Data Policy - Mindstage

Overview

This Data Policy provides detailed information about how Mindstage collects, processes, stores, and protects your data. It supplements our Privacy Policy with technical details about our data practices.

Key Principle: We believe in data minimization - we only collect what we need to provide and improve the Service.

1. Data Collection Methods

1.1 Direct Collection

Data Type	When Collected	Purpose
Account Data	Registration	User authentication and identification
Content Data	Creating scenarios/characters	Service functionality
Interaction Data	Using AI features	Personalization and improvement
Media Assets	Uploading/generating images	Visual content for scenarios

1.2 Automatic Collection

Session identifiers for anonymous users
Browser and device information via user agent strings
IP addresses for security and geographic location (country level only)
Timestamps for all user actions

2. Data Processing

2.1 AI Model Training

Important: Your personal conversations with AI characters are NOT used to train our models without explicit consent. We use aggregated and anonymized interaction patterns to improve the Service.

2.2 Content Moderation

We process content to:

Detect and prevent inappropriate content
Ensure compliance with community guidelines
Protect minors from harmful content
Prevent misuse of the Service

2.3 Analytics Processing

We analyze aggregated data to understand:

Popular scenario types and themes
Feature usage patterns
Performance metrics and errors
User engagement trends

3. Data Storage Architecture

3.1 Primary Database

Type: PostgreSQL with pgvector extension
Location: United States data centers
Encryption: AES-256 at rest, TLS 1.3 in transit
Backups: Daily automated backups, 30-day retention

3.2 Media Storage

Type: Object storage (cloud-based)
Access Control: Signed URLs with expiration
CDN: Global content delivery for performance
Retention: Active content retained indefinitely, inactive content after 90 days

3.3 Cache Layer

Type: Redis in-memory cache
Purpose: Session management and temporary data
Expiration: 24-hour default TTL

4. Data Security Measures

4.1 Technical Safeguards

Multi-factor authentication available for accounts
Rate limiting to prevent abuse
SQL injection prevention through parameterized queries
XSS protection via content security policies
CSRF tokens for form submissions
Regular security vulnerability scanning

4.2 Access Controls

Role-based access control (RBAC) for staff
Audit logs for all administrative actions
Principle of least privilege for data access
Regular access reviews and deprovisioning

4.3 Incident Response

In case of a data breach:

Immediate containment and investigation
Assessment of impact and affected users
Notification within 72 hours if required
Remediation and prevention measures
Post-incident review and improvements

5. Data Sharing and APIs

5.1 Third-Party Services

Service Type	Data Shared	Purpose
AI Providers	Prompts and content (anonymized)	Generate AI responses
CDN Provider	Public media assets	Content delivery
Email Service	Email addresses, names	Account notifications
Analytics	Anonymized usage data	Service improvement

5.2 API Access

Currently, we do not provide public API access to user data. Any future API development will include:

OAuth 2.0 authentication
Granular permission scopes
Rate limiting and quotas
Comprehensive audit logging

6. User Rights and Control

6.1 Data Access

You can access your data through:

Account settings page
Export functionality for your content
Data access request (response within 30 days)

6.2 Data Portability

Export your data in standard formats:

Scenarios and characters: JSON format
Media assets: Original image files
Account information: CSV format
Interaction history: JSON format

6.3 Data Deletion

Deletion is Permanent: When you request data deletion, we permanently remove your data from our active systems within 30 days. Some data may remain in backups for up to 90 days but will not be restored.

What gets deleted:

Account information and authentication data
All created scenarios and characters
Media assets and generated content
Interaction history and preferences

What may be retained:

Anonymized analytics data
Content that others have legitimately copied or shared
Data required for legal compliance

7. Data Retention Periods

Data Category	Active Retention	Post-Deletion
Account Data	Until account deletion	30 days
User Content	Until manually deleted	30 days
Session Data	30 days	Immediate
Analytics Data	2 years (anonymized)	N/A
Security Logs	1 year	N/A
Backup Data	30 days rolling	90 days max

8. International Data Transfers

8.1 Data Localization

Primary data storage is in the United States. For users outside the US:

Data is transferred using encrypted connections
We comply with applicable data transfer regulations
Standard contractual clauses are in place where required

8.2 Regional Compliance

GDPR (EU): Full compliance for EU users
CCPA (California): Enhanced rights for CA residents
Other Regions: We comply with local data protection laws

9. Automated Decision Making

9.1 AI-Driven Features

We use automated systems for:

Content recommendations based on interaction history
Character behavior and dialogue generation
Scenario difficulty and pacing adjustments
Inappropriate content detection and filtering

9.2 Human Oversight

You have the right to:

Request human review of automated decisions
Opt-out of certain automated features
Understand the logic behind recommendations

10. Updates and Notifications

10.1 Policy Changes

We will notify you of significant changes through:

In-app notifications
Email to registered users
Prominent notice on the Service
30-day advance notice for material changes

10.2 Transparency Reports

We publish annual transparency reports including:

Number of data requests received
Types of requests and responses
Security incidents (anonymized)
Data protection improvements

11. Contact and Support

Data Protection Officer

Email: [email protected]

Response time: Within 2 business days

Privacy Team

Email: [email protected]

Security Issues

Email: [email protected]

PGP key available upon request