Privacy Policy — Munin Cloud
Last updated: 2026-04-30
This policy covers Munin Cloud — the hosted SaaS at app.getmunin.com and its API endpoints (api.getmunin.com, mcp.getmunin.com). It is published by Apps AS, registered at Vulkan 16, 0178 Oslo, Norway ("we", "us", "Munin").
For the public marketing site at getmunin.com and the open-source distribution, see the separate getmunin.com Privacy Policy.
1. The two roles we play
Munin Cloud handles personal data in two distinct capacities:
- Data processor. For business data your organisation puts into Munin Cloud — knowledge-base articles, customer conversations, contacts, deals, CMS entries, audit logs, end-user records — your organisation is the controller and we process the data on your instructions, under a Data Processing Agreement that forms part of our Terms of Service.
- Data controller. For data we collect to operate the service itself — account credentials, billing information, support correspondence, security and abuse logs — we are the controller. The rest of this policy describes those flows.
If you are an end-user of one of our customers (e.g. you submitted a support request through a customer's chat widget), the customer is the controller of that interaction. Direct privacy requests about that data to them. We will refer such requests on to the customer.
2. Data we collect as controller
| Category | Data | When collected | | --- | --- | --- | | Account | Email, name, hashed password (BetterAuth), organisation membership, role | Sign-up and team-invitation flow | | Authentication | Session tokens, OAuth 2.1 tokens issued to your connected agents, hashes (never plaintext) of API keys you mint | Sign-in and key minting | | Billing | Plan, usage counters (MCP calls, embeddings, voice minutes when applicable, storage), invoices, payment method (held by our payment processor; we receive only token references and the last 4 digits) | When you subscribe to a paid plan | | Support | Name, email, message content | When you contact support@getmunin.com or use in-product help | | Operational logs | Request timestamps, IP, user agent, response status, correlation id, audit-log entries (tool name, arguments, result code, actor, organisation) | Automatically on every API and MCP request |
We do not read or analyse the content of customer business data (KB documents, conversations, contacts, deals, CMS entries) to operate the service, except where strictly necessary to provide a feature you've enabled (e.g. generating embeddings for kb_search) or to investigate a confirmed abuse or security report.
3. Why we process this data (legal basis)
| Purpose | Legal basis (GDPR Art. 6) | | --- | --- | | Providing the service to your organisation | Performance of contract (Art. 6(1)(b)) | | Billing and invoicing | Performance of contract; legal obligation for tax records (Art. 6(1)(b),(c)) | | Security, abuse prevention, fraud detection | Legitimate interest (Art. 6(1)(f)) | | Audit log retention | Legitimate interest, and (where required) legal obligation | | Support correspondence | Performance of contract; legitimate interest (Art. 6(1)(b),(f)) | | Service announcements (security, breaking changes, billing) | Legitimate interest; performance of contract | | Marketing emails | Consent (Art. 6(1)(a)); you can opt out at any time |
We do not sell personal data, and we do not use customer business data to train AI models.
4. Subprocessors
We rely on the following processors to run Munin Cloud. Material changes will be announced at least 30 days in advance.
| Subprocessor | Role | Data category | Region |
| --- | --- | --- | --- |
| Scaleway SAS | Hosting (Postgres + pgvector, application servers, object storage, backups) | All processed data | EU (France, Netherlands, or Poland — selected per tenant; defaults to fr-par) |
| Resend, Inc. | Outbound email delivery (transactional and channel sends via the mailer provider) | Sender, recipient, subject, body | US, with Standard Contractual Clauses |
| OpenAI, L.L.C. | Embedding generation for KB and CMS hybrid search (text-embedding-3-small) | The text you store in kb_documents and cms_entries, sent transiently for vector generation; OpenAI does not retain or train on API requests per its API data policy | US, with SCCs and OpenAI's data-processing addendum |
| Twilio Inc. (when voice or SMS adapters are enabled on your channel) | Telephony / SMS transport | Phone numbers, call/SMS metadata and content for that channel only | EU/US, with SCCs |
| Stripe, Inc. (paid plans only) | Payments | Cardholder data (we do not see PAN), billing address, invoice records | EU/US, with SCCs |
| GitHub, Inc. | OSS source, issue tracker, packages | Public-facing only | US, with SCCs |
A current subprocessor list is available at any time on request. Self-hosters who connect their own SMTP, IMAP, embedding provider, or telephony do not flow that data through our subprocessors.
5. International transfers
Cloud infrastructure runs in the EU (Scaleway). For subprocessors based outside the EEA we rely on the European Commission's Standard Contractual Clauses and, where adopted, additional supplementary measures. We do not transfer customer business data outside the EU other than for the specific subprocessor flows listed above.
6. Retention
| Data | Default retention | | --- | --- | | Account, organisation, membership records | Active for the life of the account; deleted within 30 days of account closure (longer if required by law, e.g. invoicing records) | | Audit log | 90 days, then automatic purge. Configurable per plan up to 13 months. | | Customer business data (KB, CRM, conversations, CMS entries) | Until you delete it or close your account. On account closure, deleted within 30 days; backups roll off within 35 days | | Operational logs | 30 days | | Invoices and tax records | 5 years (Norway bookkeeping law) or as required by your jurisdiction | | Support correspondence | 24 months from last interaction | | Backup snapshots | 35 days rolling |
7. Customer data ownership and export
You own the customer business data you put into Munin Cloud. At any time you can:
- export your data via the export endpoints (
/api/v1/export/*) and the dashboard; - request deletion of specific records via the relevant MCP tools (
kb_delete_document,cms_delete_entry, etc.) or by contacting privacy@getmunin.com; - close the account, which triggers deletion within 30 days.
8. Security
- TLS for all connections; HSTS enforced on app.getmunin.com.
- Postgres row-level security (RLS) enforces tenancy boundaries on every read and write; service-role queries bypass RLS only for narrow infrastructure paths and are audited.
- Channel credentials (SMTP, IMAP) are encrypted at application level (AES-GCM) before storage.
- API keys are stored only as salted hashes; the plaintext is shown to you once at mint time.
- End-user delegated MCP tokens are short-lived and scoped to a single end-user; their tools see only that end-user's own contact and conversations, enforced by RLS, not by client-side filtering.
- OAuth 2.1 with PKCE for admin agent authorisation.
- Backups encrypted at rest. Disaster-recovery procedures tested at least annually.
- Vulnerability disclosure: security@getmunin.com, acknowledgement within 72 hours, remediation timeline within 7 days for confirmed issues. See SECURITY.md.
We do not query Anthropic's Claude memory, chat history, conversation summaries, or files you've uploaded to Claude. The MCP tools operate exclusively on data within your Munin organisation.
9. Prompt injection and connected agents
Inbound channel content (emails, chat-widget messages, future voice/SMS) may include attempts to manipulate connected AI agents. We apply defences (sanitisation, constrained tool surfaces, scoped delegated tokens, audit logging) but cannot guarantee absolute prevention. If a connected agent acts on instructions delivered through inbound content, the customer remains responsible for those actions. We will work with you in good faith to investigate any incident.
10. Your rights
You have the right to access, correct, delete, restrict, port, and object to processing of your personal data. EU/EEA residents may lodge a complaint with their supervisory authority — for users based in Norway this is Datatilsynet (datatilsynet.no). California residents have CCPA/CPRA rights including the right to know and delete; we do not sell or share personal information as those terms are defined under California law.
To exercise these rights, email privacy@getmunin.com from the address associated with your account. We respond within 30 days and may extend by up to 60 additional days in complex cases.
If you are an end-user of one of our customers, contact that customer first; we will assist them in fulfilling your request.
11. Children
Munin Cloud is a B2B service not directed at children under 16; we do not knowingly create accounts for children. If you believe we hold data about a child, contact privacy@getmunin.com and we will delete it.
12. Cookies
Munin Cloud sets only the cookies required to operate the service:
| Cookie | Purpose | Duration |
| --- | --- | --- |
| NEXT_LOCALE | Remember language choice | 12 months |
| __Host-munin-session | Authenticated session (BetterAuth) | Session duration, sliding |
| CSRF tokens | Cross-site request forgery protection | Session |
We do not run third-party analytics, ad pixels, or session-replay tools on app.getmunin.com.
13. Changes
We will post material changes here and update the "Last updated" date. For substantive changes affecting how we process data, we will email account admins at least 30 days in advance.
14. Contact and DPA
For privacy enquiries, requests to exercise your rights, or to request our Data Processing Agreement (DPA):
Apps AS Vulkan 16, 0178 Oslo, Norway privacy@getmunin.com
A standard DPA is available on request and is incorporated by reference into our Terms of Service for paying customers.