MiniMax AI Security and Privacy Features
Enterprise-grade security and privacy posture of the MiniMax AI platform (Hailuo AI).
Why / When to Use
Use when evaluating MiniMax for enterprise deployment, justifying it to security teams, or deciding on the right data-handling configuration.
Core Concept / Features
Compliance
- GDPR-compliant (EU), follows applicable US state privacy laws
- Minimum age: 16 (no data collected from minors)
Encryption
- Data in transit: TLS 1.3
- Data at rest: AES-256
Data handling options
| Mode | Description |
|---|---|
| Standard | Data stored; may be used to improve models |
| Zero-Retention | Input not stored; not used for model training |
| Private Cloud / VPN | Processing stays inside org’s own environment; no unexpected egress |
Zero-retention confirmed by the 2025 security audit: data is deleted within the specified timeframe once a delete request is issued.
Enterprise controls
- Zero-Retention mode — disable data storage per org
- Private Cloud deployment — run M2 on VPC; audit confirmed no data egress outside private cloud
- Supports explicit opt-out of data use for training
Key Options / Variants
- SaaS (standard) — easiest, GDPR controls apply
- SaaS + Zero-Retention — SaaS convenience with training-data isolation
- Private Cloud / VPN — maximum control; all computation stays on-prem or in org VPC
Gotchas
- Zero-retention must be explicitly enabled; it is not the default
- Private cloud deployment requires coordination with MiniMax enterprise team
- Policy details verified as of 2025 audit; re-verify before any compliance review
Source
Conversation “Minimax privacy policy data training concerns” — 2026-05-18
Updates — 2026-05-19
Reviewed Z.ai Developer Documentation (Z.ai = the international API brand for MiniMax/Zhipu AI):
API Data Policy (confirmed from DPA bundled in Privacy Policy, Section 4b):
- API input is not stored — processed in real-time only, not saved to servers
- API data is not used for model training unless explicitly opted in
- The DPA for API Services is publicly available (embedded in the Privacy Policy document)
User type distinction:
| User Type | Data stored? | Used for training? |
|---|---|---|
| Individual (chat.z.ai) | Yes | Yes (legitimate interests basis) |
| API / Enterprise | No | No (unless explicit consent) |
Compliance risk flag:
- Z.ai’s parent company (Zhipu AI) is on the US Entity List (US government blacklist)
- Organisations subject to US export control or compliance requirements should assess this before procurement
- Data stored in Singapore (primary)
License clause risk:
- Terms grant a “perpetual, irrevocable, worldwide” licence — standard for API TOS but worth flagging to legal if sensitive data may pass through individual accounts
Updates — 2026-05-19 (MiniMax.io Direct Policy Analysis)
⚠️ Important distinction: The note above covers Z.ai (international API brand). The analysis below covers MiniMax.io’s own Open Platform Privacy Policy (2023) — a different, less protective document.
Key finding: MiniMax’s own policy lacks explicit “no training” guarantee.
| Concern | What the policy says | Risk |
|---|---|---|
| No training guarantee | No clause stating data will not be used to train models | 🔴 High |
| De-identified data | Explicitly states right to use de-identified data for commercial purposes (includes training) | 🔴 High |
| Conversation storage | Personal info filtered/deleted; non-personal content retention ambiguous | 🟡 Medium |
| Data location | China (PRC) — not Singapore | 🔴 High |
| Third-party cloud | Data automatically shared with cloud providers; no additional consent required | 🟡 Medium |
| DPA available? | No public DPA for API customers in this document | 🔴 High |
Z.ai vs MiniMax direct comparison:
| Feature | MiniMax.io policy | Z.ai policy |
|---|---|---|
| API data not stored | ❌ Not stated | ✅ Explicit |
| API data not used for training | ❌ Not stated | ✅ Explicit (DPA Section 4b) |
| Public DPA for API | ❌ Absent | ✅ Bundled in Privacy Policy |
| Data location | 🔴 China | 🟡 Singapore |
| De-identified data reuse | 🔴 Allowed commercially | 🟡 Unclear |
Implication for procurement: The initial security clearance in the procurement effort was based on Z.ai-side research and MiniMax’s marketing claims. A direct reading of MiniMax.io’s actual published Privacy Policy (2023) reveals materially weaker protections. Procurement should verify which entity’s policy governs API access before finalising.
Source: Conversation “Minimax privacy policy data training concerns” — 2026-05-19 (analysis of actual MiniMax Open Platform Privacy Policy document)