Privacy Policy
Last updated: February 15, 2026
1. Introduction
Massu AI ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our AI Engineering Governance Platform ("the Service"). This policy applies to all users worldwide and is designed to comply with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
2. Data We Collect
We collect different categories of data depending on how you use the Service:
Account Information
- Email address (for authentication and communication)
- Display name (optional)
- Organization name and details
- Billing information (processed by Stripe; we do not store full card numbers)
Usage Data (Cloud Tiers Only)
- Session metadata (timestamps, tool usage, token counts)
- Observations and code quality metrics
- Analytics events (feature usage, performance data)
- Audit trail entries
Technical Data
- IP address and approximate location
- Browser type and version
- Device information
- Pages visited and interactions on our website
Open-Source Core: Local Only
When using the open-source core without Cloud features, all data remains on your local machine. No data is transmitted to our servers.
3. How We Use Your Data
We use collected data for the following purposes:
- Providing the Service: Authentication, cloud sync, team collaboration, and dashboard features
- Billing and payments: Processing subscriptions and managing your account
- Service improvement: Understanding usage patterns to improve features and performance
- Communication: Sending essential service notifications, security alerts, and (with consent) product updates
- Security and compliance: Detecting and preventing fraud, abuse, and security incidents
We do not sell your personal data to third parties. We do not use your code or session data for AI model training.
4. Cookies
We use essential cookies required for the Service to function (authentication, session management). We may also use analytics cookies to understand how visitors interact with our website. You can control cookie preferences through your browser settings.
- Essential cookies: Required for authentication and core functionality. Cannot be disabled.
- Analytics cookies: Help us understand usage patterns. You can opt out of these.
5. Third-Party Services
We use the following third-party services to operate the platform:
- Stripe: Payment processing. Stripe handles all payment card data and is PCI DSS Level 1 certified. See Stripe's Privacy Policy.
- Supabase: Authentication, database storage, and real-time features. Data is stored in SOC 2 Type II compliant infrastructure. See Supabase's Privacy Policy.
- Vercel: Website hosting and edge functions. See Vercel's Privacy Policy.
6. Data Retention
We retain your data for as long as your account is active or as needed to provide the Service. Specific retention periods:
- Account data: Retained while your account is active; deleted within 30 days of account closure
- Session and analytics data: Retained for up to 24 months, then automatically purged
- Audit logs: Retained for up to 36 months for compliance purposes
- Billing records: Retained as required by tax and accounting regulations (typically 7 years)
7. Your Rights
Under GDPR and other applicable data protection laws, you have the following rights:
- Right of access: Request a copy of the personal data we hold about you
- Right to rectification: Request correction of inaccurate or incomplete data
- Right to erasure: Request deletion of your personal data ("right to be forgotten")
- Right to restriction: Request restriction of processing of your data
- Right to data portability: Receive your data in a structured, commonly used format
- Right to object: Object to processing of your data for certain purposes
- Right to withdraw consent: Withdraw previously given consent at any time
Exercise Your Rights
- Right to data portability: Export all your data from Dashboard > Settings > Account
- Right to erasure: Delete your account and all associated data from Dashboard > Settings > Account
To exercise any of these rights, contact us at privacy@massu.ai. We will respond within 30 days.
8. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption in transit (TLS 1.3) and at rest
- Row-level security policies on all database tables
- Regular security audits and vulnerability assessments
- Access controls with role-based permissions for team members
- API key hashing (keys are never stored in plaintext)
9. International Transfers
Our infrastructure is hosted in the United States. If you are located in the European Economic Area (EEA) or other regions with data transfer restrictions, your data may be transferred to and processed in the US. We ensure appropriate safeguards are in place through Standard Contractual Clauses (SCCs) and our service providers' compliance certifications.
10. Children's Privacy
The Service is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If we learn that we have collected data from a child under 16, we will take steps to delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the Service. The "last updated" date at the top of this page indicates when this policy was last revised.
12. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us:
- Email: privacy@massu.ai
- Contact form: massu.ai/contact
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.