GitHub

Last updated: November 2, 2025

1. Introduction

This Privacy Policy explains how the MiniMax-M2 services available at https://minimax-m2.com and related domains (“MiniMax-M2”, “we”, “us”, or “our”) collect, use, disclose, and safeguard personal data. We operate the MiniMax M2 reasoning model through hosted chat experiences, developer APIs, and workspace tooling (the “Services”). This notice applies to our marketing site, documentation portal, dashboard, public chat, and customer support channels.

MiniMax-M2 is the data controller for personal data processed through the Services unless we act as a processor on your instructions. This policy complements our Cookie Policy and is intended to comply with the EU/UK GDPR, CCPA/CPRA, VCDPA, Singapore PDPA, and comparable regulations. Where consent is required, we present it via banners, in-product settings, or contractual agreements.

2. Data We Collect

Category	What We Collect	Purpose & Notes
Account Data	Email address (required), hashed authentication credentials, organisation/workspace name, role, invited team members.	Needed to create and secure your workspace. We currently require an email address to enable login, password resets, and security alerts.
Front-end Conversation Data	Messages you type in the hosted MiniMax-M2 chat UI, including system prompts, attachments, and model responses.	Stored so you and your teammates can view the conversation history inside the dashboard. You can delete conversations at any time; admins can disable retention across a workspace.
API Conversation Data	Prompts and responses sent through REST or SDK calls.	We process API payloads transiently to generate a response and meter usage. We do not retain API request or response bodies after a response is delivered, except for pseudonymised metrics (token counts, latency, error codes).
Service Usage Data	IP address, device/browser metadata, session identifiers, feature engagement, request ids, `<think>` reasoning split indicators, rate-limit events.	Used to secure the service, detect abuse, and improve reliability. Telemetry is aggregated and stored for short periods.
Billing Data	Contact name, email, billing address, tax ids, and payment instrument tokens handled by Creem (Merchant of Record).	Creem processes card data; we only store references, invoices, and receipts.
Support & Feedback	Emails, chat transcripts, attachments, or survey responses you send to our support team.	Used to troubleshoot issues and improve the platform.

3. How We Use Personal Data

We process personal data to:

Provide, maintain, and secure the Services, including authentication, account recovery, and feature access.
Display saved front-end chat conversations inside your dashboard; by default, only workspace members can see them.
Deliver API responses, meter token usage, and issue invoices. API payloads are not stored once the response is returned.
Communicate service updates, onboarding resources, and security notifications (you can manage marketing preferences at any time).
Monitor infrastructure health, debug incidents, and protect against fraud or misuse.
Comply with legal obligations, enforce agreements, and defend legal claims.

Our legal bases include performance of a contract (for account provisioning and service delivery), legitimate interests (security, product improvement), compliance with legal obligations, and consent (for optional cookies or marketing).

We do not sell personal data. We share information only with:

Service providers such as Cloudflare/Vercel (hosting), Plausible (self-hosted analytics), Resend (email delivery), Creem (billing), Google/GitHub (SSO), and vetted customer-support vendors. Each is bound by data processing agreements and only receives the minimum necessary data.
Workspace collaborators when you invite team members or explicitly share a conversation link.
Legal authorities when required to comply with law, regulation, or valid legal process, or to protect rights and safety.
Corporate transactions (merger, acquisition, restructuring) subject to continued protection and notice to affected users.

5. Cookies and Similar Technologies

We use strictly necessary cookies for login, security, and consent records, and optional cookies for functionality or analytics. See our Cookie Policy for details and preference controls.

6. Retention

Account Data – stored while your account remains active and for up to 24 months after closure (longer if legally required).
Front-end Conversation Data – retained until you delete the conversation or the workspace admin disables retention. Deleted conversations are removed from our primary systems within 30 days and from backups within 90 days.
API Conversation Data – not persisted; payloads are kept only in volatile memory for inference and streaming delivery.
Billing Data – retained for the period mandated by tax and accounting laws (typically seven years).
Telemetry & Security Logs – retained for 30–180 days depending on the log type.
Support Tickets – kept for up to three years to maintain an auditable trail.

When data is no longer needed, we delete or anonymise it unless law requires longer storage.

7. Security

We implement administrative, technical, and organisational safeguards such as:

TLS 1.2+ encryption in transit and AES-256 (or equivalent) encryption at rest.
Cloudflare Workers + Vercel edge protections, rate limiting, and abuse detection.
Role-based access controls, multi-factor authentication, and least-privilege principles.
Continuous monitoring, vulnerability management, and independent penetration tests.
Documented incident response procedures aligned with industry standards.

No service can guarantee absolute security, but we continuously improve our defences.

8. International Data Transfers

MiniMax-M2 operates from the United States with infrastructure in the U.S., EU, and Singapore. When data leaves your region, we rely on Standard Contractual Clauses or other recognised safeguards to maintain adequate protection in line with GDPR/UK GDPR and analogous laws.

9. Your Rights

Depending on your jurisdiction, you may have the right to:

Access the personal data we hold about you.
Rectify inaccurate or incomplete data.
Request deletion or anonymisation of personal data (subject to legal/contractual limits).
Restrict or object to certain processing.
Receive a portable copy of your data.
Withdraw consent for optional processing.
Lodge a complaint with your local supervisory authority.

Submit requests to privacy@minimax-m2.com. We may ask for additional information to verify your identity before acting. We respond within the timelines mandated by applicable law.

10. Children’s Privacy

The Services are intended for individuals 16 years and older. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us so we can delete it.

11. Changes to This Policy

We may update this policy when our Services or legal obligations change. Material updates will be communicated via email, dashboard banners, or other prominent notice. The “Last updated” date reflects the most recent revision.

12. Contact

For privacy inquiries or to exercise your data rights:

Email: privacy@minimax-m2.com

EU/UK residents may also contact their local supervisory authority if concerns remain unresolved.