1. Who Is the Data Controller?
NEXAPHAZE LTD (trading as Mindgrads) is the data controller for all personal data processed through the Mindgrads platform.
For all privacy enquiries, contact: privacy@mindgrads.com.
2. What Data We Collect
We collect and process the following categories of personal data:
| Category | Examples | Source |
|---|---|---|
| Account data | Name, email, password hash | You, at registration |
| Usage data | Login times, features accessed, credit usage | Automatic collection |
| Document content | Assignment briefs, uploaded PDFs, notes, drafts | You, during workspace use |
| Billing data | Payment method tokens, subscription status | Stripe (we do not store card numbers) |
| Communications | Support emails, contact form messages | You, via contact channels |
| Technical data | IP address, browser type, device info, cookies | Automatic collection |
3. Lawful Basis for Processing
Under UK GDPR Article 6, we process your data on the following lawful bases:
| Processing Activity | Lawful Basis | Reference |
|---|---|---|
| Account registration and service delivery | Performance of a contract | Article 6(1)(b) |
| AI feature processing (document analysis, generation) | Performance of a contract | Article 6(1)(b) |
| Billing and payment processing | Performance of a contract | Article 6(1)(b) |
| Service improvement and analytics | Legitimate interests | Article 6(1)(f) |
| Marketing communications (opt-in only) | Consent | Article 6(1)(a) |
| Legal compliance and fraud prevention | Legal obligation | Article 6(1)(c) |
| Support and complaint handling | Legitimate interests | Article 6(1)(f) |
4. AI Data Processing and Third-Party Providers
When you use AI-powered features on Mindgrads, your document content and prompts are transmitted to third-party AI providers for processing. We currently use:
- Anthropic (Claude models) — anthropic.com
- OpenAI (GPT models) — openai.com
- Google (Gemini models and search APIs) — google.com
We do not use your content to train, fine-tune, or improve public AI models. All AI providers process your data under strict data processing agreements that prohibit model training on customer data.
5. International Data Transfers
Anthropic, OpenAI, and Google are US-based companies. Processing your data through these services involves transferring personal data outside the UK. We ensure these transfers are lawful through:
- UK International Data Transfer Agreements (IDTAs) based on the UK GDPR adequacy framework
- Standard Contractual Clauses (SCCs) where IDTAs are not in place
- Reliance on adequacy decisions where the recipient country has been deemed adequate by the UK Secretary of State
You may request details of the specific transfer mechanisms in place by contacting privacy@mindgrads.com.
7. Data Retention
We retain your personal data for as long as necessary to provide the service and comply with our legal obligations:
| Data Category | Retention Period |
|---|---|
| Account data (active) | Retained for the duration of your account |
| Document content and workspaces | Retained while your account is active, then 90 days after account deletion |
| Billing records | 7 years from transaction (UK tax law obligation) |
| Support communications | 3 years from resolution |
| Analytics and usage data | 24 months, then aggregated anonymously |
| Deleted account data | Permanently removed 90 days after deletion request |
8. Your Rights Under UK GDPR
You have the following rights in relation to your personal data:
- Right of Access — request a copy of your personal data (Subject Access Request)
- Right to Rectification — ask us to correct inaccurate or incomplete data
- Right to Erasure — request deletion of your data ("right to be forgotten"), subject to legal retention obligations
- Right to Restriction — ask us to restrict processing of your data in certain circumstances
- Right to Data Portability — receive your data in a structured, machine-readable format
- Right to Object — object to processing based on legitimate interests or for direct marketing
- Rights relating to automated decision-making — we do not use fully automated decision-making that produces legal or similarly significant effects without human oversight
To exercise any of these rights, contact privacy@mindgrads.com. We will respond within 30 days (extendable to 90 days for complex requests, with notice).
10. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. These include:
- Encrypted storage and transmission (TLS/HTTPS)
- Access controls and role-based permissions
- Regular security assessments and monitoring
- Data processing agreements with all third-party providers
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and inform affected users without undue delay, as required by UK GDPR Articles 33–34.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email or in-app notice at least 14 days before they take effect. The effective date at the top of this document will be updated accordingly.
For privacy questions or data subject requests, email privacy@mindgrads.com. For general support, email support@mindgrads.com.
© 2026 NEXAPHAZE LTD. All rights reserved.