AI Blew My Mind

Privacy Policy

Effective date: 3 April 2026
Version: 1.0

1. Controller Identity

This Privacy Policy explains how SC INNOVALISTA SRL, a company registered in Romania ("we", "us", "our"), processes your personal data when you use the Central Auth platform at auth.aiblewmymind.com ("Central Auth").

Contact: support@aiblewmymind.com

Central Auth provides a single account for the AI Blew My Mind ("AIBMM") ecosystem of services. This policy covers only the Central Auth platform. Each AIBMM Service has its own Privacy Policy that governs how it handles data received through Central Auth.

2. Data We Collect

2.1 Account Data

Data | Purpose | Lawful Basis
Email address | Account identification, notifications | Performance of contract
Password (hashed) | Authentication | Performance of contract
Email verification status | Security, service provisioning | Performance of contract

2.2 Authentication Events

Data | Purpose | Lawful Basis
Login/signup timestamps | Security auditing | Legitimate interest (platform security)
IP addresses | Fraud detection, audit trail | Legitimate interest (platform security)
User agent | Session management | Legitimate interest (platform security)
Refresh token metadata | Theft detection | Legitimate interest (platform security)

2.3 Third-Party Identity

Data | Purpose | Lawful Basis
Google OAuth profile link | Alternative sign-in | Consent (user initiates Google sign-in)

2.4 User-Stored Data

Data | Purpose | Lawful Basis
API keys/credentials (encrypted AES-256-GCM) | Cross-service secret access | Performance of contract
Perk entitlements | Cross-service feature access | Performance of contract

2.5 Preferences

Data | Purpose | Lawful Basis
Newsletter opt-in | Email marketing | Consent
Terms acceptance version and timestamp | Legal compliance | Legal obligation

2.6 Anti-Fraud Data

Data | Purpose | Lawful Basis
reCAPTCHA v3 interaction data | Bot prevention at signup | Legitimate interest (fraud prevention)

reCAPTCHA data is processed by Google under Google's Privacy Policy and Terms of Service. We receive only a risk score — we do not receive or store the underlying interaction data.

3. How We Use Your Data

We use your data to:

  • Authenticate you across AIBMM ecosystem Services
  • Mint signed tokens (JWTs) containing your identity and Perks for Services you authorize
  • Detect security threats including refresh token theft, brute-force attacks, and suspicious login patterns
  • Send transactional emails such as password reset links, email verification, and account deletion confirmations
  • Sync Perks across Services where your account is provisioned
  • Send newsletters if you have opted in (you may unsubscribe at any time)
  • Maintain audit logs for security investigation and regulatory compliance

We do not use your data for profiling, automated decision-making, or advertising.

4. Data Shared with Third Parties

4.1 AIBMM Ecosystem Services

When you authorize a Service, we share:

  • Your email address and central user identifier
  • Your email verification status
  • Your active Perk entitlements (type, value, granting service)
  • A service-specific user identifier

Each Service becomes an independent data controller for the data it receives. Refer to each Service's own Privacy Policy for details on its data practices.

4.2 Google

  • Google OAuth: If you sign in with Google, your Google profile is linked to your Account. Google processes data under its own Privacy Policy.
  • reCAPTCHA v3: At signup, interaction data is sent to Google for bot risk assessment. We receive only a score.

4.3 Stripe

Stripe webhook events (subscription changes) are processed to automatically grant or revoke Perks. We correlate subscription metadata with your Account but do not send your personal data to Stripe through Central Auth. Stripe's processing is governed by the relevant Service's relationship with Stripe.

4.4 No Data Sales

We do not sell, rent, or trade your personal data to any third party.

5. Data Retention

Data | Retention
Active account data | Retained while your Account exists
Audit logs | Retained for the lifetime of your Account for security purposes
Refresh tokens | Automatically expire after 24 hours
Authorization codes | Automatically expire after 10 minutes
Deleted accounts | 30-day grace period, then permanently deleted (including all associated data)

When your Account is permanently deleted, the deletion cascades to all associated data: user secrets, perk records, service links, refresh tokens, authorization codes, and audit logs are permanently removed.

6. Your Rights

Under the General Data Protection Regulation (GDPR), you have the following rights:

6.1 Right of Access

You may request a copy of all personal data we hold about you.

6.2 Right to Rectification

You may update your email address or other account information at any time through your account settings.

6.3 Right to Erasure

You may delete your Account at any time. After a 30-day grace period (during which you can cancel), all your data is permanently deleted. See our Terms of Service, Section 8 for details.

6.4 Right to Data Portability

You may request your personal data in a structured, commonly used, machine-readable format.

6.5 Right to Restriction of Processing

You may request that we restrict the processing of your data while we verify the accuracy of the data or the lawfulness of our processing.

6.6 Right to Object

You may object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

6.7 Right to Withdraw Consent

Where processing is based on consent (newsletter, Google OAuth), you may withdraw your consent at any time without affecting the lawfulness of prior processing. You can unsubscribe from the newsletter via any email we send, or unlink your Google account from your settings.

6.8 Right to Lodge a Complaint

If you believe we have violated your data protection rights, you have the right to lodge a complaint with:

ANSPDCP (Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal)
The Romanian Data Protection Authority
Website: https://www.dataprotection.ro

You may also lodge a complaint with the supervisory authority in your EU member state of habitual residence.

Exercising Your Rights

To exercise any of these rights, contact us at support@aiblewmymind.com. We will respond within 30 days. We may ask you to verify your identity before processing your request.

7. Cookies and Local Storage

Central Auth uses only strictly necessary cookies for session management and authentication. These cookies are required for the platform to function and do not require your consent under the ePrivacy Directive.

We do not use:

  • Analytics cookies
  • Advertising or tracking cookies
  • Third-party cookies (except those set by Google reCAPTCHA during signup, which are covered by Google's cookie policy)

8. Security Measures

We implement the following security measures to protect your data:

  • Encryption at rest: User Secrets and service credentials are encrypted with AES-256-GCM
  • Signed tokens: JWTs are signed with RS256 (central) and ES256 (service-specific) algorithms
  • PKCE enforcement: All OAuth authorization flows require Proof Key for Code Exchange (S256)
  • Refresh token theft detection: Token reuse triggers automatic revocation of the entire token family
  • Transport security: All communications are encrypted in transit via TLS

Breach Notification

In the event of a personal data breach, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by GDPR
  • Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms
  • Document all breaches in our internal register regardless of severity

9. International Transfers

Your data is processed within the European Union. If we ever need to transfer data outside the EU/EEA, we will ensure appropriate safeguards are in place (such as Standard Contractual Clauses approved by the European Commission) and inform you accordingly.

10. Children

Central Auth is not intended for use by anyone under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time.

  • Non-material changes (clarifications, formatting): We will post the updated policy and notify you by email at least 30 days before the effective date. Continued use after the effective date constitutes acceptance.
  • Material changes (new data collection, sharing practices, or reduced rights): We will require you to actively re-accept the updated policy at your next login. You will be shown a summary of what changed.

12. Contact

For any questions, concerns, or data subject requests:

SC INNOVALISTA SRL
Email: support@aiblewmymind.com