Privacy Policy (Draft)

Last updated: April 2026 · Effective date: TBD
This draft is based on a code-level audit of the Mycelium system. Have a qualified lawyer review for GDPR compliance before publishing.

This Privacy Policy explains exactly what data Mycelium collects, where it goes, in what format, and who can access it. We believe you should know precisely what happens with your data — no vague language, no hidden practices.

Mycelium is operated by [COMPANY LEGAL NAME], registered in Estonia, registry code [REGISTRY CODE].

1. The Short Version

2. What Data We Collect

2.1 Data You Provide Directly

Data Type | What It Includes | Purpose
Messages | Text via Portal, Telegram, Discord, WhatsApp | AI conversation, knowledge organization
Documents | Notes, reflections, living documents | Personal knowledge management
Files | Images, PDFs, audio, documents | Storage, processing (transcription, vision)
Voice Messages | Audio recordings | Transcription and AI processing
Account Info | Display name, timezone, email | Account management

2.2 Data We Generate From Your Content

Data Type | What It Is | Purpose
Text Embeddings | 1024D vectors (BGE-M3) | Semantic search
Clustering Embeddings | 256D vectors (Nomic v1.5) | Topic mapping, Mindscape
Topic Clusters | Groupings by theme | Knowledge organization
AI Responses | Generated text | Conversation history
Transcriptions | Text from audio | Searchability

2.3 Data We Do NOT Collect

3. Where Your Data Goes

3.1 Cloudflare (Infrastructure)

What they host: D1 (database), R2 (file storage), Vectorize (embeddings), Workers AI (embedding generation, transcription).

What they do NOT receive: Your encryption keys. Your master key never leaves your server.

Privacy policy: cloudflare.com/privacypolicy

3.2 Anthropic (AI Provider — Claude)

What they receive: Message text and context when the AI processes your conversation.

Data retention: Under our API agreement, Anthropic does not use API inputs or outputs to train models. They may retain inputs for up to 30 days for safety purposes.

Privacy policy: anthropic.com/privacy

3.3 Hetzner (Server Provider)

What they host: Your dedicated VPS running Mycelium agents.

Location: Germany (Falkenstein, Nuremberg) and Finland (Helsinki).

Privacy policy: hetzner.com/legal/privacy-policy

3.4 Messaging Platforms (If Connected)

If you connect Telegram, Discord, or WhatsApp, messages flow through that platform's infrastructure. The platform retains a copy under its own terms. We receive a copy for processing.

4. Encryption and Security

Encryption at rest: Data encrypted per-record using AES-256-GCM. Your master key exists only on your server and never leaves it. Cloudflare stores only ciphertext.

Encryption in transit: All data transmitted via TLS (HTTPS).

Authentication: Passkeys (WebAuthn) — your private key never leaves your device. HttpOnly session cookies. Scoped agent tokens.

Isolation: Each managed hosting customer has a dedicated server, separate database, and separate encryption scope.

5. How We Use Your Data

Purpose | Legal Basis (GDPR)
Providing the AI assistant service | Performance of contract (Art. 6(1)(b))
Generating embeddings and organizing knowledge | Performance of contract (Art. 6(1)(b))
Account security and authentication | Legitimate interest (Art. 6(1)(f))
Service-related communications | Legitimate interest (Art. 6(1)(f))
Complying with legal obligations | Legal obligation (Art. 6(1)(c))

We do NOT use your data for: Training AI models, advertising, marketing profiling, selling to third parties, or behavioral analytics.

6. Data Retention

Data Type | Retention
Messages and documents | Until you delete them or close your account
Files and attachments | Until you delete them or close your account
Embeddings | As long as source content exists
After account closure | All data deleted within 30 days

7. Your Rights (GDPR)

You have the right to: Access your data, Rectify inaccuracies, Delete your data (within 30 days), Export in machine-readable format, Restrict processing, Object to processing, and Withdraw consent.

Contact us at business@curiouslife.is. We will respond within 30 days.

8. Data Transfers

Because we are an Estonian (EU) company, your data is protected under GDPR. International transfers are covered by adequacy decisions, standard contractual clauses, or equivalent measures (GDPR Chapter V).

9. Security Incidents

If we become aware of a security incident affecting your data, we will notify you within 72 hours. We will describe the incident, data affected, and measures taken.

Your responsibility: The security of your devices, credentials, and encryption keys is your responsibility. If your encryption key is lost, we cannot recover your encrypted data.

10. Children

Mycelium is not intended for anyone under 18. We do not knowingly collect data from minors.

11. Changes

We may update this policy with 30 days' notice for material changes.

Data Flow Diagram

YOUR DEVICE
  |
  |-- Portal (browser) ---- HTTPS ----+
  |-- Telegram ---- Telegram servers --+
  |-- Discord ----- Discord servers ---+
  |-- WhatsApp ---- WhatsApp servers --+
                                       |
                                       v
                             YOUR MYCELIUM SERVER
                             (Hetzner VPS, Germany)
                               |
                               |-- Encrypts (AES-256)
                               |-- Processes with Claude (Anthropic API)
                               |     Sends: message text + context
                               |     Receives: AI response
                               |
                               +-- Stores via Cloudflare
                                    |-- D1: Encrypted structured data
                                    |-- R2: Encrypted files
                                    |-- Vectorize: Embedding vectors
                                    +-- Workers AI: Embeddings, transcription
                                       (processed, not stored)

Contact & Supervisory Authority

Data Controller: [COMPANY LEGAL NAME], Estonia
business@curiouslife.is

Supervisory Authority: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) — aki.ee

This Privacy Policy is a draft and should be reviewed by qualified legal counsel before publication.