Privacy Policy

This Privacy Policy explains how Multify Inc. ("Multify," "we," "us," or "our") collects, uses, shares, and protects information when you use MULTIFY, our websites, dashboards, agents, bots, and APIs (collectively, the "Service"). It supplements our Terms of Use, which include defined terms used here.

1. Scope and Controller

Multify Inc., a Delaware corporation, is the controller of personal information processed through the Service. You can reach us at hello@superclaws.io or through our Contact page. If you are in the EU, UK, Switzerland, or another jurisdiction with similar laws, see Sections 12 and 13 for transfer mechanisms and your rights.

2. Information We Collect

We collect the following categories of information:

• Account information: name, email address, password or authentication credentials, profile preferences, and billing details (collected and stored by Stripe; we do not store full payment-card numbers).
• Telegram identifiers: Telegram user ID, username, chat IDs, and bot tokens you provide or that our managed-bot infrastructure generates on your behalf.
• Agent metadata: agent display names, configuration files (such as SOUL.md and IDENTITY.md), assigned server IPs, SSH keys, and VNC credentials. Sensitive credentials are stored encrypted.
• Conversation and command data: prompts, messages, files, code, and Outputs exchanged between you and your Agent, plus command and audit logs of agent activity.
• Connected Account credentials: OAuth tokens and API keys for third-party integrations you authorize (typically through Composio); we receive only the scopes you grant.
• Usage and telemetry: feature usage, credit consumption, session frequency, error reports, and audit events.
• Device and technical data: IP address, browser type and version, device identifiers, language, time zone, and access logs.
• Communications: support tickets, survey responses, and other correspondence with us.

3. Sources of Data

We collect information directly from you when you sign up, configure agents, or contact us; automatically when you use the Service (such as logs and telemetry); from Connected Accounts and Third-Party Services you authorize; and from our payment, infrastructure, and communication providers (such as Stripe webhooks and Telegram).

4. Legal Bases for Processing (EU/UK Users)

Where the GDPR or UK GDPR applies, we process personal information on the following bases:

• Performance of a contract: to provide the Service you request, including provisioning agents, processing payments, and responding to support requests;
• Legitimate interests: to secure the Service, prevent fraud and abuse, debug and improve the Service, and communicate with users about their accounts;
• Consent: for optional features and marketing communications, where required by law;
• Legal obligation: to comply with tax, accounting, anti-money-laundering, and other legal requirements.

5. How We Use Your Information

We use the information we collect to:

• Provide, operate, secure, and improve the Service;
• Provision, manage, and (when needed) repair agent infrastructure;
• Authenticate users and protect accounts;
• Process payments and manage subscriptions;
• Respond to support requests and communicate about your account;
• Detect, investigate, and prevent fraud, abuse, and security incidents;
• Enforce our Terms of Use;
• Comply with legal obligations and respond to lawful requests;
• Send transactional messages (such as receipts, security notices, trial reminders) and, with your consent where required, marketing messages;
• Generate aggregated, de-identified analytics about Service usage.

6. AI Model Processing and No-Training Commitment

To generate Agent responses, your prompts, conversation context, and Outputs are sent to one or more LLM providers, primarily through OpenRouter. Depending on routing, the upstream model providers may include Anthropic, OpenAI, xAI, Google, Mistral, Moonshot AI, and others. Moonshot AI is also used to generate initial agent persona files.

We use customer Content solely to generate the response or Output you requested and to operate the Service. We do not use your prompts, conversations, files, or Outputs to train or fine-tune Multify's own AI models. Where supported by an LLM or infrastructure provider, we contract for zero-data-retention and no-training treatment of customer Content. Each provider's own privacy policy applies to the data we send them; please review their policies for details.

7. How We Share Your Information

We share information only as needed to operate the Service, comply with law, or with your consent. Categories of recipients include:

• LLM and AI infrastructure providers: OpenRouter and the upstream model providers it routes to (including Anthropic, OpenAI, xAI, Google, Mistral, Moonshot AI, and others, depending on configuration); Moonshot AI directly for persona generation.
• Messaging transport: Telegram, which carries your messages to and from your Agent.
• Payment processing: Stripe.
• Transactional email: Postmark.
• Cloud and agent infrastructure: Hetzner Cloud (agent servers; EU data center option) and our database and hosting providers.
• Connected Account integration broker: Composio, which mediates third-party API integrations you authorize.
• Analytics, error monitoring, and security tooling: service providers that help us operate and secure the Service.
• Professional advisors: auditors, lawyers, and accountants.
• Legal and safety: when required by law, court order, or to protect the rights, property, or safety of Multify, our users, or the public.
• Business transfers: in connection with a merger, acquisition, financing, or sale of assets, in which case we will notify you and ensure continuity of this Privacy Policy or provide a comparable replacement.
• With your consent: any other recipient you direct.

All service providers are contractually bound to protect your information and to use it only for the purposes we specify. We do not sell your personal information, and we do not share it for cross-context behavioral advertising.

8. Connected Accounts

When you authorize a Connected Account (such as a Gmail or other third-party app via Composio), we receive only the scopes you grant. Tokens and credentials are stored encrypted and used solely to perform tasks at your direction. You can revoke a Connected Account at any time, which terminates our access except as needed for legal-retention or security purposes.

9. Cookies and Similar Technologies

We use a small number of cookies and similar technologies, limited to what is necessary to operate the Service:

• Strictly necessary: session authentication, CSRF protection, and load balancing.
• Functional: remembering preferences such as theme.
• Service-provider cookies: Stripe sets cookies during checkout for fraud prevention.

We do not use third-party advertising cookies or cross-site tracking. You can control cookies through your browser settings; disabling strictly necessary cookies may break Service functionality.

10. Data Retention

We retain personal information for as long as needed to provide the Service and for the periods described below, after which we delete or de-identify it, except where longer retention is required by law:

• Account data: while your account is active; up to 30 days after account closure (longer if needed for fraud or legal-hold purposes).
• Conversation and Agent content: up to 90 days, then purged unless you have opted to extend retention for context continuity or you are subject to an active legal hold.
• System and security logs: up to 12 months.
• Billing and tax records: as long as required by tax and accounting law (typically up to 7 years).
• Backups: rolled off within 35 days.

11. Data Security

We implement reasonable technical and organizational measures designed to protect personal information, including encryption in transit (TLS) and at rest, role-based access controls, audit logging, SSH key management, and least-privilege access for personnel. We will notify affected users of confirmed breaches of personal information without undue delay, consistent with applicable law. No security control is perfect; we cannot guarantee absolute security.

12. International Data Transfers

We are based in the United States and operate globally. Your information may be processed in the United States, the European Union (including Hetzner data centers in Germany or Finland), and other countries where our service providers operate. For transfers from the EEA, UK, or Switzerland to other jurisdictions, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, where applicable.

13. Your Rights and Choices

13.1 EU/UK/Swiss Residents. Subject to applicable law, you have the right to:

• Access the personal information we hold about you;
• Request correction of inaccurate or incomplete information;
• Request erasure ("right to be forgotten");
• Request restriction of processing;
• Receive a portable copy of your data in a machine-readable format;
• Object to processing based on legitimate interests;
• Withdraw consent (where processing is based on consent), without affecting prior lawful processing;
• Lodge a complaint with your supervisory authority.

13.2 California Residents (CCPA/CPRA). You have the right to know what personal information we collect, use, and disclose; to request deletion; to request correction; and to limit use of "sensitive personal information." We do not sell personal information and do not share personal information for cross-context behavioral advertising. We will not discriminate against you for exercising these rights. You may designate an authorized agent to make a request on your behalf.

13.3 Other U.S. State Laws. We honor equivalent rights provided to residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws. Mention of a state does not imply that we are subject to its specific law; rights are extended where required.

13.4 How to Exercise Rights. To exercise any of these rights, contact us at hello@superclaws.io. We will verify your identity, generally by confirming control of the account email, and respond within the timeframe required by applicable law (typically 30 days, with one extension of up to 60 days where permitted). Some rights are not absolute and may be subject to legal exceptions.

14. Automated Decision-Making

The Service uses automated systems (large language models) to generate Agent responses. These responses are advisory; you and your Agent operators retain control over what actions are taken. The Service does not use solely automated decision-making to produce legal or similarly significant effects on you within the meaning of GDPR Article 22.

15. Children's Privacy

The Service is not directed to individuals under 18, and we do not knowingly collect personal information from minors. If you believe a minor has provided us with personal data, please contact us and we will take steps to remove that information.

16. Marketing Communications

We may send you transactional communications (such as receipts, trial reminders, and security notices) regardless of marketing preferences. With your consent where required, we may also send marketing communications; you can unsubscribe at any time using the link in any marketing email or by contacting us.

17. Telegram and Bot Operation

MULTIFY Agents are accessed through Telegram. Messages sent through Telegram are routed through Telegram's infrastructure and are subject to Telegram's privacy policy in addition to ours. Please review Telegram's Privacy Policy.

18. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least 14 days' notice by email or by prominent notice within the Service before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

19. Contact Us

For questions, requests, or concerns about this Privacy Policy or our data practices, contact us at hello@superclaws.io or through our Contact page. If we are required to designate an EU/UK representative, we will identify them in this Policy.

MULTIFY is a product of MULTIFY INC, a Delaware corporation.