Privacy Policy

Effective date: October 24, 2025

At Menturi OÜ (“Menturi”, “we”, “us”), we are committed to protecting your privacy and handling personal data responsibly. This Privacy Policy explains what information we collect, how we use and share it, how we protect it, and the rights available to you under applicable law, including the GDPR.

1) Scope

This policy applies to:

  • menturi.com, subdomains, and related web properties
  • Our applications, products, and services
  • Customer support, sales, and marketing interactions

It does not apply to third‑party websites, services, or integrations that we do not control.

2) What We Collect

Account & Contact Information

  • Name, email, password (hashed), role, team/workspace
  • Company details, billing and payment information (processed via PCI‑compliant providers)

Service Content You Provide

  • Chats and messages: prompts, replies, direct messages, channel posts, comments, transcripts, and files/attachments
  • Knowledge Base uploads and derived artifacts. Some indexing and retrieval features are performed by vetted third‑party processors acting on our instructions.
  • AI interactions: prompts sent to models, model outputs/responses, and tool results
  • API keys: We store API keys encrypted at rest and restrict their use to executing your requests.

Derived Data We Create to Provide the Service

  • Conversation and document metadata (e.g., message IDs, participants, timestamps, channel/workspace, file names, sizes, and content type)

Usage & Device Information

  • Log and telemetry data: feature usage, clicks, performance metrics, error reports
  • IP address, browser, OS, device, locale, referring URL, and session identifiers
  • Security events (logins, MFA status, access denials, admin actions, content exports)

Support & Communications

  • Requests you submit to support or success, and any content you choose to share for troubleshooting

Note: Chats/messages and knowledge base content are encrypted in transit and at rest.

3) Legal Bases for Processing

We process personal data under these legal bases:

  • Consent (e.g., non‑essential cookies, marketing)
  • Contractual necessity (service provisioning, account management)
  • Legal obligation (tax, accounting, compliance)
  • Legitimate interests (service improvement, security, fraud prevention) balanced against your rights and freedoms

4) How We Use Information

  • Provide, maintain, and improve our services
  • Authenticate users and operate core messaging, collaboration, and knowledge features
  • Ensure security, prevent abuse, and investigate incidents
  • Conduct analytics to improve performance and user experience (in aggregate or de‑identified forms where appropriate)
  • Deliver customer support and service‑related communications
  • Comply with legal obligations and enforce terms

We do not sell personal data or customer content.

5) AI & Model Processing

To deliver AI features, your prompts, relevant context (including excerpts from chats or knowledge base where needed), and tool inputs may be sent to AI models we host or to approved sub‑processors acting on our instructions.

  • Data minimization: Only the context required for each request is processed.
  • Model training: Customer content is not used to train our or third‑party foundation models by default.
  • Encryption: Data is encrypted in transit to/from model providers.
  • Regional controls: Where available, we use regional endpoints as agreed with enterprise customers.
  • Human review: We do not access customer content except for support, security, or legal reasons, following approval and logging.

6) Security Commitments

Access Controls

  • Role‑based access control (RBAC), least privilege, and regular access reviews
  • Multi‑factor authentication for privileged access
  • Time‑bound, approval‑based access to customer content; all access is logged and monitored
  • Logical separation of customer data

Encryption

  • TLS 1.2+ for data in transit
  • Industry‑standard encryption for data at rest
  • Secure key management and encrypted backups/cloud redundancy

Logging & Monitoring

  • Logs include user login/logout, CRUD actions on key objects, security setting changes, and administrator access to customer data
  • Logs include user ID, IP, timestamp, action type, and object; protected against tampering
  • Log retention for at least 30 days; alerts on suspicious events; regular reviews

System Operations

  • Documented change management with testing, approvals, and rollback
  • File integrity monitoring and intrusion detection where feasible
  • Time synchronization across systems

7) Data Classification & Handling

We classify data as Confidential, Restricted, or Public and apply controls accordingly.

  • Confidential (e.g., customer PII, credentials, source code): strongest protections, encryption in transit/at rest, restricted access with approvals, no storage on personal or removable media
  • Restricted (e.g., internal policies, contracts): need‑to‑know access and secure handling
  • Public: intended for broad distribution

Confidential data is not used or stored in non‑production environments without explicit authorization and safeguards.

8) Data Retention & Deletion

We retain personal data only as long as necessary for the purposes described or as required by law.

  • Messages, chats, files, and AI outputs: retained for the life of the account unless deleted by users or governed by workspace retention rules.
  • Telemetry and security logs: retained for at least 30 days and up to 12 months where necessary for security and operations.
  • Billing/transaction data: retained for 7 years (regulatory).
  • Marketing data: retained until consent is withdrawn or after 3 years of inactivity.

9) International Data Transfers

If personal data is transferred outside the EEA/UK, we implement appropriate safeguards (e.g., Standard Contractual Clauses) and assess local laws and practices to protect your data.

10) Sharing & Sub‑processors

We share data only as necessary to operate our services and for lawful purposes:

  • With service providers acting as processors under DPAs and appropriate security obligations (e.g., hosting, storage, search/indexing, email delivery, analytics, AI model providers)
  • With professional advisors (legal, accounting) under confidentiality duties
  • To comply with laws, legal processes, or enforce our terms
  • In connection with a corporate transaction (e.g., merger, acquisition)

Some sub‑processors may process message content solely to deliver features you invoke (e.g., AI generation, search). We maintain an up‑to‑date list of sub‑processors and provide notice of material changes where contractually required.

11) Team Workspaces & Admin Controls

  • Visibility: Messages and files may be visible to other members of your workspace per channel, sharing, and admin settings.
  • Admin controls: Admins can manage users, retention, legal hold, exports, and integrations; certain actions are logged and reviewed.
  • Exports: Enterprise customers may request workspace exports of messages and files in common formats.

12) Your Privacy Rights

Depending on your location, you may have rights to:

  • Access your personal data
  • Rectify inaccurate or incomplete data
  • Erase your data (“right to be forgotten”)
  • Restrict or object to processing
  • Data portability
  • Withdraw consent where processing is based on consent
  • Lodge a complaint with a supervisory authority

To exercise your rights, contact us using the details below. We may request information to verify your identity and will respond within applicable statutory timelines.

13) Enterprise Clients: Data Ownership & Portability

  • Customers retain all rights to their business and customer content submitted to the service.
  • We process customer content solely to provide and improve the services, in accordance with customer agreements and DPAs.
  • Upon request or termination, we offer export of customer content in a structured, commonly used, machine‑readable format within a reasonable period.
  • Access to customer content by Menturi personnel is limited, approved, logged, and monitored.

14) Incident Response & Breach Notification

  • We maintain a formal Incident Response Plan with defined roles, escalation paths, and post‑incident review.
  • We monitor for security events and investigate suspected incidents promptly.
  • Where required by law, we notify relevant supervisory authorities without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach.
  • We notify affected customers and individuals without undue delay when a breach is likely to result in a high risk to their rights and freedoms, including the nature of the incident, data impacted, likely consequences, and mitigation steps.

15) Cookies & Your Choices

  • Necessary cookies: authentication, security, load balancing, core features.
  • Analytics cookies: usage metrics to improve functionality and performance.

Manage your preferences via our cookie banner (accept all, reject non‑essential, or customize) and through your browser settings.

16) Changes to This Policy

We may update this policy to reflect changes to our practices or legal requirements. We will post updates on this page and, where appropriate, notify you via email or in‑product notices. Please review periodically.

17) Contact Us

18) Additional Transparency Notes

  • Law enforcement requests are reviewed for legal validity and scope; we seek to narrow requests where appropriate.
  • We do not engage in automated decision‑making that produces legal or similarly significant effects without human oversight.

Company
Contact
Information
Terms of Service
Privacy Policy
© 2025 Menturi OÜ. All rights reserved.