Privacy Policy

Mangles AI, Inc. (“Mangles”, “we”, “us”, or “our”) operates the Mangles.ai platform (the “Service”). This Privacy Policy explains what information we collect, how we use it, with whom we share it, and the choices you have regarding your information.

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this policy, do not use the Service.

2.1 Account and Identity Data

• Email address (used for authentication and communication)
• Display name and profile information you provide during onboarding
• Organization name and membership details
• Account creation and last-login timestamps

2.2 User-Generated Content

Content you create and store within the Service, including:

• AI agent configurations (name, system instructions, model preferences)
• Skill instruction blocks (content, categories, when to use)
• Strategy knowledge base entries (market research, brand guidelines, personas, marketing angles)
• Dataset definitions and dataset row contents (arbitrary structured JSON data)
• Task titles, descriptions, tags, and associated to-do items
• Agent messages and AI-generated outputs stored in chat sessions
• Files uploaded to the Service (processed via AWS S3)

2.3 API Keys (BYOK)

If you choose to provide your own API keys for third-party AI providers (e.g. Anthropic, OpenAI, xAI), those keys are stored encrypted at rest using industry-standard encryption. They are only decrypted in memory at the time of an API call and are never logged or transmitted in plaintext.

2.4 Connector Credentials

If you connect third-party platforms (e.g. social media accounts, marketing tools) via OAuth, we store the resulting OAuth access tokens and refresh tokens in encrypted form. These are used solely to authorize agent actions on your behalf on those platforms.

2.5 Webhook Payloads

When external systems send HTTP requests to your Mangles webhook endpoints, the full request payload (headers, body) is received, processed, and logged in our trigger log database. You are responsible for ensuring that payloads sent to your endpoints comply with applicable data protection laws.

2.6 Usage and Telemetry Data

• AI API call counts and estimated monetary cost per agent
• Agent hours active and task completion counts
• Trigger execution logs (webhook, schedule, one-time run) with timestamps and status
• Plan limits, billing cycle data, and budget threshold settings
• Browser type, operating system, and IP address (standard server logs)

2.7 Cookies and Session Data

We use a single session authentication cookie (JWT token) to maintain your logged-in state. We do not use third-party tracking cookies or advertising cookies. No cross-site tracking or behavioral profiling is performed.

• Authentication: To verify your identity and maintain your session securely.
• Service delivery: To run AI agent executions based on your configurations, execute triggers, process datasets, and generate and store outputs.
• Billing and plan management: To track usage against plan limits, calculate costs, enforce budget thresholds, and process payments.
• Service improvement: Aggregated, anonymized usage patterns (never individual User Content) may inform product decisions and infrastructure capacity planning.
• Communication: To send authentication codes, account notices, billing alerts, and material updates to these policies. We do not send marketing emails without your explicit opt-in.
• Security and compliance: To detect and prevent fraud, abuse, and unauthorized access; to comply with legal obligations.

We do not use your User Content (agent instructions, datasets, knowledge base entries, generated outputs) to train AI models, develop products, or share with other customers.

4.1 Sub-Processors

To provide the Service, we share data with the following categories of sub-processors. Each sub-processor is bound by appropriate data protection agreements:

When your AI agents make inference calls, the relevant portion of the conversation context (including system instructions and user messages in that session) is transmitted to the selected AI Provider. These providers process data under their own privacy policies and terms. We recommend reviewing the applicable AI Provider's privacy policy for details on how they handle inference inputs.

4.2 Legal Disclosures

We may disclose your information if required to do so by law, court order, or governmental authority, or if we believe in good faith that such disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.

4.3 Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on the Service prior to any such transfer.

We retain your data for as long as your account and Organization remain active. When you delete an item (agent, task, dataset, etc.), it is soft-deleted and retained for up to 30 days before permanent deletion, to allow for recovery. When you request deletion of your account:

• Your personal account data is deleted within 30 days of the request;
• Organization data is retained for up to 90 days to allow other administrators to export or transfer ownership, then permanently deleted;
• Aggregated, anonymized usage statistics may be retained indefinitely as they cannot be linked back to you;
• Data required to be retained by law (e.g. billing records) will be kept for the legally mandated period.

We implement industry-standard security measures to protect your data, including:

• TLS encryption for all data in transit;
• Encryption at rest for the database and file storage;
• Encrypted storage of all API keys and OAuth credentials with decryption only at the time of use;
• Access controls that limit employee access to production data to authorized personnel on a need-to-know basis;
• Regular security reviews and vulnerability assessments.

Despite these measures, no system is completely secure. We cannot guarantee the absolute security of your information. In the event of a data breach that affects your personal data, we will notify you in accordance with applicable law.

Depending on your location, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion: Request deletion of your personal data (subject to legal retention requirements).
• Portability: Request a machine-readable export of your data where technically feasible.
• Restriction / Objection: Request that we restrict processing of your data or object to certain processing activities.
• Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at hello@mangles.ai. We will respond within 30 days. California residents may also have rights under the California Consumer Privacy Act (CCPA). EU/EEA residents may lodge a complaint with their local supervisory authority.

Mangles AI, Inc. is based in the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our sub-processors operate. By using the Service, you acknowledge these transfers. Where required, we rely on Standard Contractual Clauses or other appropriate transfer mechanisms for data transferred from the EU/EEA.

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete it. If you believe a child has provided us personal data, please contact us at hello@mangles.ai.

We may update this Privacy Policy from time to time. When we make material changes, we will revise the “Effective date” at the top of this page and notify you via email or a prominent notice within the Service at least 14 days before the changes take effect. Your continued use of the Service after the effective date constitutes your acceptance of the updated policy.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our privacy team at: