
Privacy Policy

Last updated: 2025-09-24

We care about your privacy. This Privacy Policy explains how Mycelo ("we", "us") collects, uses, discloses and protects personal data when you use our collaborative whiteboard platform, websites and related services (the "Service"). It also explains your rights and choices. If you do not agree with this Policy, do not use the Service.

1. Data We Collect

  • Account Data: Name, email, avatar, authentication identifiers.
  • Workspace & Usage Data: Board names, objects created, feature interactions, session timestamps, role metadata.
  • Content Data: Diagrams, text, uploads, AI prompts and outputs you choose to store.
  • Device & Technical: Browser type, OS, approximate region (derived from IP), performance metrics, error logs.
  • Billing: Subscription plan, payment status (processed via PCI-compliant provider—we do not store full card numbers).
  • Support: Messages, attachments, debug exports you voluntarily send.

2. How We Use Data

  • Provide, maintain and secure the Service.
  • Facilitate collaboration, sharing & versioning.
  • Improve performance, reliability, UI and AI features.
  • Send transactional emails (invites, security alerts, billing).
  • Resolve incidents and provide customer support.
  • Detect, prevent and investigate abuse or fraud.
  • Comply with legal obligations and enforce terms.
  • Where permitted, analyse aggregated usage to guide roadmap.

3. Legal Bases (EEA/UK)

  • Contract: Necessary to deliver the Service you request.
  • Legitimate Interests: Product improvement, security, limited analytics with minimal privacy impact.
  • Consent: Optional cookies/marketing and certain AI features if they process additional data.
  • Legal Obligation: Compliance with accounting, tax, regulation or lawful requests.

4. AI & Data Handling

AI prompts and outputs may be logged for abuse prevention, rate limiting and feature quality. We do not use private workspace Content to train general foundation models. We may use aggregated, anonymised patterns to improve model orchestration and performance (e.g. prompt length statistics, feature usage counts). Sensitive data should not be input unless necessary and authorised.

5. Sharing & Disclosure

  • Service Providers: Cloud hosting, storage, email delivery, analytics, AI inference—bound by data processing or confidentiality obligations.
  • Team Collaboration: Your name, avatar and activity may be visible to other workspace members.
  • Legal: We may disclose data to comply with law, enforce agreements, or protect rights, safety or integrity.
  • Business Transfers: In a merger, acquisition or reorganisation, data may transfer as part of assets subject to this Policy.
  • Aggregated / Anonymised: We may publish usage trends that do not identify individuals.

6. International Transfers

We may process data in the UK, EU or other countries where we or our subprocessors operate. Where required we use appropriate safeguards (e.g. Standard Contractual Clauses) for cross‑border transfers.

7. Data Retention

We keep personal data for as long as necessary to provide the Service and for legitimate business or legal purposes (audit, security, dispute resolution). We may anonymise data for longer‑term analytics. Deleted boards and files may persist in backups for a limited period (typically < 30 days) before secure purge.

8. Security

Measures include encryption in transit (HTTPS), access controls, least privilege, audit logging, regular dependency patching and backups. No system is perfectly secure; you are responsible for strong passwords, managing access, and reporting suspected issues promptly.

9. Your Rights

Depending on jurisdiction you may have rights to access, rectify, erase, restrict, object, port data, or withdraw consent. Request via privacy@mycelo.app. We will verify identity before fulfilling requests. We may decline requests that would infringe others' privacy or our legal obligations.

10. Children's Data

The Service is not directed to children under 16. If we learn we processed data of a child without proper consent, we will delete it.

11. Subprocessors

Key infrastructure and processors (may evolve): cloud hosting/IaaS, object storage, email transactional service, authentication provider, optional analytics, AI inference. A detailed list (with region and purpose) will be published at /subprocessors when available and material changes will be notified as required.

12. Data Subject Request Workflow

Requests submitted by email are logged, triaged, identity-verified and evaluated for scope, then responded to within statutory timelines (usually 30 days), or extended with justification if complex.

13. Changes to This Policy

We may update this Policy to reflect service evolution or legal guidance. Material changes will be communicated via email or in‑app notice; the "Last updated" date will change. Continued use indicates acceptance.

14. Contact

Questions, concerns, complaints or DSR requests: privacy@mycelo.app. EU/UK representative and DPO details (if appointed) will be published when applicable.

We aim to build a trustworthy product with minimal, transparent data collection.

© 2025 Mycelo. All rights reserved.