MindFrame

Legal

Privacy Policy

Effective: April 3, 2026 · Last updated: April 3, 2026

MindFrame ("we", "us", or "our") is operated by VaultSpark Studios LLC. This Privacy Policy explains what personal data we collect, why we collect it, how it is used, and your rights in relation to that data. By using MindFrame at usemindframe.com you agree to the practices described here.

1. Who We Are

VaultSpark Studios LLC is the data controller responsible for your personal data.

Data controller: VaultSpark Studios LLC
Contact: privacy@usemindframe.com

2. What Data We Collect

We collect the minimum data needed to provide MindFrame's services:

2.1 Account data

  • Email address (required to create an account)
  • Password (hashed; we never see your plain-text password)
  • Display name (optional — you may use a pseudonym)

2.2 Cognitive session data

  • Challenge answers, confidence ratings, and reasoning text you enter during sessions
  • Session scores — accuracy, calibration, and AI-scored reasoning quality
  • Mode selections and session duration
  • Coach session messages (multi-turn conversations with the AI coach)

2.3 Usage and analytics data

  • Pages visited and features used (collected via PostHog, an analytics platform)
  • Device type, browser, and approximate geographic region
  • Feature flag assignment (A/B test variants)

2.4 Payment data

Payment details (card numbers, billing address) are processed exclusively by Stripe and are never stored on MindFrame servers. We receive only a Stripe customer ID and subscription status.

2.5 Technical data

  • Authentication tokens (managed by Supabase; stored in secure httpOnly cookies or localStorage)
  • Theme preference (localStorage key mf-theme)
  • Cookie consent status (localStorage key mf-cookie-consent)
  • Push notification subscription token (if you opt in)

3. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, and Switzerland, our legal basis for processing personal data is:

Purpose | Legal basis
Providing the MindFrame service | Contract (Art. 6(1)(b) GDPR)
Analytics and product improvement | Legitimate interests (Art. 6(1)(f)) — only after consent via cookie banner
Sending transactional emails (receipts, password resets) | Contract
Sending drip / marketing emails | Consent (Art. 6(1)(a)) — you may opt out at any time
Legal compliance and fraud prevention | Legal obligation (Art. 6(1)(c))

4. How We Use Your Data

  • To create and manage your account
  • To deliver training sessions, calculate scores, and surface analytics
  • To power the AI Coach — your session history is passed to Claude (Anthropic) to generate personalised coaching feedback. This data is never used to train Anthropic's models.
  • To generate your Cognitive Fingerprint, Cognitive Twin, and aggregate reports
  • To send transactional emails (receipts, password resets, verification links)
  • To send coaching digests, streak reminders, and re-engagement emails (you may opt out)
  • To prevent abuse, fraud, and unauthorised access
  • To comply with legal obligations

5. Third-Party Services

We use the following third-party services to operate MindFrame. Each is bound by its own privacy policy and, where required, a Data Processing Agreement with us:

Service | Purpose | Data shared
Supabase | Authentication and PostgreSQL database | Account data, session data
Railway | API server hosting | All server-side data (processed in-transit)
Vercel | Web app hosting and edge CDN | Request logs (IP, headers)
Anthropic (Claude) | AI scoring, coaching, and daily intention | Challenge answers, reasoning text, session history
Stripe | Payment processing | Email, billing address
PostHog | Product analytics | Usage events, device info (with your consent)
Resend | Transactional and marketing email | Email address, name
Upstash (Redis) | Caching and real-time features | Cached AI responses (no PII)

We do not sell your data to any third party. We do not share your data with advertisers.

6. Data Retention

  • Account data: retained until you delete your account
  • Session and cognitive data: retained until you delete your account
  • Coach messages: retained until you delete your account; cross-session memory uses only the last 3 sessions for context
  • Analytics events (PostHog): retained for 24 months by PostHog
  • Email logs (Resend): retained for 30 days
  • Payment records: retained for 7 years as required by financial regulations
  • Server logs: retained for 30 days on Railway and Vercel

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Right of access: Request a copy of all data we hold about you
  • Right to rectification: Correct inaccurate data
  • Right to erasure: Delete your account and all associated data (see below)
  • Right to restriction: Ask us to limit how we process your data
  • Right to portability: Receive your data in a structured, machine-readable format
  • Right to object: Object to processing based on legitimate interests
  • Right to withdraw consent: Withdraw marketing consent at any time
  • Right to lodge a complaint: File a complaint with your local data protection authority

To exercise any of these rights, email privacy@usemindframe.com. We will respond within 30 days.

8. Account Deletion

You may delete your account at any time from your profile settings. Upon deletion:

  • All session data, cognitive scores, achievements, and coach conversations are permanently deleted
  • Your email address and account are removed from our systems within 30 days
  • Financial records required by law are retained for 7 years
  • Anonymised, aggregated analytics (no PII) may remain in aggregate statistics

9. Cookies and Tracking

We use cookies and similar technologies. For full details, see our Cookie Policy.

  • Essential cookies: authentication tokens (Supabase), theme preference — these are required and cannot be disabled
  • Analytics cookies: PostHog usage events — only collected with your consent (via the cookie banner)

10. Children's Privacy

MindFrame is not directed at children under 13 years of age. We do not knowingly collect personal data from children under 13. If we become aware that a child under 13 has provided personal data, we will delete it promptly. If you believe a child under 13 has registered, please contact privacy@usemindframe.com.

11. International Transfers

MindFrame is hosted on infrastructure in the United States (Railway, Vercel, Upstash). If you are accessing MindFrame from the EEA, UK, or Switzerland, your data may be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission to provide adequate protection for such transfers.

12. Security

We implement appropriate technical and organisational measures to protect your data:

  • Passwords are hashed using bcrypt; we never store plain-text passwords
  • All data in transit is encrypted with TLS 1.2 or higher
  • Database access is restricted to authorised services only
  • Authentication uses short-lived JWT tokens managed by Supabase
  • Redis cache stores no personally identifiable information

For our full security posture, see our Security Policy.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by a prominent notice on the MindFrame website before the change takes effect. The "Last updated" date at the top of this page indicates when the most recent changes were made.

14. Contact

For privacy questions, data access requests, or complaints:
privacy@usemindframe.com
VaultSpark Studios LLC