What we hold, and how we hold it.
Last updated: May 2026.
The short version
Mintdrop holds very little about you: an email, a practice name and specialty, a brand kit, and a record of which captions you copied. We do not hold patient data, and we do not hold card numbers. Less data is the security strategy — there is not much here to lose.
Payments
All billing runs through Stripe, a PCI-DSS Level 1 provider. Card details are entered on Stripe-hosted fields and never pass through or rest on Mintdrop servers. Mintdrop sees a charge succeeded or failed — never a full card number.
Where your data lives
Account data and brand-kit assets are stored on Supabase (US region) — Postgres for records, Supabase Storage for uploaded logos and images. Traffic between your browser, Mintdrop, and these services is encrypted in transit with TLS. The app is served from Vercel.
No patient data
Mintdrop is a marketing tool, not a clinical one. We do not collect or store patient records, intake forms, or protected health information, and the app gives you no place to put them. Mintdrop is not a HIPAA-covered service and does not sign business associate agreements — by design, there is no PHI in scope. Any patient before/after images you choose to use stay on your own devices and accounts.
AI and your data
Phase 1 content is human-written. When AI personalization ships in later phases, it runs through OpenAI's API on Mintdrop's account under terms that prohibit training on customer data. Your brand voice is used to generate your captions — never to train a shared model.
Account access
Logins are handled by Supabase Auth with session cookies scoped to your browser. We recommend a unique password and, where your email provider supports it, two-factor authentication on the inbox tied to your account — that inbox is the recovery path.
Reporting a vulnerability
If you believe you've found a security issue, email hello@mintdrop.ai with steps to reproduce. We acknowledge reports within two business days and will not pursue good-faith researchers who follow responsible-disclosure practice.
Related
What we collect and why is on the privacy page. The service agreement is in the Terms.