Legal

Privacy Policy

Last updated: May 21, 2026
Effective date: May 21, 2026
The short version:we store your name, your email, and the events your AI agents write into your workspace. We don't sell your data, hand it to advertisers, or use it to train AI models. You can export or permanently delete your data whenever you want.

01Information We Collect

Account information

  • Name — shown in your workspace and account profile
  • Email address — used to sign you in, verify your identity, and contact you about the Service
  • Password — stored only as a salted bcrypt hash; we never see or store it in plaintext
  • Workspace slug — the unique identifier you pick for your workspace URL
  • Plan, tier, and subscription metadata — needed to provision and bill your workspace

Workspace content ("Your Content")

  • Events — entries your AI agents write to your workspace (text content, types, scopes, timestamps)
  • Projects — titles, summaries, statuses, and next actions you define
  • Preferences — language, timezone, tone, working hours, and any instructions you set
  • Audit records — cryptographic hash-chain entries for tamper-evident traceability

Technical information

  • IP address — captured at signup and login for rate limiting and security monitoring
  • Browser user agent — used to render appropriate responses
  • Session cookies — see Cookies & Tracking
  • Request logs — paths, status codes, and timing for operations and troubleshooting (we don't log request bodies)

Billing information (once paid plans launch)

Payment is handled by Stripe. We receive a Stripe customer ID, the last 4 digits of your card, and basic billing metadata. We never receive or store your full card number, CVV, or expiration date.

02How We Use Information

We use the information we collect to:

  • Run the Service — host your workspace, execute your AI agents' memory operations, render the dashboard
  • Authenticate you — verify sign-in attempts, manage sessions, and prevent unauthorized access
  • Communicate with you — send verification emails, welcome messages, security alerts, billing notices, and material updates
  • Improve the Service — analyze aggregate, anonymized usage to fix bugs and prioritize features
  • Keep the Service secure — detect abuse, prevent fraud, enforce rate limits, and investigate incidents
  • Meet legal obligations — respond to lawful requests, enforce our Terms, and handle disputes

What we don't do:

  • Sell Your Content or any personal data
  • Use Your Content to train AI models — ours or anyone else's
  • Show ads or share data with advertisers
  • Read Your Content, except where strictly necessary to operate the Service (for example, while investigating a support request you opened with us)

03Legal Basis for Processing (GDPR / UK GDPR)

If you are in the European Economic Area, the United Kingdom, or another jurisdiction with similar privacy laws, we rely on the following legal bases to process your data:

  • Contract — to deliver the Service you signed up for: account creation, workspace provisioning, billing, and customer support
  • Legitimate interest — to keep the Service secure, prevent abuse, improve it through aggregate analytics, and send operational communications about your account
  • Legal obligation — to comply with tax, accounting, or law-enforcement requirements
  • Consent — for any optional processing (such as marketing emails, where applicable). You can withdraw consent at any time.

04Data Sharing & Sub-processors

We rely on a small set of trusted third-party providers ("sub-processors") to run the Service. Each one is bound by a data-processing agreement consistent with its own service terms.

ProviderPurposeLocation
VercelFrontend hosting & edge deliveryUSA / EU
HostingerVPS hosting, DNS, transactional emailUSA (Boston)
MailChannelsOutbound email relay (via Hostinger)USA / global
HetznerEncrypted off-site backupsGermany (Falkenstein)
Stripe (when paid plans launch)Payment processing & billingUSA / EU
GitHubmm-mcp binary distribution (downloads only; no user data)USA

We may also disclose information when legally required (for example, a valid subpoena or court order), to enforce our Terms, or to protect the rights, property, or safety of Mothership Method, our users, or the public.

05Data Retention

We hold different categories of data for different periods:

  • Active accounts — we keep Your Content for as long as your account is active
  • Deleted accounts — a 30-day grace period during which you can ask us to restore your data
  • After the grace period — Your Content is permanently and irrecoverably deleted from our production systems
  • Encrypted backups — may still hold a copy for up to 90 days, until the routine rotation overwrites them
  • Anonymized aggregates — operational metrics that can no longer be tied back to you may be kept indefinitely
  • Legal hold — we may retain specific data longer when required by law or for an active legal matter

06Your Rights

Depending on where you live, you have the following rights over your personal data:

  • Access — request a copy of the personal data we hold about you
  • Rectification — correct inaccurate or incomplete personal data
  • Erasure ("right to be forgotten") — ask us to delete your account and personal data
  • Portability — receive your data in a structured, machine-readable format (JSON)
  • Restriction — limit how we process your data in specific circumstances
  • Objection — object to processing that we base on legitimate interest
  • Withdraw consent — where processing is based on consent, withdraw it at any time
  • Lodge a complaint — file a complaint with your local data protection authority

To exercise any of these rights, email onboarding@mothershipmethod.cloud from the address tied to your account. We'll respond within 30 days of receiving a valid request.

07International Data Transfers

Mothership Method runs primarily on infrastructure in the United States (Boston) and Germany (Hetzner backups). If you access the Service from outside these regions, your data will be transferred to and processed in those locations.

For transfers from the European Economic Area, the United Kingdom, or Switzerland to other jurisdictions, we rely on Standard Contractual Clauses or equivalent legal mechanisms with each sub-processor.

08Security Measures

We take the security of your data seriously. Current safeguards include:

  • Encryption in transit — TLS 1.2+ (Let's Encrypt certificates) on every public endpoint
  • Encryption at rest — database storage encrypted on supported infrastructure
  • Password hashing — bcrypt with an appropriate cost factor; passwords are never stored in plaintext
  • JWT signing — RS256 with a rotating key pair and protection against algorithm-confusion attacks
  • Cryptographic audit chain — tamper-evident hash chain across every workspace event
  • Tenant isolation — every workspace runs in its own database. Solo accounts run on shared infrastructure with logical isolation; Team accounts run in dedicated containers
  • Rate limiting — signup, login, and onboarding endpoints are rate-limited to deter abuse
  • Security headers — CSP, HSTS preload, X-Frame DENY, X-Content nosniff, Referrer-Policy, and Permissions-Policy are all enforced
  • Email authentication — SPF, DKIM, and DMARC are configured on outbound mail
  • Off-site backups — encrypted incremental backups to a separate provider, on rotation

No system is impenetrable. If you find a vulnerability or believe you've seen a breach, please email onboarding@mothershipmethod.cloud with the details. We'll acknowledge reports within 5 business days.

09Cookies & Tracking

We use only the strictly necessary cookies the Service needs to function:

  • mm_session — httpOnly session JWT (expires after 8 hours)
  • mm_tenant_api_url — httpOnly cookie that stores your workspace's API endpoint
  • mm_signup_session — httpOnly cookie used only during the signup wizard (expires after 12 hours)

We don't use third-party tracking cookies, advertising cookies, or analytics cookies that identify individual users. There's no Google Analytics, no Facebook Pixel, and no similar trackers on the Service.

10Children's Privacy

The Service is not directed to children under the age of 16 (or the age of digital consent in your jurisdiction). We don't knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact us and we'll delete it promptly.

11Changes to This Policy

We may update this Privacy Policy from time to time. We'll let registered users know about material changes by email and update the "Last updated" date above. We encourage you to check back from time to time.

12Contact & Data Protection Inquiries

For privacy questions, data requests, or to exercise any of your rights:

onboarding@mothershipmethod.cloud
Within 30 days for formal data-rights requests; sooner for general questions.

If you're in the European Economic Area or the United Kingdom and you're unhappy with our response, you have the right to lodge a complaint with your local data protection authority.

This Privacy Policy explains how Mothership Method handles your personal data. Read it alongside our Terms of Service.