GDPR Statement

Effective Date: April 21, 2025

Last Updated: April 21, 2025

Version: 1.0

Key Points Summary

  • We collect account information, brand profiles, content data, and usage analytics
  • Your data is used to provide our services and improve AI content generation
  • You own the AI-generated content created for your account
  • We implement robust security measures to protect your data
  • You have the right to access, correct, and delete your data
  • We use carefully selected third-party service providers
  • Data transfers outside the UK/EEA are subject to appropriate safeguards
  • You can contact us at privacy@mundusai.co.uk with any questions

This summary is not exhaustive. Please read the full GDPR Statement below.

1. Our Commitment to Data Protection

Mundus AI ("Mundus AI", "we", "us", "our") is committed to protecting the privacy and security of personal data. This statement outlines our approach to data protection and compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We strive to operate with transparency and provide our users ("you", "your") with control over their personal information when using our All-in-one AI Marketing Platform (the "Service") available at mundusai.co.uk.

We embrace the principles of privacy by design and default. We aim to collect and process only the personal data that is necessary for the provision and improvement of our Service, operating under the legal framework of the United Kingdom.

2. Scope of this Statement

This statement applies to the processing of personal data of individuals, particularly those whose data protection rights fall under the scope of the UK GDPR, when they interact with our Service.

3. Our Role: Data Controller and Data Processor

The GDPR distinguishes between organisations that are "data controllers" and "data processors". Mundus AI acts in both capacities:

Data Controller: Mundus AI is the Data Controller for the personal data we collect directly from you when you register for an account, manage your subscription, interact with our website, or contact us directly (e.g., your name, email address, account settings, payment information processed via our payment provider).

Data Processor: When you use our Service to generate marketing strategies, create content (including uploading product information or using AI generation features), manage competitor data, analyse performance, or manage sub-client accounts, you are the Data Controller for that data. Mundus AI acts as a Data Processor, processing this data strictly based on your instructions, as provided through your use of the Service and in accordance with our Terms of Service.

4. Personal Data We Process

We process different categories of personal data to provide and improve our Service:

  • Identity & Contact Data: Name, email address, company name (if applicable).
  • Account Data: User ID, password (hashed), subscription plan details, account settings, user preferences, security information.
  • Brand & Client Data (Processed on Your Behalf): Brand names, brand information, associated assets or product details you provide, sub-client details (if using the agency feature), API keys or credentials for linked social media accounts.
  • User Input & Generated Content Data (Processed on Your Behalf): Prompts provided for AI generation, uploaded product information used for generation, AI-generated strategies and content (text, image context descriptions), scheduled post details.
  • Usage Data: Information about how you use our platform, including features accessed, content generated/scheduled, analytics viewed, IP address, browser type, device information, access times, and interaction data collected via cookies and similar technologies (see our Cookie Policy).
  • Analytics Data (Processed on Your Behalf): Performance metrics related to your content and social media pages, audience insights, competitor performance data (based on publicly available information and competitors you add), sentiment analysis results.
  • Payment Data: Transaction details related to your subscription (processed securely by our third-party payment processor, Stripe; we do not store full credit card details).
  • Communication Data: Records of communications between you and Mundus AI (e.g., support requests, feedback).

We do not intentionally collect or process 'special categories' of personal data (as defined by the UK GDPR, e.g., health, race, political opinions) unless it is incidentally included within the content you generate or manage using the platform, for which you are the Data Controller.

6. Processing Involving Artificial Intelligence (AI)

Our Service utilises AI to provide features such as strategy generation, content creation, and analysis.

  • AI Content Generation: We process your inputs (prompts, brand information, product details) to generate marketing content via AI systems. This processing is performed based on your instructions as part of the Service delivery (Performance of a Contract).
  • AI Model Improvement: Currently, our AI models are not trained using your specific prompts, brand assets, generated content, or identifiable personal information. Our AI systems may be improved using anonymised and aggregated data derived purely from general platform usage patterns and performance metrics, ensuring individual user data is not identifiable. Should we intend to use anonymised user-generated content or prompts for model training in the future, we will update this policy and may seek your explicit consent where required by law before implementing such changes.
  • Third-Party AI Services: We may utilise external AI services from trusted providers. Only the minimum necessary data (typically anonymised or specific inputs required for the task) is shared, under strict contractual safeguards.

7. Your Data Subject Rights

Under the UK GDPR, you have rights regarding your personal data. Mundus AI is committed to facilitating these rights:

  • Right to Access: You can request a copy of the personal data we hold about you.
  • Right to Rectification: You can request correction of inaccurate or incomplete personal data.
  • Right to Erasure ('Right to be Forgotten'): You can request the deletion of your personal data under certain conditions (e.g., it's no longer necessary, you withdraw consent).
  • Right to Restrict Processing: You can request the limitation of how we process your personal data under certain circumstances.
  • Right to Data Portability: You can request your personal data in a structured, commonly used, machine-readable format, and have the right to transmit that data to another controller where processing is based on consent or contract and carried out by automated means.
  • Right to Object: You can object to processing based on legitimate interests or for direct marketing purposes.
  • Right to Withdraw Consent: Where processing is based on consent, you can withdraw it at any time (this does not affect the lawfulness of processing before withdrawal).
  • Rights related to Automated Decision-Making: You have rights concerning decisions made solely by automated means that have legal or similarly significant effects.

To exercise any of these rights, please submit a request via email to privacy@mundusai.co.uk or use the Data Subject Request Form below. We will require you to verify your identity before processing your request. We aim to respond to all valid requests within one calendar month, as required by law. We will maintain records of all requests and actions taken.

8. Data Security

We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:

  • Encryption of sensitive data
  • Access controls with strong authentication
  • Secure password hashing (bcrypt with salt)
  • Regular security assessments and vulnerability testing
  • Staff training on data protection best practices
  • Content Security Policy implementation
  • HTTPS for all data transmission
  • Rate limiting to prevent brute-force attacks

However, no internet transmission is completely secure, and we cannot guarantee absolute security.

9. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including providing the Service, complying with legal obligations (e.g., financial regulations), resolving disputes, and enforcing our agreements. Our general retention periods are outlined below (specific details may vary):

  • Account Data: Retained for the duration your account is active, plus a limited period afterwards (e.g., 30-90 days) for operational reasons or as required by law, unless earlier erasure is requested and applicable.
  • Generated Content & Brand Data: Retained while your subscription is active and for a defined period post-termination (e.g., 60 days) to allow for reactivation, unless deleted earlier by you or subject to an erasure request.
  • Usage & Analytics Data: Logs retained for security/performance monitoring (e.g., 90 days); anonymised/aggregated analytics data may be retained longer for trend analysis.
  • Payment Records: Retained as required by financial laws (typically 7 years).

More detailed information can be found in our Data Retention Policy available upon request.

10. Cookies and Tracking Technologies

We use cookies and similar technologies to operate and improve our website and Service, analyse usage, and personalise your experience. We use the following types of cookies:

  • Authentication cookies to maintain your login session
  • Rate-limiting cookies to prevent abuse
  • First-party functional cookies essential for platform operation
  • Analytics cookies (via PostHog) to understand usage patterns

We do not use third-party advertising cookies. For detailed information, please see our Cookie Policy at mundusai.co.uk/cookies.

11. Third-Party Service Providers (Sub-processors)

We utilise carefully selected third-party service providers to assist in delivering our Service (e.g., hosting, payment processing, analytics, AI services). We ensure these providers offer sufficient guarantees regarding data protection and have Data Processing Agreements (DPAs) in place where required. Key providers include:

  • Vercel (Hosting - AWS eu-west-2, London)
  • Amazon Web Services (AWS) (Cloud Infrastructure - eu-west-2, London)
  • Stripe (Payment Processing - Primarily USA/EEA, with appropriate safeguards)
  • Adobe (e.g., Adobe Express Integration - Varies, with appropriate safeguards)
  • Neon DB (Database Hosting - Varies, with appropriate safeguards)
  • Upstash (Redis Caching - Varies, with appropriate safeguards)
  • PostHog (Product Analytics - Varies, with appropriate safeguards)

A full list of our current sub-processors is available at mundusai.co.uk/subprocessors.

12. International Data Transfers

Our primary operations and data storage are within the UK and the European Economic Area (EEA). However, some of our third-party service providers may be based outside the UK/EEA (e.g., in the USA). Where personal data is transferred outside the UK/EEA to countries not deemed 'adequate' by the UK government, we ensure appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses (SCCs), or other mechanisms permitted under UK data protection law.

13. Data Processing Addendum (DPA)

For users acting as Data Controllers (e.g., agencies managing client data), Mundus AI makes available a Data Processing Addendum (DPA) that outlines our commitments as a Data Processor under the UK GDPR. To request a copy of our pre-signed DPA, please contact legal@mundusai.co.uk with your account details.

14. Contact Information and Complaints

If you have any questions or concerns about this GDPR statement or our data protection practices, please contact us at:

privacy@mundusai.co.uk

You also have the right to lodge a complaint with the UK's data protection supervisory authority, the Information Commissioner's Office (ICO), if you believe your data protection rights have been infringed. Visit www.ico.org.uk for more information.

15. Changes to this Statement

We may update this GDPR statement from time to time to reflect changes in our practices, technology, legal requirements, or the Service. We will post any changes on this page and indicate the effective date. For significant changes, we will provide more prominent notice, such as via email or a notification within the platform, and may require re-acceptance where legally necessary.

END OF GDPR STATEMENT
