Privacy
Policy.

Introduction

MindBacklog ("we," "our," or "us") operates the MindBacklog platform, a product management tool that uses artificial intelligence to help product managers collect, analyze, and prioritize feature requests and feedback.

This Privacy Policy explains what information we collect, how we use it, how we protect it, and what choices you have. It applies to all users of our website (mindbacklog.com) and platform services.

By using MindBacklog, you agree to the practices described in this policy. If you do not agree, please do not use our services.

Information We Collect

Account Information

When you create an account, we collect your name, email address, and password (or OAuth credentials if you sign in with Google or Microsoft). If you subscribe to a paid plan, we collect billing information processed securely through Paddle, our Merchant of Record — we never store your payment details.

Product & Workspace Data

When you create a product workspace, you may provide product documentation, URLs, descriptions, vision documents, and answers to clarifying questions. This information is used to build your product context within the MIND intelligence system.

Feedback & Source Data

When you connect external sources, the platform ingests data from those sources on your behalf:

• → Apple App Store and Google Play Store reviews (publicly available data)
• → Reddit threads from subreddits you specify (publicly available data) — coming soon
• → Emails forwarded to or received at your connected email address via IMAP
• → Feedback widget submissions embedded on your website or application (may include end-user feedback text, email if provided, page URL, and browser metadata)
• → Web scraper data from URLs you configure (competitor websites, documentation, changelogs — publicly available content)
• → Web form and customer portal submissions from your users or stakeholders
• → Data synced from Jira or Azure DevOps (tickets, comments, estimates, status) — coming soon

Feedback Widget End Users

When your organization embeds the MindBacklog feedback widget on your website or application, we may collect data from your end users including feedback text, email (if voluntarily provided), page URL, and browser metadata. This data is processed as Customer Data within your Workspace and is subject to the same protections described in this policy. Your organization is responsible for providing appropriate notice to your end users about data collection through the widget.

Usage Data

We automatically collect standard usage information including IP address, browser type, device information, pages visited, features used, and timestamps. This helps us improve the platform and diagnose issues.

How We Use Your Data

AI & Data Processing

MindBacklog uses artificial intelligence to provide core platform features including feedback clustering, feature scoring, user story generation, and product context analysis.

How AI processes your data:

• → Product documentation and feedback are processed into vector embeddings stored in your isolated workspace
• → AI models receive your product context when generating recommendations, scores, and descriptions
• → The MIND system maintains a persistent product memory specific to your workspace — it does not share context across customers

What AI does not do:

• ✗ Your data is never used to train, fine-tune, or improve AI models for any purpose beyond your direct service
• ✗ Your product context, feedback, and features are never shared with, visible to, or accessible by other customers
• ✗ AI does not make automated decisions that affect you without human review — the product manager always has final approval

We use third-party AI model providers to process certain requests. When data is sent to these providers, it is transmitted securely and subject to their data processing agreements, which prohibit the use of customer data for model training. We select providers whose data handling practices meet our security requirements.

Sharing & Disclosure

We do not sell, rent, or trade your personal information or product data. We share data only in these limited circumstances:

• → Service providers: Third-party vendors who help us operate the platform (hosting, payment processing, email delivery, AI model providers) under strict data processing agreements
• → Connected integrations: When you connect Jira, Azure DevOps, or other services, data flows between platforms as configured by you
• → Legal requirements: When required by law, subpoena, court order, or government request — we will notify you unless legally prohibited from doing so
• → Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before your data becomes subject to a different privacy policy
• → With your consent: For any purpose you explicitly authorize

Third-Party Services

MindBacklog integrates with and uses the following categories of third-party services:

Each third-party service is bound by their own privacy policies. We encourage you to review them. We select services that meet our security and privacy requirements and maintain data processing agreements where applicable.

Sub-Processors

We maintain a list of sub-processors who process Customer Data on our behalf. The third-party services table above reflects our current sub-processors.

Data Storage & Security

We take the security of your data seriously and implement industry-standard measures to protect it:

• → Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3 with perfect forward secrecy
• → Encryption at rest: All stored data, including database contents and file uploads, is encrypted using AES-256 encryption
• → Workspace isolation: Each customer's product data, feedback, and AI context are logically isolated and inaccessible to other customers
• → Access controls: Role-based access control within your organization. Internal access to customer data is restricted to authorized personnel on a need-to-know basis
• → Infrastructure: Hosted on reputable cloud infrastructure with SOC 2 Type II certification. Our own SOC 2 compliance process is in progress

While we implement robust security measures, no system is 100% secure. In the unlikely event of a data breach, we will notify affected users within 72 hours of discovery as required by applicable law.

Data Retention

Active accounts: We retain your data for as long as your account is active and as needed to provide services.

Cancelled accounts: When you cancel your subscription, your account and workspace data are retained for 30 days in case you wish to reactivate. After 30 days, workspace data (product context, feedback, features, AI-generated content) is permanently deleted.

Account deletion: You may request complete account deletion at any time by contacting us. Upon request, all personal data, product data, and workspace content will be permanently deleted within 30 days. Some data may be retained in encrypted backups for up to 90 days before being purged.

Billing records: Transaction records are retained for 7 years as required by financial regulations.

Anonymized data: We may retain anonymized, aggregated data that cannot identify you for analytics and product improvement purposes indefinitely.

Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• → Access: Request a copy of the personal data we hold about you
• → Correction: Request correction of inaccurate or incomplete personal data
• → Deletion: Request deletion of your personal data (subject to legal retention requirements)
• → Export: Request a machine-readable export of your data
• → Objection: Object to specific processing activities
• → Restriction: Request that we limit how we use your data
• → Withdraw consent: Where processing is based on consent, withdraw that consent at any time

To exercise any of these rights, contact us at privacy@mindbacklog.com. We will respond within 30 days.

California residents (CCPA): You have the right to know what personal information we collect, request deletion, and opt out of any sale of personal information. We do not sell personal information.

European residents (GDPR): Our legal bases for processing personal data are detailed below:

You have the right to lodge a complaint with your local data protection authority.

Cookies & Tracking

We use cookies and similar technologies for the following purposes:

We do not use advertising cookies or tracking pixels. We do not share cookie data with third-party advertisers. You can manage cookie preferences through your browser settings. Disabling essential cookies may prevent the platform from functioning properly.

Children's Privacy

MindBacklog is a business-to-business product designed for professional use. We do not knowingly collect personal information from anyone under the age of 16. If we learn that we have collected data from a child under 16, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at privacy@mindbacklog.com.

International Data Transfers

MindBacklog may process and store data in locations outside your country of residence. When we transfer data internationally, we implement appropriate safeguards including standard contractual clauses and data processing agreements to ensure your data remains protected in accordance with this policy and applicable law.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by email and update the "Last Updated" date at the top of this page.

We will not retroactively reduce your rights under this policy without your explicit consent. We encourage you to review this page periodically.

Contact Us

If you have questions, concerns, or requests related to your privacy or this policy, you can reach us at:

We aim to respond to all privacy-related requests within 30 days.