Privacy Policy
Last updated: March 28, 2026
MythOS ("we," "us," or "our") is operated by One Inc. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use the MythOS platform ("Service"). It applies to all users, including those in the European Economic Area (EEA), and describes your rights under the General Data Protection Regulation (GDPR).
1. Data Controller
One Inc is the data controller responsible for your personal data. For questions or to exercise your rights, contact us at: [email protected]
2. Data We Collect
Account Data
- Username, display name, email address
- Password (hashed, stored by Supabase Auth)
- Profile photo, bio, social links
- Address and zip code (optional)
Content Data
- Memos, daily journal entries, and their metadata (titles, tags, entities)
- Comments on community posts
- Community posts and contributions
- Templates you create
Usage Data
- Memo view counts and analytics
- Login sessions (IP address, browser, device type, timestamps)
- AI chat conversations and token usage
AI Configuration
- If you provide your own API keys (BYOK), they are encrypted at rest using AES-256-CBC and used solely to make API calls on your behalf. We never share your keys with third parties.
3. Legal Basis for Processing
We process your data based on the following legal grounds:
- Contract performance (Article 6(1)(b)): To provide your account, store your content, and operate the Service.
- Legitimate interest (Article 6(1)(f)): For security, fraud prevention, and service improvement.
- Consent (Article 6(1)(a)): For optional analytics and marketing tracking. You can withdraw consent at any time via Settings > Privacy.
4. How We Use Your Data
- Authenticate and secure your account
- Store and display your content
- Power AI-assisted features (RAG search, chat) using your chosen AI provider
- Send transactional emails (collaboration invites)
- Generate analytics and improve the platform (with consent)
- Enforce rate limits and prevent abuse
5. Third-Party Services (Subprocessors)
We share data with the following service providers, each under appropriate data processing agreements:
| Service | Purpose | Location |
|---|---|---|
| Supabase (GoTrue) | Authentication | Self-hosted / EU |
| MongoDB Atlas | Primary database | Configured region |
| Cloudflare R2 | Image and media storage | Global (edge) |
| Sentry | Error tracking | United States |
| Google Tag Manager | Analytics (consent required) | United States |
| Vercel Analytics | Performance analytics (consent required) | United States |
| SendGrid | Transactional email | United States |
For US-based services, we rely on Standard Contractual Clauses (SCCs) to ensure adequate data protection for international transfers.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account and content data | Until you delete your account |
| Login sessions | 6 months |
| Memo view analytics | 13 months |
| Consent records | Duration of account + 3 years |
| Deleted account content | Anonymized and retained (author identity removed) |
7. Your Rights
Under GDPR, you have the right to:
- Access your personal data (Settings > Privacy > Download My Data)
- Rectify inaccurate data (Settings > Account)
- Erase your account and personal data (Settings > Privacy > Delete Account). Your account data is deleted, but your content is anonymized rather than deleted; see Section 8.
- Restrict processing by contacting us at [email protected]
- Data portability — export your data in JSON format
- Object to processing based on legitimate interest
- Withdraw consent for analytics/marketing at any time
To exercise any right, use the in-app tools or email [email protected]. We respond within 30 days.
8. Account Deletion
When you delete your account:
- Your profile, email, username, photo, bio, social links, BYOK API keys, contacts, sessions, and templates are permanently deleted.
- Your username is permanently retired and cannot be re-registered by anyone.
- Your memos, comments, and community posts are anonymized — they remain visible but are attributed to "[Deleted User]" with no link to your identity.
- There is a 7-day grace period before deletion is finalized. Contact us to cancel during this period.
9. Cookies and Tracking
Authentication sessions are stored in your browser's localStorage; we do not use HTTP cookies for authentication. Optional tracking scripts (Google Tag Manager, Vercel Analytics) only load after you give explicit consent via the cookie banner.
10. Security
- API keys encrypted with AES-256-CBC at rest
- JWT-based authentication with 1-hour token expiration
- Two-factor authentication (TOTP) available
- Sensitive data scrubbed from error tracking (Sentry)
- Rate limiting on all API endpoints
11. Children
MythOS is not intended for children under 16. We do not knowingly collect personal data from anyone under 16.
12. Changes to This Policy
We may update this policy from time to time. We will notify registered users of material changes via email or in-app notification. Continued use after notification constitutes acceptance.
13. Contact
For privacy inquiries or to exercise your data rights:
Email: [email protected]
Data Controller: One Inc
You have the right to lodge a complaint with your local data protection authority if you believe your data has been processed unlawfully.