Privacy Policy

Minimist FlexCo

Last updated: 10 April 2026

1. Who We Are

Minimist FlexCo ("Minimist", "we", "us", or "our") is a company registered in Austria.

  • Registered address: Neustiftgasse 36, 1070 Vienna, Austria
  • Firmenbuchnummer (Company Register Number): FN632330y
  • UID-Nummer (VAT ID): ATU81042168
  • Privacy contact: [email protected]

We provide a B2B SaaS platform that helps merchants create digital representations of second-hand inventory through image capture, AI-powered listing generation, and cross-platform marketplace publishing.

2. Scope

This Privacy Policy applies to all personal data processed through:

  • Our websites at mnm.st and minimist.com (including subdomains)
  • The Minimist mobile app (available on iOS and Android, used by merchant employees for inventory capture)
  • The Minimist dashboard (minimist-xl, a web application for inventory management and marketplace publishing)
  • Any related APIs, integrations, and services we operate

This policy applies regardless of how you access our services — whether as a website visitor, a merchant customer, an employee of a merchant customer, or any other capacity.

3. Our GDPR Roles

Under the General Data Protection Regulation (GDPR), an organisation may act as either a data controller (determining the purposes and means of processing) or a data processor (processing data on behalf of a controller). Minimist acts in both capacities depending on the context.

3.1 When Minimist Acts as Controller

We are the data controller for personal data we collect and process for our own purposes, including:

  • Website visitors: browsing data, analytics, cookie data, and form submissions on mnm.st and minimist.com
  • Marketing and sales: contact information collected through marketing campaigns, newsletters, event registrations, and sales outreach
  • CRM and prospecting: data stored in our CRM system (HubSpot) for relationship management and business development
  • Customer support: data collected through our support channels (Intercom), including conversation history and contact details
  • Account management: registration data for merchant accounts, billing contacts, and administrative users

For these activities, this Privacy Policy describes how we handle your data, and you may exercise your rights directly with us.

3.2 When Minimist Acts as Processor

We act as a data processor on behalf of our merchant customers (the data controllers) when we process:

  • Inventory and product data: product photographs, descriptions, pricing, and associated metadata uploaded or captured through our mobile app and dashboard
  • Employee usage data: data generated when a merchant's employees use the Minimist mobile app or dashboard (e.g., app activity, device information, capture history)
  • Marketplace order data: buyer names, email addresses, phone numbers, delivery addresses, and payment statuses synced from connected marketplace platforms (eBay, Shopify, Vinted, Discogs)

When acting as processor, our processing of personal data is governed by a Data Processing Agreement (DPA) between Minimist and the merchant customer. If you are an employee of a merchant or a buyer whose order data is processed through our platform, your employer or the merchant is the data controller responsible for your data. Please refer to their privacy policy for information about how they handle your personal data.

4. Personal Data We Collect

4.1 Account Data

When you create an account or your employer provisions access for you, we collect:

  • Email address
  • Full name
  • Phone number (optional)
  • Profile picture (obtained via Google or Apple OAuth sign-in, if provided)
  • Organisation name and role

4.2 Device and Usage Data

When you use our mobile app, dashboard, or websites, we automatically collect:

  • Device identifiers (device ID, advertising ID where permitted)
  • IP addresses
  • Browser type and version, operating system, and screen resolution
  • Firebase Cloud Messaging (FCM) push notification tokens
  • Session duration, pages visited, features used, and interaction patterns

4.3 Image and Media Data

Our core service involves capturing and processing product photographs. In this context, we collect:

  • Product photographs — these may incidentally contain personal data such as faces of people in the background, visible addresses on labels, or other identifiable information
  • EXIF metadata embedded in images, which may include:
    • GPS coordinates (latitude and longitude)
    • Timestamps (date and time of capture)
    • Device information (device make and model)
    • Camera settings (focal length, exposure, aperture)

4.4 Location Data

  • GPS coordinates: collected through the mobile app when the user has granted location permission, used to associate inventory captures with store locations
  • IP-based approximate location: derived from IP addresses for analytics, security, and service configuration purposes

4.5 Telemetry

We collect technical telemetry to maintain and improve our services:

  • Firebase Analytics events: feature usage, screen views, and user flows
  • Firebase Crashlytics crash reports: stack traces, device state, and OS version at the time of a crash
  • Custom app usage telemetry: performance metrics, API response times, and error rates
  • Performance metrics: page load times, network latency, and resource utilisation

4.6 Support Data

When you contact our support team (via Intercom or email), we collect:

  • User ID and account information
  • Name, email address, and phone number
  • Message content and attachments
  • Conversation history and resolution status

4.7 Marketing and CRM Data

Through our marketing activities and CRM system (HubSpot), we collect:

  • Contact records (name, email, company, job title)
  • Meeting scheduling data (availability, meeting notes)
  • Website form submissions (demo requests, newsletter sign-ups, contact forms)
  • Email engagement data (opens, clicks) for marketing communications
  • Website activity associated with identified contacts

4.8 Order and Transaction Data

When merchants connect their marketplace accounts, we sync order data that may include:

  • Buyer name
  • Buyer email address and phone number
  • Delivery address
  • Payment status and transaction references
  • Order items and quantities

This data is processed on behalf of the merchant (see Section 3.2).

5. How We Use Your Data

We process personal data for the following purposes:

  • Service delivery and account management: provisioning accounts, authenticating users, managing subscriptions, and providing access to platform features
  • Image processing: background removal, resizing, format conversion, and visual enhancement of product photographs
  • AI-powered listing generation: generating product descriptions, extracting attributes (brand, size, colour, condition), suggesting categories, and providing pricing recommendations based on product images and metadata
  • Cross-platform marketplace publishing: creating and syncing listings across connected marketplace platforms (eBay, Shopify, Vinted, Discogs) on behalf of merchants
  • Search indexing and discovery: indexing product data to enable search, filtering, and inventory management within the dashboard
  • Push notifications and email communications: sending transactional notifications (e.g., listing status updates, order alerts) and, where consent is given, marketing communications
  • Customer support: responding to enquiries, troubleshooting issues, and providing technical assistance
  • Analytics and service improvement: understanding usage patterns, identifying issues, measuring feature adoption, and improving platform performance and user experience
  • Marketing and sales: conducting outreach, managing business relationships, and promoting our services (with consent where required by law)
  • Security, fraud prevention, and legal compliance: detecting and preventing unauthorised access, abuse, and fraud; complying with applicable legal obligations

6. Legal Bases for Processing

We process personal data only where we have a valid legal basis under Article 6(1) of the GDPR:

6.1 Performance of a Contract (Article 6(1)(b))

We process data as necessary to perform our contract with you or to take pre-contractual steps at your request:

  • Providing and maintaining your account
  • Delivering the core platform services (image processing, listing generation, marketplace publishing)
  • Processing and syncing order data from connected marketplaces
  • Sending transactional communications related to your use of the service

6.2 Legitimate Interests (Article 6(1)(f))

We process data where necessary for our legitimate interests, provided those interests are not overridden by your rights and freedoms. We conduct a balancing test for each processing activity. Our legitimate interests include:

  • Service improvement: analysing usage patterns and telemetry to improve platform performance, reliability, and user experience
  • Security: monitoring for unauthorised access, fraud, and abuse; maintaining audit logs
  • Business operations: internal reporting, capacity planning, and operational decision-making
  • Customer support: maintaining conversation history to provide consistent and efficient support
  • Direct marketing to existing customers: sending information about similar products or services (with an easy opt-out mechanism)

6.3 Consent (Article 6(1)(a))

We rely on your consent for:

  • Marketing emails and newsletters (where you are not an existing customer or where required by local law)
  • Non-essential cookies and tracking technologies (see Section 10)
  • Location tracking via the mobile app (GPS permission)
  • Any other processing where consent is specifically requested

You may withdraw consent at any time (see Section 12). Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

6.4 Legal Obligation (Article 6(1)(c))

We process data where necessary to comply with legal obligations, including:

  • Tax and accounting record-keeping requirements
  • Responding to lawful requests from public authorities
  • Compliance with applicable regulatory requirements

7. AI Processing

7.1 How We Use AI

Our platform uses third-party artificial intelligence services to help merchants create accurate and compelling product listings. Specifically, AI is used for:

  • Description generation: creating product descriptions based on photographs and any provided metadata
  • Attribute extraction: identifying product characteristics such as brand, size, colour, material, and condition from images
  • Categorisation: suggesting appropriate product categories for marketplace listings
  • Pricing suggestions: providing estimated pricing based on product attributes and comparable items

7.2 AI Sub-Processors

Product images and associated metadata are sent to the following third-party AI services for processing:

  • Anthropic (Claude)
  • OpenAI
  • Google (Gemini)
  • Groq

7.3 Data Sent to AI Services

We send product images and associated metadata (such as any user-provided product details) to AI services. No personal user data (such as names, email addresses, or account information) is intentionally sent to AI services.

However, because our service processes product photographs, these images may incidentally contain personal data — for example, faces of people in the background, visible addresses on packaging, or other identifiable information captured in the photograph.

7.4 No Automated Decision-Making Under Article 22

AI-generated outputs (descriptions, attributes, categories, pricing suggestions) are presented as recommendations to the merchant user. They can be reviewed, edited, or rejected before any listing is published. There is no automated decision-making that produces legal or similarly significant effects on individuals within the meaning of Article 22 GDPR.

7.5 AI Training Restrictions

All AI sub-processors are contractually prohibited from using customer data for model training or any purpose other than providing the requested inference service. Data sent for processing is not retained by AI sub-processors beyond what is necessary to deliver the response.

8. Data Sharing and Sub-Processors

8.1 Sub-Processors

We engage sub-processors to help deliver our services. A current list of sub-processors, including their purposes and locations, is maintained at:

minimist.com/en/legal/sub-processors

Sub-processors fall into the following categories:

  • Cloud infrastructure: hosting, storage, and compute services
  • AI services: image analysis and natural language generation
  • Communication: email delivery, push notifications
  • Analytics: usage analytics and crash reporting
  • Customer support: help desk and live chat
  • Payment processing: subscription billing and payment handling
  • CRM: customer relationship management and marketing automation

We enter into appropriate data processing agreements with all sub-processors and conduct due diligence to ensure they provide sufficient guarantees regarding data protection.

8.2 Customer-Directed Integrations

When merchants connect their marketplace accounts (eBay, Shopify, Vinted, Discogs), data — including product listings, images, and order information — is shared with those platforms under the merchant's authorisation and in accordance with each platform's own terms and privacy policies. Minimist facilitates this data transfer at the merchant's direction but is not responsible for how those platforms process data once received.

8.3 Other Disclosures

We may also share personal data:

  • With professional advisors (legal, accounting, auditing) under obligations of confidentiality
  • With law enforcement or regulatory authorities when required by law or to protect our legal rights
  • In connection with a merger, acquisition, or asset sale, in which case we will notify affected parties

We do not sell personal data to third parties.

9. International Data Transfers

9.1 Primary Infrastructure

Our primary infrastructure is located within the European Union and European Economic Area:

  • Google Cloud Platform (GCP): europe-west1 (Belgium)
  • Hetzner: Germany

9.2 Transfers Outside the EEA

Some of our sub-processors are based in the United States or other countries outside the EEA. Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place, including:

  • EU Standard Contractual Clauses (SCCs): as adopted by the European Commission (Implementing Decision (EU) 2021/914), incorporated into our agreements with relevant sub-processors
  • Adequacy decisions: where the European Commission has determined that a third country provides an adequate level of data protection

9.3 Supplementary Measures

In addition to SCCs, we implement supplementary technical and organisational measures:

  • EU-hosted analytics: we use server-side Google Tag Manager hosted within the EU to minimise data transfers for analytics purposes
  • Encryption: all data is encrypted in transit (TLS 1.2+) and at rest
  • Access controls: access to personal data by sub-processor personnel is limited to what is strictly necessary
  • Contractual restrictions: sub-processors are contractually prohibited from disclosing data to government authorities beyond what is required by applicable law, and must notify us of any such requests where legally permitted

10. Cookies and Tracking Technologies

We use cookies and similar tracking technologies on our websites. For detailed information about the specific cookies we use, their purposes, and how to manage your preferences, please see our Cookie Policy:

minimist.com/en/legal/cookie-policy

In summary, we use the following categories of cookies:

  • Strictly necessary cookies: required for the website to function (e.g., authentication, security). These cannot be disabled.
  • Analytics cookies: help us understand how visitors interact with our websites (e.g., page views, navigation paths). Require consent.
  • Functional cookies: enable enhanced functionality and personalisation (e.g., language preferences, saved settings). Require consent.
  • Marketing cookies: used to deliver relevant advertisements and measure campaign effectiveness. Require consent.

You can manage your cookie preferences at any time through the cookie consent banner on our websites.

11. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our standard retention periods are:

Data Category                 Retention Period
Account data                  Duration of the account plus 90 days after account deletion
Product images and listings   Duration of the subscription plus 90 days after subscription ends
Transaction and order data    Up to 7 years (tax and accounting obligations under Austrian law)
Analytics and telemetry       Aggregated or anonymised after 26 months
Support conversations         Up to 3 years after the last interaction
Marketing and CRM data        Until consent is withdrawn, or 3 years of inactivity
Crash reports                 90 days

When data is no longer required, it is securely deleted or irreversibly anonymised. Where we act as a processor, retention is governed by the DPA with the respective merchant customer, and data is deleted or returned upon termination of the agreement.

12. Your Rights

Under the GDPR, you have the following rights in relation to your personal data:

  • Right of access (Article 15): You have the right to obtain confirmation of whether we process your personal data and, if so, to access that data along with information about how it is processed.
  • Right to rectification (Article 16): You have the right to have inaccurate personal data corrected and incomplete data completed.
  • Right to erasure (Article 17): You have the right to request deletion of your personal data where it is no longer necessary, where you withdraw consent, or where processing is unlawful — subject to applicable legal retention obligations.
  • Right to restriction of processing (Article 18): You have the right to request that we restrict processing of your data in certain circumstances, such as when you contest its accuracy or object to processing.
  • Right to data portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller, where processing is based on consent or contract and carried out by automated means.
  • Right to object (Article 21): You have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will stop processing without delay.
  • Rights related to automated decision-making (Article 22): You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. As noted in Section 7.4, we do not engage in such automated decision-making.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw that consent at any time. This does not affect the lawfulness of processing carried out before withdrawal.

How to Exercise Your Rights

To exercise any of these rights, please contact us at:

Email: [email protected]

We will respond to your request within one month of receipt. If your request is complex or we receive a high volume of requests, we may extend this period by up to two additional months, in which case we will inform you of the extension and the reasons for it within the first month.

We may ask you to verify your identity before processing your request, to ensure the security of your data.

Employees of Merchant Customers

If you use the Minimist mobile app or dashboard as an employee of a merchant customer, your employer is the data controller for the data processed through those services. Please direct any rights requests to your employer in the first instance. Minimist will assist the controller in responding to your request in accordance with our Data Processing Agreement.

13. Children

Our services are designed for business use and are not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without appropriate parental or guardian consent, we will take steps to delete that data promptly. If you believe we may have collected data from a child, please contact us at [email protected].

14. Security

We implement appropriate technical and organisational measures (TOMs) to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include, but are not limited to:

  • Encryption in transit: all data transmitted between clients and our services is encrypted using TLS 1.2 or higher
  • Encryption at rest: data stored in our databases and object storage is encrypted at rest using industry-standard encryption
  • Access controls: role-based access controls, multi-factor authentication for administrative access, and the principle of least privilege
  • Infrastructure security: firewalls, network segmentation, intrusion detection, and regular vulnerability assessments
  • Incident response: documented incident response procedures, including breach notification processes in compliance with Articles 33 and 34 GDPR
  • Employee training: regular data protection and security awareness training for our team

Details of our technical and organisational measures are available upon request and are included in our Data Processing Agreements with merchant customers.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or services. When we make material changes, we will:

  • Update the "Last updated" date at the top of this policy
  • Publish the revised policy on our websites
  • Where appropriate, notify you by email or through a prominent notice on our platform

We encourage you to review this policy periodically. Your continued use of our services after any changes take effect constitutes your acknowledgement of the updated policy. If a change materially affects the processing of your personal data in a way that requires your consent, we will seek that consent before applying the change to your data.

16. Contact and Complaints

Privacy Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:

Email: [email protected]

Postal address:
Minimist FlexCo
Neustiftgasse 36
1070 Vienna
Austria

Supervisory Authority

If you believe that our processing of your personal data infringes the GDPR or applicable data protection law, you have the right to lodge a complaint with a supervisory authority. For Austria, the competent authority is:

Datenschutzbehörde (DSB)
Barichgasse 40-42
1030 Vienna, Austria
Email: [email protected]
Website: https://www.dsb.gv.at

You may also lodge a complaint with the supervisory authority in your country of habitual residence or place of work, if different from Austria.