Legal

Privacy Policy

Last updated: May 19, 2026 · Version 1.0

This Privacy Policy describes how Mirvo ([Mirvo SAS — corporate entity to be incorporated, Address TBD, France]) collects, uses, and protects your personal data when you use the Mirvo platform.

Mirvo plays two roles under GDPR: we act as data controller for the personal data of our own users (account holders, subscribers), and as data processor for the contact data that users import into the platform (prospects, email recipients). For questions about the processing of your prospects' data, see our Data Processing Addendum.

Mirvo's supervisory authority under GDPR is the Commission Nationale de l'Informatique et des Libertés (CNIL), France.

1. Definitions

—Personal Data: Any information relating to an identified or identifiable natural person.

—Data Subject: The individual whose personal data is being processed.

—User / Subscriber: An individual or organization that has created a Mirvo account.

—Data Controller: The entity that determines the purposes and means of processing.

—Data Processor: The entity that processes personal data on behalf of the Data Controller.

—Processing: Any operation performed on personal data (collection, storage, use, transmission, deletion, etc.).

—Sub-processor: A third party engaged by Mirvo to process personal data on its behalf.

—Service: The Mirvo B2B outbound platform, including all features accessible via mirvo.ai.

2. Data we collect about you

Account data

When you create an account, we collect your email address, name, company name, and professional role. This data is used to create and manage your account and to communicate with you about the Service.

Usage data

We collect data about how you use the Service: pages visited, features used, session duration, errors encountered, and in-product interactions. This is used for product improvement and support.

Payment data

Payment processing is handled by our payment processor. Mirvo does not store or have access to your full card details — we only receive a payment confirmation, subscription status, and billing metadata.

Communications data

We retain the content of support messages you send us via email or in-app, as well as automated notifications we send to you, for support and compliance purposes.

Cookie data

See our Cookie Policy for full details on what cookies are set and why.

3. How we use your data

We use your personal data for the following purposes:

—Provide and operate the Service: Creating and managing your account, running campaigns, and delivering core product features.
—Process payments: Managing your subscription, billing, invoicing, and renewal.
—Communicate with you: Sending transactional emails (receipts, alerts, security notices) and service updates. Not marketing — this is operational communication.
—Improve the product: Analyzing aggregate usage patterns to identify friction, prioritize features, and fix bugs. No individual profiling for commercial targeting.
—Security and fraud prevention: Detecting unauthorized access, abuse patterns, and compliance violations.
—Legal compliance: Meeting our obligations under French law, EU law, and contractual requirements.
—Marketing communications: Only if you have explicitly opted in. You can withdraw consent at any time.

4. Legal basis for processing

Under GDPR Article 6, we rely on the following legal bases:

Contract performance (Art. 6(1)(b))

Providing the Service you subscribed to, managing your account, and processing payments.

Legitimate interest (Art. 6(1)(f))

Product improvement, security monitoring, and fraud prevention — where our interest does not override your rights and freedoms.

Consent (Art. 6(1)(a))

Marketing communications and non-essential analytics cookies. You may withdraw consent at any time without affecting the lawfulness of prior processing.

Legal obligation (Art. 6(1)(c))

Accounting records, tax documentation, and compliance with regulatory requests.

5. AI usage at Mirvo

Mirvo uses AI to help sales teams work more effectively. This section explains exactly how AI is used and what our commitments are.

What AI is used for

—Email content generation based on prospect context you provide
—Sentiment analysis on incoming email replies (to classify response intent)
—AI-powered help and guidance within the product

Anti-fabrication commitment

Mirvo's AI does not invent prospect information beyond what is provided in your imported data. We do not generate fictitious job titles, fictitious company details, or fabricate prospect signals not present in your source data. AI output is grounded in the information you supply.

No training on customer data

Customer data processed through Mirvo is not used to train AI models. We work exclusively with enterprise-grade AI providers who provide contractual no-training-on-customer-data guarantees. Your campaigns, prospects, and email content are yours and are not used to improve AI models.

EU AI Act transparency

Mirvo qualifies as a Limited Risk AI system under the EU AI Act (Regulation (EU) 2024/1689) and complies with the applicable transparency obligations. Users are informed when they are interacting with AI-generated content or AI-powered features within the product.

Human oversight

AI is decision-support, not autonomous. All AI-generated email drafts can be reviewed and edited by you before sending. No email is sent without your explicit action. The final sending decision is always yours.

AI provider transparency

Mirvo works with enterprise-grade AI providers under the EU-US Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs). A full list of AI sub-processors is available in our Data Processing Addendum.

7. Data retention

We retain data for as long as necessary for the purpose it was collected, or as required by law.

Data type	Retention period
Active account data	Duration of subscription
Deleted account data	30-day soft-delete grace period, then hard deletion
Prospect data (imported contacts)	Duration of subscription + 30-day grace period after cancellation
Inbox messages	90 days
Admin action logs	90 days minimum
Payment records	10 years (French accounting obligation)
Analytics events	12 months
Database backups	7 days rolling

8. Your rights

Under GDPR, you have the following rights regarding your personal data. To exercise any of them, email privacy@mirvo.ai. We will respond within 30 days as required by law.

—Right to be informed (Art. 13-14): To know what data we process and why — which is the purpose of this policy.

—Right of access (Art. 15): To request a copy of the personal data we hold about you.

—Right to rectification (Art. 16): To correct inaccurate or incomplete personal data.

—Right to erasure (Art. 17): To request deletion of your data ("right to be forgotten"), subject to legal retention obligations.

—Right to restriction (Art. 18): To restrict how we use your data while a dispute is being resolved.

—Right to data portability (Art. 20): To receive your data in a machine-readable format for transfer to another service.

—Right to object (Art. 21): To object to processing based on legitimate interest or for direct marketing.

—Automated decision-making (Art. 22): Mirvo does not make solely automated decisions with legal or similarly significant effects. AI features are decision-support tools; humans make final decisions.

You also have the right to lodge a complaint with the CNIL: www.cnil.fr.

9. International data transfers

Mirvo applies a hybrid data residency approach:

—EU-only: Your account data and product analytics are stored and processed exclusively in EU data centers (Frankfurt region). No transfer to third countries occurs for these categories.
—US providers under safeguards: AI processing, email delivery, and payment processing involve US-based providers. Transfers are covered by the EU-US Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs) under Commission Implementing Decision (EU) 2021/914.

Full details including a Transfer Impact Assessment are available in our Data Processing Addendum.

10. Security

Mirvo implements technical and organizational security measures including TLS 1.3 encryption in transit, AES-256 encryption at rest, Row-Level Security multi-tenant isolation, hardened HTTP security headers, and automated security review on every code change.

For a complete description of our security measures, see our Security page.

11. Changes to this policy

We will notify you of material changes to this Privacy Policy at least 30 days before they take effect, via email and in-app notice. The updated policy will be published at this URL with the version date updated.

Continued use of the Service after a material change takes effect constitutes acceptance of the updated policy. If you do not accept the changes, you may terminate your subscription before the effective date.

12. Contact

Privacy and data protection inquiries: privacy@mirvo.ai

Postal: [Mirvo SAS, Address TBD, France]

CNIL (supervisory authority): www.cnil.fr