Mendral

Privacy Policy

Effective Date: December 29, 2025
Last Updated: December 29, 2025
Company: Mendral, Inc. ("Mendral," "we," "us," "our")
Website: mendral.com
Product/Service: Mendral (the "Service")
Contact: legal+privacy@mendral.com
Mailing Address: 2035 Belle Monti Ave, Belmont CA 94002

This Privacy Policy explains how Mendral collects, uses, discloses, and protects information when you access or use our website, applications, and Service. It also describes choices and rights that may be available to you under applicable U.S. privacy laws.


1. Scope

This Privacy Policy applies to:

  • Visitors to our website(s)
  • Users who create accounts or use the Service
  • Individuals who communicate with us (for example, support and sales)

This Privacy Policy does not apply to:

  • Third-party sites and services you access via links from our Service
  • Content or data processed by our customers outside our role as a service provider or processor, if applicable

2. Definitions

  • “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to an individual or household.
  • “Customer Logs” means logs and related operational metadata generated through use of the Service, which may include identifiers, timestamps, and activity context.
  • “Usage Data” means information about how the Service is accessed and used, such as events, feature usage, device and browser details, and performance metrics.
  • “Customer Code” means source code belonging to a customer that may be processed to provide the Service.

3. Information We Collect

We collect information from (a) you, (b) your device or browser, and (c) third parties, as described below.

3.1 Information you provide to us

Examples may include:

  • Account information. Name, email address, organization name, role.
  • Authentication information. Authentication is handled via WorkOS. We may receive and store identifiers needed to manage access (for example, user ID, organization ID, SSO identifiers, and session metadata). We do not receive or store your WorkOS passwords.
  • Support communications. Messages you send to us, including tickets and emails, plus any attachments you provide.

3.2 Billing and payments

Payments are processed by Stripe. We do not store full payment card numbers. We may store billing-related information needed to administer subscriptions (for example, Stripe customer ID, subscription status, invoices, and billing contact information).

3.3 Information we collect automatically

Examples may include:

  • Identifiers. IP address, device identifiers, cookie IDs, and similar identifiers.
  • Device and browser data. Browser type, OS, language, and related technical information.
  • Service activity. Feature usage, pages or screens viewed, timestamps, and interaction events.
  • Performance and security data. Crash reports, diagnostics, and security signals.

3.4 Product analytics (PostHog Cloud)

We use PostHog Cloud for product analytics. PostHog Cloud may receive Usage Data and device or browser identifiers depending on your configuration.

3.5 Customer Logs storage (ClickHouse Cloud)

We store Customer Logs in ClickHouse Cloud for up to 3 months, then delete or de-identify them in accordance with our retention practices described below.

3.6 Customer Code processing

We do not store Customer Code on Mendral systems as part of normal Service operation.

To provide the Service, we may process Customer Code transiently using a sandboxed execution environment provided by the Blaxel sandbox service. Customer Code processed in this environment is destroyed after it runs.

We may retain outputs that do not include Customer Code, such as Customer Logs, execution status, and derived metadata needed to operate and secure the Service.

3.7 Information we receive from third parties

Examples may include:

  • Authentication and SSO assertions from WorkOS
  • Payment and subscription confirmations from Stripe
  • Product analytics from PostHog Cloud

4. How We Use Information

We use Personal Information for the following purposes:

  1. Provide and operate the Service
    • Create and manage accounts, authenticate users, deliver features
  2. Billing and subscription management
    • Process payments, administer subscriptions, manage invoicing, prevent fraud
  3. Customer support and communications
    • Respond to inquiries, provide product updates, send administrative notices
  4. Security, integrity, and abuse prevention
    • Detect, prevent, and investigate spam, abuse, and security incidents
  5. Analytics and product improvement
    • Understand usage trends, improve functionality, performance, and reliability
  6. Legal and compliance
    • Enforce our terms, comply with legal obligations, resolve disputes

5. Legal Bases (U.S. Notice)

Where required by applicable law, we process Personal Information consistent with:

  • Providing services you request or authorize
  • Our legitimate business purposes (for example, security, reliability, and product improvement)
  • Compliance with legal obligations
  • Your consent, where required (for example, certain cookies or marketing)

6. How We Disclose Information

We may disclose Personal Information to the following categories of recipients:

6.1 Service providers and subprocessors

We use vendors to help operate the Service. They may process Personal Information on our behalf under contractual restrictions.

Known vendors include:

  • Google Cloud Platform (Cloud Run) (cloud hosting and infrastructure). Data: Personal Information, Usage Data, and Customer Logs processed to host and operate the Service (compute, networking, and storage), including transient processing of Customer Code where applicable. Primary region: us-east.
  • Vercel (frontend hosting and delivery). Data: Personal Information and Usage Data processed to serve the web application (for example, IP address, device and browser metadata, request logs, and any account-related data submitted through the frontend), and to provide performance and security features. Primary region: us-east.
  • Stripe (payments). Data: billing contact details, subscription status, invoices, and billing identifiers.
  • WorkOS (authentication and SSO). Data: user and organization identifiers, SSO assertions, and session and access metadata.
  • PostHog Cloud (product analytics). Data: Usage Data and related identifiers as configured.
  • ClickHouse Cloud (log storage). Data: Customer Logs and operational metadata retained up to 3 months.
  • Blaxel sandbox service (ephemeral code execution). Data: Customer Code processed transiently for execution. Code is destroyed after runtime completion.
  • Anthropic (AI model provider). Data: prompts and related inputs sent to generate outputs for the Service, if applicable. Anthropic is configured with Zero Data Retention per our settings.

6.2 Business transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction.

6.3 Legal requirements

We may disclose information if required by law or if we reasonably believe disclosure is necessary to:

  • Comply with legal process
  • Protect rights, property, or safety of users, customers, or the public
  • Investigate fraud or security issues

6.4 With your direction or consent

We may disclose information when you instruct us to do so or provide consent.


7. Cookies, Tracking, and Analytics

We and our vendors may use cookies, SDKs, pixels, and similar technologies.

7.1 What we use

  • Strictly necessary technologies. Authentication, security, and session management.
  • Analytics technologies. Product analytics through PostHog Cloud to understand feature usage and improve the Service.

7.2 Your choices

You can control cookies through browser settings and, where implemented, in-product cookie preferences. Some features may not work properly if you disable cookies.

7.3 “Do Not Track” signals (California notice)

Some browsers offer a “Do Not Track” (DNT) signal. At this time, the Service does not respond to DNT signals. We may update our approach as standards evolve.


8. Data Retention

We retain Personal Information for as long as necessary to:

  • Provide the Service
  • Meet legal, accounting, or reporting obligations
  • Resolve disputes and enforce agreements
  • Maintain security and prevent fraud

Specific retention practices:

  • Customer Logs. Retained for up to 12 months, then deleted or de-identified.
  • Account information. Retained while an account is active and thereafter as needed for legal, security, or billing purposes.
  • Billing records. Retained as required for accounting and tax purposes.
  • Backups. We maintain backups of certain systems and data to support service continuity, disaster recovery, and security. Backups are kept for 12 months.

9. Security

We implement reasonable administrative, technical, and organizational measures designed to protect Personal Information. However, no security measures are perfect.


10. Your Rights and Choices (U.S. State Privacy Laws)

Depending on where you live, you may have rights regarding your Personal Information, such as:

  • Right to know or access
  • Right to delete
  • Right to correct
  • Right to data portability
  • Right to opt out of certain processing (for example, targeted advertising, and “sale” or “sharing” where applicable)
  • Right to non-discrimination for exercising privacy rights

10.1 How to submit a request

Submit requests to legal+privacy@mendral.com with subject “Privacy Request.”
We may need to verify your identity and, if applicable, your authority to act on behalf of an organization.

10.2 Authorized agents (if applicable)

If permitted by law, you may use an authorized agent to submit requests on your behalf. We will require verification of the agent’s authority and your identity.

10.3 Appeals (if applicable)

If your request is denied, you may appeal by contacting legal+privacy@mendral.com with subject “Privacy Appeal.”


11. California Privacy Notice (CCPA/CPRA)

This section applies to California residents to the extent the California Consumer Privacy Act, as amended by the CPRA (“CCPA/CPRA”), applies.

11.1 Categories of Personal Information collected

We may collect the following categories of Personal Information:

  • Identifiers. Name, email address, IP address, account IDs, cookie IDs.
  • Commercial information. Subscription status, billing contact information, invoices, and transaction records.
  • Internet or network activity information. Usage events, logs, and interaction data with the Service.
  • Approximate location information. Derived from IP address, if collected.

11.2 Purposes of collection and disclosure

We collect and disclose Personal Information for the business and commercial purposes described in Section 4 and Section 6 above.

11.3 “Sale” or “Sharing” of Personal Information

We do not sell Personal Information.
We do not share Personal Information for cross-context behavioral advertising.

If we ever change our practices in a way that constitutes “selling” or “sharing” under applicable law, we will update this Privacy Policy and provide required opt-out mechanisms.

11.4 Retention

See Section 8. Customer Logs are retained up to 3 months. Other categories are retained as described in our retention criteria and as required by law.

11.5 Exercising California rights

See Section 10 for submitting requests.


12. Children’s Privacy

The Service is not directed to children under 13, and we do not knowingly collect Personal Information from children under 13. If you believe a child has provided Personal Information, contact us at legal+privacy@mendral.com and we will take appropriate steps.


13. AI and Model Training

We do not use Customer Code to train machine learning models.

If the Service uses Anthropic to generate outputs, we may send limited inputs to Anthropic to perform that function. Anthropic is configured with Zero Data Retention per our settings.


14. International Users

The Service is intended for use in the United States. Our vendors may process information in the United States and in other jurisdictions where they operate or store data. We do not currently offer specific data residency or cross-border transfer commitments beyond those described in this Privacy Policy and our agreements with service providers.


15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will post the updated version with a new “Last Updated” date.