Privacy Policy
Effective Date: May 26, 2026 | Last Updated: May 26, 2026
Mandate Labs, Inc. ("Mandate Labs," "we," "us," or "our") is committed to protecting the privacy of individuals and organizations that use our services. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you visit our website at mandatelabs.ai (the "Site") or use our application programming interfaces and related services (collectively, the "Services").
1. Information We Collect
Information You Provide
- Account Information: When you register for an API account, we collect your name, email address, organization name, country, and billing information.
- Communications: When you contact us, we collect the content of your messages, your email address, and any other information you choose to provide.
- API Configuration: Agent identifiers, mandate definitions, and transaction parameters you configure through our Services.
Information Collected Automatically
- Usage Data: API call volumes, response times, error rates, and endpoint usage patterns.
- Transaction Metadata: Decision quality scores, authorization decisions, and behavioral telemetry data generated by our Services when processing agent transactions. We do not store the underlying financial transaction details (card numbers, bank accounts, etc.).
- Device and Log Information: IP address, browser type, operating system, referring URLs, and access timestamps when you visit our Site.
- Cookies and Similar Technologies: We use essential cookies to maintain session state and analytics cookies to understand Site usage. See Section 7 for details.
Information from Third Parties
- Identity Verification Providers: If you use our KYC/KYB passthrough feature, we receive verification status and reference identifiers from your designated provider. We do not receive or store the underlying identity documents.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Service Delivery: To provide, maintain, and improve the Services, including processing authorization requests and generating decision quality scores.
- Research and Development: To develop and improve our decision quality scoring models, behavioral telemetry, and agent verification algorithms. Data used for research is aggregated and de-identified.
- Security: To detect, prevent, and respond to fraud, abuse, security incidents, and technical issues.
- Communications: To send service-related notices, respond to inquiries, and provide technical support.
- Compliance: To comply with applicable laws, regulations, and legal processes.
- Analytics: To understand how our Site and Services are used and to improve user experience.
3. How We Share Your Information
We do not sell your personal information. We may share information in the following circumstances:
- Service Providers: With vendors who perform services on our behalf (cloud hosting, analytics, payment processing), subject to confidentiality obligations.
- Legal Requirements: When required by law, regulation, legal process, or governmental request.
- Protection of Rights: To protect the rights, property, or safety of Mandate Labs, our users, or the public.
- Business Transfers: In connection with a merger, acquisition, or sale of assets, with notice to affected users.
- With Your Consent: When you direct us to share information with third parties.
We do not share raw transaction data or decision quality scores with parties other than the principal (account holder) who submitted the authorization request.
4. Data Retention
We retain your information for as long as your account is active or as needed to provide the Services. Specifically:
- Account Information: Retained while your account is active and for 30 days following a deletion request.
- Authorization Logs: Retained for 90 days in identifiable form, then aggregated and de-identified for research purposes.
- Behavioral Telemetry Data: Retained in de-identified, aggregated form indefinitely for model training and research.
- Communications: Retained for 2 years after last interaction.
We may retain certain information as required by law or for legitimate business purposes (fraud prevention, dispute resolution, enforcement of agreements).
5. Data Security
We implement appropriate technical and organizational measures to protect your information, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- API key hashing using industry-standard algorithms
- Role-based access controls and audit logging
- Regular security assessments and penetration testing
- Infrastructure hosted on SOC 2-compliant cloud providers
No method of transmission over the Internet is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
6. Your Rights and Choices
All Users
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate personal information.
- Deletion: Request deletion of your personal information, subject to legal retention requirements.
- Data Portability: Request your data in a structured, machine-readable format.
- Opt-Out of Analytics: Disable non-essential cookies through your browser settings.
California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it.
- Right to Delete: You may request deletion of personal information we have collected, subject to certain exceptions.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
- No Sale of Personal Information: We do not sell personal information as defined by the CCPA. We do not sell personal information of minors under 16.
To exercise your rights, contact us at [email protected]. We will verify your identity before processing your request. You may designate an authorized agent to make a request on your behalf.
Categories of Information Collected (CCPA Disclosure)
In the preceding 12 months, we have collected the following categories of personal information: identifiers (name, email, IP address), commercial information (transaction metadata), internet activity (usage data, API logs), and professional information (organization name, role). These are collected from you directly and from your use of our Services, and are used for the business purposes described in Section 2.
7. Cookies and Tracking Technologies
Our Site uses the following types of cookies:
- Essential Cookies: Required for Site functionality (session management, security). Cannot be disabled.
- Analytics Cookies: Help us understand how visitors interact with our Site. You may opt out through your browser settings or by using the cookie banner on our Site.
We do not use advertising cookies or third-party tracking pixels. We do not respond to Do Not Track (DNT) signals at this time, as there is no industry-standard implementation.
8. International Data Transfers
Our Services are operated from the United States. If you access our Services from outside the United States, your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using our Services, you consent to such transfers.
9. European Economic Area (GDPR)
Mandate Labs, Inc. processes personal data on behalf of customers who operate in the European Union and European Economic Area (EU/EEA). Where we act as a data processor, we process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and our Data Processing Agreements with customers.
Legal Bases for Processing
We rely on the following legal bases when processing personal data of EU/EEA data subjects:
- Contract Performance: Processing necessary to perform our obligations under a service agreement with you or your organization (Article 6(1)(b)).
- Legitimate Interests: Processing necessary for our legitimate interests, including service improvement, fraud prevention, and security, where those interests are not overridden by your data protection rights (Article 6(1)(f)).
- Consent: Where required, we obtain your explicit consent before processing personal data for specific purposes such as analytics cookies (Article 6(1)(a)). You may withdraw consent at any time.
EU Data Subject Rights
If you are located in the EU/EEA, you have the following rights under the GDPR:
- Right of Access: Request a copy of the personal data we hold about you (Article 15).
- Right to Rectification: Request correction of inaccurate or incomplete personal data (Article 16).
- Right to Erasure: Request deletion of your personal data, subject to legal retention obligations (Article 17).
- Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller (Article 20).
- Right to Restriction of Processing: Request that we restrict processing of your personal data in certain circumstances (Article 18).
- Right to Object: Object to processing of your personal data based on legitimate interests or for direct marketing purposes (Article 21).
International Data Transfers
When personal data of EU/EEA data subjects is transferred to the United States, we implement appropriate safeguards in accordance with GDPR Chapter V. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for EU-to-US data transfers, supplemented by additional technical and organizational measures where appropriate.
Data Protection Officer
For GDPR-related inquiries, you may contact our Data Protection Officer at [email protected].
Right to Lodge a Complaint
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement.
To exercise any of the rights described above, contact us at [email protected] with the subject line "GDPR Request."
10. Children's Privacy
Our Services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child, we will take steps to delete it promptly.
11. Third-Party Links
Our Site may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our Site with a revised "Last Updated" date. For material changes affecting your rights, we will provide notice via email to the address associated with your account at least 30 days before the changes take effect.
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us at:
For CCPA-specific requests, you may also contact us at [email protected] with the subject line "CCPA Request."