Privacy Policy

Last updated: 16 May 2026

This Privacy Policy describes how Mindful AI ("Mindful AI", "we", "us") collects, uses, and protects your information when you use the application available at https://mindful-ai-56s.pages.dev (the "Service"). By using the Service, you agree to the practices described here.

1. Who we are

Mindful AI is operated by Mindful AI, contactable at hello@mindful.fyi. If you have questions about this policy or wish to exercise your rights, write to us at that address.

2. Information we collect

We deliberately collect the minimum needed to run an expense tracker.

a. Account information (via Google Sign-In)

When you sign in, Google shares your name, email address, profile picture URL, and a stable Google account identifier ("sub") with us. We never receive your Google password. We do not request access to your Gmail, Drive, contacts, or any other Google service.

b. Expense data you enter

Every message you type into the chat — amount, merchant, category, note, date, tags — is stored as a transaction record under your account. We treat this as financial data and keep it scoped to you.

c. Chat history

Messages you send and the assistant's replies are saved so you can scroll back through your history.

d. Derived data

We compute monthly rollups, category breakdowns, and budget progress from your transactions. We also generate vector embeddings of your transaction notes so the assistant can answer free-form questions about your spending.

e. Session and technical data

A session cookie (mf_session) — a random token — identifies your browser to our servers. We store a SHA-256 hash of the token, not the token itself. We do not use third-party analytics, advertising trackers, or fingerprinting.

f. Audit logs

We keep short-lived logs of AI parser inputs and outputs (the parse_events table) so we can debug misparsed expenses. These contain the text you sent.

3. How we use your information

• To authenticate you via Google OAuth.
• To parse your natural-language expense messages into structured transactions, using Cloudflare Workers AI.
• To compute totals, budgets, category breakdowns, and reports — all done with SQL against your own data.
• To power semantic search and the "ask a question about your spending" feature, using vector embeddings stored in Cloudflare Vectorize.
• To improve reliability by reviewing parser audit logs when something looks wrong.

We do not sell your data. We do not share it with advertisers. We do not use your expense data to train any AI model.

4. AI processing

Mindful AI uses Cloudflare Workers AI to (a) parse your messages into structured expenses and (b) compose natural-language answers about your spending. Inputs are sent to Cloudflare's hosted models (@cf/meta/llama-3.1-8b-instruct and @cf/baai/bge-base-en-v1.5) over Cloudflare's network. We do not send your data to OpenAI, Anthropic, Google Gemini, or any other third-party AI provider. Per Cloudflare's published terms, Workers AI inputs are not used to train Cloudflare's models.

All monetary figures shown in chat replies are computed by us from our SQL database — never generated by an AI model — so the numbers you see are always the numbers in your account.

5. Where your data is stored

• Transaction and account data: Cloudflare D1 (SQLite), region routed by Cloudflare based on access patterns.
• Vector embeddings: Cloudflare Vectorize.
• Static assets and server code: Cloudflare Pages / Workers.

Cloudflare may process data globally. By using the Service you consent to this cross-border processing.

6. Retention

• Active accounts: data is retained as long as your account is active.
• Sessions: deleted automatically 7 days after last use, or on sign-out.
• Parser audit logs: retained for up to 30 days, then deleted.
• Deleted transactions: soft-deleted records are kept for 30 days so you can restore, then purged.
• Account deletion: when you delete your account (or request deletion via email), we erase your account row, transactions, chat history, rollups, sessions, and vector embeddings within 30 days, except where law requires longer retention.

7. Your rights

Depending on where you live, you may have the right to:

• Access a copy of your data.
• Correct inaccurate data.
• Delete your data ("right to be forgotten").
• Export your data in a portable format.
• Withdraw consent and stop using the Service.

To exercise any of these, email hello@mindful.fyi. We will respond within 30 days. Indian users have rights under the Digital Personal Data Protection Act, 2023; EU/UK users under the GDPR/UK GDPR.

8. Security

• Sessions are random tokens; only their SHA-256 hashes are stored.
• All traffic is HTTPS.
• OAuth uses PKCE and a state cookie to prevent CSRF.
• Every database query is scoped by your user ID; we do not run cross-user queries.

No system is perfectly secure. If we discover a breach affecting your data, we will notify you and the appropriate regulator as required by law.

9. Children

The Service is not directed to children under 18. We do not knowingly collect data from children. If you believe a child has signed up, contact us and we will delete the account.

10. Cookies

We use exactly two cookies:

• mf_session — strictly necessary for sign-in.
• mf_oauth_state / mf_oauth_pkce — short-lived (10 minutes), used during Google sign-in.

No analytics, advertising, or tracking cookies are set.

11. Changes to this policy

If we make material changes we will post the new policy at this URL and update the "Last updated" date. Continued use after changes means you accept the revised policy.

12. Contact

Questions, requests, or complaints: hello@mindful.fyi.