01 Who we are.
This privacy policy describes how Mindcraft Inc. ("Mindcraft," "we," "us," or "our") collects, uses, and protects personal data. We're a Delaware corporation operating from 3 Germay Drive, Unit 4 #2316, Wilmington, DE 19804, USA.
This policy applies to:
- Visitors to mindcraft.solutions and any subdomains we operate
- People who contact us through email, phone, WhatsApp, or Messenger
- Prospective clients during scoping, audit, and onboarding
- Job applicants who submit applications or referrals
Our work for paying clients is covered separately by a Data Processing Agreement (DPA) tied to the engagement. Where this policy and a DPA differ, the DPA governs that engagement.
Plain language
If you've never engaged us as a paying client, this policy is the one that applies to you. If you have, your engagement DPA — usually a separate signed document — controls.
02 What we collect.
From website visitors
When you visit our site, we automatically receive:
- IP address and approximate location (city / country)
- Browser and device info (user agent, screen size, language)
- Page views and referrers — which pages you saw, where you came from
- Cookies, where set — see our separate Cookies Policy
We do not use Google Analytics, Facebook Pixel, or behavioural advertising trackers. Our analytics provider is Plausible Analytics, which is privacy-respecting and stores no personal data.
From people who contact us
When you email, call, or message us, we collect what you choose to send: typically name, email address, phone number, company, and the contents of your message. Our communication channels (Gmail, WhatsApp, Messenger) have their own data practices independently.
From prospective clients
During audit and scoping, we may collect:
- Business information (company name, size, industry, current tools)
- Contacts at your organisation (name, role, email, phone)
- Sample documents or system access we explicitly request — under NDA
From job applicants
If you apply for a role, we collect your CV, contact info, work eligibility, and references. We may also collect feedback from interviewers and tasks/work samples you provide. Applicant data is kept separately from client data, with restricted access.
What we do not collect
We do not collect or use:
- Sensitive personal data (race, religion, sexual orientation, biometrics) — unless you volunteer it for an explicit purpose like accessibility
- Behavioural data for advertising
- Cross-site tracking signals
- Data from minors under 16 (see section 9)
03 How we use it.
We use personal data only for legitimate purposes related to running our business. Specifically:
- To provide our services — scoping, building, operating, and supporting the work clients hire us for
- To communicate with you — answering questions, sending invoices, sharing updates relevant to active engagements
- To improve our website and services — using aggregated, non-identifying analytics
- To meet legal and tax obligations — keeping records the IRS, EU DPAs, and our auditors require
- To recruit and hire — assessing applicants for open positions
What we don't do
We do not, and will not:
- Sell or rent your personal data to anyone
- Share your data with advertisers or data brokers
- Use your data to train AI models — yours or anyone else's
- Send marketing emails to people who haven't asked for them
Legal basis (for EU residents)
Our legal bases under the GDPR are:
- Contract performance — to provide services you've engaged us for
- Legitimate interests — to communicate with prospective clients, manage applications, and run analytics on our own site
- Legal obligation — to comply with tax, audit, and other legal requirements
- Consent — for marketing emails, optional cookies, or anything else you affirmatively opt into
04 Who we share with.
We share personal data only with carefully chosen subprocessors and service providers who help us run the business. We don't share with anyone for marketing or advertising purposes.
Our subprocessors
The current list of major subprocessors:
| Provider | Purpose | Region |
| --- | --- | --- |
| Google Workspace | Email, calendar, documents, internal collaboration | USA · EU |
| Stripe | Payment processing for invoices | USA · EU |
| Notion | Internal docs, project tracking | USA |
| Plausible Analytics | Privacy-respecting site analytics | EU |
| Anthropic (Claude) | AI capabilities used in client systems | USA |
| OVH / Hetzner | Hosting infrastructure | EU |
| Slack | Team communication, client support channels | USA |
Each subprocessor has signed a data processing agreement with us that aligns with our commitments to you. Where required, EU Standard Contractual Clauses are in place.
Engagement-specific subprocessors
For specific client engagements, we may use additional subprocessors (Twilio, ElevenLabs, Customer.io, etc.) — these are listed in your engagement DPA. We notify you of changes 30 days in advance, with the right to object.
Other sharing
We may share data:
- With professional advisors — accountants, lawyers, auditors, when needed and under confidentiality
- To comply with law — when validly compelled by court order, subpoena, or law enforcement, where we cannot reasonably contest
- In connection with a transaction — if Mindcraft is acquired or merged, with notice to you
We do not respond to informal government information requests without a valid legal process.
05 How long we keep it.
We retain personal data only as long as needed for the purpose collected, plus what's required for legal/audit/tax recordkeeping.
| Data type | Retention period |
| --- | --- |
| Active client engagement data | Duration of engagement + 6 months |
| Past client engagement data | 7 years (tax/audit), then deleted |
| Prospective client communications | 24 months from last contact |
| Website analytics (aggregated) | 13 months |
| Job applicant data (not hired) | 12 months from decision |
| Backups and archives | 30 days, then permanently deleted |
You can request deletion at any time — see section 6. Where we keep data for legal reasons (e.g. tax records), we keep only what's required and restrict access.
06 Your rights.
Regardless of where you live, you have the following rights regarding your personal data:
- Access — what we have about you, in a portable format
- Correction — fix anything that's wrong
- Deletion — remove your data (subject to legal retention)
- Objection / restriction — limit how we process your data
- Portability — get your data in a machine-readable format
- Withdraw consent — for anything you previously opted into
- Complain to a supervisory authority — your local data protection regulator
How to exercise these rights
Email info@mindcraft.solutions with the subject line "Privacy request" and we'll respond within 30 days. We may need to verify your identity to prevent unauthorised disclosure.
For California residents (CCPA / CPRA)
You have additional rights under California law: to know what we collect, to delete, to opt out of sale (we don't sell), to correct, and to limit use of sensitive data (we don't process sensitive data). We do not discriminate against people who exercise these rights.
For EU/UK residents (GDPR / UK GDPR)
You can lodge a complaint with your local data protection authority — for example, the CNIL (France), ICO (UK), or DPC (Ireland). We'd appreciate the chance to address your concerns directly first.
07 International transfers.
We're a US company that works with global clients and uses subprocessors across multiple jurisdictions. Personal data may be transferred to and processed in:
- The United States — our HQ and primary operating jurisdiction
- The European Union — where some of our hosting and subprocessors are located
- Other countries — where your engagement specifies (e.g. our team members in Tbilisi)
For transfers from the EU/EEA/UK to non-adequate countries, we use EU Standard Contractual Clauses with all subprocessors. Where applicable, we have completed Transfer Impact Assessments. Documentation is available on request.
08 Security measures.
We treat security as foundational, not a checkbox. Concrete measures include:
- Encryption in transit — TLS 1.3 for all web traffic, signed certificates
- Encryption at rest — AES-256 for sensitive data at rest in our databases
- Access control — role-based permissions, MFA required for all team accounts, single sign-on where available
- Audit logging — admin actions logged and retained for 13 months
- Backup + disaster recovery — daily backups, tested quarterly, 30-day retention then permanent deletion
- Incident response — documented runbook, breach notification within 72 hours where required by law
- Security training — annual training for the whole team
- Vendor review — security and privacy reviews before onboarding any subprocessor
For regulated industries, we offer VPC deployment and additional controls — see your engagement documents.
Honest note
We're not SOC2-certified yet. We're working toward it. We can provide a security questionnaire response, our existing controls, and any reasonable third-party verification you need in the meantime.
09 Children's privacy.
Our site and services are not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected data from a child, contact us at info@mindcraft.solutions and we will delete it.
10 Changes to this policy.
We'll update this policy as our practices evolve. Material changes (changes to data sharing, retention, rights) get 30 days' notice via email to people we have email addresses for, and a banner on the site. Minor edits (typo fixes, clarifications, organisational changes) are made on a rolling basis with the "last updated" date refreshed.
Past versions are archived and available on request.