Midus is a product operated by AgentCore LLC ("AgentCore," "we," "us," or "our"). This Privacy Policy explains what personal data we collect, how we use it, how we share it, and the choices you have. It also describes your rights under laws like the GDPR and the California Consumer Privacy Act (as amended by the CPRA).
If you do not agree with this Policy, do not use Midus websites, apps, or related services (collectively, the "Service").
1) Key Definitions
Account: a unique Midus login tied to a user identity.
Administrator: a user designated by a Customer to manage an Organization, billing, and settings.
Customer or you: the company or person that has accepted our Terms and is responsible for Authorized Users.
Organization: a workspace provisioned by or for a Customer where Authorized Users collaborate.
Authorized User: any individual who accesses the Service under a Customer Account, including employees, contractors, and invited guests.
Customer Content: content and data that you upload or connect to the Service (for example, files, documents, prompts, chat messages, links, metadata, and information ingested from third‑party systems).
Service Data: operational data we collect about how the Service is accessed and performs (for example, telemetry, device info, cookies, diagnostics, usage logs, and billing events).
Output: responses or artifacts produced by the Service for the Customer, including AI‑generated content.
Third‑Party Services: products or services not provided by AgentCore that you choose to connect to the Service (for example, model providers, identity providers, cloud storage, CRM, and data sources).
2) Scope and Roles
For Customer Content and Output, we act as a processor and the Customer acts as the controller. We process that data to provide the Service and only under your instructions, as described in this Policy, our Terms, and the Data Processing Addendum ("DPA").
For Service Data, we act as a controller.
This Policy applies to personal data we process in connection with the Service and our marketing sites. It does not apply to Third‑Party Services that you connect. Their privacy practices are governed by their own policies.
3) What We Collect
We collect the following categories of data, depending on your use of the Service:
a) Account and Contact Information
Name, email address, username, phone number
Company name and role, company location
Authentication and security information (hashed passwords, tokens)
b) Organization and Billing Information
Organization name, plan, seat counts
Billing contact, billing address
Payment method tokens (stored by our payment processor), transaction history, invoices and receipts
c) Service Data (Telemetry and Logs)
App and API usage logs, feature interactions, timestamps
IP address, general location derived from IP, device and browser type, operating system, language, time zone
Cookie identifiers, session identifiers, crash reports, performance data
d) Customer Content (Processor Role)
Files, text, prompts, chat messages, links, metadata, tags
Content ingested from Third‑Party Services you connect (for example, documents, knowledge bases, tickets)
Output generated for you by the Service
e) Support and Communications
Emails and messages you send to us, support tickets, feedback, survey responses, call recordings if you consent to recording
f) Recruitment and Vendor Data
If you apply to work with us or provide services to us, we may collect resume or vendor details, references, and related information
g) Cookies and Similar Technologies
See Section 12 for details about cookies, local storage, and similar technologies
h) Sensitive Data
Do not upload special categories of data (for example, health information or biometric identifiers) unless the DPA allows it and we have agreed in writing. The Service is not intended for HIPAA‑regulated data.
i) Children’s Data
The Service is not directed to children and may not be used by anyone under the age of 16. We do not knowingly collect data from children under 16.
4) Sources of Personal Data
You and your Authorized Users, when you create an Account or use the Service
Administrators who invite or manage Authorized Users
Third‑Party Services you connect to Midus
Public sources or service providers that help us verify identity, prevent fraud, or enrich business profiles
5) How We Use Personal Data
We use personal data for the following purposes:
Provide and maintain the Service: create and manage Accounts and Organizations, authenticate users, process requests, route prompts to model providers, generate Output, enable collaboration, and provide support.
Security and abuse prevention: protect Accounts, investigate suspicious activity, prevent fraud and misuse, and enforce policies.
Product improvement: analyze Service usage and performance to fix bugs and improve features. We use aggregated and de‑identified Service Data for this purpose. We do not use Customer Content or Output to train foundation models unless you opt in.
Communications: send service‑related messages, updates, and administrative notices. We may send you marketing about our own products and features. You can opt out of marketing at any time.
Billing and account management: process payments, provide invoices, and maintain accounting records.
Compliance: comply with law, legal process, and enforce our Terms.
6) Legal Bases (EEA/UK/Switzerland)
When required by law, we rely on these legal bases:
Performance of a contract: to deliver the Service you requested.
Legitimate interests: to secure and improve the Service, to prevent abuse, and to market our own products to business users where allowed.
Consent: for certain cookies or where local law requires consent.
Legal obligation: to comply with applicable laws and regulations.
Vital interests: to protect the safety of a person, in rare cases.
7) Sharing of Personal Data
We share personal data as follows:
Subprocessors: trusted service providers that host infrastructure, provide analytics, support, email delivery, logging, and similar services. We require contracts with confidentiality, security, and privacy commitments.
Model providers: when you or your Organization enable routing to third‑party AI models, we transmit relevant prompts and context as your processor. We contractually restrict providers from using Customer Content for their own training unless you opt in.
Third‑Party Services you connect: if you connect a service (for example, cloud storage or an identity provider), data flows to and from that service under your separate agreement with them. They act as independent controllers for their processing.
Enterprise administrators: Organization Administrators can access certain usage information, manage users, export data, and enforce policies within their Organization.
Corporate transactions: personal data may be disclosed as part of a merger, acquisition, financing, or sale of assets, subject to standard confidentiality protections.
Legal, safety, and rights: to comply with law or legal process, respond to lawful requests, protect the rights and safety of our users, the public, or AgentCore, and enforce our Terms.
With your direction: where you instruct us to share data with a third party.
We do not sell personal information. We do not share personal information for cross‑context behavioral advertising without your consent where required.
8) International Data Transfers
We operate primarily in the United States. When personal data is transferred internationally, we use appropriate safeguards such as the EU Standard Contractual Clauses and the UK International Data Transfer Addendum. We also implement technical and organizational measures to protect transferred data.
9) Retention
We keep personal data for as long as necessary to provide the Service and for legitimate business needs, such as security, compliance, and recordkeeping. Our typical retention periods are:
Customer Content: available for export during a paid subscription. After termination, retained for up to 30 days unless you request earlier deletion or law requires otherwise. Backups are purged in the ordinary course.
Service logs and telemetry: generally kept up to 24 months.
Billing and accounting records: kept for up to 7 years, as required by tax and accounting rules.
Support tickets and communications: generally kept up to 24 months.
We may anonymize data for statistical use. We will not attempt to re‑identify anonymized data.
10) Security
We use technical and organizational safeguards designed to protect personal data, including encryption in transit and at rest for primary storage, access controls, network protections, and regular reviews. No method of transmission or storage is fully secure, so we cannot guarantee absolute security.
If we become aware of unauthorized access to personal data in our possession, we will notify affected Customers without undue delay and share information we can reasonably disclose, consistent with law and security needs.
11) Your Rights
Depending on where you live, you may have the following rights:
Access: request a copy of your personal data.
Correction: ask us to fix inaccurate or incomplete data.
Deletion: ask us to delete personal data, subject to legal and contractual limits.
Restriction: ask us to limit processing in certain cases.
Portability: receive personal data you provided in a structured, commonly used format.
Objection: object to processing based on our legitimate interests, including marketing.
Consent withdrawal: withdraw consent where processing is based on consent.
To exercise rights, contact your Organization Administrator or email privacy@heymidus.com or legal@heymidus.com. We will verify your identity before fulfilling requests. For requests about Customer Content, we may redirect you to the relevant Customer, as they are the controller.
If you are in the EEA, UK, or Switzerland, you can lodge a complaint with your supervisory authority. We would appreciate the chance to address your concerns first.
12) Cookies and Similar Technologies
We use cookies, local storage, and similar technologies to:
• Keep you signed in and maintain sessions
• Remember preferences
• Measure usage and performance
• Diagnose and fix issues
• Support security and fraud prevention
Types of cookies:
• Essential: required for the Service to function
• Functional: remember settings
• Analytics: help us understand how the Service is used
• Advertising: used on marketing sites to measure campaigns, if enabled
You can manage preferences in your browser or through our cookie banner where available. If you block cookies, some features may not work. We honor Global Privacy Control signals for California residents on our marketing sites where technically feasible.
13) California Privacy Disclosures (CCPA/CPRA)
This section applies to California residents.
a) Categories of Personal Information
In the last 12 months, we collected:
• Identifiers such as name, email, IP address, cookie ID
• Customer records such as billing details
• Commercial information such as transaction history
• Internet or network activity such as usage data and logs
• Geolocation derived from IP, coarse only
• Professional or employment information such as role and company
• Inferences from Service use such as feature adoption
We do not collect precise geolocation, protected characteristics, or biometric data through the Service.
b) Purposes and Sources
See Sections 4 and 5.
c) Disclosure of Personal Information
We disclose personal information to service providers and contractors for business purposes as described in Section 7. We do not sell personal information. We do not share personal information for cross‑context behavioral advertising without your consent where required.
d) Your California Rights
You have the right to know, correct, delete, opt out of sale or sharing, and to limit use and disclosure of sensitive personal information. We do not use or disclose sensitive personal information for purposes that require a right to limit under the CPRA. You will not be discriminated against for exercising your rights.
To exercise rights, follow the steps in Section 11 or use the “Do Not Sell or Share My Personal Information” link where available.
14) Other U.S. State Privacy Rights
Residents of Virginia, Colorado, Connecticut, Oregon, Texas, and other states may have similar rights to access, correct, delete, opt out of targeted advertising, and opt out of certain profiling. Use the methods in Section 11 to make a request. We will verify and respond consistent with applicable law.
15) Automated Decision Making and Profiling
We do not use automated decision making that produces legal or similarly significant effects without human involvement. Customers may configure workflows that rely on Output for their internal decisions. Customers are responsible for their own compliance when using Output.
16) Do Not Track and Global Privacy Control
We do not respond to Do Not Track signals. We honor Global Privacy Control signals for California residents on our marketing sites where technically feasible.
17) Third‑Party Sites and Services
The Service may link to Third‑Party Services. Their privacy practices are governed by their own policies. We are not responsible for their content or practices.
18) Subprocessors and Model Providers
A current list of our subprocessors and model providers is available upon request at legal@heymidus.com. We will provide notice of new subprocessors and give you an opportunity to object on reasonable grounds related to data protection.
19) International Representatives
If we appoint an EU or UK representative, we will update this Policy with their contact details. Until then, you can contact us at legal@heymidus.com for any questions related to EU or UK privacy rights.
20) Changes to this Policy
We may update this Policy from time to time. We will post the updated Policy with a new effective date. If a change materially affects how we process personal data, we will provide notice. Your continued use of the Service after the effective date means you accept the changes.
21) Data Processing Addendum
If you are a controller under applicable law and use the Service for business purposes, our Data Processing Addendum applies to our processing of personal data on your behalf. Contact legal@heymidus.com to obtain a copy and execute it. The DPA includes the EU Standard Contractual Clauses and the UK Addendum where applicable.
22) Verifying Requests and Authorized Agents
When you submit a privacy rights request, we will verify your identity using information associated with your Account, which may include email verification or additional documentation. You may authorize an agent to make a request on your behalf, subject to verification and proof of authorization.
23) Data Portability and Deletion for Connected Services
If you connected Third‑Party Services to Midus, you can disable the connection at any time. Deleting Customer Content from Midus does not delete copies stored by the Third‑Party Service. Manage retention and deletion with those providers directly.
24) Region‑Specific Terms
If local laws require terms beyond this Policy, we will publish region‑specific addenda. Where there is a conflict between an addendum and this Policy, the addendum controls for users in that region.
25) Contact Us
AgentCore LLC
Operating Midus
8 The Green, Suite A, Dover, DE 19901, USA
Email: privacy@heymidus.com or legal@heymidus.com