Privacy Notice

Who this notice covers

This notice applies to two distinct groups of users, who have meaningfully different privacy footprints:

Platform users — teams and individuals using the Mediumroast competitive intelligence workbench. You upload proprietary business documents, contracts, competitive analyses, and strategic research. You have the highest level of data exposure under this notice, and Sections 1–10 apply to you in full.

Data product buyers — individuals or organizations evaluating and purchasing Mediumroast open data products via the Explorer. Your interaction with us is primarily transactional. You provide contact and billing information; you browse schemas, coverage summaries, and previews. Sections 1, 5, 6, 7, 9, 10, 11, 12, and 13 apply to you. Section 4 describes how we source and govern the data products themselves.

If you are unsure which category applies to you, or if you are both, treat yourself as a platform user.

1. What information we collect

1a. Information platform users provide directly

• Account information: name, email address, company name, job title, and other contact details provided at registration
• Uploaded content: documents, contracts, competitive analyses, win/loss research, pricing models, and any other materials you submit to the Services
• Workspace configuration: playbooks, templates, and settings you define within your account
• Communications: messages you send us via email or support channels

1b. Information we collect automatically (all users)

• Usage data: pages visited, features used, session duration, and interaction logs
• Technical data: IP address, browser type, device type, operating system, and referral URLs
• Cookies and similar technologies: see Section 7 below

1c. Information from third-party integrations (platform users)

If you connect third-party integrations — such as Slack, Box, Microsoft 365, Jira, or CRM platforms — we may receive data from those services as authorized by you at the time of connection.

1d. Information from publicly available sources (data products)

Our open data products are derived from publicly available or licensed sources, including government filings, market registries, company databases, and open-license datasets. See Section 4 for a full explanation of how we source, document, and govern this data.

2. How we use your information

We use your personal information only for the following purposes:

• To provide and operate the Services, including processing competitive intelligence workflows and analyses
• To improve and develop the Services based on aggregated, de-identified usage patterns
• To communicate with you about your account, product updates, and support requests
• To send promotional communications — you can opt out at any time (see Section 9)
• To comply with legal obligations and enforce our Terms of Service
• To detect and prevent fraud, abuse, or security incidents

We do not sell your personal information.

We do not use your uploaded content to train AI models without your explicit consent.

Mediumroast does not collect, use, or sell sensitive personal information as defined by California law (including precise geolocation, biometric data, health information, race, religion, or financial account credentials).

Account isolation and competitive confidentiality

Competitive intelligence content is inherently sensitive business information. We treat it accordingly:

• Customer uploaded content is logically isolated per account. No content from your workspace is visible to, or retrievable by, any other customer.
• We do not use content from one customer account to train models, generate outputs, or improve results delivered to any other customer account.
• Employees and contractors who access content for support, debugging, or security purposes are bound by confidentiality obligations and access is logged.

3. AI and automated processing

Our Services use artificial intelligence and large language model (LLM) technology to process and analyze content you upload. Here is exactly how that works:

• Documents and data you submit are processed by AI systems to generate competitive intelligence outputs on your behalf
• We use Anthropic's Claude models as a core part of our platform. Anthropic processes API-submitted content under terms that prohibit Anthropic from using API content for model training
• Content submitted for AI processing is not retained by us beyond the time required to generate the output, or the duration of your active session, whichever is shorter — unless you explicitly save it to your account workspace
• We do not share content from one customer's workspace with any AI call originating in another customer's workspace. Cross-account isolation is enforced at the API call level
• AI-generated outputs belong to you. We do not use them for any purpose other than delivering the Services

You should not upload content that contains information you are not authorized to share with a third-party AI provider. Please review our Terms of Service for acceptable use guidelines.

4. Our data products and their sources

This section is specific to Mediumroast open data products available through the Explorer.

How we source our data products

Our data products are derived from publicly available or licensed sources — including government and regulatory filings, commercial registries, industry databases, and datasets released under open licenses. We do not scrape personal social media profiles, purchase behavioral advertising data, or acquire data through means that obscure its origin.

Lineage and provenance

Every Mediumroast data product carries documented provenance. Before purchase, buyers can inspect the schema, coverage summary, source metadata, and collection methodology. This is a core product commitment, not an afterthought.

Incidental personal information

Some public-record datasets incidentally contain personal information — for example, a named executive in a government filing or a founder's name in a company registry. When this occurs:

• We treat such data as public-record information consistent with its original context
• We do not combine it with platform user account data
• We do not use it for profiling, advertising targeting, or any purpose beyond the data product itself
• We do not cross-reference open data products with individual user account data under any circumstances

No data product contains information sourced from platform user uploads. The two data environments are fully separated.

5. How we share your information

We do not sell your personal information. We share your information only in the following circumstances:

• Service providers: third-party vendors who help us operate the Services (e.g., cloud hosting, analytics, customer support tools). These providers are contractually bound to protect your data and use it only as directed by us
• AI processing partners: including Anthropic and other LLM providers necessary to deliver core platform functionality, under data processing terms consistent with this notice
• Legal requirements: when required by law, court order, or government authority, or to protect our legal rights
• Business transfers: in connection with a merger, acquisition, or sale of assets, with advance notice to you
• With your consent: for any other purpose you explicitly authorize

We require all third-party service providers to maintain data protection standards consistent with this notice.

6. Data retention

We retain your personal information for as long as your account is active or as needed to provide the Services:

• Account data is retained for the duration of your account plus 90 days following deletion
• Uploaded content is retained while your account is active; you may delete content at any time through the Services
• AI processing inputs are not retained beyond your active session unless explicitly saved (see Section 3)
• Usage logs and technical data are retained for up to 12 months
• Inactive accounts: if your account has had no activity for 36 months, we will notify you by email and begin deletion 30 days later unless you confirm continued use
• We may retain certain data longer if required by law or for legitimate purposes such as fraud prevention or resolving disputes

To request deletion of your data, contact us at hello@mediumroast.io.

7. Cookies and tracking technologies

We use cookies and similar tracking technologies to operate and improve the Services:

• Essential cookies: required for the Services to function (e.g., session management, authentication). These cannot be disabled without affecting Service functionality
• Analytics cookies: help us understand how users interact with the Services (e.g., page views, feature usage). We use privacy-respecting analytics tools that do not build cross-site profiles
• Preference cookies: remember your settings and preferences across sessions

We do not use advertising cookies or cross-site tracking technologies.

Global Privacy Control (GPC): Our website detects and honors GPC browser signals. If your browser sends a GPC signal, we will disable all non-essential cookies for your session, including analytics and preference cookies. To enable GPC, use a compatible browser or extension such as Privacy Badger or Brave.

You can also control cookies through your browser settings independent of GPC.

8. Cross-border data transfers

Mediumroast is based in the United States. If you access our Services from the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data will be transferred to and processed in the United States.

We rely on the following mechanisms to ensure those transfers are lawful:

• Standard Contractual Clauses (SCCs): We use SCCs pre-approved by the European Commission as the primary legal basis for transferring personal data from the EEA and UK to the United States
• EU-US Data Privacy Framework: We are in the process of certifying under the EU-US Data Privacy Framework (DPF). We will update this section upon certification
• Swiss-US transfers: We use SCCs adapted for Swiss law pending updated guidance from the Swiss Federal Data Protection and Information Commissioner
• FTC enforcement: As a US-based company, Mediumroast is subject to the investigatory and enforcement powers of the US Federal Trade Commission

For questions about international data transfers or to request a copy of the applicable SCCs, contact us at hello@mediumroast.io.

9. Your rights and choices

All users

• Opt out of promotional emails: click "Unsubscribe" in any marketing email or contact hello@mediumroast.io
• Access your data: request a copy of the personal information we hold about you
• Correct your data: update inaccurate or incomplete information
• Delete your data: request deletion of your account and associated personal information

California residents (CCPA/CPRA)

If you are a California resident, you have the following rights:

• Right to know: what personal information we collect, use, share, and sell (we do not sell)
• Right to delete: request deletion of your personal information, subject to certain exceptions
• Right to opt out of sale or sharing: we do not sell or share personal information for cross-context behavioral advertising
• Right to correct: request correction of inaccurate personal information
• Right to limit use of sensitive personal information: we do not collect sensitive personal information as defined by California law
• Right to non-discrimination: we will not penalize you for exercising any of these rights

Authorized agents: A California resident may designate an authorized agent — such as a company privacy officer or legal counsel — to submit CCPA requests on their behalf. Please include "Authorized Agent Request" and the name of the consumer being represented in your subject line.

To exercise your CCPA rights, contact us at hello@mediumroast.io with the subject line "CCPA Request." We will respond within 45 days.

European residents (GDPR)

If you are located in the EEA, UK, or Switzerland, you have additional rights:

• Lawful basis: we process your personal data based on contract performance (to provide the Services), legitimate interests (to improve and secure the Services), and compliance with legal obligations
• Right to object: to processing based on legitimate interests
• Right to restriction: to limit how we process your data in certain circumstances
• Right to portability: to receive your data in a structured, machine-readable format
• Right to withdraw consent: where processing is based on consent, you may withdraw at any time without affecting prior processing
• Right to lodge a complaint: with your local data protection supervisory authority

For GDPR-related requests, contact hello@mediumroast.io with the subject line "GDPR Request."

10. Data security

We implement industry-standard technical and organizational measures to protect your personal information:

• Encryption of data in transit (TLS 1.2+) and at rest
• Access controls limiting data access to authorized personnel only, with access logging
• Logical account isolation preventing cross-customer data access
• Regular security assessments and vulnerability reviews
• Incident response procedures for detecting, containing, and notifying affected users of data breaches

No method of transmission over the internet is 100% secure. If you believe your account has been compromised, contact us immediately at hello@mediumroast.io.

11. Children's privacy

The Services are not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13. If we learn we have collected such information, we will delete it promptly. If you believe a child has provided us personal information, contact us at hello@mediumroast.io.

12. Updates to this notice

We may update this Privacy Notice to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:

• Post the updated notice on our website with a new effective date
• Notify you by email or prominent in-product notice at least 14 days before changes take effect

Your continued use of the Services after the effective date constitutes acceptance of the updated notice.

13. Contact us

Questions, concerns, or requests regarding this Privacy Notice or our privacy practices:

Mediumroast, Inc.
Email: hello@mediumroast.io

• For CCPA requests, use subject line: "CCPA Request"
• For GDPR requests, use subject line: "GDPR Request"
• For transfer mechanism questions, use subject line: "Data Transfer Inquiry"