Privacy Policy

Last updated: April 22, 2026

This document is written in English. In case of conflict between translations, the English version prevails.

1. Introduction

Mindex ("we", "us", "our") operates the Mindex platform (usemindex.dev), an AI-powered knowledge base service. Mindex is based in Brazil.

This Privacy Policy explains how we collect, use, store, share, and protect your personal data in compliance with the Brazilian General Data Protection Law (LGPD — Lei 13.709/2018) and the European General Data Protection Regulation (GDPR — Regulation (EU) 2016/679).

By accessing or using the Mindex platform, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with this policy, you must not use the service.

2. Data We Collect

We collect the following categories of personal data:

  • Account data: email address, hashed password (bcrypt), authentication provider information (if you sign in via OAuth providers such as Google or GitHub), display name, and account creation timestamp.
  • Content data: documents you upload to the platform, including text content, metadata, file names, and any data derived from processing those documents (such as embeddings, tags, and graph relationships).
  • Usage data: API request logs, feature usage patterns, timestamps, IP addresses, request frequency, and error logs.
  • Technical data: browser type and version, device information, operating system, session data, and cookies necessary for authentication and service operation.

3. How We Use Your Data

We process your personal data for the following purposes:

  • Service provision and maintenance: to provide, operate, maintain, and improve the Mindex platform.
  • Document processing: to process and index your documents, including chunking, embedding generation, knowledge graph construction, and semantic indexing.
  • AI-powered enrichment: automatic tagging, relationship discovery, and semantic linking of your content using artificial intelligence.
  • Analytics and monitoring: service analytics, performance monitoring, and usage tracking (including Google Analytics).
  • Communication: account notifications, security alerts, service updates, and responses to your inquiries.
  • Billing and payment processing: processing payments and managing subscriptions via Stripe. We do not store your payment card details; Stripe handles all payment data directly.
  • Legal compliance: to comply with applicable laws, regulations, and legal processes.

The legal bases for processing under LGPD (Art. 7) and GDPR (Art. 6) include: performance of a contract, legitimate interests, consent, and compliance with legal obligations.

4. Third-Party AI Processing

Your document content is sent to third-party AI providers for processing. This is a core and essential part of how Mindex operates.

The following third-party AI providers may process your content:

  • OpenAI: embedding generation, document enrichment, and content analysis.
  • Anthropic: document enrichment, automatic tagging, and content analysis.
  • Google AI: embedding generation and content processing.

Purpose: these providers are used for generating embeddings, auto-tagging, auto-linking, and other AI enrichment features that are core to the Mindex service.

Data is transmitted to these providers via encrypted API connections (TLS/HTTPS). We select providers that commit to not using customer data for model training; however, we do not control the internal data retention policies or practices of these third-party providers. We cannot guarantee their internal practices beyond their published policies. We strongly encourage you to review each provider's privacy policy independently.

By using Mindex, you expressly consent to this processing. If you do not agree to your content being processed by third-party AI providers, do not upload content to the platform.

5. International Data Transfer

Your data may be transferred to and processed in countries outside Brazil, including the United States and countries within the European Union, where our infrastructure providers and AI services operate.

These international transfers comply with LGPD Chapter V (International Transfer of Personal Data) and GDPR Chapter V (Transfers of Personal Data to Third Countries or International Organisations). We rely on standard contractual clauses, adequacy decisions, and other legally recognized transfer mechanisms where applicable.

Where required, we implement supplementary measures to ensure an adequate level of protection for your personal data during international transfers.

6. Data Retention and Deletion

  • Your personal data is retained for as long as your account remains active or as needed to provide you with the service.
  • You may request deletion of your data at any time by contacting [email protected].
  • Upon receiving a valid deletion request, we will remove your account, documents, embeddings, graph relationships, and all associated personal data from our active systems.
  • Deletion is permanent and irreversible. Once your data is deleted, it cannot be recovered.
  • Backups may retain copies of your data for up to 30 calendar days following the deletion request, after which the data will be permanently purged from backup systems.
  • We may retain anonymized, aggregated data that cannot be used to identify you for analytical and statistical purposes.

7. Your Rights

Under LGPD (Art. 18) and GDPR (Art. 15–22), you have the following rights regarding your personal data:

  • Right of access: request a copy of your personal data held by us.
  • Right of correction: request correction of inaccurate or incomplete personal data.
  • Right of deletion: request deletion of your personal data, subject to legal retention obligations.
  • Right of portability: request your data in a structured, commonly used, and machine-readable format.
  • Right to revoke consent: withdraw your consent to data processing at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
  • Right to information: know which public and private entities your data has been shared with.
  • Right of opposition: object to processing of your personal data in certain circumstances, including processing based on legitimate interests.
  • Right to review automated decisions: request human review of decisions made solely on the basis of automated processing that affect your interests.

To exercise any of these rights, contact us at [email protected]. We will respond within 15 business days as required by LGPD or within 30 calendar days as required by GDPR, whichever applies to your situation.

8. Cookies and Tracking

We use the following types of cookies and tracking technologies:

  • Essential cookies: session management (httpOnly refresh_token cookie) and authentication. These cookies are strictly necessary for the operation of the service and cannot be disabled.
  • Analytics: Google Analytics with anonymized IP addresses for usage pattern analysis and service improvement.

We do not use third-party advertising cookies. We do not sell, rent, or share your personal data with advertisers or data brokers.

9. Security

We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Passwords hashed with bcrypt using industry-standard cost factors.
  • JWT (JSON Web Token) authentication with short-lived tokens (15-minute TTL).
  • HTTPS (TLS) enforced on all connections.
  • API keys stored as SHA-256 cryptographic digests; raw keys are never persisted.
  • Role-based access control (RBAC) within organizations.
  • Rate limiting on authentication endpoints and API requests to prevent brute-force and abuse.
  • Regular security reviews and monitoring of infrastructure and application layers.

While we strive to use commercially acceptable means to protect your personal data, no method of transmission over the Internet or method of electronic storage is 100% secure, and we cannot guarantee absolute security.

10. Children's Privacy

Mindex is not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. If you are under 18, do not use the service or provide any personal data.

If you believe that a minor has provided us with personal data, please contact us immediately at [email protected], and we will take steps to delete such data promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

Material changes will be communicated via email to registered users at least 15 days before taking effect. Continued use of the service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy.

The "Last updated" date at the top of this page reflects the most recent revision.

12. Contact

For privacy-related inquiries, data subject requests, or complaints regarding the processing of your personal data, please contact us:

If you are not satisfied with our response, you have the right to lodge a complaint with the Brazilian National Data Protection Authority (ANPD) or your local supervisory authority under GDPR.