Skip to main content

Privacy Policy

mistaike.ai

Version 2Last updated: 5 March 2026

1. Data Controller and Notice

mistaike.ai ("we", "us", "our") is the data controller responsible for your personal data. We are based in the United Kingdom and are committed to protecting your privacy in strict compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This Privacy Policy fulfils our obligation under Articles 13 and 14 of the UK GDPR to inform you about how we process your personal data, the purposes of processing, retention periods, recipients, and your rights.

Contact: [email protected]

Data Protection Officer (DPO): As a Small and Medium-sized Enterprise (SME) whose core activities do not consist of large-scale, regular, and systematic monitoring of individuals or large-scale processing of special categories of data, we fall below the threshold for mandatory DPO appointment under Article 37 of the UK GDPR. All data protection enquiries can be directed to our legal team at the email address above.

2. What We Collect

We collect the absolute minimum personal data necessary to provide our Service:

Email address - Required to create and manage your account.

Password hash - A one-way cryptographic hash of your password; we never store plain-text passwords.

TOTP secret - Required if you enable Two-Factor Authentication; stored encrypted at rest.

IP addresses - Captured during sign up, and on a temporary basis for anonymous users.

API usage logs - Timestamps, endpoints called, error counts, response codes; we do not log request body content.

Submitted content - Bug patterns, code snippets, and descriptions you actively submit to the database.

Payment data - Processed exclusively by Stripe, Inc. as an independent data controller. We do not collect or store full payment card data or financial information.

3. Why We Collect It — Lawful Basis

Every data processing activity we undertake is grounded in a specific lawful basis under UK GDPR Article 6. The applicable basis for each data type is set out below.

3.1 Email Address

- Contract performance (Art. 6(1)(b)): Processing your email address is strictly necessary to create your account, deliver the Service, and authenticate your access. Without it we cannot fulfil our contractual obligations to you.

- Legitimate interests (Art. 6(1)(f)): We use your email address to send critical security alerts and important service notifications (for example, breach alerts, account changes). Our legitimate interest is the secure and effective operation of the platform. We have balanced this against your rights and freedoms and concluded that this processing does not pose an undue risk to you. You may object to non-essential communications at any time by contacting [email protected].

3.2 Password Hash

- Contract performance (Art. 6(1)(b)): Processing the password hash is strictly necessary to authenticate your access to the Service and to fulfil our contractual security obligations to you.

3.3 TOTP Secret

- Contract performance (Art. 6(1)(b)): Processing the TOTP secret is necessary to provide the Two-Factor Authentication feature you have voluntarily opted into as part of the Service. If you disable 2FA, this data is deleted immediately.

3.4 IP Addresses

- Legitimate interests (Art. 6(1)(f)): We process IP addresses temporarily to protect the platform from abuse, DDoS attacks, and unauthorised access. Our legitimate interest is platform security and fraud prevention.

Balancing test: We have assessed this processing against your rights and freedoms. The processing is minimal in scope (IP address only), temporary in duration (90 days), non-intrusive, and solely utilised for security purposes. We have concluded our interests are not overridden by your rights. You may object to this processing by contacting [email protected].

3.5 API Usage Logs

- Legitimate interests (Art. 6(1)(f)): We process usage logs to monitor system health, enforce rate limits, prevent abuse, and improve the Service. Our legitimate interest is the reliable and fair operation of the platform.

Balancing test: We have assessed this processing against your rights and freedoms. Logs are minimised (no request body content is captured), retained for a limited period of 90 days, and used only for operational and security purposes. We have concluded our interests are not overridden by your rights. You may object to this processing by contacting [email protected].

3.6 Submitted Patterns

- Legitimate interests (Art. 6(1)(f)): The core purpose of mistaike.ai is to build a public knowledge base of coding bug-fix patterns. When you submit a pattern, you do so voluntarily and with an understanding that it contributes to this public database.

Balancing test: We have concluded that our legitimate interest in operating this knowledge base is not overridden by your rights and freedoms because: (a) submission is a deliberate, informed act initiated by you; (b) users are explicitly warned not to include personal data in submissions; and (c) users may request deletion or anonymisation of associated personal data at any time. This is a proportionate means of achieving a legitimate purpose.

ALL submitted data is stored in isolation and encrypted, whether by us or you, until such time you explicitly approve the submission for integration into our knowledge base.

Important: While every effort is made to remove all PII from submissions, do not include personal data of other individuals (names, email addresses, identifiers) in submitted patterns. By submitting, you confirm the content is free of third-party personal data.

3.7 Payment Data

- Contract performance (Art. 6(1)(b)): Processing of subscription payments is strictly necessary to fulfil our contract with you. Payment data is collected directly by and processed by Stripe, Inc. acting as an independent data controller under its own privacy policy and legal obligations.

4. Automated Processing and Embeddings Pipeline

To provide semantic search capabilities, submitted bug patterns are processed through an internal AI embedding pipeline (utilising Ollama models hosted securely on our Hetzner infrastructure in Germany).

This pipeline involves the internal processing of database content (code and technical descriptions) to generate mathematical vector representations (embeddings). It does not involve profiling of individual users, nor does it result in automated decision-making that produces legal effects concerning you or that similarly significantly affects you within the meaning of Article 22 of the UK GDPR.

5. How We Store and Protect Your Data

Your data is stored securely on dedicated servers provided by Hetzner Online GmbH, located in Germany (European Union). Encrypted backups are held in U.K.

Security measures include:

- Encryption of personal data at rest

- TLS encryption for all data in transit

- Password hashing using bcrypt

- TOTP secrets encrypted at rest using AES-256

- Strict access controls limiting internal access to data on a least-privilege basis

The Vault: Data stored within the self-managed Vault feature is client-side encrypted using a master password only you know. We possess zero knowledge of the Vault contents and do not hold the master password. If you lose your master password, your Vault data is permanently and irrecoverably lost — we cannot assist with recovery. See the Terms of Service, Section 7, for full details.

6. Third Parties and International Transfers

We share your data only with essential service providers necessary to operate mistaike.ai. We do not use advertising networks, work with data brokers, or sell your personal data.

Third Party - Purpose - Their Role - Transfer Mechanism

Hetzner Online GmbH - Server hosting - Processor (under DPA) - Data is stored in Germany (EU). Transfer is lawful under UK GDPR Article 45 — the UK has granted an adequacy decision recognising EU data protection standards.

Stripe, Inc. - Payment processing - Independent controller - Stripe is based in the USA. Transfers are protected by the UK International Data Transfer Agreement (IDTA) or equivalent UK Addendum to EU Standard Contractual Clauses, incorporated into Stripe's Data Processing Agreement. A copy of Stripe's transfer documentation is available at https://stripe.com/legal/dpa.

Cloudflare, Inc. - DDoS protection, DNS, reverse proxy - Processor (under DPA) - Cloudflare is based in the USA. Transfers are protected by the UK IDTA or equivalent UK Addendum to EU SCCs, incorporated into Cloudflare's Data Processing Agreement available at https://www.cloudflare.com/cloudflare-customer-dpa.

Stripe acts as an independent data controller for your financial information. Their privacy policy is available at [stripe.com/privacy](https://stripe.com/privacy).

Cloudflare processes network request metadata (IP addresses, request headers) to protect the platform from DDoS attacks and abuse. Their privacy policy is available at [cloudflare.com/privacypolicy](https://cloudflare.com/privacypolicy).

Public-source patterns: Bug patterns sourced from public repositories are processed on the basis of their public nature and existing Open Source licences. You may opt in to associate your account to sourced repositories associated to your email. By standard they are not linked to mistaike.ai user accounts.

7. Data Retention

We retain personal data strictly for as long as necessary for the stated purposes. Specific retention periods are as follows:

Data Type - Retention Period

Email address, password hash, TOTP secret - For the duration of your active account, plus 30 days after account deletion.

API usage logs - 90 days rolling, then automatically and permanently deleted.

IP address logs - 90 days rolling, then automatically and permanently deleted.

Submitted patterns (personal data component)- Deleted or anonymised within 30 days of a validated erasure request.

Submitted patterns (anonymised — no longer personal data) - May be retained indefinitely as part of the public knowledge base.

Vault data - Deleted immediately and irrecoverably on account deletion or upon a validated erasure request.

Free-tier inactive accounts (no login for 24 months) - Flagged for deletion; a 30-day email notice is sent, after which the account and associated data are deleted if there is no

8. Your Rights Under UK GDPR

Under the UK GDPR, you possess the following rights in relation to your personal data. You may exercise any of these rights at any time by emailing [email protected]. We will respond within 30 days (extendable by a further two months for complex or numerous requests, in which case we will notify you within the initial 30-day period).

1. Right of access (Art. 15): Request a copy of the personal data we hold about you, along with information about how we process it.

2. Right to rectification (Art. 16): Request the correction of inaccurate or incomplete personal data we hold about you.

3. Right to erasure (Art. 17) — "right to be forgotten": Request the deletion of your personal data. Where your submission contains personal data and you submit a valid erasure request, we will delete that personal data. Anonymised pattern data that no longer constitutes personal data (as defined in Recital 26 UK GDPR) may be retained as part of the core Service knowledge base.

4. Right to restriction of processing (Art. 18): Request that we suspend or restrict the processing of your personal data under certain conditions (for example, while the accuracy of data is contested).

5. Right to data portability (Art. 20): Where processing is based on contract or consent and carried out by automated means, request the transfer of your data to yourself or another service in a structured, commonly used, machine-readable format (such as JSON or CSV).

6. Right to object (Art. 21): Object to processing of your personal data where we rely on legitimate interests (Art. 6(1)(f)) as our lawful basis. We will cease that processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

7. Right to withdraw consent (Art. 7(3)): We do not currently rely on consent as a lawful basis for any processing activity. However, if we ever do so in future, you will have the right to withdraw consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal.

8. Right to lodge a complaint with the ICO (Art. 77): If you believe we have mishandled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at any time.

9. Data Breach Notification

We maintain rigorous security protocols to protect your data. In the event of a personal data breach, we will:

- Notify the ICO within 72 hours of becoming aware of any breach likely to result in a risk to the rights and freedoms of individuals, as required by UK GDPR Article 33.

- Notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by UK GDPR Article 34, providing clear information about the nature of the breach and the steps we are taking.

10. Cookies

We use only strictly necessary session cookies that are essential for authentication and maintaining your secure login state. No other cookies are placed on your device.

- We do not use analytics cookies.

- We do not use tracking cookies.

- We do not use behavioural advertising cookies or third-party marketing cookies.

Because we use only strictly necessary cookies, a cookie consent banner is not required under Regulation 6(4) of the Privacy and Electronic Communications Regulations (PECR). Your consent is not required to place these cookies.

If our cookie usage changes in the future, we will update this policy and implement consent mechanisms where required by law.

11. Children

mistaike.ai is a professional tool designed for software developers and is not directed at children. The minimum age to register for and use the Service is 18.

We do not knowingly collect personal data from individuals under the age of 18. While the UK Data Protection Act 2018 sets the minimum age for consent-based processing of information society services at 13, we do not rely on child consent and set our minimum age at 18 as a deliberate, conservative, risk-based decision appropriate to a professional developer tool.

If we become aware that we have inadvertently collected personal data from a person under 18, we will delete it immediately without further notice and without warning. If you believe a minor's data has been submitted, please contact [email protected].

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of material changes by providing at least 30 days' notice via email or a prominent platform announcement before changes take effect. Your continued use of the Service after the changes take effect constitutes your acknowledgement of the updated policy.

13. Contact

For any questions, concerns, or rights requests regarding this Privacy Policy or how we handle your personal data:

Email: [email protected]