Privacy Policy
01 Introduction and Data Controller Identity
TheMintLab ("we", "us", "our") operates the website https://themintlab.xyz and the TheMintLab NFT collection generator service (collectively, the "Service"). This Privacy Policy explains how we collect, use, store, share, and protect your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).
We are the data controller for the personal data described in this policy. If you have any questions about this policy or wish to exercise your data protection rights, please contact us at the address below.
02 Personal Data We Collect
We collect the minimum personal data necessary to provide our Service.
2.1 Data You Provide Directly
- Email address — collected when you request access to a paid or free tier, or when you use the Restore Access feature. Your email is used to issue your session access link and to communicate with you about your order.
- Payment information — when you purchase a paid tier, payment is processed by Stripe, Inc. We do not store your card number, CVV, or full payment details. We receive a Stripe Checkout Session ID and your email address from Stripe upon successful payment.
2.2 Data Collected Automatically
- IP address — logged when you request access or when Stripe redirects you to our callback endpoint, for rate limiting and fraud prevention purposes.
- Session token — a unique cryptographic token generated server-side when your session is created, stored in our database associated with your email and tier.
- Browser local storage — your session token is cached in your browser's localStorage to avoid you needing to click your access link on every visit. This is stored locally on your device and is not transmitted to us separately.
- Download logs — when you download a collection, we record the timestamp, your session reference, and collection size for operational and fraud prevention purposes.
- Email delivery logs — we retain a rolling log of the last 20 email send attempts (email address, timestamp, success/failure status) for diagnostic purposes.
2.3 Data We Do Not Collect
We explicitly do not collect your NFT layer images, trait files, or any creative assets you upload. All image compositing happens entirely in your browser — no images are transmitted to or stored on our servers. We also do not collect wallet addresses, private keys, blockchain credentials, sensitive personal data as defined by UK GDPR Article 9, or data from children under 18.
03 Lawful Bases for Processing
We rely on the following lawful bases under UK GDPR Article 6:
3.1 Contract Performance (Article 6(1)(b))
Processing your email address, session token, and tier information is necessary to perform the contract we have with you — specifically, to issue your access link, verify your session, enforce tier limits, and deliver your downloaded collection.
3.2 Legitimate Interests (Article 6(1)(f))
We process IP addresses and download logs on the basis of our legitimate interests in preventing fraud, detecting abuse, maintaining service security, and rate-limiting automated requests. We have conducted a Legitimate Interests Assessment and are satisfied that these interests are not overridden by your rights and freedoms, given the minimal nature of the data and the security purpose it serves.
3.3 Legal Obligation (Article 6(1)(c))
We may process and retain data where required to comply with applicable UK law, including responding to lawful requests from law enforcement or regulatory authorities.
04 How We Use Your Personal Data
We use the personal data we collect for the following purposes:
- Issuing and verifying session access links following payment or registration;
- Enforcing tier limits (maximum NFT collection size per tier);
- Sending transactional emails (access links, upgrade confirmations). We do not send marketing emails;
- Rate-limiting access requests to prevent brute-force and spam;
- Detecting and investigating potential fraud or abuse, including flagging multiple accounts from the same IP address;
- Maintaining download logs for operational analysis and dispute resolution;
- Complying with our legal obligations under UK law.
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.
05 Data Retention
We retain personal data only for as long as necessary for the purposes described in this policy:
| Data Type | Retention Period |
|---|---|
| Session records | 30 days following session expiry, then automatically deleted |
| Download logs | 90 days for fraud detection and dispute resolution, then deleted |
| Email delivery logs | Rolling log of last 20 send attempts — you may request deletion at any time |
| Payment records (Stripe Session ID + email) | Up to 7 years to satisfy UK financial record-keeping requirements |
Stripe retains payment records in accordance with their own retention policies and applicable financial regulations.
06 Data Sharing and Third Parties
We do not sell your personal data. We share it only with the following third-party processors, under appropriate data processing agreements:
6.1 Stripe, Inc.
Stripe processes payments on our behalf. When you purchase a paid tier, you are redirected to a Stripe-hosted Checkout page. Stripe collects your payment card details and billing information directly. We receive only your email address and a session confirmation from Stripe. Stripe is certified to PCI DSS Level 1. For more information, see Stripe's Privacy Policy.
6.2 Hosting and Infrastructure Provider
Our website is hosted on third-party server infrastructure. This provider may process your IP address and session data in the course of providing hosting services. We use providers that are either based in the UK/EEA or that offer UK GDPR-compliant data transfer mechanisms.
6.3 Email Delivery (SMTP)
Transactional emails (access links) are sent via our configured SMTP provider. Email addresses are transmitted to this provider solely for the purpose of delivering the email. We do not use this provider for marketing.
6.4 Law Enforcement and Regulatory Authorities
We may disclose personal data to law enforcement agencies, regulatory bodies, or courts where we are legally required to do so, or where disclosure is necessary to protect the rights, property, or safety of TheMintLab, our users, or others.
We do not transfer personal data outside the UK except where adequate safeguards are in place as described in Section 7.
07 International Data Transfers
Some of our third-party processors (including Stripe) are based in the United States or other countries outside the UK. Where personal data is transferred outside the UK, we ensure that appropriate safeguards are in place, including:
- Reliance on the UK's adequacy regulations for transfers to countries deemed adequate by the UK Secretary of State;
- Use of UK International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs) approved for use under UK GDPR;
- Reliance on providers that are certified under approved frameworks offering equivalent protection.
You may request further information about the specific safeguards in place for international transfers by contacting us at enquiries@themintlab.xyz.
08 Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These measures include:
- All session tokens are cryptographically generated and stored server-side;
- HMAC-SHA256 signatures on server-generated data to prevent client-side tampering;
- Rate limiting on all access and session endpoints;
- HTTPS encryption for all data in transit;
- Database queries are parameterised to prevent SQL injection;
- Access to admin functions and raw data is restricted to authorised personnel only.
No method of transmission over the internet or electronic storage is 100% secure. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours and affected individuals without undue delay, as required by UK GDPR Articles 33–34.
09 Your Rights Under UK GDPR
Subject to certain conditions and exemptions, you have the following rights regarding your personal data. To exercise any of these rights, contact us at enquiries@themintlab.xyz. We will respond within one month.
Right of Access
Request a copy of the personal data we hold about you and information about how we process it.
Right to Rectification
Request that inaccurate or incomplete personal data be corrected.
Right to Erasure
Request deletion of your personal data where it is no longer necessary. Note: erasure of session data will terminate your access.
Right to Restriction
Request that we restrict processing of your personal data in certain circumstances, for example while accuracy is disputed.
Right to Portability
Receive your personal data in a structured, commonly used, machine-readable format where processing is based on contract or consent.
Right to Object
Object to processing based on our legitimate interests. We will cease unless we can demonstrate compelling grounds that override your interests.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
10 Cookies and Local Storage
Our Service does not use cookies for tracking or analytics purposes.
We use browser localStorage solely to cache your session token on your device, enabling you to access the Service across browser sessions without clicking your magic link each time. This data is stored locally on your device and is not transmitted to us separately from your session verification requests.
If you clear your browser's localStorage, you will need to click your access link again to restore your session.
11 Children's Privacy
Our Service is not directed at children under the age of 18. We do not knowingly collect personal data from children. If you are a parent or guardian and believe that a child has provided us with personal data, please contact us at enquiries@themintlab.xyz and we will delete it promptly.
12 Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date at the top of this document and, where appropriate, by email. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
We encourage you to review this policy periodically.
13 Contact Us
For any questions, concerns, or to exercise your data protection rights, please contact: