Privacy Policy
Last updated: 2026-06-01T00:00:00.000Z
This Privacy Policy describes how Mingles AI (“we”, “us”) collects, uses, and shares information when you use the Mingo website and API (the “Service”).
We aim to collect the minimum data required to run the Service, bill it correctly, and keep it secure.
1. Data we collect
Account data
- Email address (from Google OAuth or email signup).
- Display name and Google profile picture URL (if you sign in with Google).
- Account creation timestamp and last-login timestamp.
- Brand context (
mingo) inferred from the domain at signup.
Billing data
- Subscription tier, period dates, and renewal status.
- Prepaid balance amounts and transaction history.
- For Stripe payments: a customer ID, payment-method type (e.g. “Visa ending 4242”), country, and invoice metadata. We never receive or store full card numbers. Card data is collected directly by Stripe.
- For crypto payments (USDT/USDC via NOWPayments): invoice ID, payer wallet (where exposed by the network), and on-chain transaction hash.
Usage data
- API requests: timestamp, model, token counts (input/output), HTTP status, latency, route, and your API key identifier (not the full secret).
- Optional request/response bodies are retained only when explicitly enabled in your Console preferences for debugging, and are auto-deleted after 7 days.
Technical and analytics data
- IP address (truncated for analytics), user-agent, referrer, and UTM parameters on landing pages.
- Cookie/local-storage identifiers used by our product analytics (PostHog) and Google Analytics 4.
- Captcha challenge results from hCaptcha at signup.
Communications
- Email correspondence with our support team (
support@mingles.ai, etc.).
2. How we use data
We process personal data to:
- Provide the Service: authenticate you, route requests, count tokens, charge your balance.
- Bill and reconcile: process payments, manage subscriptions, prevent fraud.
- Keep the platform safe: detect abuse, throttle suspicious traffic, comply with our AUP.
- Improve the Service: aggregated, de-identified analytics on usage, model performance, error rates.
- Communicate: send service-related emails (account, billing, security) and, only with your consent, occasional product updates. You can unsubscribe from product updates at any time.
- Comply with law: respond to lawful requests and enforce our Terms.
We do not train models on Customer Content or sell personal data.
3. Legal bases (GDPR)
We rely on the following legal bases under the EU/UK GDPR:
- Contract — for account, billing, and core API functionality (Article 6(1)(b)).
- Legitimate interests — for security, fraud prevention, analytics in aggregated form (Article 6(1)(f)).
- Consent — for non-essential cookies and marketing emails (Article 6(1)(a)). Withdrawable at any time.
- Legal obligation — for tax, accounting, and lawful-request compliance (Article 6(1)(c)).
4. Sharing with sub-processors
We share limited data with the following sub-processors, each under a Data Processing Agreement:
| Sub-processor | Purpose | Data |
|---|---|---|
| Stripe, Inc. | Card payments and subscriptions | Email, country, billing metadata |
| NOWPayments | Crypto payments | Invoice metadata, payer wallet, email |
| Google LLC | OAuth sign-in, Analytics 4 | Email, profile, cookie IDs |
| PostHog Inc. | Product analytics | IP (truncated), event data |
| hCaptcha | Bot mitigation at signup | IP, user-agent, captcha solution |
| Cloud hosting provider | Application hosting and database | All operational data |
| Email delivery (Gmail / SMTP) | Transactional email | Email address, subject, body |
| CoinGecko / market-data APIs | Currency conversion (pricing) | None personal |
The current full list is published at /legal/privacy/subprocessors (coming soon). Material additions will be
announced at least 14 days in advance.
We do not sell personal data and do not share it with advertisers for behavioral profiling.
5. International transfers
Some of our sub-processors are located outside your country. Where required, transfers rely on Standard Contractual Clauses (SCCs) or equivalent safeguards.
6. Retention
- Account and billing data: for the life of the account and up to 7 years after closure to meet tax/audit obligations.
- API request metadata: 90 days; aggregated usage metrics: indefinitely (no personal identifiers).
- Optional request/response bodies: 7 days max, or per your Console preference.
- Support emails: 3 years.
- Marketing-email opt-outs: indefinitely (suppression list).
7. Your rights
Subject to applicable law (GDPR, UK GDPR, CCPA, and similar), you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate data.
- Delete your data (“right to be forgotten”). You can delete your account in the Console; some billing records must be retained for legal reasons.
- Restrict or object to certain processing.
- Portability: receive your data in a structured, machine-readable format.
- Withdraw consent at any time (e.g. unsubscribe from marketing emails).
- Lodge a complaint with your local data-protection authority.
To exercise any of these rights, email privacy@mingles.ai.
8. Security
We use industry-standard measures: TLS in transit, encryption at rest, scoped API tokens, hashed secrets, audit logging, principle-of-least-privilege access, and regular review. No system is perfectly secure; you are responsible for protecting your API keys.
To report a security issue, email security@mingles.ai.
9. Children
The Service is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe we have, email privacy@mingles.ai and we will delete it.
10. Changes
We will post material changes here and notify registered users by email at least 14 days before they take effect.
11. Contact
- Privacy: privacy@mingles.ai
- Security: security@mingles.ai
- Legal: legal@mingles.ai
Mingles AI · Mingo product.