Privacy Policy

Last updated · May 31, 2026

This Privacy Policy explains how Mondegar AI ("we", "us", "the service") collects, uses, protects, and retains your data when you visit our website and use our institutional investment simulator and AI tracking services.

1. Overview & Commitment

Mondegar AI operates the website at https://www.mondegar.ai and provides editorial analysis and conversational intelligence for public SEC 13F filings. We are committed to maintaining the absolute security, confidentiality, and integrity of your data. We do not sell personal data, and we do not share your private account activity with third-party advertising brokers.

2. Express Consent & Opt-Out Mechanisms

  • Consent Framework: By accessing the Service, registering an account, or entering into a subscription agreement, you expressly consent to the collection, processing, and transfer of your personal data as outlined in this Policy.
  • Withdrawal of Consent: You have the right to withdraw your consent to our data processing at any time. You can do this by deleting your account via your settings dashboard or by submitting a request to info@mondegar.ai. Upon receiving your withdrawal request, we will deactivate your account and initiate the deletion of your personal data within 30 days, subject to standard billing/tax retention requirements.

3. Information We Collect

We collect and process only the minimum necessary data to provide our services:

  • Account Registration Data: When you sign in with Google (via Firebase Authentication), we receive your secure display name, email address, profile image URL, and a secure unique user identifier. We never receive or store your Google password.
  • Subscription & Billing Data: If you upgrade to Pro, Stripe collects payment details on our behalf. Mondegar AI stores only the subscription identifier, status, and renewal dates — we never store or process credit card numbers.
  • Usage Data & Interaction Logs: We log request metadata (timestamps, requested routes, IP-derived general geographic region, and anonymised user-agent strings) and aggregate counters (such as how many chat questions you asked). This data is used strictly to enforce rate limits, detect infrastructure abuse, and diagnose errors.
  • User Prompt Submissions: Standard and conversational queries entered in our AI chat are processed in real time. Do not submit corporate secrets or highly confidential proprietary data.
  • Cookies: One session cookie (insights_session) keeps you signed in. We do not use third-party advertising cookies or cross-site trackers.

4. How We Process & Share Your Data

We disclose data only to a limited set of infrastructure processors necessary to deliver our services:

  • Google Firebase: Authentication and identity verification.
  • Stripe: Subscription billing operations.
  • Railway: Application hosting, Postgres database, and Redis cache instances inside secure US-based servers.
  • OpenRouter / DeepSeek: User prompt queries are paired with public 13F filing context and sent to the LLM API to generate summaries and chat responses. Integrations are configured under strict Zero-Retention API policies — the LLM providers do not retain, store, log, or use your prompt inputs to train their models. We do not share your name, email, or Stripe billing profile with the LLM providers.
  • Resend: Transactional service emails.

5. Data Security & Technical Safeguards

We implement comprehensive technical safeguards to protect your personal data:

  • Transit Encryption: All data transmitted between your browser and our servers is secured using industry-standard Transport Layer Security (TLS 1.3 / HTTPS).
  • Encryption at Rest: Core database instances, including user tables and metadata, are protected by AES-256 storage-level encryption.
  • Infrastructure Isolation: Databases are locked behind firewall boundaries, with internal communication isolated to protected Virtual Private Clouds (VPC).
  • Access Controls: Access to backend database consoles and server management panels is restricted to authorized operations engineers using multi-factor authentication (MFA) and audited credentials.
  • Incident Response & Notification: In the highly unlikely event of a confirmed security breach impacting your personal data, we will notify affected users within 72 hours of verification.

6. Data Retention & Deletion Schedule

We hold your personal data only as long as necessary to fulfill operational and regulatory purposes:

  • Account Data: Stored continuously while your account remains active. Upon manual deletion or deactivation request, account profiles are hard-deleted from our databases within 30 days.
  • System Logs: Metadata logs and performance metrics are rotated out and permanently deleted every 90 days.
  • Stripe & Tax Records: Payment histories, subscription durations, and tax-relevant transaction records are retained for a minimum of 7 years following subscription cancellation to comply with standard state and federal tax guidelines.
  • Backups: Encrypted system database backups are retained for a maximum of 30 days before automatic rotation and overwrite.

7. Global Compliance & Your Privacy Rights

Mondegar AI operates in compliance with international privacy frameworks, including the EU/UK GDPR, California's CCPA, and Canada's PIPEDA. Under these frameworks, you hold the following rights:

  • Right of Access & Portability: Request a structured copy of all personal data we process about you.
  • Right to Rectification: Request correction of inaccurate or incomplete personal records.
  • Right to Erasure ("Right to be Forgotten"): Request the permanent deletion of your profile and data (subject to tax record retention).
  • Right to Restriction & Objection: Request that we limit processing of certain details or object to processing altogether.
  • Right to Non-Discrimination: We do not penalize, limit, or vary terms of service based on the exercise of your privacy rights.

To exercise these rights, submit your request to our compliance team at: info@mondegar.ai.

8. Children's Privacy

The Service is not intended for or directed to individuals under 16 years of age. We do not knowingly collect personal information from children under 16. If we discover that a child under 16 has registered an account, we will immediately delete all corresponding data.

9. Changes to This Privacy Policy

We will update this policy from time to time to match advancements in our technology, security practices, or regulations. Material updates will be communicated through in-app dashboard notices or transactional email alerts at least 14 days before their effective date.

10. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy, please contact our Data Protection Officer at: info@mondegar.ai.

This page is provided for transparency. It is not legal advice. By using the service you also agree to our Terms of Service.