Privacy Policy
Last updated April 1, 2026
We are committed to protecting your personal data and respecting your privacy in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR). This Privacy Policy explains how we collect, use, store, and share your personal data when you use our landing page and web application (the “Service”).
1. Data Controller & Contact Information
The Data Controller responsible for the processing of your personal data under the GDPR is:
Thomas Bechtold (sole proprietor)
Nikolaus-Fey-Straße 6
97241 Bergtheim
Germany
Contact Email for Privacy Inquiries: mail@mmarw.com
Phone: +49 (0) 1525 9870943
Legal Notice: Legal Notice
Competent Supervisory Authority:
Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18
91522 Ansbach
Germany
Where no Data Protection Officer has been appointed, please use the contact details above for all privacy-related inquiries. If the legal requirements for appointing a Data Protection Officer become applicable, this Privacy Policy will be updated accordingly.
2. Personal Data We Collect & Provision Requirements
When you interact with MMARW, we collect specific categories of personal data.
Mandatory Data: Providing your email address, name, and a password is a contractual requirement to create an account. Without this data, we cannot provide the Service to you.
Account & Registration Data: Email address, name, hashed password, email verification status, and account status flags.
Profile & Preference Data (Optional): Preferred AI name, primary use case/specialization, specific position, UI preferences (dark/light mode), enabled/disabled AI models, and explicit consent choices for product updates and marketing/newsletter emails.
Authentication Data: Security cookies, session tokens, and optional Two-Factor Authentication (2FA) verification codes.
Content & AI Interaction Data: Projects you create (including their title, description and metadata), user inputs, prompts, chat histories, uploaded files (images, PDFs), AI-generated outputs and modified outputs in the workspace.
Log & Error Data: Server logs (IP address, browser type, timestamp) in the session database (kept for the duration of the session) and Cloudflare (kept for a maximum of 90 days), and AI Gateway logs for error debugging and DDoS protection.
Support & Bug Reports: Bug report submissions (which may include chat content only if you voluntarily toggle "include chat content") and support email communications.
Payment & Subscription Data: Subscription plan status and limited payment metadata received via Stripe webhooks. (Note: Full payment and credit card details are processed directly and securely by Stripe; we do not store them).
Communication Data: Transactional emails, security notifications, and interaction tracking via AWS SES.
Analytics & Marketing Data: Cloudflare Web Analytics (for users outside the EU) and Google Ads / Google Tag via Zaraz (for EU users, strictly subject to prior explicit consent via our cookie banner).
Important Notice Regarding Special Categories of Data (Art. 9 GDPR)
MMARW is not intended for the processing of special categories of personal data within the meaning of Article 9 GDPR, such as health data, biometric data, genetic data, or other particularly sensitive personal data. Please do not upload or submit such data through the Service. If such data is nevertheless submitted, it may be processed to the extent technically necessary to provide the requested functionality, operate the Service, maintain security, or comply with applicable legal obligations. We do not intentionally request or encourage the submission of such data.
3. Legal Basis and Purposes for Processing
We process your personal data based on the following legal grounds under Art. 6(1) GDPR:
Performance of a Contract (Art. 6(1)(b)): To provide the core MMARW service, manage your account, authenticate logins, process subscriptions, facilitate multi-agent AI workflows (including transmitting prompts/files to selected AI providers), and provide customer support.
Legitimate Interests (Art. 6(1)(f)): To ensure platform security, prevent fraud, maintain system stability, and diagnose software errors (using bug reports, server logs, and AI Gateway logs).
Consent (Art. 6(1)(a)): For optional profile fields, newsletter subscriptions, promotional updates, and the use of tracking cookies/analytics (e.g., Google Ads via Zaraz) for users located within the EU.
Legal Obligation (Art. 6(1)(c)): To comply with tax, accounting, and legal retention obligations (e.g., keeping payment records or commercial support correspondence).
4. Data Sharing, Processors, and International Transfers
To operate our Service, we use specialized third-party service providers. Depending on the functionality you use, your personal data may be processed in the United States and other countries outside the European Economic Area (EEA). Where personal data is transferred outside the EEA, we implement appropriate safeguards in accordance with Chapter V GDPR, including, where applicable, adequacy decisions, the EU-US Data Privacy Framework for certified organizations, and the European Commission’s Standard Contractual Clauses.
Infrastructure & Operations
Cloudflare, Inc. (USA): Hosts our infrastructure (Workers, D1 Database, R2 Storage, AI Gateway, Workflows, Queues). Cloudflare also provides Web Analytics. Data transfers are safeguarded by the EU-US Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs).
Amazon Web Services, Inc. (USA): Used for sending transactional and security emails (AWS SES) via their US-East-1 region. Data transfers are safeguarded by the EU-US Data Privacy Framework (DPF) and SCCs.
Stripe, Inc. / Stripe Payments Europe, Ltd.: Handles all payment processing. Data transfers are safeguarded by the EU-US Data Privacy Framework (DPF) and SCCs.
Artificial Intelligence (AI) Providers
We route your prompts and files to selected AI providers in order to generate responses and provide the AI functionality of the Service. We seek to use commercial or API configurations under which submitted data is not used to train general-purpose AI models, subject to the specific provider terms, data processing terms, and technical configuration in use. Because these services are provided by third parties, the exact processing conditions depend on the provider selected and the applicable contractual and technical settings at the time of processing.
OpenAI, LLC (USA): Models via API (Cloudflare AI Gateway). International transfers are safeguarded, where applicable, by the EU-US Data Privacy Framework (DPF) and/or Standard Contractual Clauses (SCCs).
Google LLC (USA): Gemini models via API (Cloudflare AI Gateway). International transfers are safeguarded, where applicable, by the EU-US Data Privacy Framework (DPF) and/or Standard Contractual Clauses (SCCs).
Anthropic PBC (USA): Claude models via API (Cloudflare AI Gateway). International transfers are safeguarded, where applicable, by Standard Contractual Clauses (SCCs) and other appropriate safeguards as required.
xAI Corp (USA): Grok models via API (Cloudflare AI Gateway). International transfers are safeguarded, where applicable, by Standard Contractual Clauses (SCCs) and other appropriate safeguards as required.
Cloudflare Workers AI (USA): Models hosted on Cloudflare’s infrastructure or edge network. International transfers are safeguarded, where applicable, by the EU-US Data Privacy Framework (DPF) and/or Standard Contractual Clauses (SCCs).
5. Data Retention and Deletion
We store your personal data only as long as necessary to fulfill the purposes outlined in this policy or as required by law.
Unverified Accounts: If you register but do not verify your email address, your account and associated data will be automatically deleted 7 days after creation.
Account Deletion: You can delete your account at any time. We apply a 14-day grace period during which you can log back in to cancel the deletion. After 14 days, your account data is permanently deleted from our active databases.
System Backups: Deleted data may remain in encrypted system backups (e.g., Cloudflare D1 snapshots) for up to 90 days before being completely overwritten.
Bug Reports & Support: Bug reports, support correspondence, and voluntarily shared chat logs attached to bug reports are generally retained for up to 12 months after the issue has been resolved. In individual cases, retention may extend up to 24 months where this is strictly necessary for security investigations, the analysis of recurring system vulnerabilities, the prevention of abuse, or the establishment, exercise, or defense of legal claims. Where specific records are subject to statutory commercial or tax retention obligations, they may be retained for the legally required period.
Server Logs: Standard server access logs collected by Cloudflare are retained for a maximum of 90 days.
6. Your Rights Under the GDPR
As a data subject, you have the following rights regarding your personal data:
Right of Access (Art. 15): You can request information about the personal data we hold about you. You can trigger an automated export in your settings, and within a few minutes, you will receive an email containing a secure download link valid for 24 hours.
Right to Rectification (Art. 16): You can update or correct inaccurate data in your account settings.
Right to Erasure (Art. 17): You can request the deletion of your account and personal data at any time via your account settings.
Right to Data Portability (Art. 20): You have the right to receive your data in a structured, commonly used format. You can trigger an automated export in your settings, and within a few minutes, you will receive an email containing a secure download link valid for 24 hours.
Right to Restrict Processing (Art. 18): You may request that we limit the processing of your data under certain circumstances.
Right to Object (Art. 21): You can object to data processing based on legitimate interests.
Right to Withdraw Consent (Art. 7): You can withdraw your consent for optional features (e.g., newsletters or tracking cookies) at any time in your settings.
To exercise any of these rights, you can use the built-in features in your dashboard or contact us at mail@mmarw.com.
7. Cookies & Local Storage
We distinguish between our Landing Page and our Web App:
Web App (Logged In, https://app.mmarw.com): We use only strictly necessary cookies and local storage to keep you securely logged in, manage your active session, and save your UI preferences (e.g., dark/light mode).
Landing Page (Logged Out, https://mmarw.com): We use local storage for UI preferences. For users outside the EU/EEA, we may use privacy-friendly analytics tools such as Cloudflare Web Analytics. For users inside the EU/EEA, non-essential analytics, advertising, and tracking technologies, including Google Ads and Google Tags via Cloudflare Zaraz where implemented, are activated only after you have provided your prior consent through our consent banner.
8. No Automated Decisions
We do not use automated decision-making with legal or significant impact on you (Art. 22 GDPR). The AI assistant provides information only and does not replace your own judgment.
9. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our Service, legal requirements, or technical developments. We will notify you of any material changes via email or an in-app notification. The "Last Updated" date at the top will reflect the current version.