Privacy policy
Last updated: 2026-05-03
Mycelium (the “Company,” “we,” “us”) operates myceliumai.co, the open-source memory layer at github.com/adelaidasofia/ai-brain-starter, and a productized commercial runtime delivered to enterprise pilot customers under engagement letter. This policy covers what each surface collects, how data is stored, how it is shared, and how you exercise your rights.
1. Marketing site (myceliumai.co)
The pilot inquiry form collects: company name, your name, work email, role, industry, company size band, expected pilot start window, current AI tooling toggles, biggest integration pain, and an optional free-text field. The form delivers a single email to the founders via Resend (transactional email provider, US-based, GDPR processor with a published DPA at resend.com/legal/dpa).
We use PostHog (posthog.com/privacy) for product analytics on the marketing site. We capture pageviews, page leave events, and a small set of CTA clicks to understand what enterprise readers find valuable. We do not enable autocapture, do not link sessions to your work email, and do not write identifying cookies until you submit the form.
We do not run third-party advertising trackers, social pixels, or session replay tools on this site.
2. Open-source memory layer
The open-source memory layer at github.com/adelaidasofia/ai-brain-starter runs entirely on your own machine. We never receive your vault data, journals, decisions, or any local state created by the memory layer unless you explicitly send a portion of it to us as part of a paid pilot or a support request.
3. Productized runtime (paying pilots)
Customers on a paid pilot run the productized runtime in either a Mycelium-managed tenant (US or EU region of your choice) or in your own cloud or on-premise infrastructure (Enterprise Pilot tier). In every deployment shape, your tenant data stays inside the tenant boundary and is never used to train shared models, used to shape another tenant’s outputs, or marketed to a third party.
The runtime maintains an audit log of every read, write, and synthesis event with actor, timestamp, and source. Audit logs are exportable on demand. Default retention is twelve months; longer retention is configurable per tenant under SOX or HIPAA-adjacent contracts.
4. Subprocessors
Across our marketing and runtime surfaces we currently rely on the following subprocessors:
- Vercel Inc. (hosting, edge network), US
- Resend, Inc. (transactional email), US
- PostHog, Inc. (product analytics), US (EU instance available on request)
- Anthropic PBC (LLM compute, used inside the runtime where opted in by the customer), US
- OpenAI, OpenRouter, MiniMax (LLM compute, opt-in per-tenant), US
A complete subprocessor list, with regions and contractual safeguards, is available in our Data Processing Addendum at /dpa.
5. International transfers
Personal data submitted via the marketing site is processed in the United States by our subprocessors. For customers in the European Economic Area, the United Kingdom, or Switzerland, we rely on the EU Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum (March 2022) where applicable. Customers on the Enterprise Pilot tier can elect to keep data in an EU region under separate contractual terms.
6. Your rights (GDPR, UK GDPR, CCPA, LGPD)
You have the right to access, correct, delete, or request a copy of the personal data we hold about you. You can also object to or restrict our processing, and (where applicable) withdraw consent or lodge a complaint with a supervisory authority. To exercise any of these rights, write to adelaida@diazroa.com. We respond within thirty days; complex requests may extend to sixty.
7. Retention
Inquiry-form submissions are retained while we are evaluating or running a pilot with you, and for twelve months after the pilot ends, after which we delete the thread and related notes unless you ask us to keep them. Audit logs in the productized runtime follow the retention schedule named in your engagement letter.
8. Security
TLS 1.3 in transit. AES-256 at rest. Per-tenant scoping on every request, every tool call, every webhook. Vulnerability reports go to adelaida@diazroa.com; we follow the coordinated disclosure timeline at /security.
9. Changes
We update this policy when our subprocessor list, retention defaults, or runtime shape change in a way that affects you. Material changes are surfaced in the footer and notified by email to active pilot customers no less than thirty days before they take effect.
10. Contact
Privacy questions: adelaida@diazroa.com. General contact: adelaida@diazroa.com.
Mycelium · founded 2026