
Privacy Policy

Last updated 2026-05-21

This Privacy Policy explains what personal data mapifast (“we”, “our”) collects when you use the mapifast web application and the mapifast Lens browser extension (collectively, the “Service”), why we collect it, how we store and protect it, and the rights you have over it.

1. Data we collect

Account data

  • Name, email address, password hash (when you sign up with email).
  • OAuth identifiers from Google or GitHub when you sign up via those providers.
  • Profile image URL if provided by your OAuth provider.

Content data

  • YouTube URLs you submit, generated mindmaps, research notes, quizzes, and notes you create.
  • Messages and follows initiated through the in-app social features.

Usage data

  • Token-spend ledger entries (per request, per model).
  • Aggregated daily usage rollups for the dashboard.
  • Server logs (request method, path, status code, correlation ID, anonymised IP).

Integration data

  • Notion access tokens (encrypted at rest with AES-256-GCM).
  • Obsidian plugin keys (hashed).
  • Custom MCP server headers you configure (encrypted at rest).

Browser Extension (mapifast Lens)

  • When explicitly triggered by you, the extension reads the active tab's URL, page title, and selected text to generate a mindmap.
  • Your mapifast API key and extension preferences are stored securely in your browser's local storage.
  • The extension does not track your browsing history or collect data in the background.

2. Google OAuth & user data

mapifast uses Google OAuth 2.0 to allow you to sign in with your Google account. This section describes in detail how we access, use, store, share, and retain Google user data, as required by the Google API Services User Data Policy and the Google APIs Terms of Service.

2.1 Data accessed

When you choose to sign in with Google, we request the following OAuth scopes:

  • https://www.googleapis.com/auth/userinfo.profile — access to your Google display name and profile picture URL.
  • https://www.googleapis.com/auth/userinfo.email — access to your Google email address and unique Google user ID.

The specific Google user data we receive is limited to:

| Data field | Source | Purpose |
|---|---|---|
| Email address | Google Account | Unique identifier, authentication, transactional emails |
| Display name | Google Account | Profile name shown in the app UI |
| Profile picture URL | Google Account | Avatar rendered in the app UI and navbar |
| Google user ID | Google Account | Account linkage and duplicate-prevention |

We do not request or access any other Google user data, including but not limited to: your Google Drive files, Gmail messages, Google Calendar events, YouTube watch history, Google Contacts, or location data.

2.2 Data usage

We use the Google user data described above solely for the following purposes:

  • Account creation and authentication: Your email address and Google user ID are used to create a unique mapifast account or to link an existing account to your Google sign-in. This allows you to log in without a separate password.
  • Session management: After successful authentication, we issue a signed JWT session cookie tied to your account. This cookie is used to keep you authenticated across page loads and API requests.
  • Profile display: Your display name and profile picture URL are shown in the application interface (navbar, settings page, and shared mindmap attribution where applicable) to personalize your experience.
  • Transactional communication: Your email address is used to send essential account-related communications such as password-reset links, billing receipts, and security alerts. We do not use your Google email for marketing unless you explicitly opt in.

We do not use Google user data for advertising profiling, sale to third parties, or training of machine-learning models.

2.3 Data sharing

Google user data is not shared with any third parties, affiliates, or sub-processors, except as strictly necessary to operate the Service and as described below:

  • MongoDB Atlas: Your name, email, profile picture URL, and Google user ID are stored in our primary database hosted by MongoDB Atlas. MongoDB acts as a data processor under our direction and does not use this data for its own purposes.
  • No sale or monetisation: We do not sell, rent, trade, or otherwise monetise Google user data. We do not share Google user data with advertisers, data brokers, or analytics vendors for cross-site tracking.

2.4 Data storage & protection

  • Storage location: Google user data is stored in our MongoDB Atlas database cluster. Database backups are encrypted and retained for disaster-recovery purposes.
  • Encryption at rest: Sensitive fields such as OAuth tokens and integration credentials are encrypted at rest using AES-256-GCM. Passwords (for email-based accounts) are hashed with bcrypt.
  • Encryption in transit: All data exchanged between your browser and our servers, and between our servers and Google APIs, is transmitted over TLS 1.2 or higher.
  • Session security: Authentication sessions are maintained via signed JWT cookies with rotating secrets. Sessions are tracked in a server-side sessions collection, allowing you to revoke access from any device at any time.
  • CSRF protection: Google OAuth flows are protected with CSRF state parameters to prevent authorization-code interception attacks.
  • Rate limiting: Login endpoints are rate-limited (5 attempts per 5 minutes per IP) and per-account lockout is enforced (10 failures per hour per email) to prevent brute-force attacks.

2.5 Data retention & deletion

  • Retention period: Google user data (email, name, profile picture URL, Google user ID) is retained for as long as your mapifast account remains active.
  • Self-service deletion: You can delete your account — and thereby all associated Google user data — at any time by visiting Settings → Danger and clicking “Delete account”. Account deletion is immediate and cascades across all data associated with your user ID, including mindmaps, notes, quizzes, sessions, integrations, and OAuth linkage records.
  • Post-deletion: After account deletion, your Google user data is permanently removed from our active database within 24 hours. Database backups containing your data are automatically purged according to our 30-day backup-retention schedule.
  • Data portability: Before deletion, you may export all mindmaps, notes, and quizzes you own as JSON from Settings → Danger.

3. How we use your data

  • To deliver the Service: generate mindmaps, run research and quizzes, sync to integrations.
  • To bill you and apply token spend: only payment metadata is processed by Razorpay; we never store full card numbers.
  • To keep the Service safe: rate-limiting, abuse detection, account lockout.
  • To send transactional emails: verification, password reset, billing receipts.
  • With explicit consent only: product announcements and weekly recaps.

3a. Legal bases (GDPR)

  • Contract — operating the Service you signed up for.
  • Legitimate interest — security, abuse prevention, basic analytics.
  • Consent — non-essential cookies, marketing emails.
  • Legal obligation — tax, accounting, lawful requests.

4. Third-party processors

We share only the minimum data needed with the following sub-processors:

| Processor | Purpose | Data shared |
|---|---|---|
| Razorpay | Payments & subscriptions | Email, billing address, payment method (collected by Razorpay directly) |
| OpenRouter | LLM inference proxy (OpenAI, Anthropic, Google, xAI) | Prompts & transcripts you submit |
| Pinecone | Vector recall for RAG | Node text + your user ID for namespace filtering |
| Tavily | Web search tool calls | Search queries derived from your prompts |
| Notion | Optional export integration | OAuth token + the mindmap content you choose to export |
| Resend / SES | Transactional email | Email address + message body |
| MongoDB Atlas | Primary database | All persistent data above |

5. Data retention

  • Account data: kept until you delete your account.
  • Mindmaps, notes, quizzes: kept until you delete them or your account.
  • Server logs: 30 days, then purged via TTL index.
  • Token ledger entries: kept for 13 months for billing reconciliation.
  • Webhook receipts (Razorpay): 30 days for idempotency, then purged.

6. Your rights

You can at any time, from Settings → Danger:

  • Export every mindmap, note, and quiz you own as JSON.
  • Delete individual items.
  • Delete your account, which cascades across mindmaps, notes, quizzes, follows, messages, sessions, and integrations.

For GDPR/CCPA requests not covered by self-service, email privacy@mapifast.space.

7. Security

  • OAuth and integration tokens encrypted at rest with AES-256-GCM.
  • Passwords hashed with bcrypt.
  • Sessions are signed JWTs with rotating secrets and tracked in a server-side sessions collection so you can revoke any device.
  • Login rate-limited (5 attempts / 5 min / IP) and per-account lockout (10 failures / hour / email).
  • OAuth flows protected with CSRF state parameters.

8. Children

The Service is not directed at children under 13. Do not create an account if you are under 13.

9. International transfers

Your data may be processed in the United States and the European Union, depending on the sub-processor. We use Standard Contractual Clauses where required.

10. Changes to this policy

We will notify you by email and via an in-app banner of material changes at least 14 days before they take effect.

11. Contact

Email privacy@mapifast.space for any privacy-related question.
