Privacy policy

Last update

July 28, 2025

1. Introduction

MindFort AI, Inc. ("MindFort," "we," "our," or "us") provides autonomous security‑testing Services exclusively to customers located in the United States. We respect your privacy and are committed to safeguarding information that you—or your authorized users—entrust to us. This Privacy Policy describes how we collect, use, disclose, and protect information when you visit our website, interact with our platform, or otherwise use our Services.

If you reside outside the United States, do not use the Services. We do not intentionally market to, or process data subject to, the laws of jurisdictions outside the U.S.

2. Definitions

"Personal Information" – information that identifies, relates to, describes, or could reasonably be linked to an identifiable individual.

"Processing" – any operation performed on Personal Information, including collection, storage, use, disclosure, or deletion.

"Service Providers" – third parties engaged by MindFort to perform Processing on our behalf.

"Sub‑processors" – Service Providers that may have logical access to Testing Data or Personal Information.

"Testing Data" – logs, payloads, proofs‑of‑concept, and other artifacts generated during autonomous security testing.

3. Information We Collect

3.1 Information You Provide

• Contact and professional details (name, e‑mail, phone, company, title)

• Account credentials and authentication factors

• Billing details (payment‑card token, invoicing address)

• Scope definitions, test parameters, configuration preferences

• Communications with our team (support tickets, e‑mail, in‑app chat)

3.2 Information Collected Automatically

• Testing Data and vulnerability findings relating to Your Systems

• Usage metrics (API calls, feature utilization, clickstream)

• Device and log data (IP address, browser, OS, timestamps)

3.3 Information from Third Parties

• Identity and fraud‑prevention services (e.g., ID verification vendors)

• Publicly available sources for contact enrichment

4. How We Use Information

(a) Service Delivery – create and manage accounts, execute autonomous security tests, generate reports, provide support, and process payments.

(b) Service Improvement – develop new features, train and refine machine‑learning models on de‑identified data (retained indefinitely unless you opt out), and analyze usage trends to enhance reliability and performance.

(c) Security and Compliance – monitor for abuse, verify identity, satisfy audits (including SOC 2), and meet legal obligations.

5. Data Retention

5.1 Testing Data

• Data gathered by our AI agents and automated tools—including logs, payloads, exploit artifacts, vulnerability metadata, screenshots, and telemetry—is retained indefinitely unless you request deletion of your account or specific data.

• Source code or other proprietary code supplied solely for an assessment is stored only for the duration of that assessment and is deleted within seven (7) days after the engagement closes. Findings, derivative artifacts, and anonymised embeddings generated from such code may be retained indefinitely as part of Testing Data.

5.2 Account and Billing Records

• Financial records: retained seven (7) years to meet tax and accounting requirements.

5.3 Deletion & Opt‑Out Requests

• Upon verified request, we will delete or de‑identify Personal Information and, where technically feasible, purge related Testing Data.

• You may request that your data be excluded from product‑improvement and machine‑learning training at any time; we will comply within 30 days of verification.

6. Data Sharing and Disclosure

6.1 Service Providers and Sub‑processors

We share information with vetted U.S.‑based vendors that provide cloud hosting, payment processing, communications, analytics, and AI inference. All vendors are bound by written agreements requiring confidentiality, SOC 2 or equivalent controls, and use of data only to support the Services.

We maintain an internal list of Sub‑processors and will provide it upon written request. We will give at least 30 days’ notice before engaging any new Sub‑processor that will process your Testing Data.

6.2 Legal Compliance

We may disclose information when required to comply with subpoena, court order, or similar legal process.

6.3 Business Transfers

Information may be transferred in connection with a merger, acquisition, or asset sale. Affected users will be notified via e‑mail and prominent in‑app notice.

6.4 With Consent

We share information with third parties only when you authorize us to do so.

7. Zero-Data-Retention AI Policy

Our AI inference providers (currently Anthropic and OpenAI) are contractually bound to (i) store prompts and outputs no longer than necessary to complete inference and (ii) exclude our data from model training. Sessions are stateless and logs containing customer prompts are encrypted and deleted within 24 hours.

8. Security Measures (SOC 2 Aligned)

• Encryption in transit (TLS 1.2+) and at rest (AES‑256)

• Role‑based access control and MFA for all administrative access

• Continuous vulnerability management and penetration testing (CC7.1)

• Change‑management controls (CC8)

• Incident‑response plan with 24×7 monitoring

• Annual SOC 2 Type 1 (completed) and Type 2 (in progress) audits

9. Breach Notification

If we confirm unauthorized access to Personal Information, we will notify affected customers without undue delay and no later than 72 hours after validation, consistent with applicable U.S. data‑breach laws.

10. Your Privacy Rights (U.S.)

Depending on your state of residence (e.g., California, Colorado, Virginia), you may have rights to:

• Access specific pieces of Personal Information we hold about you.

• Correct inaccurate Personal Information.

• Delete Personal Information, subject to exceptions.

• Opt out of the sale or sharing of Personal Information (MindFort does not sell Personal Information).

We respond to verifiable requests within 45 days. Submit requests to founders@mindfort.ai. We will verify identity via account credentials and, if necessary, additional factors.

11. Cookies and Tracking

We use first‑party cookies for session management and analytics. Manage preferences through your browser settings. See our Cookie Policy at mindfort.ai/cookies for details.

13. Changes to this Policy

We may update this Policy periodically. Material changes will be announced by e‑mail and in‑app notice at least 30 days before they take effect. Continued use after the effective date constitutes acceptance.

14. Contact Us

Questions or requests? E‑mail founders@mindfort.ai or write to:


© 2025 MindFort AI, Inc. All rights reserved.