Privacy Policy

1. Introduction

MindBridge Hub is operated by SC Smart Continuous Development SRL, a company registered in Romania. We are committed to protecting your privacy and handling your data responsibly.

MindBridge Hub is a business-to-business (B2B) SaaS platform designed for project management, document processing, and AI-powered artifact generation. It helps teams organise client work, extract insights from uploaded documents, and generate structured deliverables.

This Privacy Policy covers all data collected through the web application at mindbridge-hub.com and explains what information we collect, how we use it, who we share it with, and what rights you have.

2. Information We Collect

Account Information

When you create an account, we collect your name, email address, and password. Passwords are cryptographically hashed using bcrypt and are never stored in plain text. We never have access to your original password.

Organisation Data

We store your organisation (tenant) name, team member information including names, emails, and roles, as well as client names and project details that you create within the platform.

Uploaded Content

Documents you upload to the Knowledge Engine — including PDF, DOCX, TXT, CSV, XLSX, and image files — are stored securely and processed by our AI pipeline to extract insights relevant to your projects.

Generated Content

Content produced by the platform, including AI-extracted insights, generated artifacts, backlog items, operational items, and documents you create or export, is stored in association with your project.

Usage Data

We collect information about how you use the platform, including feature usage patterns, AI chat messages, artifact generation counts, and login timestamps. This helps us understand how the platform is used and where we can improve it.

Payment Information

Payment processing is handled entirely by Stripe. We never store credit card numbers, bank account details, or full payment credentials on our servers. We only store Stripe customer IDs and subscription metadata (such as plan type and billing period) to manage your subscription.

Technical Data

Our servers automatically collect standard technical information such as IP addresses, browser type and version, and device information through standard server logs.

3. How We Use Your Information

We use the information we collect for the following purposes:

• To provide, operate, and maintain the MindBridge Hub platform
• To process your uploaded documents using AI (Google Gemini API) for insight extraction and artifact generation
• To manage your subscription and billing through Stripe
• To send transactional emails — including account verification, password resets, team invitations, and billing notifications — via Resend
• To provide customer support when you contact us
• To improve the platform based on aggregate, anonymised usage patterns

4. AI Processing & Document Handling

When you upload documents to MindBridge Hub, they are processed through our AI pipeline to extract text, identify insights, and generate structured artifacts for your projects. Here is how that works:

• Document content is sent to Google's Gemini AI API for processing. This processing is subject to Google's AI data usage policies.
• We do not use your documents to fine-tune or train any AI models — neither our own nor third-party models.
• Extracted insights and generated artifacts are stored in our database and associated with your project.
• Original uploaded files are stored in Supabase Storage (backed by AWS S3 infrastructure) using a tenant-isolated bucket structure, meaning your files are logically separated from all other organisations.
• When enabled, the web enrichment feature uses the Brave Search API to supplement document-based knowledge with publicly available information. Only search queries are sent to Brave — no user data or document content is shared.

5. Data Storage & Security

We take the security of your data seriously and implement multiple layers of protection:

• Infrastructure: All data is stored in Supabase (PostgreSQL database and S3-backed file storage) hosted in the EU.
• Encryption: Data is encrypted in transit using TLS/HTTPS and encrypted at rest on the storage layer.
• Tenant isolation: Our multi-tenant architecture enforces strict isolation — your data is never accessible to other organisations.
• Access control: Role-Based Access Control (RBAC) enforces granular permissions within your organisation, including Owner, Admin, Member, and Viewer roles.
• Application security: We conduct regular security reviews including protection against XSS, CSRF, rate limiting, and SSRF attacks.
• Password security: All passwords are hashed using bcrypt with a cost factor of 12 and are never stored or logged in plain text.

6. Data Sharing & Third-Party Services

We share data only with the following service providers, solely for the purpose of operating the platform:

We do not sell data to any third party. We will comply with lawful government requests for data as required by applicable law, and will notify affected users where legally permitted to do so.

7. Your Rights Under GDPR

As we operate from Romania, a member state of the European Union, you have the following rights under the General Data Protection Regulation (GDPR):

• Right of access: Request a copy of all personal data we hold about you.
• Right to rectification: Request correction of any inaccurate or incomplete data.
• Right to erasure ("right to be forgotten"): Request deletion of your personal data.
• Right to data portability: Receive your data in a structured, commonly used, machine-readable format.
• Right to restrict processing: Request that we limit how we use your data.
• Right to object: Object to processing of your data based on legitimate interests.
• Right to withdraw consent: Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

You can exercise your right to data export and account deletion directly from your Settings page within the platform. For all other requests, contact us at support@mindbridge-hub.com. We will respond within 30 days of receiving your request.

8. Data Retention

• Active account data is retained for the duration of your subscription.
• After account cancellation, your data is retained for 90 days (in case you wish to reactivate), then flagged for deletion, and permanently deleted after 180 days from the date of cancellation.
• Uploaded files follow the same retention schedule as account data.
• Anonymised, aggregate usage statistics (which cannot be linked back to any individual or organisation) may be retained indefinitely.

You can request immediate deletion of your data at any time by contacting us at support@mindbridge-hub.com.

9. Cookies & Tracking

We use essential cookies only. Specifically, we use session authentication cookies managed by NextAuth.js to keep you signed in. These cookies are strictly necessary for the platform to function and do not track your activity across other websites.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. No data is shared with advertising networks.

10. Children's Privacy

MindBridge Hub is a business-to-business professional tool and is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe that a minor has provided us with personal data, please contact us and we will take steps to delete such information promptly.

11. International Data Transfers

While our primary data storage is in the EU, your data may be processed by sub-processors located outside the European Economic Area — for example, when document content is sent to the Google Gemini API or when the application is served through Vercel's CDN edge nodes.

Any such international transfers are protected by appropriate safeguards, including Standard Contractual Clauses (SCCs) or adequacy decisions, as required by the GDPR.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify registered users by email before the changes take effect.

Continued use of the platform after notification constitutes your acceptance of the updated policy. We encourage you to review this page periodically.

13. Contact

If you have any questions about this Privacy Policy, your data, or your rights, please contact us: