Privacy Policy

This Privacy Policy explains how Mundus AI Ltd. ("Mundus AI", "we", "us", or "our"), a company registered in the United Kingdom ([Registration Number - Placeholder]), collects, uses, processes, shares, and protects your Personal Data when you use our website (mundusai.co.uk), our AI-powered marketing platform, and related services (collectively, the "Services").

Mundus AI provides an all-in-one marketing platform enabling users to generate AI-powered strategies, content (including text and image descriptions), edit generated or uploaded content, analyse performance, gain competitor insights, schedule social media posts, and manage client accounts via sub-profiles.

We are committed to safeguarding your privacy and handling your Personal Data transparently and securely, in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We practice data minimisation and do not sell your Personal Data or use it for third-party advertising revenue. Please visit our GDPR page for more information

This policy details:

• What Personal Data we collect.
• How we use your Personal Data, including for AI features.
• Our legal basis for processing under UK GDPR.
• Who we share your Personal Data with.
• Your data protection rights.
• Our security measures, data retention, and international transfer practices.

By using our Services, you acknowledge you have read and understood this policy.

Mundus AI Ltd. is the data controller for the Personal Data processed under this policy.

Registered Address:

Mundus AI Ltd.
[Your Full UK Registered Address - Placeholder]
United Kingdom

Contact Information:

• Privacy Enquiries: privacy@mundusai.co.uk
• General Enquiries: hello@mundusai.co.uk
• Support Enquiries: success@mundusai.co.uk

We collect the following categories of Personal Data:

3.1 Information You Provide Directly

• Account Information: Your first name, last name, email address, and password (stored securely using bcrypt hashing with salt).
• Brand Profile Information: Brand name, industry, defined brand voice characteristics, target audience descriptions, and brand colour schemes you configure within the platform.
• Content Generation Data: Text prompts you input for AI generation, preferences selected, the AI-generated outputs (strategies, text content, image context descriptions), and associated metadata.
• Uploaded Media: Images, logos, documents, or other brand assets you upload to the platform for use in content generation or storage.
• Competitor Information: URLs or names of competitors you optionally provide for analysis and comparison features.
• Payment and Billing Information: Billing name, address, and payment card details are processed by our secure third-party payment processors.
• Communications Data: Information provided when you contact support, give feedback, or otherwise communicate with us.
• Sub-Client Data (Agency Feature): Information related to client brands managed within sub-accounts, including their profiles, prompts, generated content, and associated data. You confirm you have the authority to provide and manage this data.

3.2 Information Collected Automatically

• Usage Data: History of generated content, content generation patterns, interaction data within the platform (clicks, features used, session times), collected via first-party means and through PostHog analytics (see Section 7).
• Log and Device Data: IP address, browser type, operating system, device information, access times, and referring URLs automatically logged by our servers (hosted on Vercel).
• Cookies and Similar Technologies:

• Authentication cookies to maintain your login session.
• Rate-limiting cookies (managed via Upstash Redis) to prevent abuse.
• First-party functional cookies essential for platform operation.
• Analytics cookies (via PostHog) to understand usage patterns (see Cookie Policy).

We do not use third-party advertising cookies. For full details, see our Cookie Policy at mundusai.co.uk/cookies.

3.3 Information from Third Parties

• Social Media Platforms: Access tokens and profile information when you connect your social media accounts (e.g., Instagram, Facebook) for publishing or analytics, based on your explicit authorisation via the platform's connection flow.
• Adobe Express: Usage data related to your interaction with Adobe Express features integrated within our platform.

Your Personal Data is used for the following purposes:

• Service Provision: To authenticate you, operate and maintain your account and the platform's core functionalities (AI generation, scheduling, analytics, sub-client management).
• Personalisation: To tailor the platform experience, prompts, and content suggestions based on your brand profile and preferences.
• AI Content Generation: To process your prompts and brand information using internal and external AI models to generate requested marketing content and strategies.
• Analytics and Insights: To provide you with performance analytics, competitor comparisons, and market insights based on your connected data and inputs.
• Service Improvement: To analyse anonymised usage patterns (via PostHog) and feedback to understand user behaviour, troubleshoot issues, enhance usability, and develop new features.
• AI Model Improvement: To improve the quality, accuracy, and safety of our AI generation capabilities over time using anonymised and aggregated data (see Section 6).
• Security and Abuse Prevention: To monitor platform activity, implement rate limiting (via Upstash Redis), detect and prevent security incidents, fraud, or violations of our Terms of Service.
• Communication: To send essential service notifications, respond to your support requests, and (with consent) send marketing communications.
• Compliance: To meet legal and regulatory requirements.

We process your Personal Data based on the following legal grounds:

• Contractual Necessity: Processing required to deliver the core Services you have subscribed to, as outlined in our Terms of Service.
• Legitimate Interests: Processing for our legitimate interests in operating and improving our business, ensuring security, providing relevant analytics, and conducting analytics on platform usage, provided these interests are not overridden by your rights.
• Consent: Processing based on your explicit consent for optional features, non-essential cookies, and direct marketing communications. You can withdraw consent at any time.
• Legal Obligation: Processing necessary to comply with applicable UK laws or regulations.

We utilise AI ethically and with respect for your data:

Content Generation Process

Your prompts and relevant brand information are securely transmitted to internal or external AI service providers solely for the purpose of generating the content you request. These providers are contractually bound not to retain or use your inputs beyond what is necessary for the generation task.

Generated Content Ownership and Storage

You retain ownership of the AI-generated content created specifically for your account (subject to our Terms of Service). This content is stored within your Mundus AI account (on Neon Database and Amazon Web Service servers). We do not use your specific generated content for any other purpose without your permission.

AI Model Training

• Your Data: We do not use your specific inputs (prompts), uploaded brand assets, generated content outputs, or confidential client data to train general AI models that could benefit other users.
• Anonymised Data: We may use anonymised, aggregated metadata about generation patterns (e.g., types of prompts used, feature engagement rates, success rates of certain structures, without the actual content) to improve the overall effectiveness, safety, and quality of our AI features and prompt recommendations system-wide.

AI Recommendations

Recommendations within the platform (e.g., prompt suggestions) are based on your brand profile, stated industry, general marketing best practices, and anonymised successful usage patterns.

User Control

You always maintain final editorial control over any AI-generated content before publishing or using it. You can delete your prompts and generated content history from your account.

We share your Personal Data only with specific third parties necessary to provide our Services, under strict data protection terms:

• AI Providers: We share prompts and necessary context (like brand voice descriptions, but typically not full brand profiles unless essential for the specific task) with third-party AI service providers to facilitate content and image generation. These providers are contractually obligated to process data securely and typically do not retain inputs post-generation.
• Adobe Express: When you use integrated Adobe Express features, relevant content and design assets are shared with Adobe to enable the creative editing functionality, governed by Adobe's terms and privacy policy.
• Neon Database: We use Neon Database for secure storage of all platform data, including account information, brand profiles, content, and usage data. Their servers are located in London.
• PostHog: We share anonymised or pseudonymised usage and behaviour data with PostHog for product analytics and understanding platform interaction patterns.
• Upstash Redis: Used for technical purposes like caching and implementing rate limiting, potentially involving temporary storage of identifiers related to usage frequency.
• Social Media Platforms: When you connect your accounts and authorise publishing or analytics, we exchange necessary data (e.g., content, access tokens, performance metrics) with platforms like Instagram, Facebook, LinkedIn, etc., via their official APIs.
• Vercel: As our hosting provider, Vercel's infrastructure processes and hosts the application data, including Personal Data stored within it. Their servers are located in London.
• Payment Processors: Stripe process your payment details securely.

We may also disclose data if legally required or to protect rights and safety, and in the event of a business transfer such as a merger or acquisition.

Mundus AI does not sell your Personal Data to advertisers or any other third parties for their marketing purposes.

We implement robust security measures to protect your Personal Data, including:

• Strong password hashing (bcrypt with salt).
• Multi-layered rate limiting via Upstash Redis to prevent brute-force attacks and abuse.
• Strict Content Security Policy (CSP) implementation to mitigate cross-site scripting (XSS) risks.
• HTTPS enforced for all data transmission.
• JSON Web Token (JWT) based authentication with secure configurations and expiration controls.
• Restricted database access policies and secure configurations for Neon Database.
• Regular security audits and vulnerability assessments.
• Secure infrastructure hosted on Vercel.

We retain your Personal Data only for as long as necessary for the purposes outlined herein or as required by law.

• Account Data: Retained while your account is active + a short period post-deletion (e.g., 90 days).
• Platform Content/Data: Retained while your subscription is active + a grace period (e.g., 60 days) post-cancellation.
• Billing Data: Retained per UK legal requirements (typically 6 years + current year).
• Logs/Analytics: Shorter retention (e.g., 90-180 days), then anonymised/deleted.

You can delete content or your entire account via settings, initiating the deletion process according to these timelines (subject to legal holds). Data may remain in backups for a limited time (e.g., 30 days) before final erasure.

Under UK GDPR, you have rights including:

• Access: Request a copy of your data.
• Rectification: Correct inaccurate data (via profile settings or contact).
• Erasure: Request deletion of your data (via account settings or contact).
• Restriction: Limit how we process your data in certain situations.
• Portability: Request your data in a portable format (export tools available).
• Object: Object to processing based on legitimate interests or for direct marketing.
• Withdraw Consent: Withdraw consent for optional processing at any time.
• Complain: Lodge a complaint with the ICO (www.ico.org.uk).

To exercise these rights (except where self-service options exist), contact privacy@mundusai.co.uk. We will verify your identity and respond within one 14 working days.

We use authentication, rate-limiting, functional, and analytics (PostHog) cookies. We do not use third-party advertising cookies. Manage preferences via our Cookie Policy at mundusai.co.uk/cookies.

Your data is primarily stored and processed on servers provided by Neon Database and Vercel located in the EU. However, processing by third-party services such as AI providers or PostHog may occur in other regions such as the US. We ensure all international transfers comply with UK GDPR using appropriate safeguards like the UK IDTA, UK Addendum to EU SCCs, or reliance on UK Adequacy Regulations.

Our Services are for professional use by individuals aged 18+. We do not knowingly collect data from anyone under 18. Users confirm their age during registration. If we learn of data from a minor, we will delete it. Contact privacy@mundusai.co.uk if you believe this has occurred.

We may update this policy. Material changes will be communicated via email and/or in-app notification at least 30 days before they take effect. The "Last Updated" date will be revised. We maintain a version history, and previous versions may be requested. Continued use signifies acceptance of the updated policy.

For any questions or concerns about this Privacy Policy or your data:

Email:

• Privacy: privacy@mundusai.co.uk
• General: hello@mundusai.co.uk
• Support: success@mundusai.co.uk

Post:

Mundus AI Ltd.
Attn: Privacy Team / Data Protection Officer
[Your Full UK Registered Address - Placeholder]
United Kingdom