Privacy Policy
Effective: 18 July 2026
Mulberry Inc. is the controller for the personal data described here.
Contact: privacy@mulberry.fit
1. Two roles, kept separate
- As controller — your account, verification, billing and support data. This policy covers it.
- As processor — the personal data inside the traffic you send through us (message content, recipient numbers, call metadata, AI prompts). We process that only on your documented instructions. You are the controller for it, and your own privacy notice must cover it.
2. What we collect
| Category | Examples | Source |
|---|---|---|
| Account | Name, work email, company, role, password hash | You |
| Verification (KYB/KYC) | Legal entity name, registration number, registered address, beneficial owner details, government-issued ID, proof of address | You; registries; verification vendor |
| Billing | Billing address, tax ID, invoices, payment status, last-4 and card brand | You; our payment processor |
| Usage / metadata | Numbers allocated, message and call detail records (sender, recipient, timestamp, duration, segments, status), API call volume, token counts | Generated by the Services |
| Content (as processor) | Message bodies, recordings, transcripts, AI prompts and completions | You |
| Technical | IP address, browser, device, pages viewed | Automatically |
| Support | Emails, tickets, correspondence | You |
We do not intentionally collect special-category data. Do not send it to us outside the AI Services, and where you do send it through the Services, ensure you have a lawful basis under Art. 9 GDPR.
3. Why, and on what legal basis (GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Provide the Services, allocate numbers, meter usage | Contract (Art. 6(1)(b)) |
| Verify your identity; sanctions screening; AML/CTF and telecoms KYC | Legal obligation (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f)) — preventing fraud and misuse of allocated numbers |
| Billing, tax, accounting records | Legal obligation + contract |
| Security, abuse detection, fraud prevention | Legitimate interests — protecting our platform, our customers, and the public |
| Responding to law enforcement / regulators | Legal obligation |
| Product analytics and improvement | Legitimate interests, or consent where cookies are involved |
| Marketing emails | Consent, or soft opt-in for existing customers. Unsubscribe in every email. |
Where we rely on legitimate interests we have balanced them against your rights, and you may object (§7).
4. Retention
| Data | Retained for |
|---|---|
| Account data | Life of the account + 12 months |
| Verification documents & sanctions screening records | 5 years after the relationship ends (AML/telecoms recordkeeping) |
| Billing & tax records | 7 years (statutory) |
| Call & message detail records (metadata) | 12 months |
| Message content / recordings / transcripts | 30 days by default, or the retention you configure. Zero-retention available on Business and above. |
| AI prompts & completions | 30 days by default for debugging and abuse detection; zero-retention available. Never used for training. |
| Security & access logs | 12 months |
| Abuse investigation records | 2 years, to detect repeat offenders |
After the period, data is deleted or irreversibly anonymised.
5. Who we share with
- Sub-processors — hosting, verification, payments, AI service providers, carriers. All are under a data processing agreement and security-reviewed; the current list is available from privacy@mulberry.fit.
- Carriers and telecoms partners — necessary to route messages and calls, and to satisfy regulatory registration.
- Payment processor — an independent controller for card data.
- Professional advisers — legal, accounting, insurance, under confidentiality.
- Authorities — only on valid legal process.
- Corporate transaction — an acquirer, under equivalent protections and with notice to you.
We do not sell personal data. We do not share it for cross-context behavioural advertising. We never have.
6. International transfers
Our sub-processors may operate in countries other than yours. Transfers out of the EEA or UK are made under an adequacy decision, or under the EU Standard Contractual Clauses and, for the UK, the International Data Transfer Addendum, with a transfer impact assessment on file. Ask privacy@mulberry.fit for a copy of the relevant safeguards.
7. Your rights
If you are in the EEA or the UK (GDPR): access · rectification · erasure · restriction · portability · objection (including to legitimate-interests processing) · withdrawal of consent at any time · not to be subject to solely automated decisions with legal or similarly significant effects.
Exercise them at privacy@mulberry.fit. We respond within 30 days, free of charge. You may also complain to your supervisory authority — in the EU, your national DPA; in the UK, the Information Commissioner's Office (ico.org.uk).
If you are in California (CCPA/CPRA): right to know the categories and specific pieces collected, to delete, to correct, to opt out of sale or sharing (we do neither), to limit use of sensitive personal information, and not to be discriminated against for exercising any of these. Submit at privacy@mulberry.fit. An authorised agent may act for you with written proof.
We may ask for information to verify your identity before acting — we won't act on an unverified request about someone else's data.
8. Security
Encryption in transit and at rest; MFA and least-privilege access; logging and monitoring; a documented incident response plan. If a personal data breach affects you, we notify the relevant supervisory authority within 72 hours where required, and we notify you without undue delay.
9. Children
The Services are for businesses. We do not knowingly collect personal data from anyone under 18. If you believe we have, write to privacy@mulberry.fit and we will delete it.
10. Cookies
See the Cookie Policy.
11. Changes
We will post any change here and, for material changes, email you at least 30 days in advance.
Contact: privacy@mulberry.fit · Mulberry Inc.