Privacy Policy

Last updated: April 8, 2026

MindGryd Software Private Limited ("MindGryd," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use the Areev platform, including our website at areev.ai, cloud service, self-hosted software, APIs, and all related services (the "Service").

By using the Service, you consent to the practices described in this Privacy Policy. If you do not agree, please discontinue use of the Service.

1. Information We Collect

1.1 Personal Information

We may collect the following personal information when you register, subscribe, or interact with the Service:

  • Name, email address, and contact details;
  • Company name, job title, and business information;
  • Billing and payment information (processed through third-party payment providers; we do not store full payment card details);
  • Account credentials and authentication data;
  • Communication preferences and correspondence with us.

1.2 Technical Information

We automatically collect certain technical information when you access the Service:

  • IP address, browser type, operating system, and device information;
  • Pages visited, access times, referring URLs, and navigation patterns;
  • API usage data, request logs, and performance metrics;
  • Cookies and similar tracking technologies (see Section 9).

1.3 AI Memory Data (Customer Content)

As an AI agent memory database, the Service stores data submitted by you or your AI agents, which may include:

  • Memory grains (beliefs, events, states, workflows, actions, observations, goals, reasoning, consensus, and consent records);
  • Text inputs, embeddings, and structured data;
  • Metadata such as timestamps, tags, confidence scores, and provenance information;
  • Agent interaction data and tool invocation records.

Important: You are the data controller for all Customer Content. MindGryd processes Customer Content solely as a data processor acting on your instructions to provide the Service. We do not access, use, or analyze your Customer Content for any purpose other than operating the Service, unless required by law.

2. How We Use Your Information

We use collected information for the following purposes:

  • Service provision: To operate, maintain, and provide the features and functionality of the Service;
  • Account management: To manage your account, process payments, and communicate with you about your subscription;
  • Service improvement: To analyze usage patterns, diagnose technical issues, and improve the Service (using aggregated, anonymized data only);
  • Security: To detect, prevent, and respond to fraud, abuse, security threats, and technical issues;
  • Compliance: To comply with applicable laws, regulations, and legal processes;
  • Communication: To send you service-related notifications, updates, and (with your consent) marketing communications;
  • Support: To respond to your inquiries and provide customer support.

3. AI-Specific Privacy Practices

Given the nature of Areev as an AI memory database, we implement the following specific practices:

  • No training on your data: We do not use your Customer Content to train or develop AI models or any other product. Your Content is processed solely as necessary to provide, operate, maintain, and improve the Service as described in our Terms of Service;
  • Data minimization: The Service is designed to store only the data you explicitly submit. We do not infer, derive, or generate additional personal data beyond what is necessary to operate the Service;
  • Per-user encryption: Customer Content is encrypted at rest using per-user encryption keys (AES-256-GCM) where your deployment configuration supports it. In self-hosted deployments with external key management, MindGryd does not have access to your encryption keys. In cloud deployments, encryption keys are managed by MindGryd's infrastructure and access is restricted to authorized systems necessary to operate the Service;
  • Cryptographic erasure: When you exercise your right to deletion (e.g., GDPR Right to be Forgotten), we perform cryptographic erasure by destroying the user's encryption key, rendering all associated data permanently unreadable. This process is subject to applicable legal hold requirements and may not extend to data that has been included in anonymized aggregates or backup systems, which are purged in accordance with our retention schedules;
  • Audit trail: All operations on Customer Content are recorded in an immutable, hash-chained audit trail for transparency and accountability;
  • PII/PHI detection: The Service includes automated, best-effort detection of personally identifiable information (PII) and protected health information (PHI) to help you maintain compliance. This detection is provided as an assistive tool and is not guaranteed to identify all sensitive data. You remain solely responsible for ensuring that your data handling practices comply with applicable regulations;
  • No cross-customer data sharing: Customer Content is strictly isolated between customers. No data from one customer is ever accessible to or used for the benefit of another customer.

4. Data Sharing and Disclosure

We do not sell your personal information. We may share your information only in the following circumstances:

  • Service providers: With trusted third-party vendors who assist us in operating the Service (e.g., payment processors, cloud hosting providers, analytics services), bound by confidentiality obligations and data processing agreements;
  • Legal requirements: When required by law, regulation, legal process, or governmental request, or to protect our rights, property, or safety;
  • Business transfers: In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of the transaction. We will notify you of any such change;
  • With your consent: When you explicitly authorize us to share your information with a specific third party;
  • Aggregated data: We may share anonymized, aggregated statistical data that cannot reasonably be used to identify you.

5. Data Security

We implement industry-standard security measures to protect your information, including:

  • Encryption at rest (AES-256-GCM) and in transit (TLS 1.2+);
  • Per-user data encryption keys with support for external key management (HashiCorp Vault, AWS KMS, PKCS#11 HSM);
  • Regular security assessments and code reviews;
  • Access controls and authentication mechanisms;
  • Immutable, hash-chained audit logging;
  • Automated compliance verification checks.

While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

6. Data Breach Notification

In the event of a confirmed security breach that results in unauthorized access to, or disclosure of, your personal information, MindGryd will:

  • Notify affected users without undue delay and in accordance with applicable law (which may require notification within 72 hours of becoming aware of the breach, where required by GDPR, or within other timeframes as required by applicable jurisdiction);
  • Provide details of the nature of the breach, the categories of data affected, and the measures taken or proposed to address the breach;
  • Cooperate with applicable regulatory authorities as required by law.

Notification may be delayed where law enforcement authorities determine that notification would impede a criminal investigation, or where MindGryd reasonably determines that additional time is needed to assess the scope of the breach. MindGryd shall not be liable for breaches caused by your actions, your misconfiguration, or third-party services outside MindGryd's control.

7. Data Retention

  • Account data: Retained for the duration of your account and for a reasonable period thereafter as required for legal, tax, or accounting purposes;
  • Customer Content (cloud): Retained for the duration of your subscription. Upon account termination, Content is available for export for thirty (30) days, after which it may be permanently deleted;
  • Customer Content (self-hosted): Stored entirely on your infrastructure. MindGryd does not retain copies of self-hosted Customer Content;
  • Technical and usage data: Retained in anonymized or aggregated form for analytics and service improvement purposes;
  • Audit logs: Retained in accordance with applicable regulatory requirements and our data retention schedule.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you;
  • Correction: Request correction of inaccurate or incomplete personal information;
  • Deletion: Request deletion of your personal information, subject to legal retention requirements;
  • Data portability: Request your personal information in a structured, machine-readable format;
  • Restriction: Request restriction of processing of your personal information;
  • Objection: Object to the processing of your personal information for certain purposes;
  • Withdraw consent: Withdraw consent where processing is based on consent, without affecting the lawfulness of prior processing;
  • Lodge a complaint: Lodge a complaint with a supervisory authority in your jurisdiction.

To exercise any of these rights, please contact us using the information in Section 13.

9. Cookies and Tracking Technologies

9.1 What We Use

We use the following cookies and tracking technologies:

  • Essential cookies: Required for the operation of the Service (e.g., authentication, session management). These cannot be disabled;
  • Analytics cookies: Help us understand how visitors interact with our website (e.g., third-party analytics services). These are used only with your consent;
  • Preference cookies: Remember your settings and preferences (e.g., theme, language).

9.2 Managing Cookies

You can manage your cookie preferences through the cookie banner displayed on our website, or through your browser settings. Disabling certain cookies may affect the functionality of the Service.

9.3 Do Not Track

We endeavor to honor Do Not Track (DNT) browser signals where technically feasible. When DNT is detected, we make reasonable efforts to limit non-essential tracking, though we cannot guarantee that all third-party services integrated with our website will honor DNT signals.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including India, where MindGryd is headquartered, and other jurisdictions where MindGryd or its service providers maintain infrastructure.

10.1 Transfer Safeguards

Where personal data is transferred from the European Economic Area (EEA), United Kingdom, or Switzerland to a country that has not received an adequacy decision from the relevant data protection authority, MindGryd implements appropriate safeguards as required by applicable law, including:

  • Standard Contractual Clauses (SCCs): We enter into the European Commission-approved Standard Contractual Clauses (Module Two: Controller to Processor, or Module Three: Processor to Processor, as applicable) with recipients of personal data outside the EEA. For UK transfers, we use the UK International Data Transfer Addendum to the EU SCCs;
  • Adequacy decisions: Where available, we rely on adequacy decisions by the European Commission or other relevant data protection authorities;
  • Supplementary measures: Where required by the circumstances of the transfer, we implement additional technical (encryption in transit and at rest), organizational, and contractual safeguards to ensure an essentially equivalent level of protection.

10.2 Your Consent and Acknowledgement

By using the Service, you acknowledge and consent to the transfer of your information to India and other jurisdictions where MindGryd or its service providers operate. Where your consent serves as the legal basis for a particular transfer, you may withdraw consent at any time by discontinuing use of the Service, though this will not affect the lawfulness of transfers conducted prior to withdrawal.

MindGryd shall not be liable for data protection failures by third-party infrastructure providers, sub-processors, or governmental actions in recipient countries that are beyond MindGryd's reasonable control, provided that MindGryd has implemented the safeguards described in this section.

11. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete such information promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Last updated" date. Your continued use of the Service after changes become effective constitutes acceptance of the updated policy. We encourage you to review this policy periodically.

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at:

MindGryd Software Private Limited
B116, Cheran Ma Nagar, Coimbatore, Tamil Nadu, India — 641035
Website: mindgryd.com
Email:

14. Jurisdiction-Specific Provisions

14.1 European Economic Area (GDPR)

If you are located in the EEA, the legal bases for processing your personal information are: (a) performance of a contract (providing the Service); (b) legitimate interests (security, fraud prevention, service improvement); (c) compliance with legal obligations; and (d) your consent (marketing communications, analytics cookies). You have additional rights under GDPR, including the right to lodge a complaint with your local supervisory authority.

14.2 California (CCPA/CPRA)

If you are a California resident, you have the right to: (a) know what personal information we collect and how we use it; (b) request deletion of your personal information; (c) opt out of the "sale" of personal information (we do not sell personal information); (d) non-discrimination for exercising your rights. To submit a request, contact us using the information in Section 13.

14.3 India (DPDPA)

If you are located in India, we process your personal data in compliance with the Digital Personal Data Protection Act, 2023 (DPDPA) and applicable rules. You have the right to access, correct, and erase your personal data, and to nominate another individual to exercise these rights on your behalf.