MislyAI

Privacy Policy

Last updated

We’re building a calm, intelligent companion for your goals. That only works if we treat your data with care. This policy explains exactly what we collect, why, and how to push back if you’re uncomfortable.

1. Who we are

MislyAI is the data controller for personal data processed through this service. Contact: [email protected].

2. What we collect

We collect three categories of data:

  • Account data. Email, display name, password hash (if email + password sign-in), Google account ID + avatar (if Google sign-in), account creation date.
  • Content you create. Goals, habits, milestones, journal entries, intake answers, notes — everything you put into your dashboards.
  • Usage telemetry. Aggregate event signals (e.g., “a brief was generated”, “a habit was ticked”) used to improve the product. We do not sell this data.

We do not collect special-category data (health, biometrics, etc.) on purpose. If you choose to write health-related goals into a journal entry, that content lives under “content you create” with the same protection as everything else.

3. Why we process it (legal bases)

  • Contract. To provide the service you signed up for.
  • Legitimate interest. To prevent fraud, debug errors, and improve the product using aggregated telemetry.
  • Consent. For any optional feature that goes beyond the basics — e.g., email newsletters if and when we offer one. You can withdraw consent at any time.

4. Who else sees your data

We use a small number of trusted processors. Each is contracted under standard data-processing agreements:

  • Neon — managed Postgres database where your account + content live.
  • Anthropic — the AI model provider that generates plans, briefs, and reflections. Your prompts pass through Anthropic but are not used to train their foundation models per their commercial terms.
  • Vercel — the hosting platform that serves the website and runs the server-side code.
  • Stripe — payment processor (only when paid plans launch). Stripe is the data controller for payment information; we never store full card numbers.
  • Google — OAuth identity provider, only if you sign in with Google.

We never sell your data, and we never share content you create with advertisers or third-party model trainers.

5. International transfers

Some processors are based outside the EEA / UK. Where that applies we rely on Standard Contractual Clauses or equivalent transfer mechanisms approved by the European Commission and the UK ICO.

6. How long we keep it

  • Account + content data: for as long as your account exists. Deleted within 30 days of account closure.
  • Telemetry: aggregated and retained for up to 24 months for product analytics.
  • Server logs: 30 days, then rotated.

7. Your rights

Under GDPR / UK GDPR / CCPA you have the right to:

  • Access a copy of your personal data
  • Correct inaccurate data
  • Delete your data (“right to be forgotten”)
  • Object to or restrict processing on legitimate-interest grounds
  • Export your data in a portable format
  • Withdraw consent for any consent-based processing
  • Lodge a complaint with your data-protection authority — in Bulgaria the CPDP

To exercise any of these, email [email protected]. We’ll respond within 30 days. (We’re working on self-serve export + deletion in-product so you don’t need to email us.)

8. Cookies + Do Not Track

We use a small number of cookies for session login and a theme-preference token. We do not use third-party advertising or cross-site tracking cookies. We respect the browser-level Do Not Track signal — when set, our telemetry endpoints accept the request and discard it without writing.

9. Children

MislyAI is not designed for and not directed at children under 16. We don’t knowingly collect data from children. If you think we have, contact us and we’ll delete the account.

10. Changes

We may update this policy. Material changes are notified by email or in-product before they take effect. The date at the top reflects the latest revision.