MITRITY Platform — Privacy Policy

Last updated: March 2026

Your privacy is important to us. This Privacy Policy explains how MITRITY collects, uses, shares, and protects personal data when you visit our website, use our Service, or interact with us.

1. Data Controller

The data controller for the personal data described in this policy is:

MITRITY MITRITY AB Registration number: 559564-7305 VAT number: SE559564730501 Registered office: Stockholm, Sweden

Data Protection Officer (DPO): Email: dpo@mitrity.com

If you have any questions or concerns about how we process your personal data, please contact our DPO.

2. What Data We Collect

We collect and process the following categories of personal data:

2.1 Account Data

Data you provide when creating an account or managing your subscription:

Full name
Email address
Organization name and details
Job title or role
Phone number (optional)
Billing address
Payment information (processed by Stripe; MITRITY does not store full payment card details)
Authentication credentials (password hashes, MFA settings)
Account preferences and settings

2.2 Agent Action Data

Data transmitted by Customer's AI agents through the Edge Node to the Service:

Action metadata (action type, target resource, timestamps, duration)
Action parameters (configuration values, command parameters)
Agent identifiers (agent ID, agent type, mission scope)
Action outcomes (success, failure, blocked)
Behavioral patterns (action sequences, frequency patterns)

Important: Agent action payloads may contain personal data of Customer's end users or employees. The processing of such personal data is governed by the Data Processing Agreement (DPA), where Customer is the data controller and MITRITY is the data processor.

2.3 Usage Data

Data generated automatically through your use of the Service:

Features used, pages visited within the Service, and click patterns
Session duration and frequency
Device information (browser type, operating system, screen resolution)
IP address
Geographic location (city/country level, derived from IP address)
Performance data (page load times, errors encountered)

2.4 Communication Data

Data from your interactions with us:

Support tickets and correspondence
Feedback and survey responses
Marketing preferences and consent records

2.5 Website Visitor Data

Data collected when you visit mitrity.com:

IP address
Browser type and version
Pages visited and referring URL
Cookies and similar technologies (see our Cookie Policy)

3. Legal Basis for Processing

We process personal data based on the following legal grounds under GDPR Article 6:

Data Category	Legal Basis	Details
Account Data	Contract performance (Art. 6(1)(b))	Necessary to create and manage your account and provide the Service
Agent Action Data	Contract performance (Art. 6(1)(b))	Necessary to deliver the core governance and monitoring functionality
Billing and payment	Contract performance (Art. 6(1)(b))	Necessary to process subscriptions and payments
Usage Data (analytics)	Legitimate interest (Art. 6(1)(f))	To understand usage patterns, improve the Service, and ensure security. Our interest in improving our service is balanced against minimal privacy impact (data is pseudonymized/aggregated)
Security monitoring	Legitimate interest (Art. 6(1)(f))	To detect and prevent fraud, abuse, and security incidents
Marketing communications	Consent (Art. 6(1)(a))	Only with your explicit opt-in consent; you may withdraw consent at any time
ML model training	Legitimate interest (Art. 6(1)(f))	To improve governance accuracy using anonymized and aggregated data only
Legal compliance	Legal obligation (Art. 6(1)(c))	When required by applicable law (e.g., tax records, regulatory requests)

4. How We Use Data

4.1 Service Delivery

Providing, operating, and maintaining the Platform
Processing and validating agent actions through Edge Nodes and the Control Plane
Generating governance dashboards, reports, and alerts
Managing user authentication and access control
Processing subscriptions and billing

4.2 Service Improvement

Analyzing usage patterns to improve features and user experience
Identifying and fixing bugs, errors, and performance issues
Developing new features based on aggregated usage insights

4.3 Machine Learning and Analytics

Training and improving ML models that detect anomalous agent behavior
All training data is anonymized and aggregated before use
Individual customers or data subjects are not identifiable in training data
ML models are designed to improve governance accuracy for all customers

4.4 Security

Monitoring for unauthorized access, fraud, and abuse
Enforcing the Acceptable Use Policy
Investigating security incidents
Maintaining audit logs

4.5 Communications

Sending transactional emails (account confirmation, password reset, billing receipts, alerts)
Sending service notifications (maintenance, incidents, product updates)
Sending marketing communications (only with your consent)

4.6 Legal and Compliance

Complying with legal obligations (tax reporting, regulatory requirements)
Establishing, exercising, or defending legal claims
Responding to lawful requests from public authorities

5. Data Sharing

We share personal data only in the following circumstances:

5.1 Sub-Processors

We use the following third-party sub-processors to deliver the Service:

Sub-Processor	Purpose	Data Processed	Location
Google Cloud Platform	Infrastructure hosting, compute, storage, database	All Service data	europe-north1 (Finland), EU
Stripe, Inc.	Payment processing	Billing data, payment details	EU/US (with appropriate safeguards)
Twilio SendGrid	Transactional email delivery	Email addresses, email content	EU/US (with appropriate safeguards)
Google Analytics 4	Website analytics	Website visitor data (anonymized IP)	EU settings enabled
Google reCAPTCHA Enterprise	Bot protection on forms	IP address, browser characteristics, interaction patterns	EU (via GCP)

A current list of sub-processors is maintained in the Data Processing Agreement.

5.2 Legal Requirements

We may disclose personal data if required by law, regulation, legal process, or governmental request. We will notify you of such disclosure unless prohibited by law.

5.3 Business Transfers

In the event of a merger, acquisition, or sale of all or part of MITRITY's assets, personal data may be transferred to the acquiring entity. We will notify affected individuals and provide an opportunity to opt out where feasible.

5.4 With Your Consent

We may share personal data with third parties when you have given us explicit consent to do so.

5.5 What We Do Not Do

We do not sell personal data.
We do not share personal data with advertisers.
We do not use personal data for profiling that produces legal effects on individuals.

6. International Data Transfers

6.1 EU-Based Infrastructure

The Service infrastructure is hosted in the European Union (Google Cloud europe-north1, Finland). The majority of personal data processing occurs within the EU.

6.2 Transfers Outside the EU

Where personal data is transferred to sub-processors located outside the EU/EEA (e.g., Stripe and SendGrid have operations in the United States), we ensure appropriate safeguards are in place, including:

(a) EU-US Data Privacy Framework — Where the sub-processor is certified under the EU-US Data Privacy Framework;

(b) Standard Contractual Clauses (SCCs) — EU Commission-approved standard contractual clauses; and/or

(c) Adequacy decisions — Where the European Commission has determined that the destination country ensures an adequate level of data protection.

6.3 Transfer Impact Assessments

We conduct transfer impact assessments for each sub-processor to evaluate the legal framework and data protection practices in the destination country and implement supplementary measures where necessary.

7. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy:

Data Category	Retention Period	Rationale
Account Data	Duration of the account + 30 days post-deletion	Service delivery; 30-day grace period for account recovery
Agent Action Data	As defined in the Subscription Plan (default: [STARTER_RETENTION] for Starter, [PRO_RETENTION] for Professional, custom for Enterprise)	Service delivery; customer-configurable
Billing records	7 years after the transaction	Swedish accounting law (Bokforingslagen) and tax regulations
Usage Data	26 months	Analytics and service improvement
Support correspondence	3 years after resolution	Quality assurance and dispute resolution
Marketing consent records	Duration of consent + 3 years	Demonstrating lawful consent
Security logs	12 months	Security monitoring and incident investigation

After the retention period expires, personal data is deleted or anonymized in accordance with our data deletion procedures.

8. Data Subject Rights

Under GDPR, you have the following rights regarding your personal data:

8.1 Right of Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and to access a copy of that data, along with information about how it is processed.

8.2 Right to Rectification (Article 16)

You have the right to have inaccurate personal data corrected and incomplete data completed.

8.3 Right to Erasure (Article 17)

You have the right to request deletion of your personal data where:

The data is no longer necessary for the purpose it was collected;
You withdraw consent and there is no other legal basis for processing;
You object to processing and there are no overriding legitimate grounds; or
The data has been unlawfully processed.

This right is subject to exceptions, including where retention is required by law.

8.4 Right to Restriction of Processing (Article 18)

You have the right to restrict the processing of your personal data in certain circumstances, such as while we verify the accuracy of your data or assess an objection.

8.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller, where processing is based on consent or contract performance and carried out by automated means.

8.6 Right to Object (Article 21)

You have the right to object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests. You have an absolute right to object to processing for direct marketing at any time.

8.7 Right Not to Be Subject to Automated Decision-Making (Article 22)

We do not make decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you.

8.8 Right to Withdraw Consent

Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

8.9 How to Exercise Your Rights

To exercise any of these rights, please contact our Data Protection Officer:

Email: dpo@mitrity.com

We will respond to your request within 30 days, as required by GDPR. If the request is complex, we may extend this by an additional 60 days with notice.

We may need to verify your identity before processing your request. There is no fee for exercising your rights, unless requests are manifestly unfounded or excessive.

8.10 Right to Lodge a Complaint

If you are not satisfied with how we handle your request, you have the right to lodge a complaint with a supervisory authority. In Sweden, the supervisory authority is:

Integritetsskyddsmyndigheten (IMY) Swedish Authority for Privacy Protection Box 8114 104 20 Stockholm, Sweden Website: https://www.imy.se Email: imy@imy.se

You may also lodge a complaint with the supervisory authority in your country of residence.

9. Data Security

We implement appropriate technical and organizational measures to protect personal data, including:

Encryption: TLS 1.3 for data in transit; AES-256 for data at rest
Access controls: Role-based access control, mandatory multi-factor authentication
Tenant isolation: Database-level isolation between customers
Infrastructure security: Google Cloud Platform security features, Cloud Armor WAF, private networking
Monitoring: Continuous security monitoring, intrusion detection, and audit logging
Personnel: Background checks, confidentiality agreements, security training for all employees
Incident response: Documented incident response plan with 72-hour breach notification

10. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data promptly.

If you believe we have inadvertently collected personal data from a child under 16, please contact us at dpo@mitrity.com.

11. Cookies and Similar Technologies

We use cookies and similar technologies on our website and within the Service. For detailed information about the cookies we use, their purposes, and how to manage them, please see our Cookie Policy.

12. Third-Party Links

Our website and Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing them with personal data.

13. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will:

(a) Update the "Last updated" date at the top of this policy;

(b) Notify you via email or through a prominent notice in the Service at least 30 days before the changes take effect; and

We encourage you to review this policy periodically.

14. Contact Information

For questions, concerns, or requests related to this Privacy Policy or our data processing practices:

Data Protection Officer MITRITY AB Email: dpo@mitrity.com

General inquiries Email: hello@mitrity.com Website: https://mitrity.com