Rebel Privacy Policy
Mar 25, 2026
Rebel Privacy Policy
This Privacy Policy explains how Mindstone AI Limited ("Mindstone", "we", "us", "our") handles your personal data when you use the Rebel desktop application ("Rebel") and what to expect when connecting third‑party AI services and integrations. This policy is intended for external customers, enterprise buyers, and prospective users.
Last updated: 25 Mar 2026 | Version: 3.0 | Owners: CTO & COO
How Rebel Works
Rebel is a desktop application that works with data on your local machine and connects to external services you authorise (for example, cloud storage, email, or collaboration tools). It uses AI to help you complete tasks against that data. Rebel itself does not store your content or conversations; it routes your instructions to the configured services and AI providers and collects only limited telemetry to ensure reliability.
Rebel operates on a local-first architecture: in desktop-only mode, your files, memory, and workspace remain under your control on your local device and chosen cloud storage (e.g. Google Drive, OneDrive). Mindstone does not host your content on its own servers in desktop-only mode.
Rebel also offers optional cloud features with different data flows. Cloud Continuity can mirror your conversations, inbox, and workspace to your own cloud instance so you can continue in mobile/browser clients. Meeting Notetaker can join meetings and return transcripts to your workspace. See Section 7 and Section 8 for how these optional modes handle data.
Executive Summary: Key Privacy Risks
Critical awareness points for Rebel users:
In desktop-only mode, Mindstone does not process or store your content or conversations — but data flows through multiple third parties.
Shared storage visibility — Files in shared cloud locations are visible to colleagues with access — you control who that is by managing permissions in your cloud storage provider (e.g. Google Drive, OneDrive).
Multiple third-party services — Your data flows through Rebel, AI providers, and individual service APIs.
Cloud continuity (optional) — Moves selected Rebel data to a cloud server you control (single-user instance) to keep desktop, mobile, and browser in sync. See Section 7.
Meeting Notetaker (optional) — Uses cloud services to join and transcribe meetings before returning transcripts to your workspace. See Section 8.
Personal memory system — Your system prompt (AGENTS.md) and Space README.md files, along with memory/ folders, may contain sensitive context in shared locations. Personal memory — stored in your private Chief-of-Staff Space — is only visible to you. Shared memory, stored in company Spaces, is visible to colleagues with access to that Space. See Section 6 for details.
MCP access scope — When you authorise MCP tools, you grant access to entire services (all Gmail, all Slack messages, etc.) MCP connectors are integrations that allow Rebel to interact with external services on your behalf — for example, reading emails or creating calendar events. You choose which MCPs to connect in Settings → Connectors, and you can configure each connector to allow only specific actions — for example, permitting Rebel to draft emails but not send them. You can disconnect any connector at any time.
Good news:
Rebel’s usage analytics and error monitoring include PII (email, IP address) but not your proprietary data (conversations, files, memories).
Rebel’s default AI providers (Anthropic for text, OpenAI for voice) state that API data is not used for model training.
You have control over what goes in shared vs. private locations.
Information We Collect
1. Information You Provide Directly
Account information — name, email address, and credentials used to create and access your Rebel account.
Payment information — Mindstone invoices customers directly. We do not collect or store payment card data.
Communications — emails or messages you send to Mindstone (e.g. support requests, feedback).
2. Information Collected Automatically
Usage telemetry — feature usage counts, session duration, performance metrics, and error reports, collected via RudderStack/PostHog (behavioural analytics) and Sentry (error monitoring). This may include your email address and IP address but is not intended to include your conversational content, files, or memories.
Technical data — device type, operating system, app version.
Log data — error logs and crash reports (automatically redacted of sensitive content such as API keys).
3. Information in Your Workspace (Not Collected by Mindstone)
Your prompts, AI outputs, files, and memory stored in your Rebel workspace remain on your local device and chosen cloud storage. Mindstone does not access, store, or process this content on its own servers. However, this content may be transmitted to third-party AI providers and services you authorise — see sections below.
In cloud continuity mode, your workspace files, sessions, memory, and connector OAuth tokens are stored on your dedicated cloud instance (see Section 7).
4. Data from Third Parties
Single sign-on (SSO) — if you sign in via Google or another identity provider, we receive basic profile information (name, email) from that provider.
Integrated services — when you connect external services (Gmail, Slack, Notion, etc.) via MCP connectors, data from those services is processed locally by Rebel or passed to your chosen AI provider — it is not stored by Mindstone.
OAuth tokens — when you connect a service, we store an access token so Rebel can act on your behalf. In desktop-only mode, these tokens are stored locally on your device. In cloud continuity mode, they are stored on your dedicated cloud instance.
How We Use Your Information
Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
Provide and operate the Rebel application | Account info, authentication data, workspace data | Contract performance |
Improve product reliability and features | Usage analytics, error reports | Legitimate interests |
Process payments and manage subscriptions | Account info, payment info | Contract performance |
Respond to support requests | Support communications, account info | Contract performance / Legitimate interests |
Sending product updates and service communications | Account info, email address | Contract performance |
Sending marketing communications (with your consent, where required) | Account info, email address | Consent / Legitimate interests |
Detecting and preventing fraud, abuse, and security incidents | Account info, usage logs, IP address | Legitimate interests / Legal obligation |
Comply with legal obligations | Account info, usage logs | Legal obligation |
Operate cloud continuity and mobile features (where opted in) | Sessions, settings, workspace files, memory, OAuth tokens | Contract performance / Consent |
Operate meeting notetaker (where opted in) | Meeting audio, transcripts, summaries | Contract performance / Consent |
AI Training and Your Data
Mindstone and Rebel do not train AI models on your data.
More specifically:
Your prompts, outputs, files, and workspace content are never used by Mindstone to train, fine-tune, or improve AI models.
Anthropic (Claude) and OpenAI, Rebel’s default AI providers, contractually commit not to use API data for model training. Rebel connects to these providers via API — not consumer products — which carries stronger data protections.
Third-party MCP providers you connect (Gmail, Slack, Notion, etc.) have their own policies; Rebel does not share your data with these providers for training purposes.
If Mindstone ever introduces opt-in model improvement programmes in the future, this policy will be updated and explicit consent will be obtained before any such use.
If you use alternative or self-hosted AI providers, their data practices apply instead — please review the relevant provider’s policy.
Enterprise customers: see the “Enterprise Customers” section below for additional protections.
Privacy Layers
Rebel is a multi-layer system. Each layer has different privacy characteristics. The following sections explain what data each layer handles and what controls you have.
Section 1: Cloud Storage (Google Drive, OneDrive, etc.)
Risk level: Medium — governed by your cloud storage provider
Your Rebel workspace — including Space folders, AGENTS.md, memory files, and any files you place in Spaces — lives in your chosen cloud storage. Mindstone does not have standing access to this storage; Rebel reads it locally via your device’s synced folder or via the storage provider’s API using your credentials.
Data at rest is governed by your cloud storage provider’s terms (Google, Microsoft, Dropbox, etc.).
Files placed in shared folders are visible to all collaborators with access to that folder.
You control permissions by managing sharing settings in your storage provider.
In organisation-managed environments, your organisation administers permissions and access controls.
Use your Chief-of-Staff Space for sensitive work, and tag sensitive files with
GDPR-PII-sensitive: truefrontmatter.
Provider privacy policies: Google | Microsoft | Dropbox | Box
Section 2: Rebel App
Risk level: Low in desktop-only mode; Medium in cloud continuity mode
The Rebel desktop application runs on your local machine. In desktop-only mode, your conversations, workspace content, and OAuth tokens are not transmitted to or stored on Mindstone’s servers.
What Rebel does:
Pass data to the 3rd-party AI providers of your choice (e.g. Anthropic, OpenAI, ElevenLabs), but only using the API keys you provide.
Connect to external services via built-in connectors that keep OAuth tokens local on your device in desktop-only mode (in Cloud Continuity mode, tokens are relayed to your cloud instance — see Section 7).
Track usage telemetry via RudderStack/PostHog and Sentry. This telemetry includes PII such as email address and IP address.
Produce aggregated usage statistics for reporting.
What Rebel does not do:
In desktop-only mode, does not process or store your text, files, or conversations in a Mindstone backend server at all.
Does not train AI models on your data.
Does not sell your personal data.
In cloud continuity mode, your sessions, settings, workspace files, memory, and connector OAuth tokens are stored on a dedicated single-user cloud instance operated on your behalf. See Section 7 for full details.
Important note on in-app Privacy & Data statements: Privacy & Data statements in the Safety tab (for example, “No conversation storage” and “Secrets stay local”) apply to desktop-only mode. When Cloud Continuity is enabled, data is stored on your cloud instance.
Section 3: MCP Integrations
Risk level: Medium — varies by integration
MCP (Model Context Protocol) connectors let Rebel interact with external services — Gmail, Slack, HubSpot, Linear, and others — on your behalf. When you connect an MCP integration:
You grant Rebel an OAuth token scoped to that service. In desktop-only mode, the token is stored locally. In cloud continuity mode, it is stored on your dedicated cloud instance.
Rebel can read and write to that service as permitted by the token’s scope — which is typically broad (e.g., access to all emails, all Slack messages).
Data retrieved from those services may be sent to your configured AI provider as context for your instructions.
Each connector can be configured to allow only specific actions — for example, permitting Rebel to draft emails but not send them.
Rebel does not store the retrieved data; it is processed locally or passed to your chosen AI provider.
You can disconnect any connector at any time from Settings → Connectors — any OAuth tokens are deleted from your device immediately.
Section 4: LLM Model Providers (Third-Party AI APIs)
Risk level: Variable — depends on provider and configuration
When you send a message in Rebel, your prompt and relevant context (which may include file excerpts, email content, calendar data, memory entries, etc.) are sent to your configured AI provider. By default this is Anthropic (Claude) for text and OpenAI (Whisper/GPT) for voice features.
Rebel’s default primary AI providers — Anthropic (for text/reasoning) and OpenAI (for voice) — state that data submitted via their APIs is not used for model training.
Your prompts and context are subject to the AI provider’s privacy policy and terms of service.
You can configure Rebel to use alternative providers, including self-hosted models, in Settings → AI Providers.
Enterprise customers can request data processing agreements with Anthropic and OpenAI directly.
Provider policies: Anthropic | OpenAI | Google
Additional API-specific terms: OpenAI API Data Usage | Google Gemini API Terms | Anthropic API Docs
Section 5: Voice and Speech Features (TTS/STT)
Risk level: Medium — audio is transmitted to a third-party transcription service
When you use Rebel’s voice input features, audio is captured on your device and sent to your configured transcription provider. Speech-to-Text options in order of recommendation:
OpenAI Whisper (recommended, default) — audio is transmitted to OpenAI and subject to OpenAI’s privacy policy.
ElevenLabs Scribe (alternative) — audio is transmitted to ElevenLabs and subject to their privacy policy.
Local transcription via Parakeet v3 (privacy-sensitive option) — audio never leaves your computer.
Text-to-Speech: OpenAI TTS (default), ElevenLabs (alternative). We do not store audio recordings on Mindstone servers. A voice proxy may be used to route audio in cloud continuity or mobile configurations — see Section 7.
Section 6: Personal Memory
Risk level: Low for private memory; Medium for shared memory
Rebel’s memory system allows the AI to retain context about you and your work across sessions. Memory is stored in files (AGENTS.md, README.md, memory/ folders) within your Spaces in cloud storage.
Personal memory (Chief-of-Staff Space) — stored only on your local device and private cloud storage. Visible only to you.
Shared memory (company Spaces) — stored in your organisation’s shared cloud storage. Visible to colleagues who have access to those Spaces.
Memory files are plain text and can be reviewed, edited, or deleted at any time.
Memory content may be included in prompts sent to your AI provider.
Section 7: Cloud Continuity and Mobile (Optional)
Risk level: Medium-High — your Rebel data is stored in a dedicated cloud instance when enabled
Cloud continuity is an optional feature. When you opt in, Rebel provisions a dedicated single-user cloud instance to keep your sessions, settings, workspace files, memory, and connector OAuth tokens persistent and accessible across devices — including Rebel mobile.
Infrastructure
Default hosting is on Fly.io (region iad in US East by default, with user-selectable region options). Bring-your-own-cloud deployments are also supported on DigitalOcean (nyc1) and Hetzner (fsn1).
Cloud Continuity uses a single-user model: one cloud instance per user.
What is stored on your cloud instance
Sessions and conversation history — so you can resume conversations across devices.
Settings and preferences — your Rebel configuration, including AI provider settings.
Workspace files and memory — synced copies of Space content, AGENTS.md, and memory files.
Connector OAuth tokens — credentials used by MCP integrations, stored securely on your instance rather than only on your local device.
Inbox and automations — your cloud instance becomes authoritative for inbox and automation state when Cloud Continuity is enabled.
Additional cloud behaviours
Push notifications — delivered via Expo’s push notification service. Notification payloads may include limited preview text such as titles or status labels, but not full conversation content.
Shared conversation links — you can create shared conversation links (including optional password protection). A snapshot of that conversation is stored on your cloud instance and accessible to anyone with the link.
Voice proxy — voice requests may be proxied by your cloud instance to speech providers for STT/TTS.
Auto-updates — the cloud service periodically checks for software updates and may restart to apply them. Updates are deferred while work is in progress.
Authentication and OAuth infrastructure
rebel.mindstone.com handles account login and cloud provisioning control.
rebel-auth.mindstone.com (Cloudflare Worker) handles OAuth callback redirects.
Your control
Cloud Continuity is opt-in. You can disconnect at any time in Settings. Upon disconnection, Rebel returns to desktop-only local processing.
Each deployment is a single-user instance with encrypted cloud volumes.
The last-synced data remains on your cloud instance until the instance is deleted. For Mindstone-managed instances, contact [email protected].
OAuth tokens stored on the cloud instance are encrypted at rest. Disconnecting a connector in Settings → Connectors revokes the token and removes it from your instance.
Section 8: Meeting Notetaker (Optional)
Risk level: Medium-High — meeting audio and transcripts processed via cloud infrastructure
The Rebel Meeting Notetaker is an optional feature that joins your video meetings (Zoom, Google Meet, Microsoft Teams, etc.) to capture audio, generate transcripts, and produce AI summaries.
Infrastructure
Mindstone runs the meeting backend on a Cloudflare Worker.
Recall.ai (us-west-2.recall.ai) provides the underlying meeting capture/transcription infrastructure, hosted in us-west-2 (AWS Oregon).
Avatar web assets are hosted on Cloudflare Pages, with media assets in Cloudflare R2.
Data flow
Desktop app → Mindstone Cloudflare Worker → Recall.ai → transcript back to desktop app → saved to workspace.
How it works
Meeting bot — a bot participant joins your meeting via Recall.ai. Cloudflare Durable Objects provide WebSocket relay for live captions/avatar interactions.
Temporary storage — meeting data (bot metadata and limited meeting artifacts such as chat messages used for interactive features) is held in Cloudflare KV with a 7-day TTL. After 7 days, data is automatically deleted.
AI transcription and summarisation — transcripts are processed by your configured AI provider (Anthropic by default) to generate summaries and action items.
Per-bot security — each bot is assigned a random client secret stored locally on your device.
Multi-user meetings — only one bot is placed into a meeting (deduplicated across users), and each user gets their own transcript copy in their own workspace.
Local fallback recording
The “local fallback” option uses Recall Desktop SDK capture, but still uploads through the cloud pipeline for transcription.
Data handling summary
Meeting audio and transcripts are processed by Recall.ai (us-west-2) and your AI provider.
Temporary meeting data is stored in Cloudflare KV for up to 7 days, then automatically deleted.
Mindstone does not retain meeting recordings or transcripts on its own servers beyond the 7-day Cloudflare KV window.
Meeting summaries and action items generated by the AI provider may be saved to your Rebel workspace (in your cloud storage) if you choose to save them.
All participants in a meeting should be informed that a notetaker bot is present. Rebel will display a disclosure when you enable the notetaker. You are responsible for ensuring participants are aware of and consent to recording in accordance with applicable law.
Data Retention
Data Type | Retention Period |
|---|---|
Usage telemetry (PostHog/RudderStack) | 2 years |
Error logs (Sentry) | 12 months |
Account information (name, email) | 6 years after account closure |
Payment records | 6 years (as required by applicable financial regulations) |
Support communications | 6 years after resolution |
In desktop-only mode, your conversational content, files, and workspace data are not stored by Mindstone.
If you enable Cloud Continuity, your data is stored on your dedicated cloud instance for as long as you remain connected. When you disable Cloud Continuity, the last-synced data remains on your cloud instance until the instance is deleted. For Mindstone-managed instances, contact [email protected].
Workspace content (desktop-only mode) — not stored on Mindstone servers. Governed by your cloud storage provider’s retention policies.
Cloud continuity data — sessions, settings, workspace files, memory, and OAuth tokens stored on your dedicated cloud instance persist until you disconnect from cloud continuity or request deletion. Upon disconnection, the instance is deprovisioned.
Meeting notetaker data — meeting audio, transcripts, and metadata held in Cloudflare KV are automatically deleted after 7 days. Any summaries saved to your workspace are governed by your cloud storage provider’s retention policies.
You may request deletion of your account and associated data at any time by contacting us at the address in the Contact Us section.
Enterprise Customers
For enterprise deployments, Mindstone can provide:
A Data Processing Agreement (DPA) covering Mindstone’s role as a data processor.
A list of subprocessors and their roles.
Support for configuring Rebel with enterprise-approved AI providers.
Assistance with completing vendor security questionnaires.
Current Subprocessors
Subprocessor | Role | Location |
|---|---|---|
Anthropic | AI text processing (default LLM provider) | USA |
OpenAI | Voice transcription and fallback AI | USA |
RudderStack | Behavioural analytics / usage telemetry | USA / EU |
PostHog | Usage analytics | USA / EU |
Sentry | Error monitoring | USA |
Stripe | Payment processing | USA |
Fly.io | Cloud continuity instance hosting (optional) | USA (configurable) |
Expo | Mobile push notifications (optional) | USA |
Cloudflare | Meeting bot backend, OAuth callback workers, KV storage, Durable Objects, Pages, R2 | USA / Global edge |
Recall.ai | Meeting capture and transcription (optional meeting notetaker) | USA (us-west-2) |
Enterprise customers may request the full, current subprocessor list and DPA by contacting [email protected].
Frequently Asked Questions
Does Rebel read my files without me asking?
Rebel indexes your connected Spaces to enable search and context retrieval. This indexing runs locally (or on your cloud instance in cloud continuity mode) and the index is not transmitted to Mindstone. Rebel only actively reads file contents when you ask it to perform a task that requires those files.
Are my conversations stored?
Desktop-only mode: Conversation history is stored locally on your device. Mindstone does not have access to it. Cloud continuity mode: Conversation history is stored on your dedicated cloud instance so you can resume across devices. Mindstone personnel do not routinely access your instance, but the data is technically accessible to Mindstone as the operator of the underlying infrastructure.
Can Mindstone read my memory files?
Memory files live in your cloud storage (Google Drive, OneDrive, etc.). Mindstone does not have standing access to your cloud storage. Mindstone could theoretically access memory files stored on a cloud continuity instance, but does not do so as a matter of policy. If this is a concern, use desktop-only mode.
What happens when I connect a Google account?
Rebel requests OAuth permission from Google. The resulting token allows Rebel to access your Google services (Drive, Gmail, Calendar) within the scopes you authorise. In desktop-only mode, this token is stored locally on your device. In cloud continuity mode, it is stored on your dedicated cloud instance. Rebel uses the token to fulfil your instructions — for example, reading an email you’ve asked about or creating a calendar event. You can revoke access at any time from your Google Account settings or from Settings → Connectors in Rebel.
Does Rebel use my data to train AI?
No. Mindstone does not use your data to train AI models. Anthropic and OpenAI (the default providers) both state that API data is not used for training. If you use other providers, their policies apply.
Is Rebel GDPR compliant?
Mindstone is a UK-registered company and processes data in accordance with the UK GDPR and EU GDPR. See “Your Rights” and “Legal Bases for Processing” below.
How do I delete my data?
You can delete your Rebel account at any time from Settings → Account. This will delete your Mindstone account record, analytics association, and (where applicable) deprovision your cloud continuity instance. Files stored in your own cloud storage are not deleted — you control those directly. To submit a formal erasure request, use our Data Privacy Request Portal or contact [email protected].
What data does cloud continuity store, and who can access it?
When you opt into cloud continuity, your sessions, settings, workspace files, memory, and connector OAuth tokens are stored on a dedicated single-user cloud instance provisioned for you on Fly.io. This data is isolated to your instance and not shared with other users. Mindstone, as infrastructure operator, has technical access to the instance but does not routinely access your data. To disconnect and deprovision your instance, go to Settings → Cloud & Mobile. For data deletion, use our Data Privacy Request Portal or contact [email protected].
Are my OAuth tokens safe in cloud continuity mode?
OAuth tokens stored on your cloud continuity instance are encrypted at rest. Your instance is dedicated solely to you — tokens are not shared with other users or accessible by Mindstone in the normal course of operations. Mindstone has technical access as infrastructure operator but does not access tokens as a matter of policy. You can revoke any individual connector token at any time from Settings → Connectors, which removes it from your instance immediately. Disconnecting from cloud continuity entirely deprovisions the instance and all tokens stored on it.
Where is my meeting notetaker data processed and stored?
Meeting capture is handled by Recall.ai, whose infrastructure is located in us-west-2 (AWS Oregon, USA). Meeting orchestration runs via a Mindstone Cloudflare Worker. Meeting audio, transcripts, and metadata are held in Cloudflare KV for up to 7 days, then automatically deleted. Any summaries you choose to save go to your own workspace storage.
Security
Mindstone implements appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or disclosure. Mindstone is ISO 27001 compliant. These measures include:
Encryption in transit (TLS) for all data transmitted between Rebel, Mindstone services, and third-party providers.
Encryption at rest for data stored on cloud continuity instances and Cloudflare KV.
Access controls limiting Mindstone personnel access to production systems.
Regular security reviews of our infrastructure and third-party subprocessors.
No system is perfectly secure. We encourage you to use strong, unique passwords and to enable two-factor authentication on your Mindstone account and connected services.
International Transfers
Mindstone is incorporated in the United Kingdom. Your data may be processed by subprocessors in the United States and other countries. Where personal data is transferred outside the UK or European Economic Area, we rely on appropriate transfer mechanisms, including the UK International Data Transfer Agreement (IDTA) and EU Standard Contractual Clauses (SCCs), as applicable.
Key subprocessors with US-based processing include Anthropic, OpenAI, RudderStack, PostHog, Sentry, Stripe, Fly.io, Expo, Cloudflare, and Recall.ai.
When in Doubt
If you are unsure whether it is appropriate to use Rebel for a particular task — especially one involving sensitive personal data, confidential client information, or regulated data — err on the side of caution. You can always:
Use Rebel in desktop-only mode for maximum local control.
Avoid placing sensitive data in shared Spaces.
Review and trim memory files regularly.
Disconnect MCP integrations you are not actively using.
Contact us at [email protected] with any questions.
Best Practices
Sensitive Client Work
If you work with confidential client data (legal, financial, medical, etc.):
Keep client-specific Spaces private — do not share them with colleagues unless necessary.
Be mindful of what context is included in prompts sent to AI providers.
Consider whether your engagement letter or client agreement permits use of AI tools for that work.
Use desktop-only mode to avoid any cloud storage of work product.
Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
Access — request a copy of the personal data we hold about you.
Rectification — ask us to correct inaccurate or incomplete data.
Erasure — request deletion of your personal data (subject to legal retention obligations).
Restriction — ask us to restrict processing of your data in certain circumstances.
Portability — receive your data in a structured, machine-readable format.
Objection — object to processing based on legitimate interests.
Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing.
To exercise any of these rights, use our Data Privacy Request Portal or contact us at [email protected]. We will respond within the timeframes required by applicable law (typically 30 days under UK/EU GDPR).
Legal Bases for Processing (GDPR)
Under the UK GDPR and EU GDPR, we rely on the following legal bases:
Processing activity | Legal basis |
|---|---|
Providing the Rebel application and account management | Contract performance (Article 6(1)(b)) |
Usage analytics and error monitoring | Legitimate interests (Article 6(1)(f)) — improving product reliability |
Payment processing | Contract performance (Article 6(1)(b)) |
Support communications and responding to requests | Contract performance (Article 6(1)(b)) / Legitimate interests (Article 6(1)(f)) |
Sending product updates and service communications | Contract performance (Article 6(1)(b)) |
Sending marketing communications | Consent (Article 6(1)(a)) / Legitimate interests (Article 6(1)(f)) |
Detecting and preventing fraud, abuse, and security incidents | Legitimate interests (Article 6(1)(f)) / Legal obligation (Article 6(1)(c)) |
Legal compliance and record-keeping | Legal obligation (Article 6(1)(c)) |
Cloud continuity and mobile features | Contract performance (Article 6(1)(b)) / Consent (Article 6(1)(a)) |
Meeting notetaker features | Contract performance (Article 6(1)(b)) / Consent (Article 6(1)(a)) |
CCPA Disclosure
For California residents: Mindstone does not sell your personal information. We share data with service providers (subprocessors) as described in this policy solely for business purposes. You have the right to know what personal information we collect, to request deletion, and to opt out of any sale (which does not occur). To exercise your California privacy rights, use our Data Privacy Request Portal or contact [email protected].
Children's Privacy
Rebel is not directed at children under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at [email protected].
Changes to This Policy
We may update this policy from time to time. When we make material changes, we will notify you via the Rebel application or by email. The “Last updated” date at the top of this policy reflects the date of the most recent revision. Continued use of Rebel after changes are notified constitutes acceptance of the updated policy.
Contact Us
For privacy-related questions, data subject requests, or to request a DPA, contact:
Mindstone AI Limited
Email: [email protected]
Address: 85 Great Portland Street, First Floor, London, W1W 7LT
You can also submit a request directly via our Data Privacy Request Portal.
For urgent data protection concerns, you may also contact our lead supervisory authority: the UK Information Commissioner's Office (ICO) at ico.org.uk.
Further Reading
Appendix A: Using Rebel with External IDEs
Rebel can be configured to work alongside external IDEs (such as Cursor, VS Code, or Windsurf) via the Model Context Protocol (MCP). In this configuration, Rebel acts as an MCP server, exposing your connected Spaces, memory, and tool integrations to the IDE's AI assistant.
Privacy implications
Your IDE's AI assistant gains access to whatever Rebel exposes via MCP — including Space files, memory, and connected service data.
The IDE provider's privacy policy applies to data processed by its AI assistant. For example, if you use Cursor, Cursor's terms govern how your data is handled by Cursor's AI.
Rebel itself does not change its data handling in this configuration — Rebel still processes data locally (or on your cloud instance in cloud continuity mode) and only sends data to configured AI providers.
Recommendations
Review your IDE provider's privacy policy before connecting Rebel via MCP.
Limit the Spaces and connectors you expose to the IDE to those necessary for your development work.
Be mindful that code, files, and context sent to the IDE AI may be processed by that provider's infrastructure.