Privacy Policy

This Privacy Policy describes how Avery Intelligence, Inc. d/b/a Momental ("Momental", "we", "us") collects, uses, and shares information when you use our platform and services (the "Services").

The Services are an AI-powered platform that processes workspace content through large language models and creates structured context representations from organizational knowledge.

Data Roles. For the purposes of applicable data protection laws (including GDPR), Momental acts as a data processor when processing Customer workspace content on behalf of Customer, and as a data controller for account registration data, billing information, and platform usage analytics.

1. Information We Collect

Information You Provide

• Account information (name, email, company name, billing information)
• Workspace content (messages, documents, files shared in accessible channels)
• Configuration data (workspace settings, preferences)
• Support communications

Information We Create

• Context atoms (extracted signals, learnings, decisions, principles)
• Relationships between context items (supports, contradicts, supersedes)
• Conflict records when contradictions are detected
• Strategic alerts generated from analysis

Information Collected Automatically

• Usage data (features used, interaction patterns, timestamps)
• Device information (browser type, OS, IP address, general location)
• Performance data (response times, error logs)
• Cookies (session management, authentication, analytics)

Information from Third Parties

• Workspace platform data authorized by Customer (user profiles, channel lists)
• Payment transaction information from Stripe (we do not store full credit card numbers)

Proactive Monitoring. AI features continuously observe all messages in channels where they are present, not just direct mentions. AI builds understanding of conversations, decisions, and team dynamics through this observation and may proactively initiate conversations or offer insights without being explicitly asked. Customer controls which channels AI features can access.

What Is NOT Monitored. Private direct messages between human users (unless an AI feature is explicitly added to the conversation), channels where AI features have not been invited, and content in platforms or tools not connected to the Services.

2. How We Use Your Information

We use information to:

• Provide, maintain, and improve the Services
• Create structured context representations to power platform features
• Detect conflicts and contradictions in workspace content
• Process uploaded documents and extract learnings
• Analyze information across teams to detect strategic misalignment
• Communicate service updates, security alerts, and billing notifications
• Detect and prevent unauthorized access, abuse, and security incidents
• Fulfill legal obligations

No Model Training. Momental will not train AI models on Customer Content submitted through the Services. We may use aggregate, anonymized data for product development.

Legal Bases (GDPR). Where GDPR applies, we process Personal Data on the following bases: (a) performance of our contract with Customer (account management, service delivery); (b) legitimate interests (security, fraud prevention, product improvement), balanced against data subject rights; (c) legal obligation (tax records, law enforcement requests); and (d) consent (where specifically requested, which may be withdrawn at any time).

3. Third-Party AI Processing

Customer Content is processed by third-party AI model providers:

• Providers are bound by Data Processing Agreements
• Providers do not use Customer data for model training
• Anthropic automatically deletes API inputs and outputs within 30 days of processing under its standard API policy. Data may be retained longer only if flagged for usage policy enforcement or as required by law
• Google AI processes embedding requests without retaining inputs or outputs

4. Data Storage and Security

• Encryption at rest: AES-256
• Encryption in transit: TLS 1.2+ (TLS 1.3 enabled)
• Tenant isolation: Database-level and application-level controls ensure one team cannot access another team's data
• Infrastructure: SOC 2 Type II and ISO 27001 certified cloud infrastructure, United States
• Access controls: Role-based access, principle of least privilege, audit logging
• AI output validation: Responses scanned for prompt injection, data exfiltration, and unsafe content

No method of transmission or storage is 100% secure. We cannot guarantee absolute security.

Data Breach Notification. In the event of a data breach, we will notify affected customers within 72 hours of becoming aware, in compliance with GDPR and applicable laws. Notification will include the nature of the breach, categories of data affected, and steps taken to mitigate harm.

5. Data Sharing

We share information only in the following circumstances:

Service Providers. Trusted third-party providers who assist in operating the Services, including cloud infrastructure, AI model providers, and payment processors. All are contractually obligated to protect data. A current list of sub-processors is available at momentalos.com/security.

Legal Requirements. We may disclose information if required by valid legal process, government requests, or to protect our rights, users, or the public. We will notify affected customers unless prohibited by law.

Business Transfers. In connection with a merger, acquisition, or sale of assets, with notice to Customer and the opportunity to delete accounts before transfer.

With Consent. For other purposes with Customer's explicit consent.

6. Data Retention

Data Type	Retention
Account data	Active account + 30 days after termination
Workspace content & context library	Active account; deleted within 30 days of termination
Usage data & logs	24 months
Billing records	7 years (tax compliance)
Legal hold	As required by legal process

Customer can delete individual context items at any time through the platform. Upon termination, Customer has 30 days to export data before deletion.

Prohibited data types are described in our Usage Policy. If prohibited data is accidentally submitted, contact [email protected] immediately.

7. Your Rights

All Customers

• Access, correct, or delete your personal information
• Request data in a structured, machine-readable format (JSON or CSV)
• Object to certain processing
• Request restriction of processing

GDPR (EEA/UK/Swiss Customers)

• Right to withdraw consent at any time
• Right to lodge a complaint with your supervisory authority (edpb.europa.eu)
• Right not to be subject to solely automated decision-making with legal effects
• Automated features assist human decision-making but do not make legally binding decisions

CCPA/CPRA (California Customers)

• Right to know what personal information we collect, use, and share
• Right to delete, correct, and limit use of sensitive personal information
• We do not sell or share personal information for cross-context behavioral advertising

Categories of Personal Information Collected (CCPA Disclosure)

• Identifiers (name, email address, IP address)
• Commercial information (subscription plan, billing history, payment method tokens)
• Internet or network activity (usage logs, feature interactions, clickstream data)
• Professional or employment information (job title, company name)
• Communications content (workspace messages, documents, files)
• Inferences (AI-generated context atoms, strategic alignments, conflict detections)

To exercise your rights: [email protected]. Include "GDPR Request" or "California Privacy Request" in the subject line. We will respond within 30 days (GDPR) or 45 days (CCPA/CPRA). For complex requests, we may extend by an additional 60 days (GDPR) or 45 days (CCPA/CPRA) with notice.

Appeals. If we deny your request in whole or in part, you may appeal by replying to our response with "Appeal" in the subject line. We will review appeals within 30 days.

8. International Data Transfers

All Customer data is stored in the United States. For transfers from the EEA/UK, we use:

• EU Standard Contractual Clauses (2021 version)
• UK International Data Transfer Agreement
• Supplementary measures including encryption, access controls, and data minimization

9. Children's Privacy

The Services are not intended for individuals under 18. We do not knowingly collect personal information from children under 13 (COPPA). If we become aware of such collection, we will delete it within 48 hours.

10. Cookies

We use essential cookies for authentication and session management. We do not use non-essential cookies (analytics, marketing, tracking) without prior consent where required by applicable law. We do not use cookies for cross-site tracking or behavioral advertising. You can control cookies through browser settings.

11. Changes

We may update this Privacy Policy. Material changes will be communicated via email at least 30 days before taking effect. Material changes include new categories of data collected, new processing purposes, new third-party recipients, and reduced privacy protections. Customer may terminate with a pro-rata refund if it disagrees with changes.

12. Contact