Privacy Policy

1. Who we are

This Privacy Policy describes how Munshot Technologies Private Limited (“Munshot”, “we”, “us”, or “our”) collects, uses, discloses, and protects information in connection with the website at muns.io (the “Site”), the Munshot platform (the “Platform”), and any related products and services we provide (collectively, the “Services”).

Munshot is a company incorporated in India with corporate identification number U62091DL2024PTC440064 and registered office at N-146 (2F), Panchsheel Park, New Delhi 110016, India. By accessing or using the Services, or by submitting information to us, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use the Services.

2. Scope of this Policy

This Privacy Policy applies to information we collect through (i) the Site, (ii) the Platform, (iii) marketing and sales communications, (iv) customer support interactions, and (v) any other channel where we reference or link to this Policy.

For customers who have signed a Subscription Agreement, Order Form, Data Processing Addendum, or other written contract with us (each, an “Agreement”), this Privacy Policy supplements the Agreement. In the event of any conflict between this Privacy Policy and an Agreement, the Agreement will prevail to the extent of that conflict.

This Privacy Policy does not apply to third-party websites, services, or applications that link to or integrate with the Services. Those third parties are governed by their own privacy practices, and we encourage you to review them.

3. Information we collect

Account and profile information. When you create an account, request a demo, sign up for a trial, subscribe to communications, or contact us, we may collect your name, business email, job title, employer, country, phone number, and any other information you choose to provide.

Customer Data. When authorised users of a customer organisation use the Platform, those users may upload, input, generate, or otherwise submit data, files, prompts, queries, configurations, and outputs (collectively, “Customer Data”). Customer Data is processed on behalf of the customer organisation in accordance with the applicable Agreement and this Policy.

Usage and telemetry data. We collect information about how you interact with the Services, including pages and screens viewed, features used, queries made, response times, errors encountered, configuration choices, session duration, click streams, and similar event data.

Device and connection data. We collect information about the devices and connections used to access the Services, including IP address, browser type and version, operating system, device identifiers, language preferences, screen resolution, time-zone setting, and referring URLs.

Communications. When you correspond with us by email, chat, support ticket, social media, or telephone, we collect the contents of those communications and any attachments.

Third-party integrations. If you connect a third-party account or data source to the Services (for example, Google, Microsoft, LinkedIn, or another OAuth-based identity or data provider), we may receive identifiers, profile information, contact information, calendar entries, file metadata, file contents, and other data that you authorise the third party to share with us. The scope of that data is governed by the permissions you grant and by the third party’s terms.

Cookies and similar technologies. We and our service providers use cookies, pixels, local storage, and similar technologies to operate the Services, remember preferences, measure usage, and improve the experience. See “Cookies and tracking” below.

Information from public and third-party sources. We may obtain information from publicly available sources, business directories, lead-generation providers, data vendors, and analytics partners, and combine it with information we already hold.

4. How we use information

We use the information we collect to:

• provide, operate, maintain, and improve the Services;
• create, authenticate, and administer accounts and Authorized Users;
• process transactions and manage billing in accordance with the applicable Agreement;
• provide customer support and respond to enquiries;
• send service messages, security alerts, and administrative notifications;
• monitor and protect the security, integrity, and availability of the Services, including detecting, preventing, and responding to fraud, abuse, security incidents, and violations of our policies;
• evaluate, debug, test, train, and improve models, algorithms, prompts, retrieval systems, and features on the Platform, subject to the safeguards described in “AI and model training” below;
• analyse aggregate usage patterns and conduct research and development;
• personalise content, recommendations, and product experiences;
• comply with applicable law, court orders, lawful requests by public authorities, and internal policies;
• enforce our terms, agreements, and policies;
• market the Services and send promotional communications (subject to your right to opt out);
• support corporate transactions such as mergers, acquisitions, financings, restructurings, or divestitures; and
• carry out any other purpose disclosed to you at the time we collect the information or for which you provide your consent.

We may use information in additional ways that are consistent with this Privacy Policy or, where required by applicable law, with notice to you and your consent.

5. AI and model training

Customer Data submitted under a signed Agreement is not used to train foundation models that are made available to third parties. We may use Customer Data in de-identified, aggregated, or pseudonymised form to evaluate, debug, test, secure, and improve our Platform, including its underlying models, retrieval and ranking systems, prompt engineering, and operational performance.

We apply reasonable technical and organisational measures designed to ensure that this use does not expose Customer Data, identify specific individuals, or reveal Customer-specific information to other customers or to the public. If a Customer requires bespoke restrictions on the use of its Customer Data for model evaluation or improvement, those restrictions must be set out in the Customer’s executed Agreement and will prevail to the extent of any conflict with this section.

6. Legal bases for processing

Where applicable law (such as the GDPR in the European Economic Area or the UK GDPR in the United Kingdom) requires a legal basis for processing personal data, we rely on one or more of the following:

• Performance of a contract — where processing is necessary to provide the Services to you or your organisation, or to take steps at your request before entering into a contract;
• Legitimate interests — where processing is necessary for our legitimate interests in operating, securing, marketing, and improving the Services and in preventing fraud, and those interests are not overridden by your rights and freedoms;
• Consent — where you have given us consent for a specific purpose, such as certain marketing communications or non-essential cookies; and
• Legal obligation — where processing is necessary to comply with applicable law.

You have the right to withdraw consent at any time where processing is based on consent; withdrawal does not affect the lawfulness of processing carried out before withdrawal.

7. How we share information

We do not sell personal information for monetary or other valuable consideration. We share information only as follows:

Service providers and sub-processors. We share information with vendors and contractors that provide hosting, infrastructure, storage, analytics, communications, customer support, billing, identity, authentication, security, and similar services. These providers are permitted to use information only to provide services to us and in accordance with our written instructions and applicable confidentiality and data-protection obligations.

Affiliates. We may share information with our parent, subsidiary, and affiliated entities for the purposes described in this Policy.

Professional advisers. We may share information with lawyers, accountants, auditors, bankers, and insurers under appropriate confidentiality obligations.

Corporate transactions. If we are involved in a merger, acquisition, financing, reorganisation, bankruptcy, asset sale, or other change of control, information may be transferred as part of that transaction, subject to standard confidentiality undertakings.

Legal and protective. We may disclose information when we believe in good faith that disclosure is necessary to (i) comply with applicable law, regulation, legal process, or governmental request; (ii) enforce our terms; (iii) detect, prevent, or otherwise address fraud, security, or technical issues; (iv) protect the rights, property, or safety of Munshot, our users, or the public; or (v) defend against legal claims.

With your direction. We may share information with third parties at your direction or with your consent, including when you connect or authorise a third-party integration.

8. International data transfers

Munshot is headquartered in India. We and our service providers may process information in India, the United States, the European Economic Area, the United Kingdom, and other jurisdictions in which we or our providers operate. Where required by law, we implement appropriate safeguards for cross-border transfers, including the European Commission’s Standard Contractual Clauses or equivalent transfer mechanisms.

9. Cookies and tracking

We use cookies and similar technologies to (i) operate essential features of the Services, such as session management and security, (ii) remember your preferences, (iii) measure and analyse use of the Site and Platform, and (iv) improve performance. We use Vercel Analytics and may use additional analytics, attribution, error-monitoring, and performance tools from time to time.

You can control cookies through your browser settings. Some browsers offer a “Do Not Track” signal; we currently do not respond to DNT signals in a way that goes beyond the controls described in this section. If we deploy a cookie-consent banner in a particular jurisdiction, your choices through that banner will govern in that jurisdiction.

10. Data retention

We retain information for as long as is needed to provide the Services, to comply with our legal, accounting, or reporting obligations, to resolve disputes, to enforce our agreements, and to operate our business. Retention periods vary by data category and context.

For Customer Data submitted under a signed Agreement, retention, deletion, return, and post-termination obligations are governed by that Agreement. Where an Agreement is silent, we retain Customer Data for a reasonable period to allow for transition, dispute resolution, and back-up cycles, after which we delete or de-identify it in accordance with our standard practices.

11. Security

We implement administrative, technical, and physical safeguards designed to protect information against loss, theft, misuse, unauthorised access, disclosure, alteration, and destruction. Our security programme is designed to align with widely recognised industry frameworks, including SOC 2, ISO 27001, the GDPR, and the CCPA.

No system, however, is perfectly secure, and we cannot guarantee absolute security. You are responsible for safeguarding your account credentials and for promptly notifying us of any suspected unauthorised use of, or other security incident affecting, your account.

12. Your rights

Depending on where you reside and the laws that apply, you may have the following rights with respect to your personal information:

• Access — request a copy of personal information we hold about you;
• Correction — request that we correct inaccurate or incomplete information;
• Deletion — request that we delete personal information, subject to applicable exceptions;
• Portability — request that personal information be provided in a structured, commonly used, machine-readable format;
• Restriction or objection — request that we restrict or object to certain processing;
• Withdraw consent — withdraw consent where processing is based on consent; and
• Lodge a complaint — file a complaint with a competent supervisory authority in your jurisdiction.

To exercise these rights, contact us at ceekay@muns.io. We may need to verify your identity before responding and may decline a request to the extent permitted by law.

Where Customer Data is processed on behalf of a customer organisation, individual rights requests are routed to that organisation as the controller of the data; we will reasonably assist the organisation as required by the applicable Agreement.

13. Region-specific disclosures

European Economic Area and the United Kingdom. If you are located in the EEA or the UK, Munshot is the controller of personal information collected through the Site and through our direct sales, marketing, and support activities. For Customer Data, the customer organisation is the controller and Munshot acts as the processor. You have the rights listed above and may lodge a complaint with your national supervisory authority.

California, United States. If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (the “CCPA”), provides additional rights, including the right to know, the right to delete, the right to correct, the right to opt out of the sale or sharing of personal information (we do not sell or share personal information as those terms are defined under the CCPA), and the right to limit the use of sensitive personal information. To exercise these rights, contact us at ceekay@muns.io.

India. Munshot processes personal data in accordance with applicable Indian laws, including the Digital Personal Data Protection Act, 2023 (the “DPDP Act”). You may contact us at ceekay@muns.io to exercise any rights available under the DPDP Act, including correction, erasure, grievance redressal, and nomination.

14. Google API Services — Limited Use disclosure

Munshot’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• data obtained through Google APIs is used only to provide or improve the user-facing features of the Munshot Services that are visible and prominent in the requesting interface;
• such data is not transferred to others except as necessary to provide or improve those user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users;
• such data is not used or transferred for serving advertisements, including retargeting, personalised, or interest-based advertising; and
• no human reads such data unless we have your affirmative consent for specific data, it is necessary for security purposes (such as investigating abuse), to comply with applicable law, or as part of Munshot’s internal operations, in which case the data is aggregated and anonymised to the extent practicable.

15. Children’s data

The Services are intended for business and enterprise use and are not directed to individuals under 18. We do not knowingly collect personal information from anyone under 18. If you believe that a child has provided us with personal information, please contact us at ceekay@muns.io and we will take appropriate steps to delete it.

16. Third-party links and integrations

The Services may contain links to, or integrate with, third-party websites, applications, or services. We are not responsible for the privacy practices or content of those third parties. We encourage you to review the privacy notices of any third party before providing information or connecting an account.

17. Automated decision-making

The Services may produce outputs through automated processing, including AI models. These outputs are advisory and are intended to support, not replace, human decision-making by you or your organisation. You remain responsible for the use of, and any decisions you make based on, outputs generated through the Services. We do not make decisions that produce legal or similarly significant effects on individuals based solely on automated processing without meaningful human involvement.

18. Changes to this Policy

We may update this Privacy Policy from time to time. When we do, we will post the updated policy on this page and revise the “Last updated” date. Material changes will be communicated to customers through the Services, by email, or through other reasonable means. Your continued use of the Services after an update means you accept the updated Policy.

19. Contact us

For privacy questions, data-subject requests, or grievances, please contact: