Legal

Privacy Policy

How minrva handles personal information and customer financial data. Written plainly. Reviewable on request.

Last updated: May 23, 2026

1. Who we are

minrva is operated by Minerva, Inc.[TODO: confirm legal entity name and state of incorporation] (“minrva,” “we,” “us,” “our”). This policy applies to minrva.ai and any minrva product, service, or workbench you access under a pilot agreement, order form, or subscription.

If you are a prospective customer browsing the site, you are a visitor. If your company has signed a pilot or commercial agreement with us, you are a customer, and the data your team puts into the workbench is customer data. Different parts of this policy apply to each.

2. What we collect

2.1 From visitors

  • Contact information you give us — name, work email, company, role, and whatever you write into the pilot application form.
  • Newsletter information — email address you submit through the footer subscribe form. Stored with our email provider.[TODO: name provider (Kit / ConvertKit) once form ID is live]
  • Basic request data — IP address, user-agent, referrer, and timestamps in server access logs, kept for security and abuse-prevention purposes.

We do not load advertising pixels, cross-site tracking scripts, or third-party analytics that profile visitors across the web. The marketing site uses no tracking cookies at this time.

2.2 From customers

Once your company is in a pilot or commercial engagement, the workbench may process:

  • Account information — user names, work emails, roles, and authentication credentials for the people on your team.
  • Customer data — financial data you load into minrva: general-ledger extracts, budgets, forecasts, CRM exports, ERP extracts, planning assumptions, and any documents you upload or connect.
  • Usage logs — records of which users took which actions in the workbench, what they asked, what was returned, and which sources were cited. These logs are the basis of the receipts and tie-out trail the product provides.

2.3 What we do not collect

  • We do not knowingly collect data from anyone under 16.
  • We do not collect sensitive personal information (health, biometric, precise geolocation, government ID numbers) through the marketing site.
  • We do not sell personal information.[TODO: confirm with counsel before this becomes a final commitment under CCPA / CPRA]

3. How we use it

  • Provide the service. Authenticate users, return answers, generate forecasts and reports, and produce the receipts/tie-out trail.
  • Operate the company. Respond to inquiries, fulfill pilot agreements, send service notices, invoice customers, and meet legal obligations.
  • Improve the product. Diagnose errors, monitor system health, and improve answer quality. When we use customer data to improve the product, we do so under the contract terms in your order form — never to train shared models that other customers can query.
  • Communicate. Send transactional and account messages. Marketing emails only if you have subscribed; you can unsubscribe at any time.

4. Customer data — the part that matters

Customer financial data is the most sensitive thing we touch. We treat it accordingly.

  • Confidentiality. Customer data is confidential information under your agreement with us. It is not used to market to your peers, train shared models, or generate content for other customers.
  • Tenant scoping. Customer data is processed within your tenant. Cross-customer aggregation requires either explicit consent or fully de-identified treatment.
  • Receipts. Every workbench answer is source-pinned. The cited sources and pinned assumptions remain inside your tenant and are visible to your team.
  • Access. minrva employees access customer data only as needed to operate the service, troubleshoot a ticket you opened, or comply with a legal obligation. Access is logged.

5. Sub-processors

We use a small number of third-party services to deliver the product. Current sub-processors are listed below and kept up to date.

  • [TODO: list cloud host, e.g. Vercel for marketing site, application host, database provider, email delivery provider, model inference provider, error monitoring, customer-support tooling, payment processor. Counsel to confirm form & whether a DPA + sub-processor schedule is published separately.]

Material changes to the sub-processor list will be communicated to active customers with reasonable notice.

6. How we share it

We share personal information only with:

  • Sub-processors acting on our behalf under written agreements with confidentiality and security obligations.
  • Professional advisors (legal, accounting, insurance) bound by confidentiality.
  • A successor entity in a corporate transaction, subject to this policy continuing to apply.
  • Government authorities when we are legally required to do so. We will notify customers unless prohibited.

7. Where data is stored

minrva operates from the United States. Data is processed in the United States and, where sub-processors are involved, in regions disclosed in the sub-processor list. International transfers of personal data from the EEA, UK, or Switzerland are made under the European Commission’s Standard Contractual Clauses or an equivalent legal mechanism.[TODO: counsel to confirm mechanism once first non-US customer is onboarded]

8. Security

We use commercially reasonable technical and organizational controls: encryption in transit, encryption at rest for customer data stores, scoped access, audit logging, vendor review, and routine review of our own systems. No system is perfectly secure, and we will not claim otherwise. If we become aware of a security incident affecting your customer data, we will notify you without undue delay as required by law and your agreement.

9. Retention

  • Marketing-site contact data is retained while we are in active conversation with you and for a reasonable period afterwards, then deleted or anonymized.
  • Newsletter subscribers are retained until they unsubscribe.
  • Customer data is retained for the term of your agreement and for the period specified in your order form. On termination, customer data is exported on request and then deleted on the schedule in the agreement.
  • System and audit logs are retained for a rolling window for security and reliability.

10. Your rights

Depending on where you live, you may have the right to access, correct, delete, port, restrict the processing of, or object to the use of your personal information, and to lodge a complaint with a supervisory authority. To exercise any of these rights, write to privacy@minrva.ai.

If you are a customer’s end user (an employee of one of our customers), please direct rights requests to that customer; we will support them as a processor on your behalf.

11. Cookies and tracking

The marketing site uses only the minimum cookies needed to deliver pages and remember your preferences. No advertising or cross-site tracking cookies are loaded at this time. If that changes, this section will be updated and a notice will be displayed at the bottom of the site.

We honor the Global Privacy Control (GPC) signal as a valid opt-out where applicable.

12. Changes

We will update this policy when our practices change. Material changes will be highlighted on this page and communicated to active customers. The “Last updated” date at the top of the page reflects the current version.

13. Contact

Questions about this policy: