Privacy policy
Last updated: 2026-05-03
Mycelium (the “Company,” “we,” “us”) operates mycelium-ai.co, the open-source memory layer at github.com/adelaidasofia/ai-brain-starter, and a productized commercial runtime delivered to enterprise pilot customers under engagement letter. This policy covers what each surface collects, how data is stored, how it is shared, and how you exercise your rights.
1. Marketing site (mycelium-ai.co)
The pilot inquiry form collects: company name, your name, work email, role, industry, company size band, expected pilot start window, current AI tooling toggles, biggest integration pain, and an optional free-text field. The form delivers a single email to the founder via Resend (transactional email provider, US-based, GDPR processor with a published DPA at resend.com/legal/dpa).
We use PostHog (posthog.com/privacy) for product analytics on the marketing site. We capture pageviews, page leave events, and a small set of CTA clicks to understand what enterprise readers find valuable. We do not enable autocapture, do not link sessions to your work email, and do not write identifying cookies until you submit the form.
We do not run third-party advertising trackers, social pixels, or session replay tools on this site.
1b. Install onboarding form (mycelium-ai.co/install)
Every AI Brain Starter install begins with an email-capture form at mycelium-ai.co/install (and mycelium-ai.co/es/install for Spanish). The form collects: your name, email, country, role, optional company, intent (free-text), the operating system you’ll install on, your prior Claude Code experience, and (for paying-tier or cohort branches) approximate notes count, where those notes currently live, and an optional link to a recent piece of your writing for voice-fingerprinting. Two consent checkboxes: one required (process my data to deliver the install plus newsletter), one optional (allow Mycelium to anonymize me in case studies).
On submit we mint a 32-character install token, store it for 30 days in Upstash Redis (US, encrypted at rest, sub-processed under our DPA), append a row to a Mycelium-owned Google Sheet via a service account so the founder has a single roster of every signup, subscribe your email to the matching Substack publication (English: adelaidadiazroa, Spanish: perspectivasblog), and send a welcome email via Resend that contains the personalized install command. Your token is then gated against the bootstrap on your machine, so installs cannot proceed without it. You can withdraw consent and request deletion at any time at privacy@mycelium-ai.co; deletion removes you from the Sheet, the Substack list, and the Redis token store.
Existing users who installed before the gate was live (clones from before the form went live) will be prompted on their next bootstrap re-run to backfill their email by completing the same form. Once we have an email-on-file marker, the prompt does not re-fire.
2. Open-source memory layer
The open-source memory layer at github.com/adelaidasofia/ai-brain-starter runs entirely on your own machine. We never receive your vault data, journals, decisions, or any local state created by the memory layer unless you explicitly send a portion of it to us as part of a paid pilot or a support request.
3. Productized runtime (paying pilots)
Customers on a paid pilot run the productized runtime in either a Mycelium-managed tenant (US or EU region of your choice) or in your own cloud or on-premise infrastructure (Mycelium Enterprise tier). In every deployment shape, your tenant data stays inside the tenant boundary and is never used to train shared models, used to shape another tenant’s outputs, or marketed to a third party.
The runtime maintains an audit log of every read, write, and synthesis event with actor, timestamp, and source. Audit logs are exportable on demand. Default retention is twelve months; longer retention is configurable per tenant under SOX or HIPAA-adjacent contracts.
4. Subprocessors
Across our marketing and runtime surfaces we currently rely on the following subprocessors:
- Vercel Inc. (hosting, edge network), US
- Resend, Inc. (transactional email), US
- PostHog, Inc. (product analytics), US (EU instance available on request)
- Upstash, Inc. (Redis-compatible key-value store for install tokens), US
- Google LLC (Sheets API for the install signup roster), US
- Substack, Inc. (newsletter delivery for installs that consent), US
- Anthropic PBC (LLM compute, used inside the runtime where opted in by the customer), US
- OpenAI, OpenRouter, MiniMax (LLM compute, opt-in per-tenant), US
A complete subprocessor list, with regions and contractual safeguards, is available in our Data Processing Addendum at /dpa.
5. International transfers
Personal data submitted via the marketing site is processed in the United States by our subprocessors. For customers in the European Economic Area, the United Kingdom, or Switzerland, we rely on the EU Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum (March 2022) where applicable. Customers on the Mycelium Enterprise tier can elect to keep data in an EU region under separate contractual terms.
6. Your rights (GDPR, UK GDPR, CCPA, LGPD)
You have the right to access, correct, delete, or request a copy of the personal data we hold about you. You can also object to or restrict our processing, and (where applicable) withdraw consent or lodge a complaint with a supervisory authority. To exercise any of these rights, write to privacy@mycelium-ai.co. We respond within thirty days; complex requests may extend to sixty.
7. Retention
Inquiry-form submissions are retained while we are evaluating or running a pilot with you, and for twelve months after the pilot ends, after which we delete the thread and related notes unless you ask us to keep them. Audit logs in the productized runtime follow the retention schedule named in your engagement letter.
8. Security
TLS 1.3 in transit. AES-256 at rest. Per-tenant scoping on every request, every tool call, every webhook. Vulnerability reports go to security@mycelium-ai.co; we follow the coordinated disclosure timeline at /security.
9. Changes
We update this policy when our subprocessor list, retention defaults, or runtime shape change in a way that affects you. Material changes are surfaced in the footer and notified by email to active pilot customers no less than thirty days before they take effect.
10. Contact
Privacy questions: privacy@mycelium-ai.co. General contact: contact@mycelium-ai.co.
Mycelium · founded 2026