Privacy Policy

Last updated: April 22, 2026

1. Introduction

Welcome to MiN8T. This Privacy Policy (the "Policy") explains how MiN8T Inc. ("MiN8T,""we,""us," or "our") collects, uses, discloses, and protects your personal information when you access or use the MiN8T platform, including our website, email editor, APIs, Plugin SDK, and all related services (collectively, the "Service").

MiN8T is a professional email template editor that enables individuals and teams to design, build, and export responsive email templates. We provide integrations with over 108 Email Service Providers (ESPs), AI-assisted content generation, brand management tools, list cleaning, DMARC monitoring, and collaborative editing capabilities.

This Policy applies to all users of the Service, including visitors to our website, registered account holders, team members invited to a workspace, and developers integrating with our Plugin SDK or API. It does not apply to the practices of companies we do not own or control, or to individuals we do not employ or manage.

By creating an account, accessing the Service, or clicking "I Agree," you acknowledge that you have read and understood this Policy and consent to the collection, use, and disclosure of your information as described herein. If you do not agree with any part of this Policy, you must not use the Service.

This Policy should be read in conjunction with our Terms of Service, which govern your use of the Service.

2. Information We Collect

We collect information in several ways: directly from you when you provide it, automatically when you use the Service, and from third-party sources when you connect external accounts. The types of information we collect are described in detail below.

2a. Account Information

When you register for an account, we collect the following personal information:

Name: Your first name and last name, used to personalize your account and for team collaboration features.
Email Address: Your email address, which serves as your primary login identifier and is used for account verification, password recovery, service notifications, and billing communications.
Password: Your password is cryptographically hashed using bcrypt before storage. We never store your password in plaintext and cannot retrieve your original password.
Job Function: Your professional role or job function, collected optionally to help us tailor the Service to your needs.
Phone Number(s): Optionally provided for account recovery or two-factor authentication purposes.
Profile Photo: An optional profile image you upload for display within team workspaces and collaboration features.
Logo Color: A color preference associated with your account, used for visual identification when a profile photo is not provided.
Account Preferences: Settings you configure, including your preferred locale (language/region), theme preference (light or dark mode), and email notification preferences.

2b. Billing Information

When you subscribe to a paid plan or purchase pay-as-you-go credits, payment processing is handled entirely by Stripe, our PCI-DSS compliant payment processor.

Important: MiN8T does not collect, process, store, or have access to your full credit card number, debit card number, or bank account details. All payment card data is transmitted directly from your browser to Stripe's servers and never touches MiN8T infrastructure.

We receive and store only the following billing-related information from Stripe:

Stripe Customer ID: A unique identifier linking your MiN8T account to your Stripe customer profile.
Subscription Status: Your current plan tier (Free, Professional, Business, or Enterprise) and subscription status (active, canceled, past due).
Payment Method Summary: The last four digits and brand of your payment card (e.g., "Visa ending in 4242"), used solely for display in your billing settings.
Invoice History: Records of charges, refunds, and credits associated with your account.

2c. Usage Data

We operate our own internal analytics engine to understand how users interact with the Service. We do not use Google Analytics or any third-party behavioral tracking platform. Our analytics system collects the following:

Editor Events: Actions taken within the email editor, such as template_created, template_opened, block_added, block_moved, block_deleted, editor_opened, editor_closed, module_saved, and export_completed.
Page Views: Which pages and features you visit within the application, along with navigation patterns.
Session Duration: How long you actively use the Service per session, measured via our internal session tracking.
Feature Adoption: Which features you use (e.g., AI content generation, brand guidelines, ESP integrations), helping us prioritize development and improvements.
Performance Metrics: Web vitals and performance data including page load times, interaction responsiveness, and rendering performance, used to optimize the Service.

Our analytics engine assigns each session an analytics session ID (stored in browser local storage as analytics_session_id) to correlate events within a single session. This identifier is not shared with any third party.

Do Not Track: We honor the Do Not Track (DNT) browser signal. When DNT is enabled, our analytics engine will not collect usage events or session data. You may also opt out of analytics tracking at any time through your account settings.

2d. Device & Technical Data

When you access the Service, we automatically collect certain technical information from your device and connection:

IP Address: Your Internet Protocol address, used for security purposes (session validation, rate limiting, abuse prevention) and for approximate geographic location determination.
User Agent: Information about your browser type, version, and operating system, used for compatibility optimization and security monitoring.
Country Detection: We use GeoIP lookup (based on your IP address) to determine your approximate country of origin. This data is stored as a country code (e.g., "US") and country name (e.g., "United States") alongside your session record. We do not perform city-level or street-level geolocation.
Device Type: Whether you are accessing the Service from a desktop, tablet, or mobile device, used to optimize the user interface.
Session Information: For each authenticated session, we store a session token (JWT), the IP address and user agent from which the session was created, the session's expiration time, and the timestamp of your last activity within that session.

2e. User-Generated Content

The Service is designed to help you create and manage email content. In the course of using the Service, you may create or upload the following types of content, all of which are stored on our servers:

Email Templates: The email designs you create within the editor, stored as both HTML (the rendered email) and JSON (the structured, editable representation). Templates include all text, styling, layout, and structure data.
Images & Media: Files you upload to the Asset Library for use in your email templates, including PNG, JPG, GIF, and WebP images. These files are hosted on our content delivery network (CDN) infrastructure.
CSV Email Lists: If you use our list cleaning service, you may upload CSV files containing email addresses and associated data for validation and hygiene purposes.
Brand Guidelines: Brand assets and configuration you define, including brand colors, typography preferences, logo files, and style rules that can be applied to templates.
Team Comments: Comments and annotations you leave on templates during collaborative editing, including the comment text, timestamp, and your identity as the commenter.
Saved Modules: Reusable content blocks you save to your library for insertion into future templates.

You retain full ownership of all content you create or upload. Please refer to our Terms of Service for details on intellectual property rights and our limited license to host and display your content within the Service.

2f. Integration Data

When you connect your MiN8T account to third-party services, we collect and store certain data necessary to maintain those integrations:

ESP OAuth Tokens: When you authorize an ESP integration (such as Brevo, Mailchimp, Klaviyo, HubSpot, ActiveCampaign, or any of our 108+ supported platforms), we receive and securely store OAuth access tokens and refresh tokens that allow us to act on your behalf within that platform. These tokens are encrypted at rest and are used only to perform actions you explicitly initiate, such as exporting a template to your ESP account.
Synced Contacts & Lists: When you use an ESP integration that involves syncing contact lists, we may temporarily process contact data to facilitate the sync. We do not permanently store ESP contact data beyond what is necessary to complete the requested operation.
DMARC Reports: If you use our DMARC monitoring feature, we receive and process DMARC aggregate and forensic reports sent to your configured reporting address. These reports contain information about email authentication results for your domain(s).
Email on Acid Results: If you use the email client testing feature, we transmit your template HTML to Email on Acid for rendering across email clients. Rendered screenshots and compatibility results are stored temporarily for your review.

2g. Cookies & Local Storage

We use cookies and browser storage mechanisms to maintain your session, remember your preferences, and operate the Service. We do not use third-party advertising or tracking cookies.

Cookies:

x_token — An authentication cookie containing your session token, used to maintain your logged-in state across page loads. This is a strictly necessary cookie required for the Service to function.

Local Storage (browser):

x_token — A copy of your authentication token stored in localStorage as a fallback mechanism for session persistence.
refresh_token — A token used to obtain a new session token when your current session expires, allowing seamless session renewal without requiring you to log in again.
min8t_user_profile — A cached copy of your user profile data (name, email, preferences) to reduce network requests and improve page load performance.
template_filter_state — Your most recent filter and sort preferences in the template listing view, so these persist between visits.
grid_visible_columns — Your column visibility preferences for data grid views.
search_tags — Recently used search tags and filters for quick access.
analytics_session_id — A randomly generated session identifier used by our internal analytics engine to group events within a single browsing session. This ID is not shared with third parties. It is cleared when you close your browser or opt out of analytics.

Session Storage (browser):

oauth_state — A CSRF protection token generated during OAuth flows with ESP integrations or social login providers, used to validate that the OAuth callback originated from a request you initiated.
oauth_esp — The identifier of the ESP platform you are currently connecting to via OAuth, ensuring the callback is routed to the correct integration handler.
oauth_return_to — The URL you should be redirected to after completing an OAuth authorization flow.
redirectUrl — A temporary redirect URL stored during authentication flows to return you to your intended destination after logging in.

All session storage items are automatically cleared when you close the browser tab or window. Local storage items persist until you log out, clear your browser data, or we update the storage schema (in which case outdated keys are removed automatically).

3. How We Use Your Information

We use the information we collect for the following purposes:

Service Delivery: To provide, operate, and maintain the Service, including rendering your email templates, processing your editor actions, hosting your uploaded assets, facilitating ESP integrations, and enabling team collaboration features.
Account Management: To create and manage your account, authenticate your sessions, process your subscription and billing through Stripe, and communicate with you about your account status, billing events, and service-related matters.
Product Improvement & Analytics: To understand how users interact with the Service, identify areas for improvement, measure feature adoption, and optimize performance. Our internal analytics engine processes this data. You may opt out of analytics collection at any time through your account settings or by enabling Do Not Track in your browser.
AI Feature Improvement: When you use AI-powered features (such as AI content generation or AI-assisted design), we may use anonymized, aggregated data derived from AI interactions to improve the quality and relevance of our AI models. Individual template content is never used to train AI models without your explicit consent. AI processing is performed through our internal AI service with rate limiting, content moderation, and token tracking.
Security & Fraud Prevention: To detect and prevent unauthorized access, abuse, fraud, and other malicious activity. This includes monitoring login attempts, enforcing rate limits, validating session tokens, and tracking IP addresses associated with suspicious activity.
Communication: To send you transactional emails (account verification, password resets, billing receipts, security alerts) and, if you have opted in, product updates and feature announcements. You can control email notification preferences in your account settings.
Legal Compliance: To comply with applicable laws, regulations, legal processes, and enforceable governmental requests, and to enforce our Terms of Service and other agreements.
Customer Support: To respond to your inquiries, troubleshoot issues, and provide technical support when you contact us.

4. How We Share Your Information

We do not sell, rent, or trade your personal information. We share your information only in the limited circumstances described below.

4a. Service Providers

We share information with third-party service providers who perform services on our behalf, subject to contractual obligations that require them to protect your information:

Stripe: Our payment processor receives your billing information to process subscriptions, charges, and refunds. Stripe operates as an independent data controller for payment data and is PCI-DSS Level 1 compliant. See Stripe's Privacy Policy for details on how they handle payment data.
ESP Platforms (User-Initiated): When you explicitly connect an ESP integration and initiate an action (such as exporting a template), we transmit the necessary data (e.g., your template HTML) to the connected ESP platform. We only share data with ESPs that you have authorized, and only in response to actions you initiate. Each ESP has its own privacy policy governing how it handles data received from MiN8T.
Email on Acid: When you use email client testing, your template HTML is sent to Email on Acid for rendering. No personal information beyond the template content is shared.

If you choose to register or log in using a social authentication provider (Google, Facebook, Microsoft, or Apple), we exchange information with that provider only during the authentication flow. Specifically:

We receive your name and email address from the social login provider to create or link your MiN8T account.
We do not receive or store your social media password, contacts, posts, or other social data.
We do not share your MiN8T usage data, template content, or any other information back to the social login provider.
After the initial authentication, the social login provider is not contacted again unless you explicitly initiate a new login using that provider.

4c. Google API Services User Data — Limited Use Disclosure

MiN8T uses Google API Services solely to let you import data from your own Google Sheets into email templates (for example, to populate product rows, personalised content, or AMP-for-Email lists). Our use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

4c.i. Data Accessed

When you connect a Google account to MiN8T for the Sheets integration, we request the minimum OAuth scopes needed to list and read your spreadsheets:

https://www.googleapis.com/auth/drive.readonly — read-only access to your Google Drive file list, used only to show you a picker of spreadsheets you can connect to MiN8T. We do not list or read non-spreadsheet files.
https://www.googleapis.com/auth/spreadsheets.readonly — read-only access to the specific spreadsheet(s) you choose to link. We can read the values in those sheets and their metadata (sheet names, column headers). We cannot write to, modify, or delete your sheets.
OAuth profile data — during the initial Google consent flow, Google returns a short-lived ID token containing your Google account's email address so we can associate the integration with your MiN8T account. We do not request or receive your Google password, contacts, calendar, photos, YouTube, or any other Google product data.

4c.ii. Data Usage

Data from your Google Sheets is used solely to provide the user-facing feature you requested:

The Drive file list is used to render the spreadsheet-picker UI when you click "Connect a Google Sheet". The list is fetched on demand and is not stored.
The contents of the specific spreadsheet you select are converted into an amp-list JSON payload that your email template uses to render dynamic rows at send time. The first row of the sheet is treated as column headers (variable names); remaining rows are treated as data items.
We do not use Google user data to train generalised AI or machine-learning models. We do not use Google user data to serve advertising. We do not use Google user data for any purpose other than providing and improving the Sheets integration feature inside MiN8T itself.
Human access to Google user data is limited to (a) with your explicit consent, (b) where required by law, (c) where necessary for security investigations, or (d) where aggregated and anonymised for internal operations — all consistent with the Limited Use requirements.

We do not share, sell, transfer, license, or otherwise disclose Google user data to any third party. The only exceptions are:

Infrastructure providers that operate MiN8T (our hosting provider — Google Cloud Platform — and our managed Cloud SQL database). These act as data processors on our behalf under Google's own contractual terms; they do not use the data for their own purposes.
Where we are legally compelled to disclose data by a valid subpoena, court order, or equivalent legal process.

We never share Google user data with advertising networks, marketing brokers, analytics vendors, or other third parties.

4c.iv. Data Storage & Protection

OAuth tokens (access tokens and refresh tokens) are encrypted at rest using AES-256 before being written to our database. Decryption keys are held in a separate secrets management system and are never committed to source code.
Spreadsheet contents are fetched from Google on demand each time your template is rendered or exported. We cache the fetched rows in memory for a short, configurable TTL (default: 5 minutes) so that rapid repeat renders don't trigger excessive Google API calls. Cached rows are never written to persistent storage.
All traffic between MiN8T and Google APIs is transmitted over TLS 1.2+. Traffic between you and MiN8T is likewise TLS-encrypted end-to-end.
Access to Google user data within MiN8T is scoped to the user who authorised the connection. We enforce row-level access controls so that one MiN8T user cannot read another user's Google-derived data.
We maintain SOC-2-style internal controls: audit logging of administrative access, least-privilege production access, mandatory code review for changes touching Google integration code, and periodic security reviews.

4c.v. Data Retention & Deletion

OAuth tokens are retained only while the integration is actively connected to your MiN8T account. You can disconnect the integration at any time from Settings → Data Sources in MiN8T. On disconnection, we immediately call Google's token revocation endpoint and delete the stored tokens from our database.
You can also revoke MiN8T's access directly from your Google account at myaccount.google.com/permissions. Revoking there immediately invalidates the tokens we hold.
Cached spreadsheet rows are discarded automatically when their TTL expires (default 5 minutes). There is no mechanism to preserve cached rows past the TTL.
If you delete your MiN8T account entirely, we revoke all active Google integrations and purge all stored tokens, cached rows, and any derived metadata within 30 days of the deletion request, consistent with our overall data retention policy.
To request deletion of specific Google-derived data without deleting your account, email privacy@min8t.com and we will respond within 30 days.

4d. Analytics

Our analytics system is entirely internal. We built and operate our own analytics engine rather than relying on third-party analytics platforms such as Google Analytics. This means:

Your usage data is processed on our own infrastructure and is never transmitted to third-party analytics or advertising companies.
We do not create advertising profiles based on your usage patterns.
We honor the Do Not Track (DNT) browser signal. When DNT is enabled, our analytics engine does not collect event or session data from your browser.
You may opt out of analytics collection at any time through your account settings, independent of your DNT browser setting.

4e. Legal Requirements

We may disclose your information if we believe in good faith that disclosure is necessary to:

Comply with a subpoena, court order, or other legal process.
Cooperate with law enforcement or other governmental agencies in an investigation of criminal or civil activity.
Enforce our Terms of Service or other agreements.
Protect the rights, property, or safety of MiN8T, our users, or the public.
Prevent fraud, security threats, or technical issues.

Where permitted by law, we will make reasonable efforts to notify you of any legal demand for your data before complying, unless we are legally prohibited from doing so or believe that notification would create a risk of harm to any person.

4e. Business Transfers

If MiN8T is involved in a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. In such an event:

We will provide at least thirty (30) days' prior written notice to you via email before your information is transferred to a new entity or becomes subject to a different privacy policy.
You will have the opportunity to delete your account and data before the transfer takes effect.
Any acquiring entity will be required to honor the commitments made in this Policy with respect to information collected prior to the transfer.

4f. We Never Sell Your Data

MiN8T does not sell, rent, lease, or trade your personal information to any third party for monetary or other valuable consideration. This applies to all categories of personal information we collect, without exception.

We have never sold personal information in the past and have no plans to do so in the future. Our business model is based entirely on subscription fees and pay-as-you-go credits for premium features, not on monetizing user data.

5. Data Retention

We retain your information only for as long as necessary to fulfill the purposes described in this Policy, comply with our legal obligations, resolve disputes, and enforce our agreements. Specific retention periods are as follows:

Account Data: Your account information (name, email, preferences) is retained for the duration of your account. When you delete your account, we retain your data for an additional thirty (30) days to allow for account recovery in case of accidental deletion. After this grace period, your account data is permanently deleted from our systems.
Email Templates & Modules: Your templates, modules, and saved blocks are retained until you explicitly delete them or until your account is deleted. Template version history is maintained for the lifetime of the template to support undo/redo and version comparison features.
Uploaded Images & Assets: Files uploaded to the Asset Library are retained until you delete them or until your account is deleted. Assets referenced in exported templates may remain on our CDN to ensure those emails continue to render correctly in recipients' inboxes.
Email Verification Tokens: Tokens generated for email verification and password reset are automatically expired and purged after ninety (90) days.
DMARC Reports: DMARC aggregate and forensic reports are retained for ninety (90) days by default. You may configure a longer or shorter retention period in your DMARC monitoring settings.
Analytics Data: Usage analytics data (events, page views, session durations) is retained for twelve (12) months, after which it is permanently deleted or irreversibly anonymized.
Session Records: Authentication sessions automatically expire based on their configured expiration time. Expired session records are purged during routine cleanup processes.
CSV Lists: Email lists uploaded for list cleaning are retained only for the duration of the cleaning process plus seven (7) days to allow you to download results, after which they are permanently deleted.
Billing Records: Invoice and payment records are retained for seven (7) years to comply with tax and financial reporting obligations.

6. Your Rights & Choices

We respect your right to control your personal information. Depending on your jurisdiction, you may have some or all of the following rights. Regardless of where you are located, we strive to honor these requests for all users.

6a. Access & Portability

You have the right to access the personal information we hold about you and to receive a copy in a portable format. Specifically:

You can view and download your profile information, account settings, and preferences at any time from your account dashboard.
You can export any email template as HTML or JSON through the editor's export functionality, giving you a complete, portable copy of your work.
You can export email lists as CSV files using the list management features.
For a comprehensive data export encompassing all personal information we hold about you, contact us at privacy@min8t.com and we will respond within thirty (30) days.

6b. Correction

You have the right to correct inaccurate personal information. You can update your name, email address, job function, phone number, profile photo, and other account details at any time through your account settings. If you believe we hold other inaccurate information about you that you cannot correct through the interface, contact us at privacy@min8t.com.

6c. Deletion

You have the right to request deletion of your account and associated personal information. You can initiate account deletion from your account settings. When deleting your account, please note:

If you are the owner of a workspace, you must first transfer ownership to another team member or delete the workspace before your account can be deleted.
Your account data will be retained for thirty (30) days after deletion to allow for recovery in case of accidental deletion. After this period, deletion is permanent and irreversible.
Templates, images, and other content stored in shared workspaces may be retained for other team members' continued use, unless you delete the content individually before deleting your account.
Certain information may be retained as required by law (e.g., billing records for tax compliance) or for legitimate business purposes (e.g., fraud prevention logs).

6d. Analytics Opt-Out

You can opt out of our internal analytics tracking at any time by:

Navigating to your account settings and disabling the analytics tracking option.
Enabling the Do Not Track (DNT) signal in your web browser. Our analytics engine respects this signal and will not collect usage data when it is active.

Opting out of analytics does not affect the functionality of the Service. You will still be able to use all features normally.

You can manage cookies and local storage through your browser settings:

Most browsers allow you to refuse cookies, delete existing cookies, and clear local storage data. Note that blocking the x_token cookie will prevent you from maintaining a logged-in session.
You can clear specific localStorage keys (such as analytics_session_id or template_filter_state) through your browser's developer tools without affecting your authentication.
Session storage items are automatically cleared when you close the browser tab or window.

6f. Communication Preferences

You can control what communications you receive from MiN8T:

Email Notifications: You can enable or disable email notifications (such as product updates and feature announcements) through the email notification toggle in your account settings.
Transactional Emails: Certain emails are necessary for the operation of the Service and cannot be opted out of. These include account verification emails, password reset emails, billing receipts, security alerts, and legally required notices (such as changes to this Policy).

8. CCPA Rights (California)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

Right to Know:

You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business or commercial purpose for collecting it, and the categories of third parties with whom we share it. This Policy is intended to satisfy this disclosure requirement. For a personalized data disclosure, contact us at privacy@min8t.com.

Right to Delete:

You have the right to request deletion of your personal information, subject to certain exceptions under the CCPA (such as completing a transaction, detecting security incidents, or complying with legal obligations). See Section 6c for details on how to exercise this right.

Right to Opt-Out of Sale:

MiN8T does not sell your personal information. We have never sold personal information and do not intend to do so. Because we do not sell personal information, there is no need to opt out of such sales. However, if this practice ever changes, we will update this Policy and provide a prominent "Do Not Sell My Personal Information" link.

Right to Non-Discrimination:

We will not discriminate against you for exercising any of your CCPA rights. We will not deny you the Service, charge you different prices, provide a different level of quality, or suggest that you will receive a different level of service for exercising your privacy rights.

Authorized Agents:

You may designate an authorized agent to make requests on your behalf under the CCPA. To do so, you must provide the agent with written permission and verify your own identity directly with us. We may deny requests from agents who cannot demonstrate proper authorization. Authorized agent requests should be sent to privacy@min8t.com.

Categories of Information Collected (CCPA Disclosure):

Identifiers: Name, email address, IP address, account identifiers.
Commercial Information: Subscription tier, payment history, PAYG credit balances.
Internet Activity: Editor usage events, page views, session duration, feature interactions (via our internal analytics engine).
Geolocation Data: Approximate country-level location derived from IP address via GeoIP lookup.
Professional Information: Job function (if provided).
Inferences: Feature usage patterns used to personalize the Service (e.g., frequently used editor tools).

9. Children's Privacy

The Service is not directed to individuals under the age of sixteen (16) and is designed for professional and business use. We do not knowingly collect, solicit, or maintain personal information from anyone under 16 years of age.

If we become aware that we have collected personal information from a child under 16, we will take steps to promptly delete that information from our servers. If you are a parent or guardian and believe that your child under 16 has provided personal information to MiN8T, please contact us immediately at privacy@min8t.com so we can take appropriate action.

In jurisdictions where the minimum age for consent to data processing is higher than 16, we comply with the applicable local age requirement.

10. Security

We take the security of your personal information seriously and implement industry-standard technical and organizational measures to protect it against unauthorized access, alteration, disclosure, or destruction.

Encryption in Transit:

All data transmitted between your browser and MiN8T servers is encrypted using HTTPS with TLS (Transport Layer Security). We enforce HTTPS across all endpoints and do not support unencrypted HTTP connections.

Encryption at Rest:

Sensitive data stored on our servers, including webhook secrets and integration tokens, is encrypted using AES-256-GCM (Advanced Encryption Standard with 256-bit keys in Galois/Counter Mode), a widely recognized military-grade encryption standard.

Password Security:

User passwords are hashed using bcrypt with an appropriate work factor before storage. Bcrypt is a one-way hashing algorithm, meaning your original password cannot be derived from the stored hash. We never store, log, or transmit passwords in plaintext.

Rate Limiting & Abuse Prevention:

We implement rate limiting across all API endpoints and authentication flows to prevent brute-force attacks, credential stuffing, and denial-of-service attempts.

PCI Compliance:

Payment processing is handled by Stripe, which maintains PCI-DSS Level 1 compliance, the highest level of certification in the payment card industry. Because payment card data never touches our servers, MiN8T is not subject to PCI-DSS scope requirements.

Access Controls:

Access to production systems and user data is restricted to authorized personnel on a need-to-know basis. We use role-based access controls within team workspaces (owner, editor, viewer) to ensure users can only access and modify data appropriate to their role.

Security Reviews:

We conduct regular security reviews of our codebase, infrastructure, and dependencies. We monitor for known vulnerabilities in our dependencies and apply patches promptly.

While we strive to use commercially acceptable means to protect your personal information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security and encourage you to use strong, unique passwords and enable available security features.

11. International Data Transfers

MiN8T Inc. is based in the United States and our primary servers and infrastructure are located in the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country of residence.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on the following mechanisms to ensure that transfers of personal data outside the EEA are adequately protected:

Standard Contractual Clauses (SCCs): We use the European Commission-approved Standard Contractual Clauses as a lawful mechanism for transferring personal data from the EEA to the United States. These clauses impose contractual obligations on the data recipient to protect your data to EEA standards.
Adequate Safeguards: We implement supplementary technical and organizational measures alongside SCCs, including data encryption in transit and at rest, access controls, and regular security assessments.
Data Processing Agreements: Where required, we enter into Data Processing Agreements (DPAs) with business customers that include SCCs and specify the categories of data transferred, the purposes of processing, and the technical safeguards in place. Contact legal@min8t.com to request a DPA.

Our third-party service providers (such as Stripe) maintain their own compliance programs for international data transfers. We require all sub-processors to provide adequate data protection safeguards before sharing any personal data with them.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or business operations. When we make changes, we will:

Update the "Last updated" date at the top of this Policy.
For material changes (such as new categories of data collection, new third-party sharing, or changes to your rights), provide at least thirty (30) days' prior notice via email to the address associated with your account before the changes take effect.
For non-material changes (such as formatting updates, clarifications, or corrections), we may update the Policy without prior notice.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Policy. If you do not agree with the changes, you should stop using the Service and delete your account before the changes take effect.

We encourage you to review this Policy periodically to stay informed about how we are protecting your information. Previous versions of this Policy are available upon request by contacting privacy@min8t.com.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us through any of the following channels:

Privacy Inquiries:privacy@min8t.com — For data access requests, deletion requests, privacy complaints, and general privacy questions.
Legal Department:legal@min8t.com — For Data Processing Agreement (DPA) requests, legal questions, subpoena and law enforcement inquiries, and regulatory correspondence.
Data Protection Officer:CTO@min8t.com — Our Chief Technology Officer serves as our Data Protection Officer (DPO) for GDPR purposes. EEA and UK users may contact the DPO directly for data protection matters.
Phone: +1 (306) 250-5020 — Available Monday through Friday, 9:00 AM to 5:00 PM Central Standard Time (CST).

Mailing Address:

MiN8T Inc.
Attn: Privacy Team
1209 Orange Street
Wilmington, DE 19801
United States

We aim to respond to all privacy-related inquiries within thirty (30) days. For GDPR-related requests from EEA or UK residents, we will respond within the legally required timeframe of one (1) calendar month, with the possibility of a two (2) month extension for complex requests (in which case we will notify you of the extension and the reasons for it).

Read our Terms of Service|Create an account