Privacy Policy
01Information We Collect
Account information
- Name — shown in your workspace and account profile
- Email address — used to sign you in, verify your identity, and contact you about the Service
- Password — stored only as a salted bcrypt hash; we never see or store it in plaintext
- Workspace slug — the unique identifier you pick for your workspace URL
- Plan, tier, and subscription metadata — needed to provision and bill your workspace
Workspace content ("Your Content")
- Events — entries your AI agents write to your workspace (text content, types, scopes, timestamps)
- Projects — titles, summaries, statuses, and next actions you define
- Preferences — language, timezone, tone, working hours, and any instructions you set
- Audit records — cryptographic hash-chain entries for tamper-evident traceability
Technical information
- IP address — captured at signup and login for rate limiting and security monitoring
- Browser user agent — used to render appropriate responses
- Session cookies — see Cookies & Tracking
- Request logs — paths, status codes, and timing for operations and troubleshooting (we don't log request bodies)
Billing information (once paid plans launch)
Payment is handled by Stripe. We receive a Stripe customer ID, the last 4 digits of your card, and basic billing metadata. We never receive or store your full card number, CVV, or expiration date.
02How We Use Information
We use the information we collect to:
- Run the Service — host your workspace, execute your AI agents' memory operations, render the dashboard
- Authenticate you — verify sign-in attempts, manage sessions, and prevent unauthorized access
- Communicate with you — send verification emails, welcome messages, security alerts, billing notices, and material updates
- Improve the Service — analyze aggregate, anonymized usage to fix bugs and prioritize features
- Keep the Service secure — detect abuse, prevent fraud, enforce rate limits, and investigate incidents
- Meet legal obligations — respond to lawful requests, enforce our Terms, and handle disputes
What we don't do:
- Sell Your Content or any personal data
- Use Your Content to train AI models — ours or anyone else's
- Show ads or share data with advertisers
- Read Your Content, except where strictly necessary to operate the Service (for example, while investigating a support request you opened with us)
03Legal Basis for Processing (GDPR / UK GDPR)
If you are in the European Economic Area, the United Kingdom, or another jurisdiction with similar privacy laws, we rely on the following legal bases to process your data:
- Contract — to deliver the Service you signed up for: account creation, workspace provisioning, billing, and customer support
- Legitimate interest — to keep the Service secure, prevent abuse, improve it through aggregate analytics, and send operational communications about your account
- Legal obligation — to comply with tax, accounting, or law-enforcement requirements
- Consent — for any optional processing (such as marketing emails, where applicable). You can withdraw consent at any time.
05Data Retention
We hold different categories of data for different periods:
- Active accounts — we keep Your Content for as long as your account is active
- Deleted accounts — a 30-day grace period during which you can ask us to restore your data
- After the grace period — Your Content is permanently and irrecoverably deleted from our production systems
- Encrypted backups — may still hold a copy for up to 90 days, until the routine rotation overwrites them
- Anonymized aggregates — operational metrics that can no longer be tied back to you may be kept indefinitely
- Legal hold — we may retain specific data longer when required by law or for an active legal matter
06Your Rights
Depending on where you live, you have the following rights over your personal data:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate or incomplete personal data
- Erasure ("right to be forgotten") — ask us to delete your account and personal data
- Portability — receive your data in a structured, machine-readable format (JSON)
- Restriction — limit how we process your data in specific circumstances
- Objection — object to processing that we base on legitimate interest
- Withdraw consent — where processing is based on consent, withdraw it at any time
- Lodge a complaint — file a complaint with your local data protection authority
To exercise any of these rights, email onboarding@mothershipmethod.cloud from the address tied to your account. We'll respond within 30 days of receiving a valid request.
07International Data Transfers
Mothership Method runs primarily on infrastructure in the United States (Boston) and Germany (Hetzner backups). If you access the Service from outside these regions, your data will be transferred to and processed in those locations.
For transfers from the European Economic Area, the United Kingdom, or Switzerland to other jurisdictions, we rely on Standard Contractual Clauses or equivalent legal mechanisms with each sub-processor.
08Security Measures
We take the security of your data seriously. Current safeguards include:
- Encryption in transit — TLS 1.2+ (Let's Encrypt certificates) on every public endpoint
- Encryption at rest — database storage encrypted on supported infrastructure
- Password hashing — bcrypt with an appropriate cost factor; passwords are never stored in plaintext
- JWT signing — RS256 with a rotating key pair and protection against algorithm-confusion attacks
- Cryptographic audit chain — tamper-evident hash chain across every workspace event
- Tenant isolation — every workspace runs in its own database. Solo accounts run on shared infrastructure with logical isolation; Team accounts run in dedicated containers
- Rate limiting — signup, login, and onboarding endpoints are rate-limited to deter abuse
- Security headers — CSP, HSTS preload, X-Frame DENY, X-Content nosniff, Referrer-Policy, and Permissions-Policy are all enforced
- Email authentication — SPF, DKIM, and DMARC are configured on outbound mail
- Off-site backups — encrypted incremental backups to a separate provider, on rotation
No system is impenetrable. If you find a vulnerability or believe you've seen a breach, please email onboarding@mothershipmethod.cloud with the details. We'll acknowledge reports within 5 business days.
10Children's Privacy
The Service is not directed to children under the age of 16 (or the age of digital consent in your jurisdiction). We don't knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact us and we'll delete it promptly.
11Changes to This Policy
We may update this Privacy Policy from time to time. We'll let registered users know about material changes by email and update the "Last updated" date above. We encourage you to check back from time to time.
12Contact & Data Protection Inquiries
For privacy questions, data requests, or to exercise any of your rights:
If you're in the European Economic Area or the United Kingdom and you're unhappy with our response, you have the right to lodge a complaint with your local data protection authority.
This Privacy Policy explains how Mothership Method handles your personal data. Read it alongside our Terms of Service.