How we collect, use, and protect your personal information
Privacy Policy
Last Updated: July 29, 2025
Who we are: Mielto, Inc., 724 Cole St, Unit 3, San Francisco, CA 94117, USA (“Mielto,” “we,” “us,” “our”).
How to contact us: privacy@mielto.com (privacy) • legal@mielto.com (legal) • Postal address above.
Plain-English summary (not legally binding):
We run a SaaS + AI platform. Most of the data we process is Customer Content you upload and Service Data about how you use our product.
We do not use Customer Content to train foundation models unless you explicitly opt in. We do use Service/Usage/De-identified data to operate and improve the Service.
You control your workspace data; we act as a processor for Customer Content and as a controller for our own Service Data (billing, security logs, etc.).
You have privacy rights; we honor GPC (Global Privacy Control) for advertising cookies.
We don’t “sell” personal information; we may “share” limited identifiers for cross-context behavioral advertising unless you opt out.
1) Scope
This Policy explains how we collect, use, disclose, and protect Personal Data when you visit our websites, use our apps/APIs, or interact with us (the “Services”). If you have an enterprise agreement or Data Processing Addendum (DPA), that DPA governs where it conflicts with this Policy for processing we perform on your behalf.
2) Key Definitions (consistent with our Terms)
Customer Content: data, files, prompts, messages, and materials you (or your end users) submit to the Services.
AI Output: content generated by the Services in response to inputs.
Service Data: operational data about the Service (e.g., device/browser info, logs, telemetry, security/audit events, performance metrics).
Usage Data: aggregated analytics about features and interactions (e.g., feature usage, session counts).
De-identified Data: data that cannot reasonably be used to identify a person, considering available technology.
Role: For Customer Content, Mielto is typically a processor to your organization (the controller). For Service Data, Mielto is the controller.
3) What We Collect & Sources
Directly from you or your organization
Account details (name, email, role, organization, billing contact), workspace settings, support tickets, prompts/instructions, files you upload.
Automatically when you use the Service
Service Data/telemetry (IP address, device/browser type, OS, language, timestamps, log events), security logs, crash reports, performance data, cookie/SDK identifiers.
From third parties
ID providers (SSO), payment processors, CRM and helpdesk tools, and integrations you connect.
Sensitive data: Please do not upload PHI, cardholder data, or other regulated data unless you have a signed addendum with us (e.g., BAA/PCI/DPA).
4) How We Use Data (Purposes & Legal Bases)
Operate the Services (perform the contract; legitimate interests)
Authenticate users, provide features, maintain and secure infrastructure, process transactions.
Improve and secure (legitimate interests; consent where required)
Monitor reliability and misuse, debug issues, develop new features, conduct analytics using Service/Usage/De-identified Data.
Customer support & communications (perform contract; legitimate interests; consent for marketing)
Respond to inquiries, provide onboarding, send product updates. You may opt out of marketing emails anytime.
Compliance & safety (legal obligation; legitimate interests)
Enforce Terms, investigate abuse/security incidents, comply with lawful requests.
AI-specific use
We do not use Customer Content to train foundation models unless you explicitly opt in via admin settings or a signed amendment. We may use Service Data, Usage Data, and De-identified Data to operate, secure, and improve models and Services (e.g., latency reduction, abuse detection).
GDPR legal bases (EEA/UK): performance of contract, legitimate interests (e.g., security, product improvement), consent (cookies/marketing), legal obligation, vital interests (rare).
5) Cookies, Analytics, and Advertising
We use cookies/SDKs for authentication, fraud/security, and product analytics. For advertising and measurement on our marketing site, we may enable third-party tags that qualify as “sharing” under California law.
Manage preferences via our cookie banner and your browser settings.
We honor Global Privacy Control (GPC) signals as an opt-out of sale/share for the browser sending the signal.
More detail is available in our Cookie Notice ([link to your cookie page]).
6) Disclosure of Personal Data
We disclose data to:
Service providers / subprocessors (cloud hosting, logging, email, payments, analytics, support). Our current list is at [Subprocessor URL] (we post updates there).
Authorized integrations you enable (e.g., SSO, helpdesk, CRM, storage).
Corporate transactions (merger, acquisition, financing, asset sale).
Legal & safety (lawful requests; to protect rights, users, and the Service).
We do not sell personal information. We may “share” limited identifiers with ad/analytics partners on our marketing site unless you opt out via cookies or GPC.
7) International Transfers
We are U.S.-based and may transfer data globally. Where applicable, we use approved transfer mechanisms (e.g., EU Standard Contractual Clauses; UK IDTA). Details are in our DPA at [DPA URL].
8) Data Retention
We retain Personal Data for as long as needed to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements. Typical retention:
Account/billing records: 7 years after closure (tax/audit).
Security logs: 12–24 months.
Customer Content: per your admin/configuration and contract; deleted or exported within the post-termination window defined in your agreement.
We may keep De-identified Data indefinitely.
9) Security
We implement reasonable and appropriate technical and organizational measures (access controls, encryption in transit, network segmentation, backups, monitoring). No system is 100% secure; you are responsible for maintaining the confidentiality of your credentials and for configuring available security controls (e.g., SSO, MFA).
10) Your Privacy Rights
Depending on your location, you may have rights to access, correct, delete, port, restrict/opt out, and object to certain processing, and to withdraw consent.
How to exercise your rights
Submit a request via privacy@mielto.com.
We will verify your identity and respond within applicable timeframes.
You may use an authorized agent; we will require proof of authorization.
Appeals (U.S. state laws like VA/CO/CT/TX): If we deny your request, you may appeal by replying to our decision email or emailing privacy@mielto.com with “Privacy Appeal” in the subject. If unresolved, you may contact your state AG.
Do Not Sell/Share: Use the cookie banner or send a request; we also honor GPC signals.
Limit Use of Sensitive PI (California): We do not use Sensitive Personal Information for purposes requiring a “Limit” link; if this changes, we will provide that control.
11) Children
The Services are not directed to children under 13 (or 16 where consent is required). We do not knowingly collect data from children. If you believe a child provided data, contact privacy@mielto.com and we will delete it.
12) AI-Specific Disclosures
Prompts & Outputs may contain personal data if you include it in your inputs. Do not include special categories of data unless covered by a signed addendum.
Customer Content is yours. We process it under your instructions; you are responsible for lawful collection and for providing any required notices/consents to your end users.
No default training on Customer Content. We may request opt-in for training with clear admin controls.
Abuse & safety monitoring. We may automatically scan inputs/outputs to detect and prevent abuse, malware, or policy violations.
13) California & U.S. State Privacy Disclosures
Notice at Collection (California)
Categories collected: identifiers (name, email, IP), commercial info (plan, transactions), internet/network activity (logs, telemetry), geolocation (coarse IP-based), professional info (role), inferences (product usage segments). Sensitive PI: not sought; avoid submitting unless under a signed addendum.
Purposes: see Section 4. Retention: see Section 8.
Sale/Share: we do not sell PI; we may share identifiers with ad/analytics partners on our marketing site unless you opt out (cookie banner/GPC).
Sources/Recipients: see Sections 3 and 6. Non-discrimination: we won’t discriminate for exercising rights. Financial incentives: none.
Other State Laws (VA/CO/CT/UT/TX, etc.)
We provide rights of access, correction, deletion, and portability, and the right to opt out of targeted advertising, sale, and profiling where applicable. To exercise these rights, contact privacy@mielto.com.
Nevada (NRS 603A)
We do not sell covered information as defined by Nevada law. You may still submit an opt-out request at privacy@mielto.com.
14) Your Organization’s Responsibility
If you are an organization using Mielto for your employees or customers, you are responsible for:
Providing any required privacy notices and obtaining consents.
Configuring data retention and security settings.
Entering into our DPA where required and managing any cross-border transfer needs.
15) Third-Party Links & Integrations
Our Services may include links to third-party sites and enable integrations you choose to connect. Their privacy practices are governed by their own policies; review those before enabling.
16) Changes to this Policy
We may update this Policy from time to time. Material changes will be posted here and, where required, we’ll notify your account owner/admin. Continued use after the effective date means you acknowledge the updated Policy.
17) How to Contact Us
Email: privacy@mielto.com
Mail: Mielto, Inc., 724 Cole St, Unit 3, San Francisco, CA 94117, USA
18) Controller/Processor Annex (Summary)
When Mielto is a Processor: For Customer Content you submit to the Services, we process under your instructions and the DPA at www.mielto.com/legal/dpa. We may use subprocessors listed at www.mielto.com/legal/subprocessors and will provide notice of material changes.
When Mielto is a Controller: For Service Data (account, billing, security logs, product telemetry) and for our websites/marketing, Mielto determines purposes and means of processing and relies on the legal bases in Section 4.
For privacy questions, contact us at legal@mielto.com.