1mn.ai
Legal

Privacy Policy

Last updated: June 23, 2026

This Privacy Policy explains how 1mn.ai ("1mn", "we", "us", or "our") collects, uses, shares, and protects personal data in connection with the 1mn.ai platform, websites, and services (the "Service"). It should be read together with our Terms & Conditions.

In plain English. 1mn is an autonomous AI platform that runs product, marketing, and support loops for a software business. To do its job, it processes information about you (our customer), the data and accounts you connect, and the content it generates. For some data — especially data about your end users that you collect through our SDK or integrations — you are in charge and we act on your instructions. This policy describes both situations.

1. Scope and our roles

This policy covers personal data we process when you visit our websites, create an account, and use the Service. It does not cover third-party services you connect, which have their own privacy practices.

We act in two different capacities:

  • As a controller for personal data about you and other users of our Service — for example, account and billing data and how you use the Service. For this data, we decide the purposes and means of processing, and this policy applies directly.
  • As a processor (or service provider) for personal data you submit or generate through the Service that relates to your business and your end users — for example, events collected through the 1mn SDK, data pulled from your connected analytics, advertising, search, repository, or messaging tools, and the content the AI processes on your behalf. For this data, you are the controller: you decide why and how it is processed, you are responsible for having a lawful basis and the necessary notices and consents, and we process it under your instructions and any applicable data processing addendum ("DPA").

2. Information we collect

In plain English. Some information you give us, some is created as the Service works for you, and some is collected automatically.

Information you provide:

  • Account and profile data — name, email, password (stored hashed), and, if you sign in with a third-party provider, basic profile information from that provider.
  • Business and workspace data — your website URL and the content, instructions, files, and configuration you submit, and information the Service derives from them (such as a business profile, brand voice, competitor records, and goals).
  • Integration credentials — access tokens, API keys, and connection identifiers for tools you connect. Sensitive credentials are encrypted at rest, and certain provider keys are injected only at the point of use and are not exposed to the AI runtime.
  • Billing data — subscription status, plan, credit balances, advertising wallet balances and ledger, and transaction metadata. Card and payment details are collected and processed by our third-party payments provider, not stored by us.
  • Support and communications — messages you send us and related metadata.

Information created by the Service: prompts, agent run logs and traces, generated content and other Output, reports, recommendations, advertising drafts and performance metrics, automated-action records, and similar operational data produced as the Service performs work for you.

Information collected automatically: device and usage data (such as IP address, browser and device information, pages and features used, timestamps, and diagnostic and error data), collected through our own analytics and security tooling and essential cookies (see Section 8).

Data you process through the Service (you as controller): depending on the features and integrations you enable, the Service processes data from your connected tools and from end users of your product — for example, product analytics events, identified-user properties, error reports, web-vitals, in-app feedback, advertising performance, search-console metrics, and repository contents. You determine what this data contains.

3. How the AI processes your data

In plain English. To do the work you ask for, we send the relevant context to AI model providers and run tasks in isolated cloud environments. We don't sell your data, and we don't use it to train third-party foundation models.

The Service relies on third-party large language models and runs agent tasks in isolated, ephemeral cloud sandboxes. To perform a task, we transmit the relevant context — which may include Your Content, connected data, and instructions — to our AI subprocessor(s) for processing, and we retain operational logs of the run. We do not use your content or your end users' data to train third-party foundation models, and we do not sell personal data. Our AI providers process data under their terms and their enterprise/commercial data-use commitments; we select providers that do not train their models on customer API data by default. AI processing is probabilistic and may produce inaccurate results — see the autonomous-AI provisions of the Terms & Conditions.

4. How we use information

We use personal data to:

  • provide and operate the Service — authenticate you, run the agent loops and tasks you request, generate Output, execute authorized actions through your connected accounts, and manage advertising and wallets;
  • process billing — manage subscriptions, credits, deposits, fees, and reconciliation;
  • secure and maintain the Service — monitor for abuse, fraud, and security incidents, enforce limits and guardrails, debug, and ensure reliability;
  • communicate with you — send service, transactional, security, and (where permitted) product and marketing messages, which you can opt out of;
  • improve the Service — analyze usage and performance using telemetry and de-identified or aggregated data that does not identify you or your end users; and
  • comply with law — meet legal obligations and enforce our agreements.

Where required, we rely on a lawful basis such as performance of our contract with you, your consent, our legitimate interests in operating and improving the Service, or compliance with a legal obligation. For data we process as your processor, the lawful basis is your responsibility as controller.

5. How we share information

In plain English. We share data with the infrastructure and AI providers that run the Service, with the third-party tools you connect, and where the law requires. We do not sell your personal data.

We share personal data with:

  • Subprocessors — vetted vendors that host and power the Service, including cloud infrastructure and storage, AI/LLM providers, payment processing, email delivery, and analytics. We maintain a current list of subprocessors and the categories of processing they perform; see Section 6.
  • Third-party platforms you connect — when you authorize an integration, we exchange data with that platform to provide the feature (for example, to read metrics or to create and manage advertising on your behalf). Your use of those platforms is governed by their terms and privacy policies.
  • Your own organization — other members or collaborators you invite to your workspace.
  • Legal, safety, and corporate transactions — to comply with law or lawful requests, to protect rights, safety, and the integrity of the Service, and in connection with a merger, acquisition, financing, or sale of assets (subject to this policy).

We do not sell personal data and do not "share" it for cross-context behavioral advertising as those terms are defined under applicable U.S. state privacy laws.

6. Subprocessors and integrations

The Service uses third-party subprocessors to operate, and integrates with platforms you choose to connect. As built, these include providers of: cloud hosting, compute, databases, object storage, and isolated containers; large language model and AI services; payment processing and billing; transactional email; and product analytics and error monitoring. Connected integrations may include advertising platforms, web and product analytics, search-console data, code hosting, and messaging tools. Because the Service evolves, our subprocessors and supported integrations may change; we maintain an up-to-date list and will provide it on request or as required by an applicable DPA.

7. Cookies and similar technologies

We use strictly necessary cookies and similar technologies to authenticate sessions, remember preferences, secure the Service, and understand usage. We dogfood our own analytics SDK on our websites. Where required by law, we present cookie/consent choices; you can also control cookies through your browser. Some features will not function without essential cookies.

8. Data retention

We retain personal data for as long as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. Operational logs, agent run traces, and event data are retained for a limited period appropriate to their purpose and then deleted or aggregated. Data we process as your processor is retained according to your instructions and the applicable DPA. When you close your account, we delete or de-identify personal data within a commercially reasonable period, except where retention is required by law or for legitimate business purposes such as security and fraud prevention.

9. Security

In plain English. We design the Service to limit who and what can see sensitive data — credentials are encrypted, secrets are kept out of the AI runtime, and tasks run in isolated environments.

We implement administrative, technical, and organizational measures appropriate to the risk, including encryption of sensitive credentials at rest, isolation of agent runs in ephemeral sandboxes, scoping and short-lived issuance of access tokens, keeping certain provider secrets out of the execution environment, access controls, and monitoring. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for safeguarding your account credentials and for the security choices you make, including which integrations you connect and what autonomy you enable.

10. International data transfers

We and our subprocessors may process personal data in countries other than your own. Where we transfer personal data internationally, we use appropriate safeguards required by applicable law, such as standard contractual clauses or other recognized transfer mechanisms.

11. Your rights and choices

Depending on where you live and your relationship to the data, you may have rights to access, correct, delete, port, restrict, or object to processing of your personal data, and to withdraw consent. You can manage much of your information directly in the Service or by contacting us at [email protected]. We will respond as required by applicable law and will not discriminate against you for exercising your rights.

If we process data about you as a processor on a customer's behalf (for example, you are an end user of a product that uses the 1mn SDK), please direct your requests to that customer — the controller of your data — and we will assist them as required.

Region-specific disclosures

In plain English. Extra rights apply if you're in the EEA/UK or in certain U.S. states. They're summarized here.

  • EEA / UK (GDPR). Our lawful bases are described in Section 4. You have the rights listed above and the right to lodge a complaint with your supervisory authority. For data we process on your behalf, a DPA with EU/UK standard contractual clauses is available. The data controller for account data is 1mn Inc.; for data you process through the Service, you are the controller.
  • California (CCPA/CPRA) and similar U.S. state laws. We describe the categories of personal information we collect, use, and disclose, and the purposes, above. We do not sell or share personal information for cross-context behavioral advertising. You have rights to know, access, correct, delete, and to limit certain uses of sensitive information, and the right not to be discriminated against for exercising them. You may submit requests to [email protected]; we will verify requests as required by law, and you may use an authorized agent.

12. Children's privacy

The Service is not directed to children, and we do not knowingly collect personal data from children under the age required by applicable law (at least 16 in some jurisdictions). If you believe a child has provided us personal data, contact us and we will take appropriate action.

13. Changes to this Privacy Policy

In plain English. As we add features, integrations, and AI capabilities, we'll keep this policy current and tell you about material changes.

We may update this Privacy Policy to reflect new features, integrations, AI capabilities, data practices, or legal requirements. We will post the updated policy with a new "Last updated" date and, for material changes, provide reasonable notice. Your continued use of the Service after an update constitutes acceptance of the revised policy where permitted by law.

14. Contact us

For privacy questions or to exercise your rights, contact us at [email protected]. The Service is operated by 1mn Inc. (1mn.ai). If you have a data-protection inquiry, you can also reach our privacy team at the same address.