Privacy Policy

Effective Date: April 1st, 2026 · Last Updated: April 1st, 2026

Introduction

Mimir Systems, Inc. (“Mimir,” “we,” “us,” or “our”) operates mimirsystems.ai, a Q&A platform for materials science research (the “Service”). This Privacy Policy explains what information we collect, how we use it, how we protect it, and your rights regarding your data.

We built Mimir for researchers, and we take your privacy seriously. We collect only what we need to deliver, secure, and improve the Service, and we are transparent about how your data is handled — including by third-party service providers.

If you have questions about this policy, contact us at privacy@mimirsystems.ai.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Email address and name. Provided through third-party authentication services (such as Google sign-in or Firebase Authentication). We do not store your password. Authentication credentials are managed by the authentication provider. We use .edu email verification (or access code) to manage access to the Service. Your email domain tells us your institutional affiliation. We do not store your Google password — authentication is handled entirely by Google.
  • Role. We ask whether you are an undergraduate student, graduate student, postdoctoral researcher, faculty member, or industry researcher. This is required at signup.
  • Research field. We may ask about your research area or subfield. This is optional, and we explain why we ask: to help us prioritize which scientific domains to expand into.
  • Academic identifiers. You may optionally link a Google Scholar profile or ORCID. These are used to verify your research identity and are not shared with third parties.

We recognize that certain combinations of non-identifying information — such as your role, field, and institution — may be specific enough to identify you in practice. We treat such combinations with the same care as directly identifying information.

1.2 Query Data

When you use the Service, we collect:

  • Your queries. The questions you ask Mimir.
  • Our responses. The answers we return, including which papers and data points were referenced.
  • Retrieval metadata. Technical information about how we found and ranked results for your query (e.g., which search components were used, response time).
  • Your feedback. We collect two types of feedback:
    • Voluntary feedback. You may rate any response (e.g., thumbs up/down), provide written comments on response quality, or file bug reports. This is entirely optional.
    • Structured feedback. The Service includes usage limits on the free tier. One mechanism for expanding your access beyond these limits is providing structured, rubric-based feedback on response quality. When you provide structured feedback, it is collected as part of your use of the Service and becomes part of our service improvement data as described in Section 2.3.
  • Folders and projects. If you organize queries into folders or projects, we store that structure as part of your account.
  • Blocked queries. If a query is blocked by our content safety systems, we log the attempt. See Section 2.4.

1.3 Usage and Technical Data

We automatically collect:

  • IP address. Used for sanctions compliance screening, abuse prevention, and platform security. See Section 2.4.
  • Citation link clicks. When you click a DOI or citation link in a response, the click routes through our domain (e.g., mimirsystems.ai/ref/[DOI]) before redirecting you to the publisher's site. We log the click — including which paper, which query generated it, and a pseudonymous identifier — to measure how effectively we connect researchers with source literature. We do not record your identity in click logs.
  • Session data. Login times, session duration, pages visited, features used, rate limit events.
  • Device and browser information. Browser type, operating system, screen resolution. This is standard technical information used for compatibility and troubleshooting.

1.4 Information We Do Not Collect

We do not collect payment or financial information at this time. When paid tiers are introduced, payment processing will be handled by a third-party processor, and we will update this policy.

We do not use cookies for advertising or behavioral targeting. We use functional cookies (e.g., keeping you logged in) and analytics cookies (to understand how the Service is used).

The Service is designed for researchers, students, and professionals in higher education and industry. It is not directed at anyone under the age of 18. We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected personal information from a person under 18, we will take steps to delete that information. If you believe a person under 18 has created an account, please contact us at privacy@mimirsystems.ai.

2. How We Use Your Information

2.1 Providing the Service

We use your email to manage your account and communicate with you. We use your queries to generate responses — this requires sending your query text to our AI service providers (see Section 4). We use your role and research field (if provided) to tailor the Service and understand our user base.

2.2 Query History

We maintain a history of your queries and our responses so you can return to past results. Your query history is linked to your account and available to you for as long as your account exists. You may delete individual queries from your history or your entire history at any time. Deleting a query from your history removes it from your view; see Section 3 for how this interacts with our internal data practices.

2.3 Improving the Service and Developing Our Technology

We use pseudonymized and anonymized query data to improve and develop all components of the Mimir platform. When we use query data for these purposes, we strip identifying information (email, name, institution) and retain only the query text, response, retrieval metadata, feedback signals, and non-identifying categorical information such as career stage and broad research field.

Specific uses include:

  • Analyzing query patterns to identify where our answers are weak or where our corpus has gaps, and prioritizing which scientific domains to expand into.
  • Tuning and improving our search ranking, retrieval, and query-processing systems based on how researchers ask questions.
  • Developing, training, and improving machine learning models that power the Service — including models for search ranking, query understanding, data extraction, and answer generation. This may include fine-tuning or training models on anonymized query-response pairs.
  • Adapting the Service for different user needs. For example, we may use career stage information (without identifying information) to understand how questions from early-career researchers differ from those of experienced researchers, and to improve the Service for each group.
  • Comparing query embeddings against our corpus coverage to identify areas where we should expand, and to power notifications when new coverage becomes available in areas you have asked about (see Section 2.5, Coverage notifications).
  • Publishing anonymized, aggregated research findings — such as analyses of question patterns across career stages or research domains — in academic venues. Such publications will not contain information that could identify individual users. Data contributed through our Evaluator Program is governed by the separate Evaluator Program Agreement.

This work uses queries linked to pseudonymous identifiers — internal IDs that allow us to understand sequences of related queries (e.g., recognizing that a series of questions likely relates to the same research problem) without identifying you personally. See Section 3 for details on pseudonymization.

What we do not do:

  • We do not share your query data with our AI service providers for the purpose of training their models. Our providers process your queries solely to generate responses and retain them only temporarily under their own data policies (see Section 4).
  • We do not associate your queries with your name, email address, or institutional affiliation for training or research purposes.
  • We do not share identifiable query data with any third party for model training or development.

Enterprise and institutional customers may be governed by separate agreements that provide additional restrictions on how their data is used, including the option to exclude their queries from all training and improvement activities.

2.4 Safety, Security, and Legal Compliance

We use your information — including identifying information where necessary — for:

  • Acceptable Use Policy enforcement. We monitor for queries that may violate our Acceptable Use Policy, such as attempts to use the Service for weapons development or other prohibited purposes. Queries flagged by our safety systems are retained in identified form (linked to your account) for a limited period. See Section 3.
  • Sanctions compliance. As a U.S. company, we are required to comply with sanctions administered by the U.S. Office of Foreign Assets Control (OFAC). We screen IP addresses to prevent access from sanctioned countries and regions, and we may use account information for sanctions screening. This is a legal obligation, not an optional practice.
  • Platform security. We use IP addresses and session data for abuse prevention, rate limiting, and detection of unauthorized access (including scraping and credential theft).
  • Disclosure to authorities. In cases involving suspected violations of sanctions or other applicable laws, we may disclose identified user information to relevant governmental agencies as required or permitted by law. We will not make such disclosures for ordinary platform abuse (e.g., scraping) unless compelled by valid legal process.

We do not use IP addresses or technical data for advertising, behavioral profiling, or sale to any third party.

2.5 Communications

We may contact you by email for the following purposes:

  • Transactional messages. Password resets, account changes, security alerts, and other messages necessary to operate your account. These cannot be opted out of.
  • Product updates. Significant updates to the Service, including new features and changes to these policies. You may unsubscribe from product update emails at any time.
  • Coverage notifications. If you submit a query in a research area we do not yet cover, we may offer to notify you when coverage becomes available.
  • Opportunities. If you have indicated interest in hearing from us (e.g., by checking a contact preference box on a feedback form), we may reach out about relevant opportunities such as our Evaluator Program, Campus Representative Program, or research collaborations. We will not send unsolicited opportunity emails to users who have not opted in; instead, we may surface such invitations within the Service based on your pseudonymized usage patterns.

2.6 Institutional Adoption and Sales

Your email domain (e.g., the university portion of your .edu address) may be used in aggregate to understand institutional adoption patterns — for example, how many users have signed up from a particular university. We use this data to inform our outreach, product development, and sales decisions. We do not disclose individual user identities or query content to institutional decision-makers without user consent.

Aggregate institutional statistics (e.g., fraction of users in academia vs. industry, career stage breakdown, institutions represented) may be shared publicly or with investors as part of describing our user base. These statistics never identify individual users.

If we enter into an institutional agreement (such as a department license), usage reports shared with the institution will be limited to what that agreement specifies, and we will notify affected users.

2.7 Evaluator Program

If you participate in our Evaluator Program — in which researchers provide expert ratings of Mimir's responses — your evaluations are used to improve answer quality. Participation is voluntary and governed by a separate Evaluator Program Agreement, not this Privacy Policy. We may use your pseudonymized usage patterns to surface invitations to the Evaluator Program within your Mimir session; this does not involve looking up your identity.

2.8 Publisher Traffic Measurement

We track citation link clicks in aggregate to measure how much traffic Mimir drives to scientific publishers. This data supports our mission of connecting researchers with source literature and may be shared with publishers in aggregate form. We do not share per-user click data with publishers.

2.9 Inferred Information

We may infer your research area from your query patterns to improve the relevance of our Service — for example, to surface coverage updates in your field.

3. Data Retention and Pseudonymization

We maintain your data in distinct layers with different retention periods, access controls, and purposes.

3.1 Your Query History (Identified)

Your query history — the record of your questions, our responses, your folders and projects, and your feedback — is retained for as long as your account is active. You control this data: you can view it, delete individual entries, or delete your entire history. When you delete your account, your identified query history is permanently deleted within 30 days.

3.2 Internal Service Improvement Logs (Pseudonymized)

We maintain a separate set of logs for service improvement that are linked to a pseudonymous identifier — an internal ID that is not your email address or name. These logs contain query text, responses, retrieval metadata, feedback signals, and click data. The mapping between your pseudonymous ID and your account identity is stored separately in an access-controlled system.

These pseudonymized logs allow us to understand usage patterns, research workflows, and answer quality without routinely accessing your identity. They are retained indefinitely.

When you delete your account, we destroy the mapping between your pseudonymous ID and your identity within 30 days. The pseudonymized logs remain, but they are no longer linked to any identifiable person.

3.3 Safety and Compliance Logs (Identified)

Queries and account activity flagged by our safety and compliance systems are retained in identified form — linked to your account, including your IP address — according to the nature of the concern:

  • Concerns implicating applicable law (including sanctions violations, activity that may be reportable to governmental agencies, or other concerns related to national security or legal compliance): retained for up to 4 years, consistent with applicable statutes of limitations.
  • Platform integrity concerns (scraping, credential abuse, automated access violations, or other Acceptable Use Policy violations): retained for up to 1 year.

In both cases, retention may be extended if there is an active investigation or legal obligation (such as a litigation hold or government request) requiring longer retention. These logs are accessible only to authorized personnel under a documented access policy.

3.4 Legal Process and Government Requests

We may disclose your information in response to valid U.S. legal process, including subpoenas, court orders, and lawful government requests. We may also voluntarily disclose information to law enforcement when we believe in good faith that disclosure is necessary to prevent serious harm or to report suspected violations of law. Where legally permitted, we will make reasonable efforts to notify you of a government request for your data before disclosing it.

3.5 Access Controls and Deanonymization

Routine access to pseudonymized logs does not involve looking up user identities. In limited circumstances — such as suspected Acceptable Use Policy violations, compliance concerns, or valid legal requests — authorized personnel may link a pseudonymous identifier to an account identity. Such access requires a documented justification, approval by a designated officer, and is logged for audit purposes.

4. Third-Party Service Providers

We use third-party services to operate Mimir. These providers process your data on our behalf and are contractually prohibited from using it for their own purposes.

4.1 AI Service Providers

Your queries are sent to third-party AI service providers to generate responses. Under our commercial agreements with these providers, your query data is not used to train their models. These providers retain your data only temporarily for abuse monitoring purposes, after which it is automatically deleted.

For a current list of our AI service providers and their data retention practices, see our Sub-Processor List at mimirsystems.ai/subprocessors.

We evaluate our AI service providers on an ongoing basis and may change providers. If we do, we will update our Sub-Processor List and notify users in advance. Our commitments regarding how your data is used — including the prohibition on third-party model training — apply regardless of which provider we use.

4.2 Infrastructure and Hosting

The Service is hosted on cloud infrastructure provided by Google Cloud Platform. Your data is stored in data centers located in the United States. Our infrastructure provider processes data on our behalf under a data processing agreement.

4.3 Other Service Providers

We may use third-party services for:

  • Transactional email delivery (e.g., password resets, account notifications)
  • Error monitoring and performance analytics
  • Payment processing (when paid tiers are introduced)

All service providers are listed on our Sub-Processor List at mimirsystems.ai/subprocessors, which is updated when providers change.

5. International Data Transfers

Mimir is operated by a U.S. company, and your data is stored and processed in the United States. If you are located outside the United States — including in the European Economic Area (EEA), the United Kingdom, or Japan — your data is transferred to the United States when you use the Service.

For users in the EEA and UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for transferring personal data to the United States, where applicable. You may request a copy of the applicable SCCs by contacting us at privacy@mimirsystems.ai.

6. Your Rights

6.1 All Users

Regardless of where you are located, you can:

  • Access your data. View your query history, account information, and feedback within the Service.
  • Delete your data. Delete individual queries from your history, or request full account deletion.
  • Correct your data. Update your account information (email, role, field) at any time.
  • Opt out of non-essential communications. Unsubscribe from product updates and other optional emails.
  • Export your data. Request a copy of your query history and account information in a portable format.

6.2 Additional Rights for Users in the EEA and UK (GDPR)

If you are located in the European Economic Area or the United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR):

  • Right to erasure. You may request deletion of your personal data. We will comply within 30 days, subject to the exceptions in Section 3 (e.g., safety-flagged data, legal obligations).
  • Right to restrict processing. You may request that we limit how we use your data in certain circumstances.
  • Right to object. You may object to processing based on legitimate interest (see Section 7). We will cease such processing unless we demonstrate compelling legitimate grounds.
  • Right to data portability. You may request your personal data in a structured, machine-readable format.
  • Right to lodge a complaint. You may file a complaint with your local data protection authority.

Data controller: Mimir Systems, Inc. Contact: privacy@mimirsystems.ai.

We do not currently have a European representative or Data Protection Officer. If our EU user base grows to the point where these are required, we will appoint them and update this policy.

6.3 Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) provides you with additional rights:

  • Right to know. You may request the categories and specific pieces of personal information we have collected about you.
  • Right to delete. You may request deletion of your personal information, subject to the exceptions in Section 3.
  • Right to opt out of sale or sharing. We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
  • Right to non-discrimination. We will not discriminate against you for exercising your privacy rights.

To exercise any of these rights, contact us at privacy@mimirsystems.ai. We will verify your identity before processing your request.

7. Legal Bases for Processing (GDPR)

For users in the EEA and UK, we process your personal data under the following legal bases:

PurposeLegal Basis
Providing the Service (account management, query processing, query history)Performance of a contract (Art. 6(1)(b))
Sanctions screening and export control complianceLegal obligation (Art. 6(1)(c))
Service improvement (pseudonymized logs, retrieval tuning, coverage analysis)Legitimate interest (Art. 6(1)(f))
Safety monitoring and AUP enforcementLegitimate interest (Art. 6(1)(f))
Institutional adoption analyticsLegitimate interest (Art. 6(1)(f))
Publisher traffic measurement (aggregate)Legitimate interest (Art. 6(1)(f))
Product update emailsLegitimate interest (Art. 6(1)(f)), with opt-out
Coverage notifications and opportunity emailsConsent (Art. 6(1)(a))
Evaluator ProgramConsent via separate agreement (Art. 6(1)(a))
Disclosure to governmental agencies (security/compliance)Legal obligation (Art. 6(1)(c)) or legitimate interest (Art. 6(1)(f))

Where we rely on legitimate interest, we have conducted a balancing assessment and concluded that our interests do not override your rights and freedoms, taking into account the measures we apply (pseudonymization, access controls, transparency, and your ability to object).

8. Security

We implement technical and organizational measures to protect your data, including:

  • Encryption of data in transit (TLS) and at rest.
  • Role-based access controls. Access to identified user data and the pseudonymous ID mapping is restricted to authorized personnel with a documented need.
  • Audit logging of access to sensitive data stores, including the pseudonymous ID mapping.
  • Infrastructure hosted with a reputable cloud provider with industry-standard physical and logical security controls.

No system is perfectly secure. If we become aware of a data breach affecting your personal information, we will notify you and applicable regulatory authorities as required by law.

9. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes — such as changing how we use your query data, adding new categories of data collection, or modifying retention periods — we will notify you by email and/or by prominent notice within the Service at least 30 days before the changes take effect.

Non-material changes (e.g., formatting, clarifications that do not change our practices) may be made without advance notice. The “Last Updated” date at the top of this policy reflects the most recent revision.

10. Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or your personal data, contact us at:

Mimir Systems, Inc.
Email: privacy@mimirsystems.ai

For GDPR-related inquiries, please include “GDPR Request” in your subject line.

Appendix: Sub-Processor List

For a current list of third-party service providers that process your data on our behalf, visit mimirsystems.ai/subprocessors. This list includes each provider's name, purpose, data processed, and location.

We will notify users of material changes to our sub-processor list at least 30 days in advance by email or in-product notice.