent’s authority.
9. Children
The Service is not directed to persons under the age of 18. We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected personal information from a person under 18, we will take steps to delete that information promptly.
10. Third-Party Integrations
Our platform integrates with third-party services including Meta (WhatsApp Business), Google (Gmail), Microsoft (Outlook), and others. When you connect these services:
- We only request permissions necessary for the features you use.
- You can disconnect any integration at any time from your settings page.
- Your use of those integrations is also subject to the respective third-party terms of service.
11. Data Security
We implement industry-standard security measures including:
- Encryption of sensitive credentials at rest using Fernet symmetric encryption.
- HTTPS for all data in transit.
- HMAC-SHA256 signature verification for webhook payloads.
- Role-based access control and multi-tenant data isolation.
12. Data Retention
We retain your data for as long as your account is active or as needed to provide services. Upon termination:
- Days 0–30: Export and migration window — you can request a full data export.
- Days 31–60: Staged deletion queue.
- Days 61–90: Final purge and certificate workflow.
| Data Category | Active Retention | Archive Period | Deletion Method |
|---|---|---|---|
| Thread messages | Duration of contract | 30 days post-termination | Pseudonymize then purge |
| Contact data | Duration of contract | 30 days | Hard delete + storage purge |
| Audit logs | 3 years | 1 year archive | Automated purge |
| Access logs | 1 year | 6 months archive | Automated purge |
| AI embeddings | Duration of contract | Purged with source | Vector delete |
| Knowledge Base documents | Duration of contract | 30 days | Storage + vector purge |
| API keys (hashed) | Until revoked | 90 days post-revocation | Hard delete |
| Session tokens | Until expiry | None | Auto-expire |
13. Data Subject Access Requests
You may submit a data subject access request (DSAR) for access, deletion, rectification, or portability. Our response targets:
- Acknowledgment: Within 3 business days.
- Completion: Within 30 days for standard requests.
- If an extension is needed, we will communicate before day 30 where legally allowed.
14. Changes
We may update this notice from time to time. The “Last updated” date at the top will change when we do; material changes may be communicated through the product or your organization.
15. Contact Us
If you have questions about this Privacy Policy, please contact us at josef@mindpathbi.com.