mumo — Privacy Policy

Effective: February 17, 2026 Last updated: April 8, 2026

Overview

mumo is a multi-model AI conversation platform. This policy explains what data we collect, why, how it's stored, who else sees it, and how you can control it.

We've written this in plain language. If something is unclear, contact us at support@mumo.chat.

1. What we collect

Account data

• Google profile information: name, email address, and profile photo (provided via Google OAuth at sign-in)
• Account identifiers: a unique user ID generated by our authentication system

We do not collect or store your Google password.

Conversation data

• Prompts: the questions and instructions you submit
• Annotations: the excerpts you highlight, the bucket actions you take (Keep, Explore, Challenge, Core, Shift), and the commentary you add
• Steering decisions: which content you choose to share with which models, full response selections, and routing targets
• Model responses: the text generated by AI models in response to your curated input
• Session metadata: timestamps, active models, round counts

API keys (BYOK)

• If you provide your own API keys, they are encrypted using AES-256-GCM before storage
• We store only the encrypted ciphertext, initialization vector, and authentication tag
• We retain the last 4 characters of each key in plaintext for display purposes only
• We cannot retrieve or view your full API key after storage

Usage data

• Product analytics: page views, feature usage, session duration — collected via PostHog
• Session replay: PostHog records interaction patterns (mouse movements, clicks, scrolls, page navigation) to help us understand how users navigate the platform. All text content in session recordings is masked — conversation content, prompts, model responses, and personal information are never captured or transmitted to PostHog. Only structural UI elements (button labels, navigation items, model names) are visible in recordings.
• We do not use third-party advertising trackers

2. How we use your data

• To provide the service: storing conversations, assembling prompts, generating share links, displaying your session history
• To improve the platform: aggregated, anonymized usage patterns (e.g., how often features are used, average session length) may inform product decisions
• To communicate with you: service-related notifications (e.g., terms changes, outages)

What we do NOT do

• We do not train AI models on your data — not ours, not anyone else's
• We do not sell your data to third parties
• We do not use your data for advertising
• We do not build user profiles for targeting or marketing purposes

3. Who else sees your data

AI model providers

When you use mumo, your prompts, annotations, and curated content are sent to third-party AI model providers via their APIs. Providers currently include, but are not limited to:

• Anthropic (Claude) — see Anthropic's Privacy Policy
• OpenAI (GPT) — see OpenAI's Privacy Policy
• xAI (Grok) — see xAI's Privacy Policy

We may add or remove providers over time. An up-to-date list of available models is maintained within the application.

These providers' API terms generally state that API inputs and outputs are not used for model training. However, their policies may change — we encourage you to review them directly.

What providers receive:

• The prompts and curated content you send through mumo
• Conversation history as assembled by mumo's prompt system (which includes only content you explicitly chose to include)

What providers do NOT receive:

• Your email address or Google profile information
• Your API keys for other providers (each provider only receives its own API key — Claude does not see your OpenAI or xAI key, and so on)
• Annotations or commentary you did not route to that model

When you share a conversation

When you create a share link, the following becomes publicly accessible to anyone with the link:

• The full conversation transcript
• All model responses
• Your annotations and commentary
• Your steering decisions (which excerpts you kept, challenged, or explored)

Share links do not expose your email, account information, or API keys.

Infrastructure providers

Your data is stored and processed using:

• Supabase (database and authentication) — hosted in the US
• Vercel (application hosting)
• PostHog (product analytics and session replay) — see PostHog's Privacy Policy

These providers process data on our behalf under their respective terms of service and privacy policies.

Law enforcement

We will disclose data if required by law, court order, or legal process. We will attempt to notify you unless legally prohibited from doing so.

4. Where your data is stored

• Conversation data and account information are stored in a PostgreSQL database hosted by Supabase in the United States (us-west-2 region)
• API keys are encrypted at rest using AES-256-GCM
• Data in transit is encrypted via TLS

5. How long we keep your data

• Conversations: stored indefinitely until you delete them. Deleting a session removes it from our database.
• Account data: retained as long as your account exists. If you delete your account, your data will be removed within 30 days.
• API keys: stored until you remove them from settings or delete your account.
• Share links: public share links remain accessible until you delete the underlying session.

6. Your rights and controls

You can:

• View your data: all conversations are accessible in your session history
• Delete conversations: remove individual sessions at any time
• Delete your account: removes your account and associated data
• Remove API keys: delete stored keys from settings at any time
• Revoke share links: delete the underlying session to remove public access

If you need assistance with data deletion or have questions about your data, contact us at support@mumo.chat.

For users in the EU/EEA

If you are located in the European Economic Area, you may have additional rights under GDPR including the right to access, rectification, erasure, data portability, and the right to object to processing. Contact us to exercise these rights.

For users in California

If you are a California resident, you may have additional rights under CCPA including the right to know what data we collect, the right to delete, and the right to opt out of the sale of personal information. We do not sell personal information.

7. Children

mumo is not intended for users under 18 years of age. We do not knowingly collect data from children. If we become aware that we have collected data from a user under 18, we will delete it promptly.

8. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via the platform. The "last updated" date at the top reflects the most recent revision.

9. Contact

Questions or concerns about your privacy? Contact us at support@mumo.chat.