What we do, and what we will not do.
An honest breakdown of how Mini Me OS handles accounts and data. For anything that is not covered, write through the contact form — we will answer.
Account-scoped data
Every workspace row is keyed to your user id and protected by Postgres row-level security. Other users cannot read your tasks, goals or routines.
TLS everywhere
All browser-to-server traffic uses TLS. Service-role keys live only on the server and never reach the browser.
No advertising trackers
No analytics scripts, no marketing pixels, no retargeting. Only a session cookie and a local cache that the app itself controls.
AI as suggestion
Every AI-assisted feature shows a preview first. Nothing is created or modified in your account until you explicitly confirm.
Export your data
Settings → Download my data gives you a JSON archive of every workspace entity attached to your account.
Delete is real
Settings → Delete account removes every row tied to your user across all workspace tables, then deletes the authentication user itself.
The stack we rely on
- Authentication and database — Supabase (Postgres + Supabase Auth). Account-scoped data is enforced with row-level security policies that scope every read and write to the signed-in user.
- Hosting — Vercel for the application, edge network and build pipeline.
- AI provider — Google (Gemini API), used only by the opt-in AI features (Smart Add, "Break into steps", "Explain today's plan", "Break a project into tasks", and the Voice → text fallback for browsers without on-device speech recognition). See the AI Disclosure for exactly what each feature sends.
Third-party integrations
Two integrations connect Mini Me OS to data outside your workspace, both read-only and both opt-in:
- Calendar (Pro+) — you paste a private iCal URL in Settings; we read the next 7 days of events. No write scope, no OAuth. Disconnect deletes both the URL and the cached events.
- Email (Max-tier, opt-in) — connect a Gmail account via OAuth; we sync subject + snippet + sender for the latest 30 INBOX messages on demand. No reply, no archive, no full body. Refresh tokens are encrypted at rest with pgcrypto. Disconnect deletes both the token and every synced message row.
Beyond those two, Mini Me OS does not connect to your contacts, files, social accounts or any other third-party service.
Billing
Mini Me OS lists Pro and Max prices on the pricing page, but card processing is not yet connected. No payment data is collected today. When billing goes live we will publish the matching billing terms and ask you to confirm before charging anything.
Reporting a vulnerability
If you find a security issue, write to us through the contact form. We do not run a paid bug-bounty programme yet; serious responsible disclosures can be acknowledged on this page with your permission.
Honest limitations
Mini Me OS is built and maintained by a small team. We do not currently hold an external security certification (SOC 2, ISO 27001 or similar). We would rather say that out loud than pretend otherwise. If you need a deeper security conversation, write in.
Want the legal version?