Mind Lab Toolkit (MinT)

MinT Privacy Policy

Mind Lab Toolkit

Service Provider: MINDAI PTE. LTD.

Version: v1.0

Published: 23 April 2026

Effective: [ ] 2026

PLEASE READ CAREFULLY. This Privacy Policy describes how MINDAI PTE. LTD., a private limited company incorporated in the Republic of Singapore with its registered office at 152 Beach Road, #11-05, Gateway East, Singapore 189721 ("Mindai", "we", "us"), collects, uses, discloses, transfers, retains and protects personal data when you register for and use MinT (Mind Lab Toolkit). It supplements, and is incorporated into, the MinT Terms of Service. By creating an account or using MinT, you acknowledge this Privacy Policy.

KEY COMMITMENTS — (1) MinT is a developer- and enterprise-facing training infrastructure and parameter platform; we do NOT use your Customer Data, Training Data, or Training Outputs to train Mindai's own or any third party's models without your prior, separate, express written consent. (2) We collect only the personal data necessary to provide, secure, and bill the Service. (3) Where personal data is transferred across borders, we apply the legal mechanisms required by the applicable jurisdiction (PDPA, GDPR, PIPL).

Article 1 — Definitions

Capitalised terms used in this Privacy Policy and not otherwise defined have the meanings given in the MinT Terms of Service. In addition:

  • "Personal Data" means any information relating to an identified or identifiable natural person, as such term is defined under applicable data protection laws (including PDPA, GDPR, UK GDPR, and PIPL).
  • "Sensitive Personal Information" means data categories afforded heightened protection under applicable data protection laws (e.g., "Special Category Data" under GDPR; "敏感个人信息" under PIPL; "sensitive personal data" under PDPA).
  • "Processing" means any operation performed on Personal Data, including collection, use, storage, disclosure, transfer, deletion, and anonymisation.
  • "Data Subject" means the natural person to whom Personal Data relates.
  • "Subprocessor" means any third party engaged by Mindai to process Personal Data on Mindai's behalf in connection with the Service.
  • "Customer Data" means data uploaded, submitted, generated, or processed through MinT by you, as defined in the MinT Terms of Service. Customer Data may incidentally contain Personal Data of your end users; in such case, you are the controller and Mindai is the processor of such Personal Data.

Article 2 — Scope and Roles

2.1 Scope

This Privacy Policy applies to Personal Data that Mindai processes (a) about you as a registered user of MinT (e.g., your account information, billing information, usage logs); and (b) on your behalf, where your Customer Data contains Personal Data of your end users.

2.2 Roles

(a) For Personal Data described in Section 2.1(a) (your own account, billing and usage data), Mindai acts as the data controller (PDPA "organisation"; GDPR "controller"; PIPL "个人信息处理者"). (b) For Personal Data contained within Customer Data that you upload to MinT, Mindai acts as the data processor / data intermediary (PDPA "data intermediary"; GDPR "processor"; PIPL "受托人"), and you act as the controller. The Data Processing Agreement (DPA) governs the processor-side relationship.

2.3 Out of Scope

This Privacy Policy does not cover (a) Personal Data processed by you when you act as a controller in your own product or service; (b) data processed by third-party Base Models or vendors you elect to integrate; or (c) websites or services not owned or controlled by Mindai.

Article 3 — Categories of Personal Data We Collect

3.1 Account Information

Name, email address, organisation/company name, billing address, telephone number (optional), authentication credentials, role/title, and (where you choose to provide) profile information.

3.2 Identity-Verification Information (Enterprise tier or where required by law)

Business registration documents, authorised representative ID information, and beneficial owner information, where required for KYC/KYB or compliance with sanctions and export-control screening.

3.3 Billing and Payment Information

Billing entity, tax identifier (e.g., GST/VAT/USCC), invoicing address, payment-method tokens, and transaction history. Mindai does not store full payment-card numbers; payment processing is handled by PCI-DSS compliant payment service providers.

3.4 Usage and Telemetry Data

API request metadata (timestamp, endpoint, response code, request size), training-job identifiers, GPU-hour consumption, dashboard interactions, and feature-usage statistics. Used to operate, secure, debug, and improve the Service.

3.5 Device and Connection Data

IP address, browser type, operating system, device identifier, language preferences, and time-zone settings. Collected via standard server logs and cookies/similar technologies.

3.6 Communications

Records of your communications with our support team, in-product feedback, survey responses, and bug reports.

3.7 Customer Data Containing Personal Data (processor capacity)

Where you upload datasets, prompts, or evaluation samples that contain Personal Data of your end users, such data is Customer Data processed by Mindai solely on your documented instructions and in accordance with the DPA.

3.8 Sensitive Personal Information

Mindai does not actively solicit Sensitive Personal Information from you for the operation of the Service. If your Customer Data contains Sensitive Personal Information, you must (a) ensure you have obtained any heightened consents required under applicable law; (b) inform Mindai before uploading; and (c) comply with the additional handling requirements set out in the DPA.

Article 4 — How We Use Personal Data

We process Personal Data for the following purposes:

  • Provide and operate the Service: account registration and management; provisioning of compute resources; orchestration of training jobs; storage of model artifacts; access to dashboards, APIs, and SDKs.
  • Billing and payment: invoice generation, payment processing, refunds, dunning, and tax compliance.
  • Security, fraud prevention, and abuse detection: monitoring for unauthorised access, anomalous traffic, account takeover, prohibited use, and incident response.
  • Service improvement: aggregated and de-identified analytics on feature usage, performance, and reliability. Such analytics do not re-identify individual users.
  • Customer support: responding to inquiries, troubleshooting, and providing technical assistance.
  • Compliance with legal obligations: tax record-keeping, export-control and sanctions screening, response to lawful regulatory or court orders.
  • Communications: service notices, security alerts, billing notifications, product updates (you may opt out of non-essential marketing communications at any time).
  • Where you have given separate consent: research and development purposes specifically described to you and accepted by you in writing.

No solely automated decision-making. Mindai does not engage in solely automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 of the GDPR. Where you configure your own use of MinT to perform automated decision-making on your end users, you remain solely responsible, as controller, for compliance with applicable rules on automated decisions and profiling (including transparency, human review, and the right to contest).

Article 5 — Customer Data and the No-Training Commitment

Mindai does not use your Customer Data, Training Data, or Customer Model Outputs (model weights, checkpoints, LoRA adapters, and other training artifacts) to train, fine-tune, evaluate, benchmark, or otherwise improve Mindai's own or any third party's AI models, except where you have provided prior, separate, express, and revocable written consent.

This is a plain-language summary. The legally binding form of this commitment (including the definition of Customer Model Outputs, the narrow exceptions, and Mindai's return/deletion obligations) is set out in Section 3.4 of the Data Processing Addendum ("DPA"), which prevails in the event of any inconsistency with this Section. In practice: (a) Customer Data uploaded to MinT is processed solely on your documented instructions to operate the Service; (b) Customer Model Outputs belong to you and are not accessed, copied, or used by Mindai for any purpose other than executing your training jobs and providing the Service; (c) usage telemetry used to operate and improve the Service is aggregated, de-identified, and never includes the substantive content of your Customer Data or Customer Model Outputs; (d) Mindai personnel access to Customer Data is restricted to the minimum necessary for support, security, or legal-compliance purposes, subject to confidentiality obligations and audit logging.

Article 6 — Legal Basis for Processing

Where applicable data protection law requires identification of a legal basis for processing, Mindai relies on the following:

  • Performance of a contract: to provide the Service requested by you under the MinT Terms of Service (GDPR Article 6(1)(b); PDPA contractual necessity).
  • Legitimate interests: to secure the Service, prevent fraud and abuse, conduct internal audits, and improve the Service in ways that do not override your fundamental rights and freedoms (GDPR Article 6(1)(f)).
  • Compliance with legal obligation: to satisfy tax, accounting, sanctions, anti-money-laundering, and other regulatory obligations applicable to Mindai (GDPR Article 6(1)(c)).
  • Consent: where required by law or where you have provided separate consent for a specific purpose (GDPR Article 6(1)(a); PIPL consent basis; PDPA deemed/explicit consent).

Where Mindai relies on consent, you may withdraw such consent at any time without affecting the lawfulness of processing prior to withdrawal.

Article 7 — Sharing and Disclosure

Mindai does not sell Personal Data. We share Personal Data only with the following categories of recipients and only to the extent necessary:

  • Subprocessors: cloud infrastructure providers, payment processors, communications providers, security and abuse-detection vendors, and customer-support tooling. The current list of Subprocessors is published at the URL set out in Section 17 and may be updated from time to time.
  • Mindai Affiliates: under appropriate intra-group data transfer arrangements consistent with this Privacy Policy.
  • Professional advisors: lawyers, auditors, accountants, insurers, under confidentiality obligations.
  • Successors in interest: in the event of a merger, acquisition, financing, reorganisation, or sale of assets, where Personal Data may be transferred subject to confidentiality undertakings.
  • Authorities: where compelled by lawful regulatory, court or law-enforcement order, or where reasonably necessary to protect the rights, property, or safety of Mindai, our users, or the public. Mindai will, where legally permitted, give prior notice to affected customers.

Article 8 — Subprocessors

Mindai engages a limited number of Subprocessors to deliver the Service (e.g., cloud compute, object storage, content delivery, analytics, payment, and email). Mindai requires Subprocessors, by written contract, to (a) process Personal Data only on Mindai's documented instructions; (b) maintain confidentiality; (c) implement appropriate technical and organisational security measures; and (d) provide adequate cross-border transfer safeguards.

The current list of Subprocessors is maintained at https://macaron.im/zh/mindlab (the "Subprocessor Page") or otherwise made available to enterprise customers on request. Mindai will provide prior notice of material changes to its Subprocessors as set out in the DPA.

Article 9 — Data Residency and Cross-Border Data Transfers

MinT is provided by MINDAI PTE. LTD., a Singapore-incorporated entity. The location of Subprocessor infrastructure on which Personal Data is processed depends on the deployment mode selected by the Customer:

  • (a) Cloud deployment: Personal Data is stored and processed on the mainland-China nodes of licensed cloud service providers engaged by Mindai (the current list of which is published on the Subprocessor Page referenced in Article 8). Personal Data of cloud-deployment customers is not, in the ordinary course of operation, transferred outside the People's Republic of China.
  • (b) On-premises / private deployment: Personal Data is stored and processed on infrastructure controlled by the Customer. The Customer determines the location of, and is responsible for any cross-border movement of, such Personal Data.
  • (c) Residual cross-border transfers may occur in connection with administrative functions such as technical support, billing, contractual administration, or customer-relationship management.

Where Personal Data is transferred outside the jurisdiction in which it was collected, Mindai applies the legal mechanisms required by the applicable law:

  • Singapore (PDPA): Mindai ensures that the recipient is bound by legally enforceable obligations to provide a standard of protection comparable to PDPA, in accordance with the PDPA Transfer Limitation Obligation (PDPA s 26 and the Personal Data Protection Regulations 2021).
  • EEA / UK (GDPR / UK GDPR): Mindai relies on the European Commission Standard Contractual Clauses (2021/914) and, where transferring from the UK, the UK International Data Transfer Addendum, supplemented by transfer impact assessments and additional safeguards as appropriate.
  • People's Republic of China (PIPL): where personal information of PRC data subjects is transferred outside the PRC, Mindai relies on (and assists customers in establishing) one of the legal bases under PIPL Article 38, including the CAC Standard Contract for Cross-Border Transfer of Personal Information, security assessment, or PIPL-recognised certification, as applicable.

Where you require additional documentation or assistance in completing your own cross-border transfer obligations, please contact contact@mindlab.ltd.

Data Residency Matrix (Indicative)

The table below summarises, by deployment mode, where Customer Data and operational data are ordinarily stored and which cross-border transfer mechanism applies. Specifics for a particular deployment are confirmed in the applicable Order Form and the Subprocessor List.

Deployment ModePrimary RegionData Categories HostedCross-Border MechanismNotice of Change
Cloud — ChinaMainland ChinaCustomer Data, Training Data, Customer Model Outputs, logsData remains in PRC in ordinary course; PIPL mechanism applies to any residual outbound transfer30 days prior notice for Subprocessor change
Cloud — International (as launched)Singapore / EEA (as elected)Customer Data, Training Data, Customer Model Outputs, logsPDPA Transfer Limitation Obligation; EU SCCs (2021/914) Module Two where GDPR applies30 days prior notice for Subprocessor change
Private / On-PremisesCustomer-controlled environmentCustomer Data and Training Data remain with Customer; only license/telemetry/support data flows to MindaiCustomer determines; Mindai acts as independent Controller for minimal license/telemetry/support dataN/A for Customer data; 30 days for Mindai-side Subprocessor change
Administrative / SupportSingapore (Mindai HQ) and regional support centresBilling data, account identifiers, support ticket contentPDPA / GDPR / PIPL mechanisms as applicable to the individual flow30 days prior notice for Subprocessor change

Article 10 — Data Retention

We retain Personal Data only for as long as necessary for the purposes for which it was collected, including legal, accounting, or reporting requirements. Indicative retention periods are set out below; the actual period in any specific case will depend on the data category and applicable law.

  • Account information: for the duration of your account plus thirty (30) days following termination, after which such information is deleted or anonymised, except where retention is required by law (e.g., tax records).
  • Billing and tax records: as required by applicable tax and accounting law (typically five (5) to ten (10) years).
  • Customer Data: deleted within thirty (30) days after termination of your account, except as set out in Article 16 of the Terms of Service. You may export Customer Data and Training Outputs during that 30-day window.
  • Usage logs and security logs: typically retained for ninety (90) to one hundred and eighty (180) days, then aggregated or deleted, except where required for ongoing security investigations.
  • Communications and support records: retained for up to twenty-four (24) months following the closure of the relevant ticket.

Article 11 — Data Security

Mindai implements reasonable and appropriate technical and organisational measures to protect Personal Data against unauthorised access, accidental loss, alteration, disclosure, or destruction, having regard to the state of the art, the costs of implementation, and the nature of the data. These measures include:

  • Encryption of data in transit (TLS 1.2+ or higher) and encryption at rest (AES-256 or equivalent).
  • Network segmentation, firewalls, and intrusion-detection systems.
  • Identity and access management with multi-factor authentication and least-privilege principles.
  • Audit logging and continuous monitoring of access to Personal Data.
  • Personnel screening, security training, and confidentiality undertakings.
  • Vendor risk assessment and Subprocessor contractual safeguards.
  • Incident response plan and breach notification procedures.

In the event of a Personal Data breach affecting your data, Mindai will notify you without undue delay and, where applicable, in accordance with the timelines required by law (e.g., GDPR 72-hour notification to the supervisory authority).

Article 12 — Your Rights

Subject to applicable data protection law, you have the following rights with respect to your Personal Data:

  • Right of access: to obtain confirmation of whether your Personal Data is being processed and a copy of such data.
  • Right of rectification: to request correction of inaccurate or incomplete Personal Data.
  • Right of erasure / deletion: to request deletion of your Personal Data, subject to retention obligations under applicable law.
  • Right of portability: to receive your Personal Data in a structured, commonly used, machine-readable format.
  • Right to restrict processing: to request that processing of your Personal Data be limited in certain circumstances.
  • Right to object: to object to processing based on legitimate interests, including profiling.
  • Right to withdraw consent: where processing is based on consent, to withdraw such consent without affecting the lawfulness of processing prior to withdrawal.
  • Right to lodge a complaint: with the competent data protection authority of your jurisdiction (e.g., the Personal Data Protection Commission in Singapore; supervisory authorities under GDPR; the Cyberspace Administration of China for PIPL matters).

How to exercise rights. Please email contact@mindlab.ltd from the email address associated with your account, or use the in-product privacy controls where available. Mindai will respond within thirty (30) days, or such shorter or longer period as applicable law requires (with reasons given for any extension).

Identity verification. To protect your information, Mindai will take reasonable steps to verify your identity before fulfilling a rights request. Verification methods may include matching information you provide with information already in our records, requiring you to authenticate through your existing account credentials, or, in higher-risk cases, requesting additional documentation.

Authorized agents. Where applicable law permits (including under the California CCPA/CPRA), you may use an authorized agent to submit a rights request on your behalf. The agent must provide written proof of authorization signed by you, and Mindai may still require you to verify your identity directly with us before acting on the request.

Mindai may decline requests that are manifestly unfounded, excessive, or repetitive, or that would adversely affect the rights and freedoms of others, in each case to the extent permitted by applicable law.

Article 13 — Cookies and Similar Technologies

Mindai uses cookies and similar technologies (e.g., local storage, web beacons) on its websites and dashboards for the following purposes:

  • Strictly necessary: authentication, session management, security, load balancing. These cannot be disabled without breaking the Service.
  • Functional: language preferences, UI settings, accessibility. These improve usability.
  • Analytics: aggregated, de-identified usage measurement to understand how the Service is used and to improve it. You may opt out via the cookie banner or your browser settings.

Mindai does not use advertising cookies or sell Personal Data to advertising networks.

Article 14 — Children's Privacy

MinT is intended for developers, researchers, and enterprise users aged 18 or above (or the age of legal majority in your jurisdiction, whichever is higher). We do not knowingly collect Personal Data from minors. If we become aware that we have inadvertently collected Personal Data from a minor, we will delete such data without undue delay.

Article 15 — Region-Specific Provisions

15.1 Singapore (PDPA)

This Privacy Policy serves as Mindai's notification under the PDPA. Mindai's Data Protection Officer can be reached at contact@mindlab.ltd. You may also contact the Personal Data Protection Commission of Singapore (PDPC) at https://www.pdpc.gov.sg.

15.2 European Economic Area, United Kingdom, and Switzerland (GDPR / UK GDPR)

Where Mindai processes Personal Data of data subjects in the EEA, the UK, or Switzerland, Mindai is the controller (or, in the case of Customer Data, the processor) within the meaning of GDPR. Mindai's lead supervisory authority is to be determined; data subjects may also lodge a complaint with their local supervisory authority.

EU/UK Representative (GDPR Article 27 / UK GDPR Article 27). Where Mindai is required to designate a representative in the European Union or the United Kingdom, Mindai will appoint such representative and update this Privacy Policy with the representative's name and contact details. Until such designation, EEA, UK, and Swiss data subjects may direct all data-protection inquiries to contact@mindlab.ltd, and Mindai will handle such inquiries on the same basis as if a representative had been formally appointed.

15.3 People's Republic of China (PIPL)

Where Mindai processes personal information of natural persons within the territory of the People's Republic of China for the purpose of providing products or services to such persons, Mindai complies with PIPL. Mindai's PIPL contact and personal information protection officer is reachable at contact@mindlab.ltd. PRC data subjects may file complaints with the Cyberspace Administration of China (CAC) or local cybersecurity and informatisation departments.

PIPL In-Country Designation (PIPL Article 53). Where Mindai is required under PIPL Article 53 to designate a dedicated entity or representative within the territory of the People's Republic of China, Mindai will make such designation and update this Privacy Policy with the designated entity's or representative's name and contact details. Until such designation, PRC data subjects may direct all personal-information-protection inquiries to contact@mindlab.ltd.

15.4 California (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the "CCPA"):

  • Right to Know — to request information about the categories and specific pieces of personal information we have collected about you, the sources, business purposes, and categories of recipients.
  • Right to Delete — to request deletion of personal information we have collected from you, subject to statutory exceptions.
  • Right to Correct — to request correction of inaccurate personal information.
  • Right to Opt Out of Sale or Sharing — Mindai does NOT "sell" or "share" personal information as those terms are defined under the CCPA, including for cross-context behavioural advertising. Accordingly, no "Do Not Sell or Share My Personal Information" link is required.
  • Right to Limit Use of Sensitive Personal Information — Mindai does not use or disclose sensitive personal information for purposes that would trigger this right; Mindai uses sensitive personal information, if at all, only as reasonably necessary to provide the Service requested by you.
  • Right to Non-Discrimination — Mindai will not discriminate against you for exercising any CCPA right (e.g., by denying service or charging different prices).
  • Authorized Agent — California consumers may use an authorized agent to submit requests, in accordance with the procedure set out in Article 12.

To exercise any of these rights, please contact contact@mindlab.ltd. Mindai does not offer financial incentives in exchange for the collection, sale, or retention of personal information.

Article 16 — Changes to This Privacy Policy

Mindai may update this Privacy Policy from time to time. Where the change is material, Mindai will provide at least thirty (30) days' prior notice via email, the MinT dashboard, or a website notice, and where required by applicable law, Mindai will obtain your consent to the change. The current version is identified by the version number and effective date on the cover page.

Article 17 — Contact Information

If you have any questions, comments, or complaints about this Privacy Policy or about how Mindai processes your Personal Data, please contact:

Effective Date and Governing Versions

This Privacy Policy is effective from the date stated on the cover page. Mindai may publish localised versions of this Privacy Policy. In the event of any conflict between the English version and a localised translation, the English version shall prevail unless otherwise expressly required by applicable local law.

— End of Privacy Policy —

MinT Terms of Service

Previous page

MinT Acceptable Use Policy

Next page

On this page

MinT Privacy PolicyArticle 1 — DefinitionsArticle 2 — Scope and Roles2.1 Scope2.2 Roles2.3 Out of ScopeArticle 3 — Categories of Personal Data We Collect3.1 Account Information3.2 Identity-Verification Information (Enterprise tier or where required by law)3.3 Billing and Payment Information3.4 Usage and Telemetry Data3.5 Device and Connection Data3.6 Communications3.7 Customer Data Containing Personal Data (processor capacity)3.8 Sensitive Personal InformationArticle 4 — How We Use Personal DataArticle 5 — Customer Data and the No-Training CommitmentArticle 6 — Legal Basis for ProcessingArticle 7 — Sharing and DisclosureArticle 8 — SubprocessorsArticle 9 — Data Residency and Cross-Border Data TransfersData Residency Matrix (Indicative)Article 10 — Data RetentionArticle 11 — Data SecurityArticle 12 — Your RightsArticle 13 — Cookies and Similar TechnologiesArticle 14 — Children's PrivacyArticle 15 — Region-Specific Provisions15.1 Singapore (PDPA)15.2 European Economic Area, United Kingdom, and Switzerland (GDPR / UK GDPR)15.3 People's Republic of China (PIPL)15.4 California (CCPA / CPRA)Article 16 — Changes to This Privacy PolicyArticle 17 — Contact InformationEffective Date and Governing Versions