Privacy Policy

For purposes of this Privacy Policy, unless the context otherwise requires, the following terms shall have the meanings ascribed to them below:

• "Personal Data" means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
• "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
• "Data Controller" means Mithra Labs LLC, a limited liability company organized under the laws of the United States, which alone or jointly with others determines the purposes and means of the Processing of Personal Data.
• "Data Processor" means a natural or legal person which Processes Personal Data on behalf of the Data Controller.
• "Service" means the AI-powered timeshare contract analysis platform, including but not limited to all software, applications, APIs, databases, machine learning models, and related infrastructure operated by Mithra Labs LLC.

We Process Personal Data only where we have a lawful basis for doing so under applicable data protection laws, including:

We Process Personal Data for the following purposes:

• To provide, operate, maintain, and improve the Service and its functionality
• To process uploaded contracts using artificial intelligence, machine learning, and natural language processing technologies
• To generate analysis reports, exit probability scores, and legal recommendations
• To train, test, and improve our machine learning models and algorithms
• To authenticate users and maintain account security
• To process payments, manage subscriptions, and issue invoices
• To communicate with users regarding their accounts, services, and support requests
• To send transactional emails, service updates, and administrative notices
• To conduct marketing activities including email campaigns, targeted advertising, and promotional offers (with consent where required)
• To perform analytics and generate aggregate statistics about Service usage
• To detect, prevent, and investigate fraud, security breaches, and other malicious activities
• To comply with legal obligations, respond to lawful requests, and enforce our Terms of Service
• To resolve disputes and enforce our agreements
• To conduct research and development for new features and services
• To facilitate corporate transactions including mergers, acquisitions, asset sales, or bankruptcy proceedings

We implement and maintain appropriate technical and organizational security measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include, but are not limited to:

• Encryption: All data in transit is protected using Transport Layer Security (TLS) 1.2 or higher with strong cipher suites. Data at rest is encrypted using AES-256 encryption or equivalent.
• Access Controls: Implementation of role-based access control (RBAC), principle of least privilege, multi-factor authentication for administrative access, and regular access reviews.
• Network Security: Deployment of firewalls, intrusion detection and prevention systems (IDS/IPS), virtual private networks (VPNs), and network segmentation.
• Application Security: Regular security assessments, penetration testing, vulnerability scanning, secure coding practices, and input validation.
• Monitoring and Logging: Comprehensive logging of access to Personal Data, security information and event management (SIEM) systems, and automated anomaly detection.
• Incident Response: Documented incident response procedures, breach notification protocols, and regular incident response drills.
• Business Continuity: Regular data backups, disaster recovery procedures, redundant infrastructure, and failover mechanisms.
• Vendor Management: Due diligence assessments of third-party service providers, contractual data protection obligations, and ongoing monitoring.

Notwithstanding the foregoing, no method of transmission over the Internet or method of electronic storage is completely secure. While we strive to use commercially acceptable means to protect Personal Data, we cannot guarantee its absolute security. You acknowledge and agree that you provide Personal Data at your own risk.

We retain Personal Data for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. Our retention periods are based on the following criteria:

• Account Data: Retained for the duration of the account relationship and for a period of seven (7) years following account closure for legal compliance and dispute resolution purposes.
• Contract Documents: Retained for seven (7) years after upload or until account deletion, whichever occurs first, subject to legal hold requirements.
• Financial Records: Retained for a minimum of seven (7) years in accordance with tax and accounting regulations.
• Communication Records: Retained for six (6) years for customer service quality assurance and legal compliance.
• Technical Logs: Retained for periods ranging from ninety (90) days to two (2) years depending on log type and purpose.
• Marketing Data: Retained until consent is withdrawn or for three (3) years of inactivity, whichever occurs first.

Upon expiration of applicable retention periods, Personal Data will be securely deleted or anonymized such that it can no longer be associated with an identified or identifiable natural person. Deletion procedures include overwriting storage media, cryptographic erasure, and physical destruction where appropriate.

We employ cookies, web beacons, pixel tags, local storage objects, and similar tracking technologies to collect and store information about your interactions with the Service. These technologies serve various purposes including:

You may refuse or delete cookies through your browser settings. However, disabling cookies may limit your ability to use certain features of the Service. For more information about cookies and how to manage them, please visit www.allaboutcookies.org.

We engage third-party service providers to perform functions on our behalf and process Personal Data pursuant to our instructions. These Data Processors are contractually obligated to:

• Process Personal Data only in accordance with our documented instructions
• Implement appropriate technical and organizational security measures
• Maintain confidentiality of Personal Data
• Assist us in responding to Data Subject requests
• Delete or return Personal Data upon termination of services
• Submit to audits and inspections as required

Categories of Data Processors include:

• Cloud infrastructure and hosting providers
• Content delivery networks (CDNs)
• Payment processors and financial institutions
• Email service providers and communication platforms
• Customer relationship management (CRM) systems
• Analytics and business intelligence providers
• Advertising networks and marketing automation platforms
• Security and fraud prevention services
• Customer support and helpdesk software
• Document storage and management systems

Your Personal Data may be transferred to, stored at, and processed in countries other than your country of residence, including the United States and other jurisdictions where our service providers operate. These countries may have data protection laws that differ from those of your jurisdiction.

Where we transfer Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries not deemed to provide an adequate level of data protection, we implement appropriate safeguards including:

• Standard Contractual Clauses approved by the European Commission
• Binding Corporate Rules where applicable
• Reliance on adequacy decisions where available
• Additional supplementary measures to ensure appropriate protection

By using the Service, you acknowledge and consent to such transfers, processing, and storage of your Personal Data in accordance with this Privacy Policy.

Depending on your jurisdiction, you may have certain rights regarding your Personal Data under applicable data protection laws, including:

To exercise any of these rights, please submit a verifiable request to [email protected]. We will respond to your request within the timeframe required by applicable law (typically 30 days, extendable by an additional 60 days where necessary). We may request additional information to verify your identity before fulfilling your request.

Please note that certain rights may be limited or unavailable in certain circumstances, such as where Processing is necessary for compliance with legal obligations or establishment, exercise, or defense of legal claims.

We use automated decision-making processes, including machine learning algorithms and artificial intelligence systems, to analyze uploaded contracts and generate exit probability scores. These automated processes may involve:

• Clause identification and classification
• Risk assessment calculations
• Prediction of exit success probability
• Generation of recommendations
• User segmentation and personalization

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects concerning you or similarly significantly affect you, except where such processing is:

• Necessary for entering into or performance of a contract between you and us
• Authorized by applicable law
• Based on your explicit consent

Where automated decision-making occurs, you have the right to obtain human intervention, express your point of view, and contest the decision. To exercise this right, please contact [email protected].

The Service is not directed to individuals under the age of eighteen (18) years, or the age of majority in their jurisdiction, whichever is greater. We do not knowingly collect, use, or disclose Personal Data from children. If we become aware that we have collected Personal Data from a child without verifiable parental consent, we will take steps to delete such information as quickly as possible.

If you are a parent or guardian and believe that your child has provided Personal Data to us, please contact us immediately at [email protected].

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: You have the right to request disclosure of the categories and specific pieces of Personal Data we have collected, the sources from which it was collected, the purposes for collection, and the third parties with whom it was shared.
• Right to Delete: You have the right to request deletion of Personal Data we have collected, subject to certain exceptions.
• Right to Correct: You have the right to request correction of inaccurate Personal Data.
• Right to Opt-Out: You have the right to opt-out of the sale or sharing of Personal Data and the use of sensitive Personal Data for purposes other than those permitted by law.
• Right to Limit Use of Sensitive Personal Information: You have the right to limit the use and disclosure of sensitive Personal Data.
• Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising your CCPA/CPRA rights.

Do Not Sell or Share My Personal Information: We do not sell Personal Data in the traditional sense. However, certain data sharing practices may constitute a "sale" or "sharing" under California law. You may opt-out by clicking [Do Not Sell or Share My Personal Information] or by contacting [email protected].

Shine the Light Law: California residents may request information about disclosures of Personal Data to third parties for their direct marketing purposes. To make such a request, please contact [email protected].

In the event of a data breach involving Personal Data that is likely to result in a risk to your rights and freedoms, we will notify you and relevant supervisory authorities within the timeframe required by applicable law (typically within 72 hours of becoming aware of the breach). Such notification will include:

• The nature of the breach and categories and approximate number of Data Subjects affected
• The likely consequences of the breach
• Measures taken or proposed to address the breach and mitigate its adverse effects
• Contact information for further inquiries

We maintain comprehensive incident response procedures and will take all appropriate remedial measures to minimize harm resulting from any breach.

We reserve the right to modify, amend, or update this Privacy Policy at any time at our sole discretion. Changes will be effective immediately upon posting of the revised Privacy Policy on the Service, unless otherwise specified. The "Last updated" date at the top of this Policy indicates when it was last revised.

Material changes that significantly impact your rights will be communicated through prominent notice on the Service, email notification, or other appropriate means at least thirty (30) days prior to the change taking effect, where required by law.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. If you do not agree to the revised Policy, you must discontinue use of the Service and may request deletion of your Personal Data.

This Privacy Policy and any disputes arising out of or related to the Processing of Personal Data shall be governed by and construed in accordance with the laws of the United States and the state in which Mithra Labs LLC is organized, without regard to conflict of law principles.

Any dispute, controversy, or claim arising out of or relating to this Privacy Policy shall be resolved through binding arbitration in accordance with the rules of the American Arbitration Association, except where prohibited by law or where you have the right to bring claims before a supervisory authority.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, or wish to exercise any of your rights, please contact us at:

We will respond to your inquiry within a reasonable timeframe and no later than required by applicable law. For requests requiring identity verification, we may request additional information to protect against fraudulent requests.