Privacy Policy

Last updated: 2026-05-15

This policy describes how Minima collects, uses, shares, and retains personal information when you use our website, our applications, and our developer API. It is written to be specific enough to be useful and short enough to be read.

For details about how Minima uses your content with AI — including our position on training — see the Data Use page. For our security controls, see Security. For our contractual commitments, see the Terms of Service.

"Minima" refers to Minima Technologies, Inc., a corporation incorporated in the State of Delaware, United States, and the entity operating the Minima platform. For the purposes of the EU and UK GDPR, Minima Technologies, Inc. is the controller of personal data described in this policy, except where we act as a processor on your behalf (for example, when an organization administrator manages member accounts).

You can reach our privacy lead at privacy@minima.dev. If you are in the EEA or the UK and need a representative under Article 27 of the GDPR, contact us at the same address and we will direct you to our appointed representative.

Depending on how you use Minima, we collect some or all of the following:

• Account identifiers. User ID, email, hashed password, OAuth subject from Google, Apple, or GitHub, and display name.
• Authentication artifacts. Sessions, refresh tokens, hashed API keys, passkey credentials, and 2FA secrets.
• Profile and organization data. Profiles, organizations, memberships, roles, permissions, and groups.
• User content. Files, folders, sketches, code, node graphs, knob states, custom agent logic, and collaborative document state (Yjs).
• Uploaded media. Audio, image, and video assets you import into Minima from your local filesystem or cloud storage providers.
• AI prompts and outputs. Messages you send to the AI, model responses, intermediate "thinking" traces, and conclusions.
• Vector embeddings. Numerical representations of your content used for search and retrieval.
• Settings and UI state. Theme, layout, sidebar widths, open files, recent items, and keyboard shortcut overrides.
• Usage and billing. Credit transactions, subscriptions, rate-limit counters, and Stripe customer IDs.
• Telemetry and analytics. Product analytics events and error or crash reports, where you have consented.
• Device and connection metadata. IP address, user agent, approximate location derived from IP, and device identifiers on mobile.
• Communications. Transactional and lifecycle emails, and support correspondence you send us.
• Sync state. Pending operations, content hashes, document versions, and last-modified information used by the sync engine.

We do not collect the following from you in the ordinary course of using Minima:

• Microphone, camera, webcam, or screen-capture streams. Minima's audio engine synthesizes output; it does not record from your input devices.
• Biometric identifiers such as faceprints, fingerprints, or voiceprints.
• Precise GPS or device-level geolocation.
• Information from people we know to be under the applicable age of digital consent (see "Children" below).
• Raw payment card numbers. Card data is collected directly by Stripe; we receive a token, not the card itself.
• Special-category personal data under Article 9 of the GDPR (health, race, political opinion, religion, sexual orientation, and similar).
• Government-issued identification documents.

If we ever introduce a feature that needs any of these — for example, voice input to the AI — we will update this policy and ask for fresh consent.

For users in the EEA and the UK, we rely on the following lawful bases under Article 6 of the GDPR:

• Contract. To provide the service you signed up for: account management, sync, rendering, AI features, and billing.
• Legitimate interests. To keep the platform secure, prevent abuse, debug defects, and improve reliability — balanced against your rights and freedoms.
• Consent. For non-essential cookies and analytics, marketing emails, and any opt-in to use your content to train AI models.
• Legal obligation. To meet tax, accounting, and anti-fraud obligations.

We aim to keep personal data only as long as we need it. Default retention periods:

• Account record: while the account is active, and for 30 days after a deletion request to allow recovery from accidental deletion.
• User content (files, folders, projects): until you delete it or your account is deleted.
• AI conversation history: 12 months by default; configurable in settings; deletable at any time.
• Intermediate "thinking" traces: 30 days.
• Audit and security logs: 12 months, used for incident investigation.
• Payment and invoice records: 7 years, as required by US, EU, and UK tax law. This obligation survives an erasure request.
• Telemetry events: 13 months in PostHog, less where feasible.
• Backups: rotate on a schedule aligned with the primary retention. After an erasure request, deleted records are removed from backups on the next rotation cycle. Until then, they may persist in encrypted backup snapshots.

We share personal data only with vendors who help us operate Minima. Each is bound by a data processing agreement. Categories of recipient include:

• Infrastructure: Convex (on AWS), Fly.io, Cloudflare.
• AI model providers: Anthropic, OpenAI, Google.
• Payments: Stripe.
• Email delivery: Loops for transactional and lifecycle email.
• Product analytics: PostHog, where you have consented.
• OAuth providers: Google, Apple, GitHub — receiving only the minimum scopes needed to identify you.

We do not sell your personal information, and we do not share it for cross-context behavioral advertising. If that ever changes, we will provide a "Do Not Sell or Share" link and honor browser opt-out signals such as Global Privacy Control.

Minima is operated from the United States, and many of our vendors are US-based. When personal data is transferred from the EEA, the UK, or other jurisdictions with restricted-transfer regimes, we rely on appropriate safeguards.

EEA to US: we rely on the 2025 EU Standard Contractual Clauses, plus the EU–US Data Privacy Framework where the recipient is self-certified, and we maintain transfer impact assessments for each recipient.

UK to anywhere: we use the UK International Data Transfer Agreement or the UK Addendum to the EU SCCs, applying the "data protection test" introduced by the Data (Use and Access) Act 2025.

Brazil: we rely on the EU–Brazil mutual adequacy decision (effective 2026-01-27) for EU-to-Brazil flows, and on Brazilian Standard Contractual Clauses for transfers from Brazil to the United States.

Subject to local law, you have the following rights over your personal data. We honor them globally, regardless of where you live.

• Access a machine-readable export of your account, files, settings, AI conversations, and billing history.
• Rectify inaccurate information directly in your profile, or with our help.
• Erase your account and the personal data associated with it. Tax-record retention is the only carve-out.
• Port your data, in JSON and Yjs binary, using the same export endpoint.
• Restrict certain processing — for example, pausing AI features for your account.
• Object to processing based on legitimate interests, including profiling.
• Withdraw consent for analytics, marketing emails, training, or any other consent-based processing.
• Non-discrimination. Exercising a privacy right will never gate your access to the core service.
• Honor Global Privacy Control. The Minima web client recognizes the GPC browser signal as a valid opt-out of sale and sharing.

To exercise any of these rights, email privacy@minima.dev from the address on your account, or use the privacy panel inside the app where the right is supported there.

Minima sets only strictly-necessary cookies and similar storage by default — those required for sign-in, session continuity, and basic security. These cannot be disabled without breaking the service.

Optional product analytics (PostHog) and marketing pixels are gated behind an opt-in consent banner in the EU, the UK, Brazil, and other jurisdictions where consent is required. You can review and change your choices at any time from the privacy panel.

Minima is intended for adults — typically professional and hobbyist musicians, 3D artists, and game designers. The service is offered to users aged 16 or older in the EEA and the UK, and 13 or older elsewhere. We do not knowingly collect personal data from anyone below those ages and do not run targeted advertising to anyone under 18.

If you believe a child has created an account, contact privacy@minima.dev and we will investigate and delete it where appropriate.

Minima uses AI to help you make creative work. The model's outputs are creative artifacts that you accept, edit, or discard. We do not use AI to make decisions that have legal or similarly significant effects on you — for example, we do not use AI to decide whether to grant you credit, suspend your account, or hire you. If we ever introduce such a use, we will disclose it here and offer a meaningful human review path.

We will update this policy as the product evolves and as the law changes. Material changes will be announced in the product and by email at least 30 days before they take effect, and the "Last updated" date at the top will reflect the most recent revision.