Data hosting and privacy

MindWeaveBoard treats your boards, members, comments, AI conversations, and metadata as confidential. We never sell or share them, and we host them where European data-protection rules apply.

Where your data lives

All MindWeaveBoard data — boards, comments, members, files, AI conversations, audit logs — is hosted in the European Union, specifically in Germany. Our infrastructure provider runs ISO 27001-certified data centres with EU-resident operations staff.

Backups stay inside the EU. Replicas stay inside the EU. There is no scenario where customer data is replicated to another region without an explicit contractual agreement.

What's stored

Board content — shapes, stickies, text, drawings, frames, connectors, comments, tasks.
Files — anything uploaded as an attachment.
Member records — name, email, role, organisation membership, last-active date.
Audit logs — admin actions, role changes, billing events.
AI conversations — the chat history visible inside each board, plus the global AI thread per user.

What's never stored

We don't store your password. Authentication is hashed (bcrypt) and we cannot recover the original. Use the password-reset flow if you forget it.
We don't store payment-card details. Cards are tokenised by our payment processor (Stripe); we only see the last four digits and the brand.
We don't store voice-session audio after the session ends. Transcripts are kept if you saved them to the board; raw audio is discarded.

What's encrypted

In transit — every connection uses TLS 1.2 or higher.
At rest — all data is encrypted on disk by the underlying storage layer. Backups are encrypted separately.
Per-tenant secrets — service-to-service tokens are tenant-scoped; cross-tenant access is structurally impossible.

Who can access your data

You and your organisation's members — at the access level their roles grant.
Guests you've invited — only the specific boards you invited them to.
MindWeaveBoard staff — only when explicitly investigating a support ticket you filed, only with logged access, and only by named senior staff. Routine engineering does not have access to customer board content.

We never look at customer content for product or marketing analysis. Aggregate, anonymised usage stats are based on metadata (board counts, feature usage rates) — never content.

AI and your data

MindWeave AI processes your board content only on a per-request basis to answer the specific question or run the specific action you asked for. The board content is sent to the AI provider as context for that single request and discarded after the response. Your data is never used to train external models.

We have explicit contractual terms with our AI provider stating they do not retain customer data sent for inference.

Retention and deletion

Active board content is retained as long as the board exists.
Deleted boards are unrecoverable after 30 days (the grace window for accidental deletion).
Audit logs are retained for 1 year on Starter/Advanced and 7 years on Enterprise.
When you cancel your subscription, your data is retained for 90 days in case you reactivate, then permanently deleted.

You can request immediate deletion of your account from Settings → Account → Delete account. See GDPR compliance for the formal data-subject-rights process.

GDPR compliance — formal rights and processor obligations.
Enterprise security — SSO, audit, custom retention.
Two-factor authentication — protecting your account.

Data hosting and privacy ​

Where your data lives ​

What's stored ​

What's never stored ​

What's encrypted ​

Who can access your data ​

AI and your data ​

Retention and deletion ​

Related ​