Privacy Policy.
Last updated: 2026-05-14
This is a plain-English summary of what Million Mind ("we", "us") collects and why. It is not a substitute for legal review. If you operate this codebase in another jurisdiction, consult counsel.
1. What we do not collect
Million Mind does not require an account. We do not ask for your name, email address, date of birth, phone number, address, or any government-issued identifier. We do not process payments and have no credit-card data. We do not sell any personal information.
2. What we do collect
To enforce the free-tier rate limit (five generations per five-minute window) without requiring accounts, we derive a short non-reversible identifier from your request and store associated counters in a managed Redis store (Upstash). Specifically:
- Rate-limit identifier. A SHA-256 hash of your IP address, browser user-agent string, and the current date (UTC), truncated to 16 hexadecimal characters. The hash is one-way; we cannot recover your IP or user-agent from it. The identifier scope resets every 24 hours.
- Counters keyed by that identifier. Number of free generations made in the rolling 5-minute window, number of premium uses unlocked via rewarded ads, and number of ad-grants made in the rolling 1-hour window. No data about what you generated is stored server-side.
- Geolocation headers. Vercel and Cloudflare append country and region headers to incoming requests (e.g. cf-ipcountry, x-vercel-ip-country-region). We read these only to refuse service to residents of states where local law restricts lottery-adjacent products (currently Utah and Hawaii). These headers are not stored.
3. Data stored on your device
The browser's localStorage is used to remember:
- That you accepted the entertainment-only acknowledgment on first visit (so we don't prompt you again).
- Up to your last 50 generated combinations, for the "Recent generations" list on the home page. This data never leaves your device and is not synced to any server. Clear browser data to delete it.
4. Advertising — Google AdSense
This site is monetized by display advertising served through Google AdSense. Google and its third-party partners may use cookies, web beacons, or similar technologies to serve ads based on your prior visits to this site or other sites.
Google's use of advertising cookies enables it and its partners to serve ads based on your visit to this and/or other sites on the Internet. You may opt out of personalized advertising by visiting Google Ads Settings. Alternatively, you may opt out of a third-party vendor's use of cookies for personalized advertising by visiting www.aboutads.info.
For visitors in the European Economic Area, the United Kingdom, or Switzerland, Google operates as a controller under GDPR for the data it collects through its ad services. See Google's Privacy Policy for details on what they collect and how.
5. Product analytics — PostHog
We use PostHog to understand which features users engage with (e.g. which generation algorithms are popular, whether the rewarded-ad flow completes). PostHog stores an anonymous device identifier in localStorage and records event names like generation_requested and upgrade_cta_clicked. We do not send PostHog any personally identifying information.
6. Error tracking — Sentry
We use Sentry to collect application errors and stack traces so we can fix bugs. Sentry receives the URL where the error occurred, the browser's user-agent, and the page's JavaScript state at the moment of the error. We do not send Sentry any data you entered into the site.
7. Data retention
The rate-limit counters expire automatically:
- Free-generation timestamps: cleared after 5 minutes.
- Premium-use counters: cleared after 24 hours.
- Ad-grant timestamps: cleared after 1 hour.
- The rate-limit identifier hash itself rotates daily because the date is part of the input.
PostHog event data is retained per their standard retention policy. Sentry error data is retained for 90 days.
8. Your rights
Because we do not collect personal information directly, there is no account to delete or data subject access request to fulfill on our side. Specifically:
- To clear your local Million Mind data, clear your browser's site data for this domain.
- To opt out of personalized AdSense ads, see the Google Ads Settings link in section 4.
- For data Google, PostHog, or Sentry collect, contact each provider directly under their respective privacy policies.
9. Children
Million Mind is intended for users 18 years of age or older (21 in some jurisdictions). We do not knowingly collect any information from children under 13.
10. Geographic restrictions
Million Mind is currently not available to residents of Utah or Hawaii. Requests originating from these states are refused at the API layer before any analysis runs. This list may expand based on attorney guidance.
11. Changes
We may update this policy. The "Last updated" date at the top of this page reflects the most recent revision. Material changes will be highlighted in a notice on the site.
12. Contact
Questions about this policy can be sent through any of the contact options listed on the Terms of Service page.