Privacy Policy
Quick summary
- We collect only what’s necessary to run Persona and improve it.
- We never sell your data and we don’t share data with ad companies.
- We don’t log your private chats or personas in production. We only log usage metrics and errors.
- Images you generate are served via public-by-URL CDN links. Anyone with the link can view them.
Tip: If you want an image to stay private, do not share its link. You can delete images/personas anytime.
Who we are and scope
Mynth operates our websites and apps under the mynth.io domain, including persona.mynth.io. This Privacy Policy applies to all Mynth services and apps.
Questions? Contact us at [email protected] or [email protected]. See also our Terms of Use. A Data Processing Agreement (DPA) is available upon request.
Our philosophy
We believe in user freedom and creativity. Our goal is to give you powerful tools for content generation while protecting your privacy.
- We never sell your data. We don’t share data with ad companies.
- We don’t need or want to see your private content. We design systems to avoid collecting more than necessary.
- When you ask for support, we help without judgment and only look at what’s strictly needed to resolve your request.
- Your freedom to create matters—within our Terms of Use and applicable law.
Let’s be honest: we don’t care what you generate. We care that it’s your data and it stays yours.
What we collect
- Account data (via Clerk): We store your Clerk user ID in our database. Clerk manages your email, name, and authentication data. We may receive your email via Clerk webhooks to help identify sessions in analytics. See Clerk’s Privacy Policy.
- App content you provide: Persona prompts and messages, persona data (JSON profiles), version metadata, and events history. If you generate images, we store prompts and the resulting images.
- Usage/telemetry: IP address (rate limiting/abuse prevention), client analytics (page views, page leave, exceptions), server/application logs, and feature events.
- Payments: Purchase metadata (token amounts purchased, order/checkout IDs, product IDs). We do not store card details; payments are processed by our provider.
How we use data
- Provide and improve the service (persona creation/editing, image generation).
- Authenticate users and authorize access.
- Process token balances, transactions, and payments; provide support.
- Analytics, debugging, error tracking, security (including anti‑abuse and rate limits).
- Communicate service‑related updates.
- At your request, help troubleshoot issues and verify refunds or credits (see “Support access with your permission”).
Support access with your permission
Sometimes you may ask us to review specific content (for example, a bad image generation) to process a refund or investigate a problem. In those cases:
- We only access the minimum data needed and only the items you identify (e.g., specific image, prompt, or persona).
- We require your explicit permission via email sent from the same address registered with your account.
- We use the data solely to resolve your request (for example, verifying token usage or an error), then we stop accessing it.
- We keep minimal records of the support case (such as ticket IDs and outcome) and do not retain copies of your content beyond what’s necessary to resolve the request.
Tip: If you prefer not to grant access, you can share screenshots or links to the specific items you want reviewed.
AI/model providers
- Text generation via OpenRouter: We send prompts/system instructions and options; we set headers identifying our app. We do not attach your user ID. Content may include any personal information you put in prompts. See OpenRouter’s policy at openrouter.ai/privacy.
- Image generation via Runware: We send prompts, model, and parameters; we do not include your user ID in generation requests.
Model providers may process content for safety/abuse detection and, depending on model/vendor defaults, training or evaluation. We intend to opt out of training where available (subject to provider options/policies).
Storage and hosting
- Database: Hosted Postgres (Neon) stores user IDs, personas, versions, events, image generation metadata, token balances, and transactions.
- File storage/CDN: Bunny.net stores and serves generated images via CDN URLs. Note: images are publicly accessible via hard‑to‑guess URLs (no signed URLs).
- Hosting/runtime: Vercel (application hosting and edge/middleware).
- Background jobs: Trigger.dev (task orchestration metadata and run IDs).
Analytics, logging, and events
- PostHog (client analytics): Page views, page leave, and exceptions (uses cookies/local storage). See posthog.com/privacy.
- Logtail/Better Stack (server logs): Structured server logs (may include IDs and operational context).
- LogSnag (product events/insights): Event tracking and user identification (by Clerk ID and, where available, email).
Logging clarity: We do not log private chat content or personas in production. We only log high‑level usage (for example, model name, token usage) and errors.
Chat data
- Storage: Your conversations/messages are stored in our hosted database (Neon) so that you can access your chat history.
- Access policy: We do not read your chats. Only if you report an issue and provide explicit consent will we review the specific items you identify, and only to resolve that request.
- No chat logging: We never log chat content for debugging or analytics. We log usage only (token counts, approximate cost, model ID) and errors without message content.
- Providers and routing: We proxy requests through OpenRouter or directly to model providers. We do not attach your account/user identifiers to provider requests. Any personal data in prompts is only what you choose to send.
- Free models: Free models may use your prompts/outputs for training/evaluation per provider defaults and may be unstable or unavailable. Our side imposes no additional usage limits (provider limits may still apply).
- Transparency labels: Where possible we show model/provider names (e.g., Venice) so you can review their policies. We plan to add icons/labels that summarize data usage and provider policies when such information is available.
- Guidance: Do not include sensitive personal information in chats. You control what you share.
- Future: We are working on end‑to‑end encrypted chats and local‑only chat options for maximum anonymity.
Payments
We use Polar for checkout and webhooks. We process order/checkout IDs, product IDs, token amounts, and your external user ID (Clerk ID) to credit tokens. Payment details are processed by Polar and/or its payment service provider; we do not store card data.
Cookies and local storage
- Authentication (Clerk): Strictly necessary session cookies to keep you signed in.
- Functional: A UI preference cookie/local storage key (e.g., sidebar_state) to remember whether the sidebar is open or closed.
- Analytics (PostHog): Cookies/local storage for usage analytics and error tracking.
Where required (e.g., in the EU/UK), we honor consent for analytics cookies. You can manage cookies via your browser settings. Typical lifetimes: session for auth cookies; up to 1 year for UI preferences; analytics per provider defaults.
Legal bases (GDPR)
- Contract: To provide core app functionality you request.
- Legitimate interests: Security, fraud prevention, service analytics, and improvement.
- Consent: Analytics cookies/marketing where required, and case‑by‑case support access when you explicitly authorize it.
Data sharing and recipients
- Identity/auth: Clerk (account and session management).
- Payments: Polar (checkout and webhooks metadata).
- AI providers: OpenRouter and its upstream model vendors; Runware (generation requests and outputs).
- Storage/CDN: Bunny.net (image storage and delivery).
- Analytics: PostHog, LogSnag (product analytics and insights).
- Logging: Better Stack / Logtail (server logs).
- Hosting/infra: Vercel (hosting), Neon (database), Trigger.dev (background jobs).
International transfers
Your data may be transferred to/processed in the United States and other countries where our providers operate (for example, PostHog US endpoints, Vercel, OpenRouter/model vendors, Polar, Bunny.net, Better Stack). We rely on appropriate safeguards such as Standard Contractual Clauses where applicable. You can contact us to request more information.
Retention
- Account and persona data: Kept until you delete your account or as needed to provide the service.
- Token transactions: Kept for accounting/audit (up to 7 years).
- Logs and analytics: Server logs typically 30–90 days; analytics per provider defaults; longer retention may apply for security incidents.
- Generated images: Kept until you delete them or delete your account.
Your rights and choices
- Access, correct, delete, or export your data.
- Object to or limit processing where applicable.
- Manage analytics cookie preferences (where available) and browser settings.
- Opt out of non‑essential communications.
To delete personas/images, use in‑app deletion. To request account deletion, use your Clerk account settings or email us.
Security
- Encryption in transit; modern hosted providers with physical/network security.
- Least‑privilege internal access controls.
- CDN‑backed image delivery (public by URL as noted).
- Rate limiting and abuse detection.
Children’s privacy
Persona is for adults only. We do not knowingly collect data from anyone under 18 years old, or under the age of majority in their jurisdiction if higher. If you believe a minor has provided us data, contact us so we can delete it and take appropriate steps.
Automated decision‑making
AI outputs affect persona content and images but are not used to make decisions with legal or similarly significant effects on individuals.
Changes to this policy
We may update this Privacy Policy from time to time. We will post updates here and update the effective date.
Contact
Email us with privacy questions or requests:
- mynth: [email protected]
- persona: [email protected]
- everything else: [email protected]
Effective date: 2025-08-31
For technical details and source code, see our open‑source repository: github.com/mynthio/mynth-persona.