Privacy Policy

If you sign up for the newsletter

We collect: your email address.

We use it to: send the weekly "One AI Workflow a Week" email (one per Friday).

Where it's stored: Brevo (EU-based). You can unsubscribe with one click from any email.

We never share newsletter addresses with anyone, including affiliates.

If you buy a product on Gumroad

Gumroad handles the entire checkout, payment, and delivery flow. We see only: the order ID, product, price, your email, and your country. We never see card details.

For F1 subscriptions purchased via Stripe: same principle. Stripe handles the card; we see the customer email and subscription tier.

If you use F1 (BYOK Anthropic proxy)

F1 has its own dedicated security page that goes deeper: /f1/security. Summary of what we store:

• One row per API call in our usage_events table: timestamp, model, token counts, USD cost, HTTP status, latency, and a SHA-256 hash of the first 2 KB of your input (one-way; never reversible).
• Your Anthropic API key, encrypted at rest with AES-GCM. The encryption master key lives only as a Cloudflare Worker secret — never in code or environment files.
• A "key access log" with timestamps and a privacy-preserving IP hash for every decryption of your Anthropic key.

We never store the body of any request or response. This is a hard policy enforced at the code level; the Worker source is MIT-licensed and public at github.com/mini-on-ai/f1.

Who sees your data (subprocessors)

• Cloudflare — Workers, D1, KV, Pages hosting (all our infrastructure).
• Stripe — payment processing for F1 subscriptions.
• Gumroad — payment processing for one-time digital products.
• Brevo — transactional email (welcome emails, F1 key delivery) and newsletter.
• Anthropic — for F1 customers, your API calls are forwarded verbatim to Anthropic (this is the entire point of the proxy).

No analytics SDKs, no tracking pixels, no ad networks. The only third-party JavaScript on the site is Cloudflare Web Analytics (privacy-preserving, no cookies). Full subprocessor list with data-sharing details: /f1/security#subprocessors.

Cookies

The site itself sets no cookies. The dashboard and product pages use localStorage only to remember your dark-mode preference. Cloudflare may set a session cookie for bot detection — that's at the infrastructure layer and we have no access to it.

How long we keep things

• Newsletter addresses — until you unsubscribe.
• F1 usage events — 90 days in full, then aggregated to daily rollups and the per-call rows are deleted.
• F1 key-access log — last 1000 entries, FIFO.
• F1 account + encrypted Anthropic key — while your subscription is active, plus a 30-day grace period after cancellation.
• Gumroad / Stripe order data — retained per their respective policies for tax and chargeback compliance.

Your rights

You can, at any time:

• Request a copy of everything we have on you.
• Ask for everything to be deleted. For F1: use the DELETE button in your dashboard Settings tab. For newsletter: click "unsubscribe" in any email. For Gumroad orders: contact us and we'll remove what we hold.
• Object to or withdraw consent for any processing.

To exercise any of these, email hello@mini-on-ai.com. We respond within 7 days.

About the brand

mini-on-ai is operated by an anonymous solo founder. We acknowledge this creates a trust asymmetry for a product that handles credentials. Our mitigation: the F1 Worker source is MIT-licensed and public, encryption is verifiable in the code, and our subprocessors (Cloudflare, Stripe, Brevo, Anthropic) are all recognizable infrastructure providers you can evaluate independently. See /f1/security for the full reasoning.

Changes to this policy

If we make material changes, we'll update the "Last updated" date at the top and email anyone whose data is materially affected. The full revision history is in the git log of our public site repo.

Contact

Privacy questions: hello@mini-on-ai.com
Security disclosures: security@mini-on-ai.com (see also /.well-known/security.txt)