Rebel Privacy Policy

This Privacy Policy explains how Mindstone AI Limited ("Mindstone", "we", "us", "our") handles your personal data when you use the Rebel desktop application ("Rebel") and what to expect when connecting third‑party AI services and integrations. This policy is intended for external customers, enterprise buyers, and prospective users.

Last updated: 22 Feb 2026 Version: 2.0 | Owners: CTO & COO

How Rebel Works

Rebel is a desktop application that works with data on your local machine and connects to external services you authorise (for example, cloud storage, email, or collaboration tools). It uses AI to help you complete tasks against that data. Rebel itself does not store your content or conversations; it routes your instructions to the configured services and AI providers and collects only limited telemetry to ensure reliability.

Rebel operates on a local-first architecture: your files, memory, and workspace remain under your control in your chosen cloud storage (e.g. Google Drive, OneDrive). Mindstone does not host your content on its own servers.

Executive Summary: Key Privacy Risks

Critical awareness points for Rebel users:

1. Mindstone does not process/store your content or conversations - But data flows through multiple third parties

2. Shared storage visibility - Files in shared cloud locations are visible to colleagues with access — you control who that is by managing permissions in your cloud storage provider (e.g. Google Drive, OneDrive)

3. Multiple third-party services - Your data flows through Rebel, AI providers, and individual service APIs

4. Personal memory system - Your system prompt (AGENTS.md) and Space README.md files, along with memory/ folders, may contain sensitive context in shared locations. Personal memory — stored in your private Chief-of-Staff Space — is only visible to you. Shared memory, stored in company Spaces, is visible to colleagues with access to that Space. See Section 6 for details.

5. MCP access scope - When you authorise MCP tools, you grant access to entire services (all Gmail, all Slack messages, etc.) MCP connectors are integrations that allow Rebel to interact with external services on your behalf — for example, reading emails or creating calendar events. You choose which MCPs to connect in Settings → Connectors, and you can configure each connector to allow only specific actions — for example, permitting Rebel to draft emails but not send them. You can disconnect any connector at any time.

Good news:

• Rebel's usage analytics and error monitoring include PII (email, IP address) but not your proprietary data (conversations, files, memories)

• Rebel's default AI providers (Anthropic for text, OpenAI for voice) state that API data is not used for model training

• You have control over what goes in shared vs. private locations

Information We Collect

We collect the following categories of personal data:

1. Information You Provide Directly

• Account information: name, email address, and credentials used to create and access your Rebel account

• Payment information: Mindstone invoices customers directly. We do not collect or store payment card data.

• Communications: emails or messages you send to Mindstone (e.g. support requests, feedback)

2. Information Collected Automatically

• Usage telemetry: feature usage counts, session duration, performance metrics, and error reports, collected via RudderStack/PostHog (behavioural analytics) and Sentry (error monitoring). This may include your email address and IP address but is not intended to include your conversational content, files, or memories.

• Technical data: device type, operating system, app version

• Log data: error logs and crash reports (automatically redacted of sensitive content such as API keys)

3. Information in Your Workspace (Not Collected by Mindstone)

Your prompts, AI outputs, files, and memory stored in your Rebel workspace remain on your local device and chosen cloud storage. Mindstone does not access, store, or process this content on its own servers. However, this content may be transmitted to third-party AI providers and services you authorise — see sections below.

4. Information from Third Parties

• Single sign-on (SSO): if you sign in via Google or another identity provider, we receive basic profile information (name, email) from that provider

• Integrated services: when you connect external services (Gmail, Slack, Notion, etc.) via MCP connectors, data from those services is processed locally by Rebel or passed to your chosen AI provider — it is not stored by Mindstone

How We Use Your Information

We use the personal data we collect for the following purposes:

We do not use your data to train AI models. See "AI Training and Your Data" below.

AI Training and Your Data

Mindstone and Rebel do not train AI models on your data.

More specifically:

• Your prompts, outputs, files, and workspace content are never used by Mindstone to train, fine-tune, or improve AI models

• Anthropic (Claude) and OpenAI, Rebel's default AI providers, contractually commit not to use API data for model training. Rebel connects to these providers via API — not consumer products — which carries stronger data protections.

• Third-party MCP providers you connect (Gmail, Slack, Notion, etc.) have their own policies; Rebel does not share your data with these providers for training purposes

If Mindstone ever introduces opt-in model improvement programmes in the future, this policy will be updated and explicit consent will be obtained before any such use.

Enterprise customers: see "Enterprise Customers" section below for additional protections.

Privacy Layers

Rebel involves multiple privacy boundaries. Your data flows through several systems:

Each layer has different data handling practices. The sections below explain each component.

1. Cloud Storage and Shared Locations

Risk level: Medium - Visibility to team members

What's shared:

• Anything saved in your chosen cloud storage or shared locations (e.g., Google Drive, Microsoft OneDrive/SharePoint, Dropbox, Box) can be visible to colleagues with access (you control who has access to your shared storage locations)

• Personal files may live in shared locations unless you explicitly work in a private local directory

Implications:

• Do not put truly private/confidential information in shared folders

• In organisation‑managed environments, your organisation administers permissions and access controls for shared local storage and cloud repositories

Mitigation:

• Use your Chief-of-Staff Space for sensitive work (this Space is private within Rebel and never shared by the app; however, if your workspace is in shared cloud storage, the underlying files are still accessible to colleagues with folder access)

• Tag sensitive files with GDPR-PII-sensitive: true frontmatter

Provider privacy policies (examples):

• Google: https://policies.google.com/privacy

• Microsoft: https://privacy.microsoft.com/privacystatement

• Dropbox: https://www.dropbox.com/privacy

• Box: https://www.box.com/legal/privacypolicy

2. Rebel App

Risk level: Low - Limited telemetry only, no content storage

What Rebel does:

• Pass data to the 3rd-party AI providers of your choice (e.g. Anthropic, OpenAI, ElevenLabs), but only using the API keys you provide

• Connect to external services (Google Workspace, Slack, Notion, etc.) via built-in connectors that keep OAuth tokens local on your device

• Tracks usage telemetry (e.g., feature usage counts, performance/error metrics) via RudderStack/PostHog (behavioral analytics) and Sentry (error monitoring) to keep the platform reliable. This telemetry includes PII such as email address and IP address. Mindstone makes a best effort to exclude and redact proprietary user data (conversational content, memories, files, API keys, etc.) from monitoring, analytics, and logs, though no redaction system is perfect.

• Produces aggregated usage statistics for reporting (no content, no user‑identifiable transcripts)

What Rebel does not do:

• Does not process or store your text, files, or conversations in a Mindstone backend server at all

• Does not train AI models on your data

• Does not sell your personal data

3. MCP Integrations

Risk level: Medium - Varies by integration

Key considerations:

• When you connect external services via MCP, your data flows through those service providers

• Each service has its own data handling policies

• Rebel's built-in connectors keep OAuth tokens local to your device

• MCP (Model Context Protocol) connectors are integrations that allow Rebel to interact with external services on your behalf — for example, reading your emails, accessing your calendar, or creating documents. You choose which connectors to enable in Settings → Connectors.

• Each connector can be configured to allow specific actions only — for example, you can permit Rebel to draft emails but disable the ability to send them, or allow read access to a service without write access.

• When you authorise an MCP connector, you grant Rebel access to that service on your behalf. Rebel does not store the retrieved data; it is processed locally or passed to your chosen AI provider.

Mitigation:

• Understand what you're authorising when connecting services

• Review service provider privacy policies

• Disconnect services you no longer need

• To revoke access: go to Settings → Connectors and disconnect the relevant service. Any OAuth tokens are deleted from your device immediately.

4. LLM Model Providers (Third‑Party AI APIs)

Risk level: Variable - Depends on provider and configuration

If you choose to use external AI APIs from Rebel (for example Anthropic, OpenAI, or Google Gemini), the inputs you send and the outputs you receive are processed by those providers. Rebel's default primary AI providers — Anthropic (for text/reasoning) and OpenAI (for voice) — state that data submitted via their APIs is not used for model training. If you configure additional or alternative providers, review their specific terms.

Provider policies:

• Anthropic Privacy Policy: anthropic.com/legal/privacy

• OpenAI Privacy Policy: openai.com/policies/privacy-policy

• Google Privacy Policy: policies.google.com/privacy

Additional API‑specific terms and data usage pages:

• OpenAI API Data Usage: openai.com/policies/api-data-usage

• Google Gemini API Terms: ai.google.dev/terms

• Anthropic API Docs (Data Usage): docs.anthropic.com

Always verify the latest provider terms before sending sensitive content.

5. Voice and Speech Features (TTS/STT)

Text-to-Speech (TTS)

Rebel supports spoken responses via two providers:

OpenAI TTS (recommended, default): Text is sent to OpenAI to generate speech.

• OpenAI API Data Usage: https://openai.com/policies/api-data-usage

• OpenAI Privacy Policy: https://openai.com/policies/privacy-policy

ElevenLabs TTS (alternative): Text is sent to ElevenLabs to generate speech.

• ElevenLabs Privacy Policy: https://elevenlabs.io/privacy

Outputs are audio files/streams returned to your device; Rebel does not store your content or the generated audio.

Speech-to-Text (STT)

Rebel offers three options for voice input, in order of recommendation:

OpenAI Whisper (recommended, default) - Audio is sent to OpenAI for transcription. OpenAI states that, by default, data submitted via API is not used to train models.

• OpenAI API Data Usage: https://openai.com/policies/api-data-usage

• OpenAI Privacy Policy: https://openai.com/policies/privacy-policy

• Whisper (Speech-to-Text) Docs: https://platform.openai.com/docs/guides/speech-to-text

ElevenLabs Scribe (alternative) - Audio is sent to ElevenLabs for transcription.

• ElevenLabs Privacy Policy: https://elevenlabs.io/privacy

Local transcription via Parakeet v3 (privacy-sensitive option) - Audio never leaves your computer. Select "Local" in Settings → Agents & Voice. Works on macOS; untested on Windows.

Local mode provides transcription only. Text-to-speech is not available with local transcription — Rebel will respond with text only.

Additional considerations

• Ensure you have the necessary rights and consent for any voices, recordings, or content you submit.

• If you are using Rebel Note Taker to record meetings, Rebel Note Taker will announce itself at the start of the meeting and tell everybody that it's recording.

• Avoid submitting sensitive or regulated information in audio where not strictly necessary.

6. Personal Memory System

Risk level: Medium - Contains your work context, may be in shared storage

What's in your memory:

• AGENTS.md - The main system prompt in rebel-system/

• README.md (in each Space) - Auto-loaded context sections (50%+ utility)

• memory/topics/ - On-demand detailed context

• May contain: project details, meeting notes, client information, work patterns

Rebel has two types of memory storage with different privacy implications:

• Personal memory (Chief-of-Staff Space): stored only on your local device and private cloud storage. Visible only to you.

• Shared memory (company Spaces): stored in your organisation's shared cloud storage. Visible to colleagues who have access to those Spaces.

Privacy consideration:

• If stored in shared cloud locations, colleagues with access can read it

• Be thoughtful about what personal/confidential information you include

Best practices:

• Keep truly private information in your Chief-of-Staff/ Space (private within Rebel; ensure your workspace is on a private local drive for full confidentiality)

• Use GDPR tags for candidate/personal data

• Review your memory files periodically

• When in doubt, keep things private — you can always share later

Data Retention

Mindstone retains the limited personal data it collects for the following periods:

Your conversational content, files, and workspace data are not stored by Mindstone and therefore have no Mindstone retention period.

• Rebel does not store your content or conversations.

• Usage telemetry used to ensure reliability and generate aggregated usage reports is retained for the periods above.

• Retention periods for third‑party providers (cloud storage, MCP connectors, AI APIs) are governed by their policies.

On account closure: we will delete your account data from our active systems within 30 days. Anonymised aggregated telemetry may be retained beyond this period.

Enterprise Customers

Mindstone offers additional data protections for enterprise customers:

• Data Processing Agreement (DPA): A DPA is available upon request for enterprise customers requiring GDPR compliance documentation. Contact [email protected].

• No training on enterprise data: Mindstone and Rebel do not use enterprise customer data to train AI models. Your organisation's data is never used for model improvement.

• Subprocessors: Our key subprocessors include Anthropic (AI processing), OpenAI (AI processing and voice), RudderStack (analytics), PostHog (analytics), and Sentry (error monitoring). A full subprocessor list is available upon request.

• Workspace admin access: Rebel workspace administrators within your organisation may have access to shared Spaces in accordance with your organisation's access controls. The Chief-of-Staff Space is private to individual users and not accessible to administrators via Rebel.

• Custom retention: Enterprise customers requiring specific data retention configurations should contact [email protected].

Frequently Asked Questions

Q: Can my colleagues see my prompts to the AI? A: No. Your Rebel conversations are local to your machine/account. But colleagues can see any files you create/edit in shared cloud storage.

Q: Is client data safe if I use it in AI prompts? A: Rebel's default AI providers (Anthropic, OpenAI) state that API data isn't used for training. But it still flows through Rebel, MCP connectors, and model providers. For highly sensitive client work, use anonymised examples instead of real data.

Q: What's the biggest privacy risk? A: The main risk is shared cloud storage — colleagues can read files you create in shared locations. Always be mindful of what you store in shared Spaces.

Q: Does Rebel sell my data? A: No. Mindstone does not sell your personal data. Usage telemetry is collected for reliability and aggregated reporting only.

Q: What happens to my voice recordings? A: Audio sent to OpenAI Whisper or ElevenLabs Scribe (STT) is processed for transcription. Text sent for TTS is processed for speech generation. Rebel doesn't store the audio or generated speech. For maximum privacy, use local transcription (Parakeet v3) so audio never leaves your device. Review provider policies for their retention practices.

Q: What telemetry does Rebel collect? A: Rebel collects usage telemetry (feature usage counts, performance metrics, error reports) via RudderStack/PostHog and Sentry, which may include PII such as email address and IP address. It is not intended to include your conversational content, memories, or files. Mindstone applies automated redaction of sensitive information in monitoring and logs, though no redaction system is perfect.

Q: Does Mindstone and Rebel use my data to train AI models? A: No. Mindstone and Rebel do not train AI models on your data. See "AI Training and Your Data" above.

Q: What age do users need to be to use Rebel? A: Rebel is intended for users aged 18 and over. We do not knowingly collect personal data from individuals under 18.

Children's Privacy

Rebel is not directed at children. We do not knowingly collect or process personal data from individuals under the age of 18. If you become aware that a minor has provided personal data to us, please contact us at [email protected] and we will investigate and delete the data as appropriate.

When in Doubt

General principle: When gathering information from MCPs (emails, Slack messages, etc.) or writing to memory systems, always consider privacy implications before proceeding with sensitive/private sources (DMs, private channels) or adding potentially sensitive information (credentials, confidential details, personal matters). Default to public/safe sources only.

If you're uncertain about privacy implications:

1. Consider what data is truly necessary for the task

2. Use generic examples instead of real sensitive data

3. Check if the information needs to be in shared locations

4. Default to more private/cautious approaches

Best Practices

For Sensitive Client Work

1. Assess data sensitivity before using AI tools

2. Use generic/anonymised examples where possible

3. Redact company names and personal details in prompts

4. Prefer your Chief-of-Staff Space for highly confidential work

5. Tag appropriately with GDPR-PII-sensitive

For Candidate/Hiring Data

1. Always tag files with GDPR-PII-sensitive: true

2. Minimise PII in prompts

3. Delete when appropriate after decisions

4. Respect GDPR data subject rights

For MCP Service Connections

1. Ask before accessing sensitive sources; default to public/safe sources

2. Understand that authorising a service (e.g., Gmail) typically exposes the entire account scope

3. Review authorisations periodically and disconnect what you do not need

For Personal Privacy

1. Review your Space README.md files and AGENTS.md system prompt for comfort with what's included

2. Use topics/ for selectively loaded, more detailed context

3. Prefer your Chief-of-Staff Space for truly private work

4. Run periodic privacy audits of shared storage locations

Security

We implement commercially reasonable technical and organisational measures designed to protect information from unauthorised access, disclosure, alteration, or destruction. No method of transmission or storage is 100% secure.

Mindstone is ISO 27001 certified.

In the event of a personal data breach, we will notify affected users and, where required, the relevant supervisory authority within 72 hours of becoming aware of the breach.

International Transfers

Your personal data may be transferred to and processed in countries outside your own, including the United States, where our AI providers and analytics services operate. Where such transfers involve data from the European Economic Area (EEA) or the United Kingdom, we rely on appropriate transfer mechanisms, including Standard Contractual Clauses (SCCs) approved by the European Commission and the UK International Data Transfer Addendum. Our key third-party providers maintain their own transfer safeguards — see their respective privacy policies.

Your Rights

Depending on your location, you may have the following rights regarding your personal data:

• Access — request a copy of the personal data we hold about you

• Rectification — correct inaccurate or incomplete data

• Erasure ("right to be forgotten") — request deletion of your personal data

• Restriction — ask us to limit how we process your data

• Portability — receive your data in a structured, machine-readable format

• Objection — object to processing based on legitimate interests

• Withdrawal of consent — where processing is based on consent, withdraw it at any time

• Automated decision-making — Mindstone does not make decisions about you based solely on automated processing that produce legal or similarly significant effects

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. We may need to verify your identity before processing your request.

You also have the right to lodge a complaint with your local data protection supervisory authority. In the UK, this is the Information Commissioner's Office (ICO): ico.org.uk. In the EU, contact your national data protection authority.

For rights relating to data held by third-party providers (AI providers, cloud storage, MCP services), contact those providers directly.

Legal Bases for Processing (GDPR)

For users in the European Economic Area and United Kingdom, we process personal data on the following legal bases:

The data controller for users in the EEA and UK is: Mindstone AI Limited, 85 Great Portland Street, First Floor, London, W1W 7LT. Contact: [email protected].

No Data Protection Officer (DPO) is required.

CCPA Disclosure (California Residents)

If you are a California resident, the following applies under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Categories of personal information collected in the preceding 12 months:

• Identifiers (name, email address, IP address)

• Internet or other electronic network activity (usage telemetry, feature interactions)

• Commercial information (payment and subscription records)

We do not sell your personal information. We do not share your personal information for cross-context behavioural advertising.

Your CCPA rights:

• Right to know what personal information we collect, use, disclose, and sell

• Right to delete your personal information

• Right to correct inaccurate personal information

• Right to opt out of sale or sharing (not applicable — we do not sell or share)

• Right to non-discrimination for exercising your rights

To exercise your rights, contact [email protected]. You may also designate an authorised agent to submit requests on your behalf.

We do not knowingly sell or share personal information of residents under 16 years of age.

Changes to This Policy

We may update this policy to reflect operational, legal, or regulatory changes. We will indicate the date of the latest update at the top of this page. For material changes, we will make reasonable efforts to notify you (for example, by email or by displaying a prominent notice in the Rebel app).

Contact Us

If you have questions about this policy or our practices, contact: [email protected]

Data controller: Mindstone AI Limited 85 Great Portland Street, First Floor, London, W1W 7LT

Further Reading

Platform-specific details:

• permissions.md - What the AI can/cannot do automatically

• AI-models.md - Available AI models (if available)

Usage guidance:

• GDPR-PII-tag-files.md - GDPR compliance workflow

• secrets-and-passwords.md - Credential management

• memory-folders-and-approvals.md - Personal vs. shared workspace

Technical architecture:

• architecture-technical-description.md - How data flows through the system

• mcp-connectors-tools-and-integrations.md - External service connections (if available)

Appendix A: Using Rebel with External IDEs

Some users may choose to use Rebel alongside external IDEs like Cursor. For privacy considerations when using these tools, see the dedicated documentation:

• Cursor Privacy Policy - Comprehensive details on Cursor's privacy modes, data collection, and security practices

• Cursor Setup Guide - Configuration and usage

Note: External IDE support is considered legacy functionality. The Rebel desktop app is the recommended interface for most users.

Document status: V2 — 22 Feb 2026