Privacy Policy — mynd
Effective date: August 12, 2025
Entity: mynd
Contact: contact@mynd.im
This Privacy Policy explains what data we collect, how we use it, how it’s shared, and the choices you have. It applies to the mynd marketing site (https://mynd.im), the app (https://app.mynd.im), and related services (collectively, the “Service”).
1) What we collect
A. Account & app data you provide
- Contact and account data: name, email, password or identity from a third-party sign-in (Google), organization/team name.
- Preferences and in-app settings.
- Support communications.
B. Data from Google APIs (via OAuth, with your consent)
Depending on the features you enable, mynd may request Google OAuth scopes to access:
- Google Calendar data: calendars, event metadata and content you select (e.g., titles, descriptions, attendees, start/end times) to compute availability, create or update events you request, and surface reminders. Typical scopes: https://www.googleapis.com/auth/calendar.readonly (read), https://www.googleapis.com/auth/calendar.events (create/update). (These are commonly categorized by Google as sensitive and subject to verification.)
- Gmail data (only if you enable email features): message metadata and/or content strictly for user‑requested features (e.g., summarizing threads you select, drafting emails you ask us to prepare, or applying mailbox changes you request). Scopes we may request: https://www.googleapis.com/auth/gmail.readonly (read), https://www.googleapis.com/auth/gmail.compose (create/manage drafts; send drafts you request), and https://www.googleapis.com/auth/gmail.modify (mark read/unread, archive, add/remove labels). We do not request https://mail.google.com/ and we do not use IMAP/SMTP.
We request the minimum permissions necessary and, where possible, use incremental auth to request scopes in context so you understand why access is needed.
C. Automatically collected technical data
- Device and browser info, IP address, timestamps, request logs, diagnostics, and usage analytics necessary to operate and secure the Service.
D. Derived data
- Feature usage metrics, aggregated statistics, and models that do not contain readable Google message content.
2) How we use data
- Provide and improve user-facing features you select (e.g., availability views, event creation, email drafting/sending you request).
- Authenticate you and operate core app flows (including Google OAuth).
- Maintain security, prevent abuse, debug issues, and measure reliability.
- Provide support and communicate service updates.
Google API Services User Data Policy / Limited Use. For data obtained through Google APIs (including Gmail and Calendar), we limit use to providing or improving user-facing features that are prominent in the app; we do not use this data for advertising; and we comply with Google’s “Limited Use” requirements for sensitive/restricted scopes.
Affirmative disclosure. The use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
In-product transparency and consent. We provide clear, contextual disclosures when requesting new permissions and will prompt you to consent to material changes in how we use Google data, consistent with Google’s policy on accurately representing identity, data requested, and purpose.
3) Human access, sharing, and transfers
- No human reading of Gmail content except: (i) with your explicit direction, (ii) for security (e.g., investigating abuse), (iii) to comply with law, or (iv) for internal operations where the data has been aggregated and anonymized.
- No sale of your personal information; no ads based on Google user data.
- Service providers (processors). We use vetted subprocessors to host, store, and process data on our behalf under confidentiality and security obligations, e.g., Vercel (hosting/deployments) and Convex (application backend/database & jobs). We restrict access by role and log access.
- No transfers of Gmail restricted-scope data to third parties except as necessary to provide or maintain the user-facing features you selected, to comply with law, or as part of a merger/acquisition with equivalent protections. (Limited Use.)
4) Data retention and deletion
- Operational data. We retain Google-sourced content only as long as needed to deliver the feature you enabled or as required by law. Where feasible, we store only minimal structured metadata and ephemeral caches for performance.
- User-initiated deletion. In Settings → Privacy & Data → Delete My Data, you can request deletion of Google-sourced content we hold. We begin deletion immediately and complete primary deletion within 7 days; backups and logs are purged within 30 days (or earlier where feasible).
- Revocation. You can disconnect mynd’s access at any time in your Google Account → Security → Third-party access; you may also disconnect from within mynd. Revocation stops further access.
Push notifications (webhooks). For faster sync, we subscribe to Google push notifications for Calendar (and may enable Gmail watch). Notifications include identifiers used to fetch the latest state you request. We store minimal metadata and do not store Gmail message bodies or attachments.
5) Security
We employ industry-standard measures, including encryption in transit and at rest, least-privilege access controls, audit logging, secret rotation, and vulnerability management aligned with widely recognized application security practices. For apps that use restricted Gmail scopes and store/transmit restricted data, Google requires a Cloud Application Security Assessment (CASA) conducted by an approved assessor, renewed periodically. We follow Google’s requirements where applicable.
6) Your choices and rights
- Access/Export/Correction/Deletion. Use in-app controls or contact us at contact@mynd.im.
- Disconnect Google. Revoke access in mynd and/or in your Google Account as described above.
- Regional rights. Where applicable (e.g., California, EEA/UK), you may have additional rights over your personal data. We honor verified requests consistent with applicable law.
7.1) Derived profile insights
We may compute derived, non‑content insights from headers and metadata you select (e.g., correspondent domains, frequency, reply latency) to personalize features. We do not use Google user data for advertising and adhere to Limited Use.
7) Children
The Service is not intended for children under 13 (or older age as defined by local law). We do not knowingly collect data from children.
8) International transfers
We may process data in the United States and other countries where our providers operate, with appropriate safeguards.
9) Changes
We will update this policy from time to time. Material changes will be posted on this page with a new “Effective date.”