Privacy Policy — MyThinkTank.AI

Introduction

MTT.AI, Inc. ("MTT.AI," "we," "us," or "our") operates MyThinkTank.AI. This Privacy Policy explains what personal information we collect when you use our website at https://www.mythinktank.ai, our web application at https://mythinktank.ai/chat, and any related services (collectively, the "Services"); how we use, store, and protect that information; and what rights you have over it.

We process personal information for a defined set of purposes:

providing and improving our AI-powered roundtable discussion services;
authenticating users and protecting accounts;
processing payments for paid subscriptions;
responding to support inquiries; and
monitoring platform health, security, and performance.

Questions about how we handle personal information should go to data@mythinktank.ai.

Scope and Application

This Privacy Policy applies to all users of the Services, including:

Anonymous visitors who use the Services without creating an account
Registered users with free accounts
Paid subscribers

It applies whether you are browsing the website, using the AI roundtable application, or managing a subscription.

Data Collection and Processing

Information We Collect

We collect only the information necessary to operate the Services.

Account Information (registered users):

email address
username (display name)
password (stored as a salted cryptographic hash — we cannot read your password)
account tier (free or paid)

Conversation Data (all users):

messages you send during AI roundtable sessions
AI-generated responses in your sessions
session metadata (panel composition, timestamps, dialectical phase/state)
documents you upload for discussion (paid users only)

Anonymous User Data:

a randomly generated identifier stored in your browser's local storage, used to associate sessions across visits if you use the Services without an account
session history linked to that identifier

Payment Information:

We do not directly collect or store credit card numbers, bank details, or other payment instruments. All payment processing is handled by Stripe, Inc. From Stripe we receive your Stripe customer ID, subscription status, and tier level. See Stripe's privacy policy for how Stripe handles your payment data.

Technical Information (collected automatically):

IP address (used transiently for anonymous-session rate limiting; not retained long-term; cleared from rate-limiting records when you authenticate)
standard HTTP request headers (user-agent, referrer) as part of normal server operation and access logging

Search and Telemetry Data:

persona search queries (the names or descriptions you search for during panel design)
search result quality metrics (hits, misses, resolution method)

Information We Do NOT Collect

For clarity, we do not collect:

date of birth
phone number
physical address or city
GPS or real-time location data
browser fingerprints
device identifiers
biometric data
social media profiles
data from third-party sources about you

Special Category Data (GDPR Article 9)

The Services include personas representing religious, political, philosophical, and health-related viewpoints. By engaging in roundtable discussions on these topics, your conversation content may reveal or relate to your religious beliefs, political opinions, philosophical views, or health concerns. We process this data only to provide the AI roundtable services you have requested. Under GDPR Article 9(2)(a), by voluntarily initiating or participating in discussions involving these topics, you explicitly consent to the processing of any such special category data contained in your conversations. You may withdraw this consent at any time by ceasing to use the Services and requesting deletion of your data.

Lawful Bases for Processing (GDPR Article 6)

For users in the European Economic Area, the United Kingdom, and Switzerland, we rely on the following lawful bases under GDPR Article 6:

Performance of a contract. We process your account information, conversation data, and payment-related information to provide the Services you have requested under our Terms of Service.
Legitimate interests. We process technical information, search and telemetry data, and aggregated usage data to secure the Services, prevent fraud and abuse, monitor performance, and improve persona recommendations and platform quality. We have assessed that these processing activities do not override your fundamental rights and freedoms.
Consent. Where we process special category data (see above) or any other data on the basis of consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.
Legal obligation. We process and retain certain information (such as payment records) to comply with tax, financial, and other legal obligations.

How We Use Your Information

Authentication and security — verifying identity, protecting accounts, detecting and preventing abuse
Providing the Services — processing your messages through AI infrastructure, storing conversation history, enabling session resume and export
Payment processing — managing subscriptions through Stripe
Platform improvement — analyzing search telemetry to improve persona recommendations, monitoring performance and error rates
Customer support — responding to your inquiries
Legal compliance — meeting regulatory obligations and responding to lawful requests

We do not use your personal information for:

advertising or ad targeting;
selling to third parties;
training AI models;
marketing communications, unless you explicitly opt in;
behavioral profiling or tracking across other websites.

Third-Party Data Processors

We use the following third-party services to operate the platform. Each processes certain data on our behalf:

Processor	Purpose	Data Shared	Privacy Policy
Amazon Web Services (AWS)	Cloud infrastructure (hosting, database, file storage)	All platform data is stored on AWS infrastructure in the United States (us-east-2 region, with some services in us-east-1)	aws.amazon.com/privacy
AWS Bedrock (Anthropic Claude)	AI model processing	Your conversation messages and uploaded documents are sent to AWS Bedrock for AI response generation	aws.amazon.com/bedrock/faqs
Stripe, Inc.	Payment processing	Email address, subscription tier, payment method (handled directly by Stripe)	stripe.com/privacy
Langfuse	AI observability and quality monitoring	Conversation content may be logged for debugging and quality monitoring; used for engineering investigations and performance analysis	langfuse.com/privacy

All third-party processors are bound by data processing agreements that require them to handle your data in accordance with applicable data protection laws.

Data Storage and Protection

Storage Location

All data is stored on Amazon Web Services infrastructure in the United States (primarily us-east-2, Ohio).

Security Measures

Encryption at rest: Database (RDS) encrypted with AWS KMS; file storage (S3) encrypted with AES-256
Encryption in transit: All connections use TLS 1.2 or higher
Access control: Role-based access following the principle of least privilege
Password security: Passwords hashed with scrypt; compromised-password checking via Have I Been Pwned integration
Infrastructure protection: AWS WAF (Web Application Firewall), CloudFront security headers (HSTS, X-Frame-Options), VPC network isolation
Audit logging: AWS CloudTrail, VPC Flow Logs, ALB access logs
Dependency scanning: Automated vulnerability scanning via Dependabot

No security program is perfect. We strive to apply industry-standard practices but cannot guarantee absolute security.

Data Retention

Registered user data: retained until you delete your account
Anonymous session data: retained in our database until you request deletion or migrate the session to a registered account
Server logs: retained for 90 days
Payment records: retained as required by tax and financial regulations

If you delete your account, we will delete the associated personal information from our active systems. Some data may persist temporarily in encrypted backups before being overwritten on the normal backup rotation cycle, and we may retain limited records as required for legal compliance, dispute resolution, and enforcement of our agreements.

Cookies and Local Storage

Web Application

The MyThinkTank.AI web application does not use cookies for tracking, analytics, or advertising. Specifically:

no advertising or targeting cookies
no analytics cookies in the application
no third-party tracking pixels or web beacons in the application

The application uses browser local storage (not cookies) for:

authentication tokens (JWT) — to keep you logged in
anonymous user identifier — a randomly generated UUID that associates your sessions if you use the Services without an account

Marketing Website

Our marketing website at www.mythinktank.ai may use cookies for analytics and performance monitoring. When you visit the marketing website, you will see a cookie consent banner where you can accept, reject, or customize cookie preferences. The banner is also accessible from the footer at any time.

Data Sharing and Disclosure

We do not sell your personal information. We do not share your personal information for advertising purposes.

We may disclose your information in the following limited circumstances:

Service providers — to the third-party processors listed above, solely to operate the Services
Legal obligations — when required by applicable law, court order, subpoena, or other legal process
Protection of rights — when reasonably necessary to enforce our Terms of Service, protect against fraud or abuse, or protect the rights, safety, or property of MTT.AI, our users, or the public
Business transfers — in connection with a merger, acquisition, financing, or sale of assets, in which case we will provide notice and any acquirer will be bound by privacy commitments at least as protective as those in this Policy

Your Rights and Choices

General Rights

Subject to applicable law, you have the following rights with respect to your personal information:

Right of access — request a copy of the personal information we hold about you
Right to rectification — request correction of inaccurate or incomplete information
Right to erasure ("right to be forgotten") — request deletion of your personal information
Right to restriction of processing — request that we limit how we process your data
Right to data portability — receive your data in a structured, machine-readable format (JSON)
Right to object — object to processing of your personal information
Right to withdraw consent — where processing is based on consent, withdraw it at any time
Right to lodge a complaint — file a complaint with a supervisory authority in your jurisdiction

How to Exercise Your Rights

Self-service (registered users):

Download your data: account page → "Download My Data" (exports threads, messages, documents, and telemetry as JSON)
Delete your account: account page → "Delete Account" (permanently deletes your account and associated data, including conversation history, uploaded documents, Stripe customer record, and any cached audio files)

By request: contact data@mythinktank.ai. We will respond within 30 days as required by applicable data protection law. We may need to verify your identity before processing certain requests.

California Residents

If you are a California resident, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act ("CCPA/CPRA"):

Right to know what personal information we have collected, used, disclosed, and shared
Right to delete personal information we have collected from you
Right to correct inaccurate personal information
Right to limit use of sensitive personal information — although MTT.AI does not use sensitive personal information for purposes that trigger the right to limit (we do not use it for inferring characteristics or for cross-context behavioral advertising), you may make this request
Right to opt out of "sales" and "sharing" — MTT.AI does not sell personal information and does not share personal information for cross-context behavioral advertising
Right to non-discrimination — we will not deny you services, charge you different prices, or provide a different level of service for exercising your rights

Global Privacy Control (GPC). We honor GPC signals sent by your browser as a valid opt-out request for any processing that would otherwise qualify as a "sale" or "sharing" under California law. Because we do not engage in such activity in any case, the practical effect of a GPC signal in our application is informational only.

Authorized agents. You may designate an authorized agent to make a request on your behalf. We will require verification of the agent's authority and may also require verification of your identity.

Appeals. To appeal a decision regarding your request, contact data@mythinktank.ai within 60 days of receiving our response.

Automated Decision-Making

The Services use artificial intelligence to generate responses in roundtable discussions. This automated processing is the core function of the platform you are using. AI-generated content is delivered as-is and is not reviewed by humans before delivery. You should not rely on AI-generated content for professional, medical, legal, or financial decisions.

We do not use automated decision-making to make legally significant decisions about you, such as decisions about credit, employment, insurance, housing, or access to essential services.

Children's Privacy

The Services are not directed to or intended for use by anyone under the age of 18, and we do not knowingly collect personal information from children. The Services are not designed to comply with the Children's Online Privacy Protection Act ("COPPA") because they are not intended for children under 13. If we learn that we have collected personal information from a person under 18, we will delete that information promptly. If you believe a minor has provided personal information to us, please contact data@mythinktank.ai.

International Data Transfers

If you access the Services from outside the United States, your data will be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) adopted by the European Commission, as well as equivalent transfer mechanisms where required by applicable law, to provide adequate protection for personal data transferred from the European Economic Area, the United Kingdom, or Switzerland. Where our third-party processors (such as AWS and Stripe) process data outside your jurisdiction, they maintain their own transfer mechanisms (including SCCs and approved certifications). For more information or to obtain a copy of the applicable safeguards, contact data@mythinktank.ai.

Data Breach Notification

In the event of a data breach that poses a risk to your privacy rights:

Regulatory authorities — we will notify relevant data protection authorities within 72 hours where required by law, including under GDPR Article 33.
Affected individuals — we will notify you without undue delay, by email if we have your address and/or by prominent notice on the Services.
Information provided — the nature of the breach, the types of data affected, and steps you can take to protect yourself.

If you believe you may have been affected by a data breach, contact data@mythinktank.ai.

Policy Updates

We may update this Privacy Policy to reflect changes in our practices, legal requirements, or business operations. For material changes, we will:

update the "Last updated" date at the top of this document;
provide prominent notice on the Services; and
where we have your email address, notify you by email.

For non-material edits (typographical corrections, clarifications, formatting), we may update without individual notice. Your continued use of the Services after the updated Policy becomes effective constitutes your acceptance of the changes. We encourage you to review this Policy periodically.

Contact Us

For questions about this Privacy Policy or to exercise your privacy rights, contact us:

Email: data@mythinktank.ai

MTT.AI, Inc.
4322 Rimridge Drive
Evansville, IN 47711
United States