Privacy Policy
Effective Date: May 26, 2026 | Last Updated: May 26, 2026
Mandate AI Labs, Inc. ("Mandate AI Labs," "we," "us," or "our") is committed to protecting the privacy of individuals and organizations that use our services. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you visit our website at mandatelabs.ai (the "Site") or use our application programming interfaces and related services (collectively, the "Services").
1. Information We Collect
Information You Provide
- Account Information: When you register for an API account, we collect your name, email address, organization name, country, and billing information.
- Communications: When you contact us, we collect the content of your messages, your email address, and any other information you choose to provide.
- API Configuration: Agent identifiers, mandate definitions, and transaction parameters you configure through our Services.
Information Collected Automatically
- Usage Data: API call volumes, response times, error rates, and endpoint usage patterns.
- Transaction Metadata: Decision quality scores, authorization decisions, and behavioral telemetry data generated by our Services when processing agent transactions. We do not store the underlying financial transaction details (card numbers, bank accounts, etc.).
- Device and Log Information: IP address, browser type, operating system, referring URLs, and access timestamps when you visit our Site.
- Cookies and Similar Technologies: We use essential cookies to maintain session state and analytics cookies to understand Site usage. See Section 7 for details.
Information from Third Parties
- Identity Verification Providers: If you use our KYC/KYB passthrough feature, we receive verification status and reference identifiers from your designated provider. We do not receive or store the underlying identity documents.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Service Delivery: To provide, maintain, and improve the Services, including processing authorization requests and generating decision quality scores.
- Research and Development: To develop and improve our decision quality scoring models, behavioral telemetry, and agent verification algorithms. Data used for research is aggregated and de-identified.
- Security: To detect, prevent, and respond to fraud, abuse, security incidents, and technical issues.
- Communications: To send service-related notices, respond to inquiries, and provide technical support.
- Compliance: To comply with applicable laws, regulations, and legal processes.
- Analytics: To understand how our Site and Services are used and to improve user experience.
3. How We Share Your Information
We do not sell your personal information. We may share information in the following circumstances:
- Service Providers: With vendors who perform services on our behalf (cloud hosting, analytics, payment processing), subject to confidentiality obligations.
- Legal Requirements: When required by law, regulation, legal process, or governmental request.
- Protection of Rights: To protect the rights, property, or safety of Mandate AI Labs, our users, or the public.
- Business Transfers: In connection with a merger, acquisition, or sale of assets, with notice to affected users.
- With Your Consent: When you direct us to share information with third parties.
We do not share raw transaction data or decision quality scores with parties other than the principal (account holder) who submitted the authorization request.
4. Data Retention
We retain your information for as long as your account is active or as needed to provide the Services. Specifically:
- Account Information: Retained while your account is active and for 30 days following a deletion request.
- Authorization Logs: Retained for 90 days in identifiable form, then aggregated and de-identified for research purposes.
- Behavioral Telemetry Data: Retained in de-identified, aggregated form indefinitely for model training and research.
- Communications: Retained for 2 years after the last interaction.
We may retain certain information as required by law or for legitimate business purposes (fraud prevention, dispute resolution, enforcement of agreements).
5. Data Security
We implement appropriate technical and organizational measures to protect your information, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- API key hashing using industry-standard algorithms
- Role-based access controls and audit logging
- Regular security assessments and penetration testing
- Infrastructure hosted on SOC 2 compliant cloud providers
No method of transmission over the Internet is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
6. Your Rights and Choices
All Users
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate personal information.
- Deletion: Request deletion of your personal information, subject to legal retention requirements.
- Data Portability: Request your data in a structured, machine-readable format.
- Opt-Out of Analytics: Disable non-essential cookies through your browser settings.
California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it.
- Right to Delete: You may request deletion of personal information we have collected, subject to certain exceptions.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
- No Sale of Personal Information: We do not sell personal information as defined by the CCPA. We do not sell personal information of minors under 16.
To exercise your rights, contact us at privacy@mandatelabs.ai. We will verify your identity before processing your request. You may designate an authorized agent to make a request on your behalf.
Categories of Information Collected (CCPA Disclosure)
In the preceding 12 months, we have collected the following categories of personal information: identifiers (name, email, IP address), commercial information (transaction metadata), internet activity (usage data, API logs), and professional information (organization name, role). These are collected from you directly and from your use of our Services, and are used for the business purposes described in Section 2.
7. Cookies and Tracking Technologies
Our Site uses the following types of cookies:
- Essential Cookies: Required for Site functionality (session management, security). Cannot be disabled.
- Analytics Cookies: Help us understand how visitors interact with our Site. You may opt out through your browser settings or by using the cookie banner on our Site.
We do not use advertising cookies or third-party tracking pixels. We do not respond to Do Not Track (DNT) signals at this time, as there is no industry-standard implementation.
8. International Data Transfers
Our Services are operated from the United States. If you access our Services from outside the United States, your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using our Services, you consent to such transfers.
9. Children's Privacy
Our Services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child, we will take steps to delete it promptly.
10. Third-Party Links
Our Site may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our Site with a revised "Last Updated" date. For material changes affecting your rights, we will provide notice via email to the address associated with your account at least 30 days before the changes take effect.
12. Contact Us
If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us at:
Mandate AI Labs, Inc.
San Francisco, CA
Email: privacy@mandatelabs.ai
For CCPA-specific requests, you may also contact us at privacy@mandatelabs.ai with the subject line "CCPA Request."