Legal
Privacy Policy
What MinuteWork collects, how we handle it, and how to exercise your rights.
Last updated April 26, 2026
1. Who we are
MinuteWork is a platform that helps domain experts turn their work experience into AI-operated businesses. The service is operated by MinuteWork, Inc., a Delaware corporation. This Privacy Policy explains what we collect when you use the service, how we use and share it, and what choices you have.
If you have a question about this policy, write to legal@minutework.ai or MinuteWork, Inc., [Registered Address].
2. The three-party model
MinuteWork is unusual because three different categories of people have data flowing through it. Knowing which one you are makes the rest of this policy easier to read.
- Operator — you signed up for an account at MinuteWork to build, run, or sell an AI-operated business. Your account, billing, résumé, and the configuration of your AI workforce live with us. For your personal data, MinuteWork is the data controller.
- End-Customer — you are a customer of an Operator's business. The Operator built that business on MinuteWork. The Operator decides what data is collected about you, why, and how long it is kept. For End-Customer data, the Operator is the data controller and MinuteWork is a data processor acting on the Operator's behalf. You should consult that Operator's privacy notice for the controller-level disclosures.
- Visitor — you are visiting the public MinuteWork website (for example, the landing page, this Privacy Policy, our blog). For visitor analytics and basic web traffic data, MinuteWork is the data controller.
When this policy says "you", it means whichever role you are in for that section.
3. What we collect
3.1 From Operators
When you create an Operator account or use the service, we collect:
- account information — email address, password (hashed), display name, and any profile information you choose to add
- work-history input — résumés, LinkedIn snippets, pasted work history, and free-form descriptions of what you do, which you provide so the platform can suggest candidate businesses
- business configuration — the AI workforce, schemas, workflows, prompts, and integrations that make up your tenant runtime
- runtime payload — data you generate or upload while operating your business, including documents, AI traces, transcripts, and connector data; this lives in your tenant runtime, not in our control plane
- billing information — plan and credit selections, billing address, and payment-method tokens; full payment-card data is handled by Stripe and never stored on our servers
- support and communication — emails and messages you send us, plus any feedback you submit
3.2 From End-Customers (as a processor)
When an Operator's AI workforce contacts you or processes your information, we may store on the Operator's behalf:
- contact details the Operator collected (name, email, phone)
- communication content (emails, SMS messages, voice transcripts) the Operator's workforce produced
- workflow state and follow-up records the Operator configured
We process this data only on the Operator's instructions and only to provide the service. We do not use this data for our own marketing, profiling, or model training.
3.3 From visitors to the public site
We collect basic web traffic information when you visit our public site, including IP address, user agent, referring URL, and pages visited, plus the cookies described in Section 7.
4. How we use information
We use the information we collect to:
- operate the service, including hosting your tenant runtime, executing your AI workforce, and delivering communications you authorize
- bill you and process payments through Stripe
- prevent fraud, abuse, and security incidents and to enforce our Terms
- communicate with you about your account, security, and material service changes
- analyze and improve the service using de-identified, aggregated signals only — we do not build user-level behavioral profiles for advertising
- comply with legal obligations and respond to lawful requests
For End-Customer data, we use it only to perform the processing the Operator has configured and only as their processor.
5. Our AI training commitment
This is the part that matters most for an AI platform, so we put it on its own line:
- We do not train MinuteWork-owned models on your Operator Content, on End-Customer data, on AI traces, or on runtime payloads.
- We require our model and AI subprocessors (including any large-language-model APIs we route through) to disable training on tenant inputs and outputs. Where a provider does not contractually offer that guarantee, we do not route tenant content through that provider.
- We may use de-identified, aggregated product telemetry — for example, error counts, feature-usage counts, and performance metrics — to improve the service. We do not re-identify those metrics.
6. Subprocessors
We use a small number of subprocessors to operate the service. We list them here so you know who has technical access and to what.
| Subprocessor | Role | Data category | | --- | --- | --- | | Stripe, Inc. | Payments and billing | Operator billing data, payment-method tokens | | OpenRouter, Inc. | Routing of large-language-model traffic | AI prompts and outputs (per Operator configuration) | | Twilio Inc. | Voice and SMS infrastructure | Phone numbers, call/SMS metadata, optional recordings | | Resend | Transactional and authorized outbound email | Email addresses, message content sent on Operator's behalf | | Neon Inc. | Managed Postgres for tenant runtimes | Operator runtime data and AI workforce state | | Akamai (Linode) | Compute and hosting | Service infrastructure, tenant runtime VMs |
We may add or replace subprocessors over time. Material changes will be reflected in this policy and, where required, communicated to Operators with reasonable notice.
7. Cookies and similar technologies
We use a small number of cookies on the public site and in the Operator console. The most important ones are:
mw_platform_session— your authenticated session cookie. Required.mw_platform_csrf— protects against cross-site request forgery. Required.mw_lp_abc_2026q2— assigns you to a landing-page test variant so your experience stays consistent across visits. Non-essential.mw_hero_intent— temporarily stores text you typed into the landing-page input so it is available after signup. Non-essential, short-lived.- Stripe checkout cookies, when you go through a payment flow.
We do not use third-party advertising cookies, retargeting pixels, or session-replay tools on the public site.
8. Data residency and sharing
The service is built around tenant isolation:
- Your private payload lives in your tenant runtime. AI traces, transcripts, embeddings, document bytes, and execution history stay there. Our control plane stores routing pointers, access grants, billing records, and service metadata — not your private content.
- Cross-tenant collaboration is by pointer-and-grant. When you share a thread or document with another Operator's tenant, we do not copy the payload to their tenant. They get scoped access through our bridge while you keep ownership. Revoking the grant immediately blocks further access.
- We do not sell your personal information. We do not "share" personal information for cross-context behavioral advertising as those terms are used in U.S. state privacy laws.
We may disclose information when required by law, valid legal process, or to protect rights and safety. Where the law allows, we will notify you first.
9. People who never signed up (shadow records)
When an Operator's AI workforce reaches out to one of their End-Customers, the system creates lightweight identity, routing, and access-grant records on the Operator's behalf so the workflow can continue across email, SMS, and voice. Those records are processed for the Operator under Section 2 and Section 3.2.
If you are an End-Customer and want to access, correct, delete, or stop the processing of records about you, please contact the Operator who runs the business that contacted you. They are the controller of that data. If you cannot reach the Operator, you can write to us at legal@minutework.ai and we will route the request to them and, where the Operator is unresponsive, take reasonable steps consistent with our processor agreement.
10. Retention
We keep data only as long as we need it to provide the service or comply with law.
- Operator Content and tenant runtime. Kept while your account is active. After account closure, you have a thirty (30) day window to request export. After that window, we permanently delete Operator Content and tear down tenant runtime resources, except as set out below.
- Résumés or work-history input from people who never finish signup. Retained for seven (7) days and then deleted, unless you finish signup and the file is associated with your account.
- Billing, fraud-prevention, and legally required records. Retained for up to seven (7) years.
- Backups. Backups containing your data may persist for up to thirty (30) additional days after deletion before being overwritten in the ordinary course.
- Subprocessors. Each subprocessor deletes data on their own contractually agreed schedule once we instruct them to.
11. Your rights
Depending on where you live, you may have rights to:
- access the personal information we hold about you
- correct information that is inaccurate
- delete information we no longer need (subject to legal retention obligations)
- export a copy of your information in a portable format
- object to or restrict certain processing
To exercise a right as an Operator, use the operator console where supported, or write to legal@minutework.ai. We will respond within the time required by applicable law (generally within forty-five (45) days for U.S. state-law requests, with one extension where permitted).
California (CCPA / CPRA)
If you are a California resident:
- the categories of personal information we collect, use, and disclose are described in Section 3 and Section 4
- the categories of recipients are described in Section 6
- we do not sell or "share" personal information for cross-context behavioral advertising
- you have the right to know, delete, correct, and limit certain uses of sensitive personal information
- you may submit a request through legal@minutework.ai; we will not discriminate against you for exercising a right
- you may designate an authorized agent to act on your behalf, and we will verify your identity (and the agent's authority) before responding
Children
The service is intended for users 18 years of age or older. We do not knowingly collect personal information from children. If you believe we have, please write to us and we will delete it.
Outside the United States
The service is operated from the United States. If you access it from another country, you understand that your information will be processed in the United States, where data-protection laws may differ from yours. We do not currently offer formal transfer mechanisms (such as Standard Contractual Clauses) and we are not yet making explicit GDPR controller commitments. If you require those, contact us before signing up.
12. Security
We design the platform with tenant isolation, scoped credentials, and least-privilege defaults in mind, including:
- per-tenant runtime separation, with private databases and execution environments
- secrets stored as references (not plaintext) in source, artifacts, or published bundles
- pointer-and-grant federation so cross-tenant access is revocable at the access-control layer
- compute isolation with CPU, memory, timeout, and network-egress limits
No system is perfectly secure. If you discover a vulnerability or suspect a security incident, please write to legal@minutework.ai.
13. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top reflects the latest change. Material changes will be communicated by email or in-product notice with reasonable advance notice.
14. Contact
For any privacy question, request, or complaint, write to legal@minutework.ai or MinuteWork, Inc., [Registered Address]. If you are not satisfied with our response, you may have the right to complain to a data-protection authority in your jurisdiction.