Privacy Policy

This policy describes how Mini Me OS handles personal data. It is written in plain language and reflects what the product actually does today. It is not legal advice.

The short version

• We store your account email and the data you put into Mini Me OS — tasks, projects, goals, routines, captures, reviews — in our database, keyed to your account.
• Your account data is isolated from other users by row-level security in the database.
• We use a handful of named providers (Supabase, Vercel, Google (Gemini API)) to run the service. They are listed below.
• We do not sell your data. We do not use it for advertising.
• You can export everything you typed in, and you can delete your account — both from Settings.
• AI features send text you type into Quick Add, task break-down or "Explain my plan" to our AI provider. Nothing else is sent to AI automatically.

Who we are

Mini Me OS is a personal productivity service published at mini-me-os.me. For any privacy question you can reach us via the contact form. The legal entity behind Mini Me OS will be added here once the operator finalises their business registration.

What we collect

• Account data. Your email address and a password hash, handled by our authentication provider (Supabase Auth). When you sign up we also store the timestamp, and whether you have completed the onboarding wizard.
• Workspace data. Everything you create or store inside the app: tasks, projects, goals, milestones, routines, capture items, reviews, decisions (and their options), life-area settings, automation rules, focus-session records, your chosen rules (e.g. how many priorities per day), and your onboarding answers (primary needs, guidance level, energy default, planning style). This data is bound to your account.
• Shared-workspace membership data. If you create or accept a shared-workspace invite (Pro and Max), the workspace stores an owner-user-id, a list of member-user-ids and roles, and the single-use invite tokens you generated. Each member sees the same tasks / projects / goals / routines while their membership is active.
• Push-notification subscriptions. If you allow notifications, your browser-provided push endpoint and its public keys are stored against your account so the morning recap (and any automations you build) can reach you. Toggle in Settings → Notifications wipes the subscription on every device.
• Calendar feed cache. If you connect a calendar via its private iCal URL (Pro and Max), we store the URL on your workspace row and a cached list of upcoming events for the next 7 days. Disconnect deletes both.
• Connected email accounts (Max-tier, opt-in). If you connect a Gmail account to the Email module, we store an OAuth refresh token (encrypted at rest with pgcrypto), the connected account email address, and the subject + snippet + sender of the latest 30 INBOX messages you pull on demand. We never store full bodies, we never reply, archive or send mail. Disconnect deletes both the token and every synced message row.
• Operational data. Standard server logs maintained by our hosting provider (Vercel) and by Supabase: IP address, request timestamps, user-agent string, error traces. These are used to operate and secure the service, not for analytics or marketing.
• Support correspondence. If you write to us via the contact form, we keep the message and your email so we can reply.

What we do not collect

• We do not access your contacts, files, location, social-media accounts or any third-party account beyond the two opt-in integrations described above (Calendar via private iCal URL, Email via Gmail OAuth on the Max tier — both strictly read-only).
• We do not run analytics scripts or marketing cookies on the website or inside the app.
• We do not currently process payments. Pro and Max are documented prices, but billing is not connected yet, so we do not collect any card or billing data today.

Why we process it

• To create your account and let you sign in.
• To save your tasks, projects, goals, routines, reviews and other workspace data, and to show the same data on every device where you log in.
• To generate the smart recommendations on Today and the answers in the Assistant page from your own data.
• To handle support requests.
• To detect and prevent abuse (e.g. repeated failed sign-ins).
• To send transactional emails — confirmation of sign-up, password reset — via our authentication provider.

Legal basis (EU/UK/EEA users)

• Performance of a contract for everything required to provide the service you signed up for (account, data storage, the dashboard itself).
• Legitimate interests for security logging, abuse prevention, and operational logs that any modern web service requires.
• Consent for anything optional, such as AI features. AI features are off by default if no AI provider is configured by the operator, and you can avoid them entirely by not using the Smart Add, "Break into steps" or "Explain today's plan" buttons.

Providers we rely on

The service runs on top of these third parties. We share with them only what they need to do their job.

• Vercel — application hosting, edge network, build pipeline. May process request metadata and access logs.
• Supabase — Postgres database (your workspace data lives here), authentication, transactional auth emails (sign-up confirmation, password reset).
• Google (Gemini API) — provides the AI model used by the Smart Add, "Break into steps", "Explain today's plan", "Break a project into tasks" and (on Pro and Max) the Voice → text fallback features. We only send these features the specific text you submitted, plus a short system prompt. We do not send your account email, your full task list, your goals, or anything else you have not asked about.
• Google (Gmail API) — only if you connect a Gmail account in the Email module (Max-tier, opt-in). We use the OAuth refresh token to fetch subject + snippet + sender for the latest 30 INBOX messages on demand. No mail is sent or modified.
• Web Push services — your browser's push provider (Apple Push, Mozilla, Microsoft, Google) delivers our notifications to your devices using endpoints your browser issued. We never share message bodies that aren't already shown to you in-app.

Each provider operates under its own data-processing terms. Vercel and Supabase support EU-region hosting; the operator may choose a different region per project. Google (Gemini API)'s API processes requests in their own infrastructure under their data-usage terms. Some providers may transfer data outside the EEA; standard contractual safeguards apply through the providers' own terms.

How AI features work

Three features call the AI provider when you trigger them:

• Smart Add on Today and Capture sends the free-form text you typed so the model can split it into a clean list of tasks, goals, projects, routines or notes. You always see a preview and confirm before anything is saved.
• "Break into steps" on a task sends the task title (and an optional description and project context) so the model can suggest 3–6 subtasks. You pick which ones to keep before any task is created.
• "Explain today's plan" on the Assistant page sends a compact summary of what is on your Today screen (counts, the top task, attention items) so the model can write a short paragraph in plain English.

AI is suggestive, not authoritative. Output is shown as a preview, and Mini Me OS only creates or modifies data in your account after you confirm. We do not log AI prompts or responses on our own servers; what the provider stores is governed by their terms. If the AI provider is not configured, a local rule-based fallback runs and no data leaves the server.

Calendar integration

If you choose to connect a calendar via its private iCal URL (in Settings → Calendar), we store that URL on your workspace row and a cached list of upcoming events for the next 7 days. The cache is refreshed on demand and at most every 15 minutes from the Today page. We use this cache only to compute how much free time you have today — we never modify your calendar, never share it with third parties, and never send its contents to the AI provider.

The iCal URL grants read access to the source calendar. We protect it with the same Postgres row-level security as the rest of your data, but treat it like a password and disconnect if you ever revoke or rotate it on the provider's side. Encrypting the URL at rest with a dedicated key is on our follow-up list for v2. Disconnecting in Settings deletes both the URL and the cached events.

Cookies and similar storage

Two kinds of browser storage are used:

• An authentication cookie set by Supabase Auth so the server knows who is signed in. This is strictly necessary for the app to work.
• localStorage on your device, used as a cache of your workspace data so the dashboard loads instantly. If you log out, the cache for that user remains until you clear it from the browser. See the Cookie Policy for the full breakdown.

Retention

• While your account exists, we keep your workspace data so you can use the service.
• When you click Delete account in Settings, the server deletes the rows in every workspace table tied to your user, then deletes the authentication user itself. The email address is then free to be re-registered. See the Terms for the exact technical steps.
• Operational logs at Vercel and Supabase are retained per their own policies — typically a few days for access logs and longer for backups.
• Contact-form messages are kept while we need them to handle your request.

Your rights

If you are in the EEA, UK, Switzerland, or another jurisdiction with comparable rules, you have rights to access, correct, delete, export, restrict and object to the processing of your personal data. You can exercise most of these directly from inside the app:

• Access and portability: Settings → Download my data exports your workspace data as a JSON file.
• Correction: edit any workspace data directly inside the relevant module.
• Deletion: Settings → Delete account removes your account and your data; Reset all my data only wipes the content.

For anything else — restriction, objection, or a written confirmation of deletion — write to us via the contact form. We aim to reply within one month, as required by EU law.

Children

Mini Me OS is not marketed at children and is not designed to handle children's personal data. The operator may set a specific minimum age once a final business decision is made; in the meantime, the service is intended for users old enough to enter into a contract for online services in their country.

Security

Connections to the app use TLS. Workspace data is stored in Supabase Postgres, which encrypts data at rest and enforces our row-level security policies that scope every read and write to the signed-in user. Service-role keys live only on the server and never reach the browser. We are a small team and do not currently hold any external security certification — we say so rather than claim a badge we do not have.

Changes to this policy

If we change this policy in a way that affects your rights, we will post the updated version here and update the "Last updated" date at the top. Material changes will also be announced inside the app for signed-in users.