Privacy Policy
Effective: March 2026 · Version 1.0 · Jurisdiction: France / EU (GDPR)
Mycorum.ai is committed to protecting your personal data. This policy explains what information we collect when you use our platform, how we use it, and what rights you have over it.
1. Who we are
Mycorum.ai is operated by ECOEMIT SOLUTIONS SARL, a French simplified joint-stock company (SAS), trading as Mycorum.ai. When this policy refers to "Mycorum", "we", "us", or "our", it refers to ECOEMIT SOLUTIONS SARL acting as data controller.
As a French entity offering services to users in the European Union, we operate in full compliance with Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR").
For data protection inquiries, contact us at privacy@mycorum.ai. See our Legal Information page for full company details.
2. Data we collect
We collect only what is necessary to provide the Mycorum service.
| Category | What we collect | When |
|---|---|---|
| Account data | Email address, name, authentication credentials (managed via Clerk) | At registration |
| Deliberation content | Questions and context you submit; deliberation outputs (Corum Synthesis) | Each deliberation |
| Uploaded documents | Files you upload as deliberation context (PDF, text, structured data). Chunked embeddings are stored for semantic search. | When uploaded |
| Conversations | Chat messages with the AI assistant, conversation metadata | Each message |
| Deliberation profile | AI-extracted behavioral profile: expertise level, decision style, domains of expertise, recurring blind spots (see Section 6) | After each deliberation |
| Usage data | Mode used, credit consumption, deliberation timestamps, session metadata | Continuously |
| Billing data | Payment method tokens (not full card numbers — managed via Stripe). Invoices and transaction history. | At payment |
| MCP & connector data | MCP server URLs, connected source metadata (Google Drive, GitHub, Slack, Notion, OneDrive). Encrypted OAuth tokens. | When configured |
| Technical data | IP address, browser type, operating system, referring URL, error logs | Automatically |
We do not collect special categories of personal data (health, political opinions, biometric data) as part of our standard service. You remain responsible for any such data you choose to include in a deliberation question.
3. How we use your data
| Purpose | Legal basis (GDPR) |
|---|---|
| Providing the deliberation service | Contract performance (Art. 6(1)(b)) |
| Processing payments and managing credits | Contract performance (Art. 6(1)(b)) |
| Sending transactional emails (credit low, deliberation complete) | Contract performance (Art. 6(1)(b)) |
| Personalizing AI responses based on your deliberation profile (see Section 6) | Legitimate interest (Art. 6(1)(f)) — you may object or disable in Settings |
| Analyzing aggregate usage patterns to improve our service | Legitimate interest (Art. 6(1)(f)) — we do not use your data to train AI models |
| Security monitoring, PII detection, and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Sending product updates and newsletters (optional) | Consent (Art. 6(1)(a)) |
We do not use your deliberation content to train AI models, and we do not sell your data to third parties.
4. AI model processing & provider eligibility
Mycorum's deliberation engine routes your questions to one or more AI language model providers depending on the mode selected, the domain of your question, and your account's regional eligibility settings.
What happens to your content
When you submit a deliberation, your question and context are transmitted to the selected AI model providers as part of the inference request. Each provider processes this data under its own data processing terms. Mycorum does not store a copy of raw model inputs beyond what is necessary to display your deliberation history. Provider outputs (Corum Synthesis) are stored in your account.
Current AI providers: OpenAI, Anthropic, Google (Gemini), Mistral AI, and models accessed via OpenRouter (including Grok, Llama, Perplexity Sonar, and others).
Web search providers: When research is enabled, search queries derived from your question may be sent to Tavily, Brave Search, or Exa for web research.
Provider eligibility by region: Mycorum applies regional AI provider eligibility rules based on applicable law and internal compliance policy. Certain providers may be unavailable depending on your account's declared region. You can always see which providers were used in each deliberation result.
Content moderation: Your questions are screened by our content safety system, which includes OpenAI's Moderation API and heuristic pattern matching. A PII detection layer warns you if personal identifiers (SSN, credit cards, IBAN, email addresses) are detected in your input, though this does not block submission.
5. Data retention
We retain your data for as long as your account is active and for a period thereafter as required by law or legitimate business purposes.
- Deliberation history: retained for 2 years from creation, then anonymized
- Conversations: retained for 1 year from last message
- Account data: retained while active, plus 30 days after deletion request for hard-delete processing
- Billing records: retained for 10 years (French accounting law)
- Uploaded documents: deleted within 30 days of deliberation completion, or immediately upon your request
- User memories: retained while account is active, deleted on account deletion
- Server logs: retained for 90 days
- LLM cost logs: retained in anonymized form for 1 year (no deliberation content)
You may request complete deletion of your account and associated data at any time. See Section 7.
6. Automated profiling (GDPR Art. 22)
Mycorum builds a deliberation profile based on your usage patterns, including your expertise level, decision style, preferred analysis depth, domains of expertise, and recurring blind spots. This profile is extracted by AI after each deliberation and is used to personalize subsequent AI responses to your questions.
This profiling does not produce legal effects or similarly significantly affect you — the AI provides analysis and recommendations, but you always make the final decision.
You may object to profiling or disable profile personalization by contacting privacy@mycorum.ai.
7. Sharing & sub-processors
We share data only with the sub-processors required to operate the Mycorum platform. We do not sell data. We do not share data with advertisers.
| Sub-processor | Purpose | Location |
|---|---|---|
| Clerk | Authentication and identity management | USA (SCCs/DPF) |
| Supabase | Database and storage | EU (AWS eu-west-3, Paris) |
| Railway | Backend hosting and compute | USA (GCP us-west, SCCs) |
| Vercel | Frontend hosting and CDN | USA (iad1, SCCs) |
| Stripe | Payment processing | USA (SCCs/DPF) |
| Sentry | Error tracking and session replay on errors (text masked) | EU (Germany, ingest.de.sentry.io) |
| AI model providers | Deliberation inference (see Section 4) | Varies by provider |
| Tavily, Brave Search, Exa | Web research for deliberations | USA (SCCs) |
SCCs = Standard Contractual Clauses (EU Commission Decision 2021/914). DPF = EU-US Data Privacy Framework.
8. International data transfers
Some of our sub-processors are located outside the European Economic Area (EEA). For these transfers, we rely on:
- The EU-US Data Privacy Framework (for certified sub-processors), and/or
- Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914)
Technical safeguards include TLS 1.2+ encryption for all data in transit and contractual commitments that API data is not used for model training. You may request a copy of the relevant SCCs by contacting privacy@mycorum.ai.
9. Your rights (GDPR)
Under the GDPR, you have the following rights:
- Right of access (Art. 15) — obtain a copy of the personal data we hold about you
- Right to rectification (Art. 16) — request correction of inaccurate or incomplete data
- Right to erasure (Art. 17) — request deletion of your data, subject to legal retention obligations
- Right to restriction (Art. 18) — request that we restrict processing in certain circumstances
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format (JSON)
- Right to object (Art. 21) — object to processing based on legitimate interests, including profiling
- Right to withdraw consent — withdraw consent for newsletters at any time
To exercise any of these rights, contact privacy@mycorum.ai. We will respond within 30 days. If you believe your rights have been violated, you may lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés) or the supervisory authority in your country of residence.
10. Cookies
Mycorum uses a minimal set of cookies necessary for the platform to function.
| Cookie | Purpose | Duration |
|---|---|---|
| __session | Clerk authentication session token | Session |
| __client_uat | Clerk client-side auth state | 1 year |
We do not use advertising cookies, third-party tracking pixels, or cross-site tracking technologies. These cookies are strictly necessary for authentication and are exempt from consent requirements under the ePrivacy Directive.
11. Security
We implement appropriate technical and organizational measures to protect your data, including:
- TLS encryption for all data in transit
- Encryption at rest for database storage (Supabase managed encryption)
- Row-level security (RLS) policies ensuring users can only access their own data
- API authentication via signed JWT tokens with audience verification
- Content safety guardrails with PII detection
- Encrypted storage of OAuth connector credentials (AES-128 + HMAC-SHA256)
- Regular dependency audits and security patching
12. Data breach notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the CNIL within 72 hours of becoming aware of the breach (GDPR Art. 33). If the risk is high, we will also notify you directly (Art. 34), including: the nature of the breach, the likely consequences, the measures we have taken, and recommendations for steps you can take to protect yourself.
13. Children
Mycorum is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has registered an account, please contact us at privacy@mycorum.ai and we will delete the account promptly.
14. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users at least 14 days before they take effect. The effective date at the top of this page reflects the most recent version. Previous versions are available upon request.
15. Contact
For any questions about this Privacy Policy or to exercise your data rights:
Data Controller: ECOEMIT SOLUTIONS SARL, trading as Mycorum.ai
Privacy: privacy@mycorum.ai
General: contact@mycorum.ai