What data we collect and why it matters

Getting started on Mindrift requires sharing some personal information, but everything we ask for has a clear and specific purpose — mainly to ensure the integrity of the platform, enable fair compensation, and keep everyone secure. During registration, we ask for: 

• Full name and username

• Email and phone number

• Native language and country of residence

• Date of birth

• Education history

• Preferred language

• English proficiency

This type of data collection is typical of online gig platforms. If you’re invited to join the platform, we also ask for additional information for identity verification through Persona, a trusted third-party platform, including: 

• Passport or ID number

• Photo of the ID

• A selfie

In short, this data helps us verify the applicant’s identity, communicate properly, and ensure fair and transparent participation in our projects. For a complete list of the data categories we process, Oleg recommends reading through our Privacy Notice.

How and where user data is stored (and who can access it)

User data isn’t floating around unchecked. It’s stored securely, both in Mindrift-controlled databases and with carefully vetted third-party service providers. The key principle we follow is data minimization: access is limited to the people who need it, and only for as long as they need it.

“Access is granted on a least privilege basis, reviewed regularly, and provided only to users who need it for specific processing purposes,” Oleg says.

We also sign Data Processing Agreements with our third-party partners to clearly define necessary data protection measures and clear rules for data use and storage.

“We verify all vendors' security measures before engagement,” Oleg adds. “That’s part of our vendor management process.”

Our commitment to GDPR and international compliance

Mindrift operates under the strict guidelines of the General Data Protection Regulation (GDPR), one of the most robust data privacy laws in the world. But being "GDPR compliant" isn't just a label — it means we continuously follow a wide range of protective protocols and get audited by independent experts.

“We’ve implemented and maintained all GDPR-required practices,” says Oleg. “These are verified annually during our ISO 27701 compliance audits.”

In addition to annual external audits, Mindrift also conducts internal reviews to identify any risks and reinforce best practices. This ensures we stay proactive, not just reactive, when it comes to privacy and compliance.

Who has control over user data?

AI Trainers on the Mindrift platform have rights over their data, and we’ve made it easier to exercise them.

If a contributor wants to access or delete their personal data, they can:

• Delete their profile directly through the platform

• Submit a request via the support window

• Email our privacy team at privacy@toloka.ai

“We have established a process to handle these requests within the required timeframe,” Oleg explains.

Even if they decide to leave the platform, their data won’t be held unnecessarily. “Personal data will be deleted from all storage locations, except for data required for anti-fraud purposes,” he adds.

Are tasks and contributions linked to identity?

One common concern is whether the tasks and projects completed on the platform are linked back to our users’ real-world identity. 

“Basically, no,” Oleg assures. “In cases where identity is involved, we ensure data subject rights are fully implemented in compliance with all applicable regulatory requirements.”

That means performance and task data stays separate from our trainers’ personal profiles unless there’s a specific, transparent reason to connect them. Importantly, tasks on our platform do not involve transferring AI tutors’ personal data to clients. If a project does require personal information, participation is always voluntary: we provide full details about the project, obtain explicit consent, and apply strict safeguards to protect data subjects’ rights.

How we prepare for the unexpected

While we've never had a data breach at Mindrift, we believe in preparing for every scenario.

“The company maintains a comprehensive information security incident management policy and a dedicated action plan for personal data breaches,” says Oleg. “In the event of a data compromise, the service will promptly notify affected users via email.”

Our approach is not just about prevention, but rapid response. If something ever did go wrong, we’d make sure every contributor knew right away and would guide them through the next steps.

Why user data is safe with Mindrift

It all comes down to a layered approach: secure storage, limited access, ongoing audits, responsible vendors, and a trained team constantly improving our defenses.

“Our data protection measures follow global best practices, utilizing tools from leading industry vendors,” Oleg explains. We strongly emphasize data security — not just to keep user data safe, but also because our many big tech clients have stringent data protection requirements. 

“A professional information security team, led by a dedicated Data Protection Officer directly responsible for personal data security, continuously maintains and enhances our security measures,” adds Oleg. “As a result, we have maintained a perfect record with zero data breaches throughout our operational history.”

Data security and privacy isn’t just a checkbox exercise for us — it’s a core part of how we operate and who we are.

Our ongoing promise is more than just compliance

We understand that sharing personal information with an online platform takes trust. That’s why we’re committed to making our practices not just secure, but understandable and transparent.

Mindrift, and the future of AI, depends on the expertise and contributions of experts like you. In return, they deserve clear answers and real protection.

Still have questions? Explore the Mindrift Help Center or get to know our Support Team — we’re always here to help!