# Privacy Policy

**Effective Date:** April 28, 2026
**Last Updated:** April 28, 2026

---

## 1. Introduction

In this policy, "Mitrai" ("we," "us," or "our") means **Mitrai, operated by Lakshmi Arumugam**, the data controller and operator of Mitrai Cloud and the Mitrai Memory Engine platform services, contactable at **privacy@mitrai.live**. This Privacy Policy explains our data practices across all Mitrai products and services, including **Mitrai Cloud** (hosted AI chat application) and the **Mitrai Memory Engine** (self-hostable RAG engine).

This policy applies to:
- Users of Mitrai Cloud at [mitrai.web.app](https://mitrai.web.app)
- Visitors to our website
- Operators and end-users of self-hosted Mitrai Memory Engine deployments, **to the extent described in Section 4.4**

**Self-hosted Memory Engine:** Mitrai does not receive, access, or store user content from self-hosted Memory Engine deployments. For self-hosted deployments, the deploying organization — not Mitrai — is the data controller responsible for providing end-user privacy notices, establishing lawful processing bases, and obtaining any required consents (including for third-party AI providers such as NVIDIA). This policy does not substitute for those obligations.

"You" refers to the individual or entity using our Services.

---

## 2. Information We Collect

### 2.1 Account Information (Mitrai Cloud)
When you register for a Mitrai Cloud account, we collect:
- **Email address** — used for authentication and communications
- **Username** — your chosen display name
- **Password** — stored exclusively as a **PBKDF2-SHA256 hash with 600,000 iterations** (an industry-standard, high-security hashing scheme). Your plaintext password is never stored or transmitted after the point of entry.
- **Account role** — `admin` or `user`, for access control purposes

### 2.2 Usage Data (Mitrai Cloud)
During your use of Mitrai Cloud, we collect and store:
- **Chat history** — the full text of your conversations with AI models, stored in PostgreSQL on our infrastructure
- **Uploaded documents** — files you upload for document-based Q&A or RAG; stored on our servers
- **Query and interaction logs** — records of AI queries made through your account
- **Document vector embeddings** — mathematical representations of your document content, stored in Qdrant on our infrastructure

### 2.3 Trial and License Metadata
- **License type and status** — free, trial, or paid
- **Trial start and expiration dates** — your 14-day trial is tracked from the moment of account creation
- **Plan and billing information** — if you subscribe to a paid plan

### 2.4 Technical and Session Data
- **IP address** — logged for security, abuse prevention, and rate limiting
- **Browser and device information** — user-agent string and similar technical metadata
- **Session cookies** — JWT-based authentication cookies set by Chainlit's authentication system; these are required for the service to function
- **Local browser storage** — limited data such as UI preferences (e.g., theme choice) may be stored in your browser's localStorage

### 2.5 Google Drive OAuth Tokens
If you choose to connect your Google Drive account, we store:
- An **OAuth access token** and **refresh token** in your user account metadata in our database
- This is necessary to enable Mitrai Cloud to access your designated Google Drive files on an ongoing basis

This data is only collected and stored if you explicitly authorize the Google Drive integration. See Section 6 for more detail.

---

## 3. How We Use Your Information

We use the information we collect to:

- **Provide and operate the Services** — authenticate your account, process AI queries, store and retrieve chat history, and manage your documents
- **Enforce licensing and trial terms** — track your trial period, apply usage limits, and process subscription billing
- **Improve the Services** — analyze usage patterns (in aggregate where possible) to improve reliability, performance, and features
- **Ensure security** — detect and prevent fraud, abuse, unauthorized access, and violations of our Terms of Service
- **Communicate with you** — send account-related notifications, respond to support requests, and (with your consent) send product updates

We do not sell your personal information to third parties. We do not use your data for advertising targeting.

### 3.1 Lawful Bases for Processing

We process your personal data on the following lawful bases:

- **Contract performance** — account information, chat history, documents, session cookies, and license/billing data are processed as necessary to perform our contract with you (the Terms of Service).
- **Legitimate interests** — IP addresses and security/abuse logs are processed for fraud prevention and service security, where these interests are not overridden by your rights.
- **Consent** — Google Drive OAuth tokens are processed only on the basis of your explicit consent at the time of connection. You may withdraw this consent at any time (see Section 6).

### 3.2 International Data Transfers

Mitrai Cloud is operated in the United States. By using Mitrai Cloud, you understand that your data may be processed in the U.S. or in other countries where NVIDIA or other configured AI providers operate their infrastructure.

For users in the European Union, European Economic Area, or United Kingdom, we ensure that any international transfer of personal data is protected by appropriate safeguards. Where required, we rely on the European Commission's Standard Contractual Clauses (SCCs) or equivalent mechanisms. You may request details of the safeguards applicable to your data transfer by contacting **privacy@mitrai.live**.

When your content is transmitted to NVIDIA's API for AI processing (the default configuration), that transfer is subject to NVIDIA's own international data transfer mechanisms.

---

## 4. Third-Party AI Providers

> **This section describes a critical aspect of how Mitrai processes your data. Please read it carefully.**

### 4.1 NVIDIA NIM — Default and Primary AI Provider

**NVIDIA NIM is the default and primary AI provider for both Mitrai Cloud and the Mitrai Memory Engine's default configuration.** This is not an optional setting you must enable — it is the standard operating mode.

**What this means:**

When you use Mitrai Cloud or the Memory Engine in its default configuration, **your prompts, messages, and the text content of documents you upload are transmitted to NVIDIA's API servers** at `integrate.api.nvidia.com/v1` for AI inference and embedding generation. This transmission is inherent to how the AI functionality works.

Specifically, NVIDIA processes:
- The text of your chat messages and prompts
- The content of documents you upload (in chunk form, for embedding)
- Search queries used for document retrieval

**NVIDIA's Privacy Policy:** NVIDIA's handling of data transmitted through their API is governed by NVIDIA's own privacy policy and data processing terms. We strongly encourage you to review: [https://www.nvidia.com/en-us/about-nvidia/privacy-policy/](https://www.nvidia.com/en-us/about-nvidia/privacy-policy/)

Mitrai does not control how NVIDIA stores, uses, or retains data processed through their API.

### 4.2 Fully Local Alternative (Ollama)

If you require that no content leave your own infrastructure, you must:
1. Self-host the **Mitrai Memory Engine** on your own hardware
2. Configure it to use **Ollama** as the AI provider with a local Qdrant instance

In this configuration, 100% of processing occurs on your own machine. No data is transmitted to NVIDIA, Mitrai, or any external service.

**Note:** Mitrai Cloud does not offer a fully local configuration. If data locality is a strict requirement, the self-hosted Memory Engine with Ollama is the appropriate solution.

### 4.3 Other Providers (Memory Engine Self-Hosted)

Self-hosted Memory Engine deployments may be configured to use other AI providers including:
- **OpenAI** — subject to OpenAI's privacy policy and data processing terms
- **Anthropic** — subject to Anthropic's privacy policy
- **Cohere** — subject to Cohere's privacy policy
- **HuggingFace** — subject to HuggingFace's privacy policy

When configured with any of these providers, document chunks and queries are transmitted to that provider's API. Review each provider's privacy documentation before use.

### 4.4 Self-Hosted Memory Engine — Operator Responsibility

If you are an **operator** deploying the Mitrai Memory Engine for your own users: Mitrai is not the data controller for your users' data. You are. You are responsible for:

- Providing your end-users with adequate privacy notices disclosing which AI provider(s) process their content (including NVIDIA NIM if using the default configuration)
- Obtaining any legally required consents from your end-users
- Establishing a valid lawful basis under GDPR or other applicable law
- Ensuring compliance with all applicable data protection laws for your deployment

This Privacy Policy does not satisfy those obligations on your behalf.

---

## 5. Data Storage and Retention

### 5.1 What We Store and Where

| Data Type | Storage System | Location |
|---|---|---|
| User credentials (hashed passwords, email, username) | PostgreSQL | Mitrai's production servers |
| Chat history | PostgreSQL | Mitrai's production servers |
| License and trial metadata | PostgreSQL | Mitrai's production servers |
| Uploaded document files | Server filesystem | Mitrai's production servers |
| Document vector embeddings | Qdrant | Mitrai's production servers |
| Google Drive OAuth tokens | PostgreSQL (user metadata) | Mitrai's production servers |
| Session authentication state | JWT cookie in browser | Your browser |
| UI preferences | Browser localStorage | Your browser |

### 5.2 Retention

- **Active accounts:** We retain your data for as long as your account is active.
- **Deleted accounts:** When you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain data by law or for legitimate security purposes (e.g., fraud investigation records).
- **Uploaded documents:** Document files are retained for the duration of your account. You may delete individual documents at any time through the application interface.
- **Chat history:** Retained for the duration of your account. You may delete conversations through the application interface.
- **Backups:** Deleted data may persist in encrypted backups for up to 90 days after deletion, after which it is permanently removed from backup storage.

---

## 6. Google Drive Integration

The Google Drive integration is **entirely optional** and only activated if you explicitly connect your Google account through the OAuth authorization flow in Mitrai Cloud settings.

**What we access:**
- Only the files you explicitly select or that fall within the scope of the permissions you grant during the OAuth flow.
- We download selected files to Mitrai's servers for processing as RAG documents (including embedding generation via NVIDIA's API, as described in Section 4).

**How OAuth tokens are stored:**
- OAuth access and refresh tokens are stored in your Mitrai account metadata in our PostgreSQL database.
- These tokens are used solely to access your Google Drive files as part of the Mitrai service.

**How to revoke access:**
- Through your Mitrai account settings (disconnects Google Drive and removes stored tokens)
- Directly via your [Google Account permissions page](https://myaccount.google.com/permissions) — revoke Mitrai's access there at any time

Your use of the Google Drive integration is also subject to [Google's Terms of Service](https://policies.google.com/terms) and [Google's Privacy Policy](https://policies.google.com/privacy).

---

## 7. Cookies and Tracking

We use only the cookies and browser storage necessary to operate our service:

- **Authentication cookies** — JWT-based session tokens set by Chainlit. These are required for you to remain logged in. They are session-scoped and expire upon logout or session end.
- **Browser localStorage** — limited, non-identifying UI preference data (e.g., theme choice) may be stored locally in your browser.

We do not knowingly deploy advertising cookies, retargeting pixels, cross-site tracking scripts, or third-party behavioral analytics trackers. If this changes, we will update this policy and notify you as described in Section 11.

---

## 8. Data Security

We implement the following security measures to protect your data:

- **Password hashing:** All passwords are hashed using **PBKDF2-SHA256 with 600,000 iterations** before storage. This exceeds minimum industry standards and is resistant to brute-force attacks. Plaintext passwords are never stored.
- **Encryption in transit:** All data transmitted between your browser and our servers uses TLS. Data transmitted from our servers to NVIDIA's API and other third-party providers also uses TLS.
- **Authentication:** Session authentication uses a Chainlit authentication secret combined with JWT-based browser cookies.
- **User data isolation:** User data in Qdrant is stored in per-user collections with unique namespaces enforced at all API boundaries.
- **Database storage:** User credentials, chat history, and license data are stored in PostgreSQL on Mitrai's production infrastructure.

Despite these measures, no system is completely secure. We cannot guarantee the absolute security of your data. If you discover a security vulnerability, please report it to **security@mitrai.live**.

---

## 9. Your Rights

You have the following rights with respect to your personal data:

### 9.1 Access and Portability
You may request a copy of the personal data we hold about you by contacting **privacy@mitrai.live**.

### 9.2 Correction
You may update your account information (email, username) through your account settings. For other corrections, contact **privacy@mitrai.live**.

### 9.3 Deletion
You may delete your account at any time through account settings, which initiates deletion of your data in accordance with our retention schedule (Section 5.2). For explicit deletion requests, contact **privacy@mitrai.live**.

### 9.4 GDPR Rights (EU/EEA Residents)
If you are located in the European Union or European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR):
- **Right to erasure** ("right to be forgotten")
- **Right to restrict processing**
- **Right to data portability**
- **Right to object** to processing based on legitimate interests
- **Right to lodge a complaint** with your local supervisory authority

To exercise any of these rights, contact **privacy@mitrai.live**. We will respond within 30 days.

### 9.5 Canadian Residents (PIPEDA)
Mitrai is based in Ontario, Canada and complies with the **Personal Information Protection and Electronic Documents Act (PIPEDA)** and applicable provincial privacy laws. As a Canadian resident you have the right to:
- Access the personal information we hold about you
- Challenge the accuracy of your information and have it corrected
- Withdraw consent to our use of your information (subject to legal and contractual obligations)
- Lodge a complaint with the **Office of the Privacy Commissioner of Canada** at [https://www.priv.gc.ca](https://www.priv.gc.ca)

**Cross-border transfers:** When you use Mitrai Cloud or the Memory Engine with its default NVIDIA NIM configuration, your personal information (including prompts and document content) is transferred to and processed by NVIDIA on servers located in the **United States**. By using these services, you acknowledge that your information may be subject to the laws of the United States, which may differ from Canadian law. You may avoid cross-border AI processing by configuring the Memory Engine to use a local Ollama provider.

### 9.6 California Residents (CCPA)
California residents may have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to delete, and the right to opt out of sale (we do not sell personal information). Contact **privacy@mitrai.live** to submit a CCPA request.

---

## 10. Children's Privacy

Our Services are not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have inadvertently collected personal information from a child under 13, we will delete it promptly. If you believe we have collected information from a child under 13, please contact **privacy@mitrai.live**.

---

## 11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

- Update the "Last Updated" date at the top of this document
- Notify you via email or in-app notification at least 14 days before changes take effect

Your continued use of the Services after the effective date of an updated Privacy Policy constitutes your acceptance of the revised policy. If you do not agree, you should stop using the Services and delete your account.

---

## 12. Contact

For privacy-related questions, requests, or concerns:

**Email:** privacy@mitrai.live
**Legal inquiries:** legal@mitrai.live
**Support:** support@mitrai.live

Mitrai | [mitrai.web.app](https://mitrai.web.app)

---

*This Privacy Policy is effective as of April 28, 2026.*
