Skip to main content

Privacy Policy

Last updated: March 2026

1. Introduction

This Privacy Policy explains how Third Time Lucky Corp Pty Ltd ("we", "us", "our"), operating the Minolith platform ("Service"), collects, uses, discloses, and protects your personal information. We are committed to handling your personal information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).

By using the Service, you consent to the collection and use of your information as described in this policy.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Name
  • Email address
  • Password (securely hashed; we never store plaintext passwords)
  • Timezone and display preferences (theme, time format)

2.2 Project and Service Data

Data you store through the Service's APIs, including:

  • Context entries (rules, patterns, decisions, warnings, facts, workflows)
  • Changelog entries and versions
  • Feedback items and notes
  • Runbook definitions and run progress
  • Agent definitions and configurations
  • Event logs

This data belongs to you. We store it to provide the Service and do not use it for any other purpose.

2.3 Billing Information

Payment processing is handled entirely by Stripe. We store a Stripe Customer ID to link your account to your billing profile. We do not store credit card numbers, bank account details, or other payment instrument data on our servers. Stripe's handling of your payment information is governed by Stripe's Privacy Policy.

2.4 Feedback Widget Data

If you use the embeddable feedback widget, we may collect browser metadata submitted alongside feedback items:

  • Page URL where feedback was submitted
  • User agent string
  • Screen resolution
  • Viewport size

This data is collected to help you (the project owner) understand the context of feedback. It is stored as part of the feedback item and is subject to the same data handling as all project data.

2.5 Usage and Analytics Data

We use Google Analytics (property ID: G-FHK3Y844ED) on our marketing website (minolith.io) to understand how visitors find and use the site. Google Analytics collects:

  • Pages visited and time spent
  • Referring website or search terms
  • Browser type, operating system, and device category
  • Approximate geographic location (country/region level)

Google Analytics data is anonymised and aggregated. For more information, see Google's Privacy Policy.

2.6 API and Server Logs

We log API requests for security, debugging, and abuse prevention. Logs may include:

  • IP address
  • Request path and method
  • Timestamp
  • API key identifier (securely stored; raw keys are not retained)
  • Response status code

Server logs are retained for a limited period and are not used for marketing or profiling.

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Process billing and manage your account
  • Communicate with you about your account, service updates, or support requests
  • Detect and prevent fraud, abuse, and security incidents
  • Enforce our Terms of Service
  • Comply with legal obligations

We do not sell your personal information. We do not use your project data to train AI models or for any purpose other than providing the Service to you.

4. Third-Party Services

We use the following third-party services that may process your data:

4.1 Stripe

Payment processing, invoicing, and tax calculation. Stripe receives your email address and payment details. See Stripe's Privacy Policy.

4.2 Google Analytics

Website analytics on minolith.io (marketing site only, not the app dashboard). See Google's Privacy Policy.

4.3 Cloudflare

CDN, DNS, and DDoS protection. Cloudflare processes requests to our domain and may log IP addresses and request metadata. See Cloudflare's Privacy Policy.

4.4 Google reCAPTCHA v3

Bot prevention on login and registration pages. reCAPTCHA collects hardware and software information, including device and application data, and sends it to Google for analysis. See Google's Privacy Policy.

5. Cookies and Tracking

We use cookies for the following purposes:

  • Session cookies — to maintain your login session on the dashboard (essential, cannot be disabled)
  • CSRF tokens — to protect against cross-site request forgery attacks (essential)
  • Google Analytics cookies — to collect anonymous usage data on the marketing site (non-essential)
  • reCAPTCHA cookies — to assess bot risk on login and registration pages

The API (api.minolith.io) and MCP server (mcp.minolith.io) do not use cookies. They authenticate via API key headers only.

6. Data Security

We implement appropriate technical and organisational measures to protect your data, including:

  • Encryption in transit: All connections are encrypted via TLS/SSL
  • Secure credential storage: Passwords and API keys are cryptographically hashed before storage and cannot be retrieved in plaintext
  • Two-factor authentication: Optional 2FA available for account access
  • Rate limiting: Automated abuse prevention on all API endpoints
  • Spending caps: Configurable limits to prevent unexpected charges
  • Tenant isolation: Strict data separation between accounts; no cross-tenant data access is possible

While we take reasonable steps to protect your information, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

7. Data Retention and Deletion

We retain your data only for as long as necessary to provide the Service:

  • Project data: Retained until you delete it. Deletion is immediate and permanent (hard delete). Deleted data stops being metered for billing.
  • Account data: Retained while your account is active. Deleted within 30 days of account closure.
  • Server logs: Retained for a limited period for security and debugging, then automatically purged.
  • Billing records: Retained as required by Australian tax law (typically 5 years).

8. Your Rights

Under the Australian Privacy Principles, you have the right to:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate or incomplete personal information
  • Deletion: Request deletion of your account and all associated data
  • Complaint: Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the Australian Privacy Principles

You can exercise your access and correction rights through the dashboard settings, or by contacting us at support@minolith.io. We will respond to requests within 30 days.

For users in other jurisdictions, we will make reasonable efforts to comply with applicable data protection laws, including the GDPR for users in the European Economic Area and the UK GDPR for users in the United Kingdom.

9. Children's Privacy

The Service is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete that information promptly. If you believe a child under 13 has provided us with personal information, please contact us at support@minolith.io.

10. International Data Transfers

The Service is hosted in Australia. If you access the Service from outside Australia, your information will be transferred to and processed in Australia.

Some of our third-party service providers (Stripe, Google, Cloudflare) may process data in other countries. These providers maintain their own privacy and security standards. By using the Service, you consent to the transfer of your information to these countries.

We take reasonable steps to ensure that any overseas recipients of your personal information comply with the Australian Privacy Principles, consistent with APP 8.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice in the dashboard at least 30 days before they take effect.

The "Last updated" date at the top of this page indicates when the policy was last revised.

12. Australian Privacy Principles Compliance

We are committed to compliance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). Key commitments include:

  • APP 1 (Open and transparent management): This policy describes our practices clearly and is publicly accessible
  • APP 3 (Collection): We only collect personal information that is reasonably necessary for our functions
  • APP 5 (Notification): We notify you of how your information will be used at the point of collection
  • APP 6 (Use and disclosure): We only use personal information for the purpose it was collected, or a directly related purpose
  • APP 8 (Cross-border disclosure): We take reasonable steps to ensure overseas recipients comply with the APPs
  • APP 11 (Security): We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access
  • APP 12 (Access): You can request access to your personal information at any time
  • APP 13 (Correction): You can request correction of your personal information at any time

13. Contact

If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us at:

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).