Privacy Policy
Privacy Policy
Effective Date: March 10, 2026 Last Updated: March 10, 2026
M Intelligence ("M Intelligence," "we," "us," or "our") provides an AI-powered marketing intelligence platform (the "Platform") accessible at client.mintel.app. This Privacy Policy describes how we collect, use, disclose, retain, and protect information when you use the Platform or interact with us.
By accessing or using the Platform, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree, you must not use the Platform.
1. Definitions
"Customer" means the organization that has entered into a subscription agreement with M Intelligence.
"Authorized User" means an individual invited by a Customer's administrator to access the Platform.
"Customer Data" means all data that a Customer or its Authorized Users upload, connect, input, or generate through the Platform, including connected data source content, queries, and AI-generated outputs.
"Personal Data" means any information that identifies, relates to, or could reasonably be linked to an identified or identifiable individual.
"Platform Data" means data generated by the operation of the Platform itself, such as system logs, performance metrics, and aggregated usage statistics that cannot be used to identify any individual or reconstruct any Customer Data.
2. Information We Collect
2.1 Account Information
When a Customer administrator invites you to the Platform, we collect:
Email address
Display name
Role title (e.g., CEO, Marketing Director, Analyst)
Organization name, industry classification, and company size
2.2 Usage Information
Through your use of the Platform, we collect:
Natural language queries submitted to the AI engine
Dashboard configurations and saved views
Agent run requests, parameters, and approved actions
Data source connection metadata (connection type, sync schedule, schema structure)
Feedback on AI-generated results (e.g., marking a query result as correct or incorrect)
2.3 Authentication & Security Information
Login timestamps and IP addresses
Multi-factor authentication method selection
Session identifiers
Administrative actions (invitations sent, roles changed, connections added or removed)
2.4 Connected Data Source Content
When you connect external data sources (databases, marketing platforms, CRM systems), the Platform accesses and caches data from those sources within your isolated tenant environment for the purpose of answering your queries and generating insights.
2.5 Information We Do NOT Collect
Passwords. Authentication is managed entirely by Microsoft Entra ID. We never receive, store, or have access to your password.
Social media login credentials. The Platform does not offer social login (Google, Facebook, etc.).
Advertising identifiers or tracking pixels. We do not serve ads and do not participate in ad networks.
Biometric data.
Precise geolocation data.
Financial payment information. Billing is handled through separate invoicing; we do not process credit cards through the Platform.
3. How We Use Your Information
We process your information solely for the following purposes:
PurposeData UsedLegal Basis (GDPR)Provide and operate the PlatformAccount info, usage data, connected source dataPerformance of contractProcess your queries and generate AI insightsQuery text, schema context, connected source dataPerformance of contractImprove query accuracy for your organization onlyYour feedback on results (correct/incorrect markings)Legitimate interest (service improvement scoped to your tenant)Enforce security and tenant isolationAuthentication data, IP addresses, audit logsLegitimate interest (security)Send transactional communicationsEmail addressPerformance of contractComply with legal obligationsAs requiredLegal obligationRespond to your support requestsAccount info, usage contextPerformance of contract
3.1 What We Do NOT Do With Your Information
We do not sell your Personal Data. We have never sold Personal Data and have no plans to do so.
We do not sell your Customer Data.
We do not use your Customer Data to train, fine-tune, or improve any AI or machine learning model — ours or any third party's. See Section 5 for details.
We do not share your data across tenants. One Customer's data is never visible to, used for, or blended with another Customer's data.
We do not use your data for advertising, profiling, or behavioral targeting.
We do not share your data with data brokers.
4. Tenant Data Isolation
Each Customer operates in a fully isolated environment within the Platform. This means:
Separate infrastructure. Each tenant has its own database, encryption keys, credential vault, and storage containers.
No cross-tenant data access. AI models process each tenant's queries in isolation. The AI cannot access, reference, or be influenced by another tenant's data, queries, feedback, or results.
Scoped AI learning. When you mark a query result as correct, that feedback improves accuracy only within your tenant's environment. It is never used to benefit other tenants or to train general-purpose models.
Scoped administrative access. Customer administrators can only manage users, connections, and settings within their own tenant.
5. AI and Machine Learning: How Your Data Is Processed
This section addresses how the Platform's AI components interact with your data.
5.1 Query Processing
When you submit a natural language query, the Platform:
Generates a mathematical embedding of your query text (using Azure OpenAI) to retrieve relevant schema context and prior verified query pairs from your tenant's index only
Assembles a prompt containing your query, relevant schema context, and any matching verified query pairs
Sends this prompt to Anthropic's Claude API to generate a SQL query and insight
Executes the generated SQL against your tenant's connected data sources only
Returns the result to you
5.2 What Is Sent to Third-Party AI Providers
Anthropic (Claude): Your natural language query, database schema descriptions (table names, column names, data types), and relevant contextual metadata. Raw business data (actual row values from your databases) is not included in AI prompts unless required to answer your specific query, in which case only the minimal necessary data is included and is not retained by Anthropic beyond the API request.
Azure OpenAI: Your query text is converted into a numerical vector for semantic search. The text is not retained by Microsoft beyond the API request.
5.3 Third-Party AI Provider Data Policies
Anthropic's API does not use customer inputs or outputs to train models. See Anthropic's Commercial Terms for details.
Azure OpenAI Service does not use customer data to train, retrain, or improve foundation models. See Microsoft's Data, Privacy, and Security documentation for details.
5.4 No Model Training
To be explicit: Your data is not used to train, fine-tune, improve, or develop any AI model, whether operated by M Intelligence, Anthropic, Microsoft, or any other party. AI providers process your data solely to return a response to your specific request and do not retain it for training purposes.
6. Data Sharing and Disclosure
We do not share your Personal Data or Customer Data except in the following limited circumstances:
6.1 Sub-Processors
We use the following sub-processors to operate the Platform. Each is bound by a data processing agreement that restricts their use of your data to providing their service to us.
Sub-ProcessorServiceData ProcessedLocationMicrosoft AzureCloud infrastructure, compute, storage, networkingAll Platform and Customer Data (encrypted)United States (East US)Microsoft Entra IDAuthentication and multi-factor authenticationEmail, display name, authentication eventsUnited StatesAzure Communication ServicesTransactional email deliveryRecipient email address, email contentUnited StatesAnthropicAI reasoning (Claude API)Query text, schema context (see Section 5.2)United StatesAzure OpenAISemantic search embeddingsQuery text for vector conversionUnited States
We will update this list if we add new sub-processors that access Personal Data or Customer Data. Material changes will be communicated per Section 14.
6.2 Legal Requirements
We may disclose your information if required to do so by law, regulation, legal process, or governmental request, including to:
Comply with a subpoena, court order, or similar legal process
Enforce our Terms of Service
Protect the rights, property, or safety of M Intelligence, our Customers, or the public
Where legally permitted, we will notify the affected Customer before making such disclosure.
6.3 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify affected Customers before any such transfer and before your information becomes subject to a different privacy policy.
6.4 With Your Consent
We may share information with third parties when we have your explicit consent to do so.
6.5 No Other Sharing
We do not share your data with any party not listed above. We do not participate in data cooperatives, data exchanges, or data enrichment services.
7. Data Retention
Data CategoryRetention PeriodDeletion MethodAccount informationDuration of subscription + 30 daysAutomated deletion upon account terminationQuery history and AI resultsDuration of subscriptionDeleted with tenant environment upon terminationVerified query pairs (feedback)Duration of subscriptionDeleted with tenant search index upon terminationAgent run logs12 months from run date (audit purposes)Automated purgeConnected source cached dataDuration of active connectionImmediate deletion upon disconnectionAuthentication logs12 monthsAutomated purgeSystem and security logs12 monthsAutomated purgeTransactional email records90 daysAutomated purge
Upon termination of a Customer's subscription:
All Customer Data, including connected source caches, query history, agent run logs, AI feedback pairs, dashboard configurations, and user accounts, is permanently deleted within 30 days.
Deletion includes removal from all databases, search indices, storage containers, and backups.
We will provide written confirmation of deletion upon Customer request.
8. Data Security
We implement the following technical and organizational measures to protect your data:
Encryption
All data is encrypted in transit using TLS 1.2 or higher
All data is encrypted at rest using AES-256 encryption
Database connections use SSL-enforced encrypted channels
Access Control
Multi-factor authentication is enforced for all Platform users (no exceptions)
Role-based access control with principle of least privilege
Per-tenant Azure Key Vault for credential and secret management
Administrative actions are logged with immutable audit trails
Network Security
Backend API services are deployed within a virtual network with no public internet access
Only the frontend application is publicly accessible; all API communication occurs over internal network channels
Operational Security
Infrastructure is managed through infrastructure-as-code with version-controlled deployments
Secrets are stored in hardware security module (HSM)-backed vaults and are never committed to source code or stored in environment files in production
Incident Response
In the event of a confirmed data breach affecting your Personal Data, we will notify the affected Customer's administrator without undue delay and no later than 72 hours after becoming aware of the breach (as required under GDPR Article 33)
Notification will include the nature of the breach, categories of data affected, estimated number of individuals affected, and measures taken to address and mitigate the breach
9. Cookies and Tracking Technologies
The Platform uses only strictly necessary cookies required for authentication session management (Microsoft Entra ID session tokens). These cookies are essential for the Platform to function and cannot be disabled.
We do not use:
Analytics cookies
Advertising or retargeting cookies
Third-party tracking pixels
Fingerprinting or similar tracking technologies
Social media widgets or embedded content that sets cookies
Because we use only strictly necessary cookies, no cookie consent banner is required under GDPR/ePrivacy Directive. However, we disclose their use here for transparency.
10. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your Personal Data:
10.1 Rights Under GDPR (EEA, UK, Switzerland)
Access: Request a copy of the Personal Data we hold about you
Rectification: Request correction of inaccurate or incomplete data
Erasure: Request deletion of your Personal Data ("right to be forgotten")
Restriction: Request that we limit processing of your data in certain circumstances
Portability: Request your data in a structured, commonly used, machine-readable format
Objection: Object to processing based on legitimate interests
Withdraw Consent: Where processing is based on consent, withdraw that consent at any time
10.2 Rights Under CCPA/CPRA (California Residents)
Right to Know: Request disclosure of the categories and specific pieces of Personal Data we have collected
Right to Delete: Request deletion of your Personal Data
Right to Correct: Request correction of inaccurate Personal Data
Right to Opt-Out of Sale: We do not sell Personal Data; this right is not applicable
Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
CCPA Disclosure: In the preceding 12 months, we have collected the categories of Personal Data described in Section 2. We have not sold any Personal Data. We have not shared Personal Data for cross-context behavioral advertising. We have disclosed Personal Data to sub-processors as described in Section 6.1 solely for the business purposes described in Section 3.
10.3 Rights Under PIPEDA (Canada)
Right to access your Personal Data held by us
Right to challenge the accuracy and completeness of your data and have it amended
Right to withdraw consent for non-essential processing
10.4 How to Exercise Your Rights
To exercise any of these rights, contact us at privacy@mintel.app. We will respond within 30 days (or sooner if required by applicable law). We may ask you to verify your identity before processing your request.
If you are an Authorized User, certain requests (such as account deletion) may need to be initiated by your Customer's administrator, as the Customer is the data controller for their organization's data.
10.5 Complaints
If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.
11. Data Controller and Data Processor Roles
For Customer Data: The Customer is the data controller. M Intelligence acts as a data processor, processing Customer Data solely on the Customer's instructions as set forth in our subscription agreement and Data Processing Agreement (DPA).
For Account and Usage Data: M Intelligence is the data controller for Personal Data we collect to operate the Platform (e.g., account information, authentication logs).
Customers who require a signed Data Processing Agreement may request one at privacy@mintel.app.
12. International Data Transfers
All data processing occurs within the United States. If you are located outside the United States, your data will be transferred to and processed in the United States.
For transfers from the EEA, UK, or Switzerland, we rely on:
Standard Contractual Clauses (SCCs) approved by the European Commission
Our sub-processors' own data transfer mechanisms (Microsoft's EU Data Boundary commitments; Anthropic's DPA and SCCs)
13. Children's Privacy
The Platform is a business-to-business service and is not directed at individuals under the age of 16. We do not knowingly collect Personal Data from children under 16. If we become aware that we have collected Personal Data from a child under 16, we will delete that data promptly.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.
Material changes (changes to data collection categories, new sub-processors with access to Personal Data, changes to data sharing practices) will be communicated via email to Customer administrators at least 30 days before they take effect.
Non-material changes (clarifications, formatting, typographical corrections) may be made without prior notice.
The "Last Updated" date at the top of this policy indicates the most recent revision. Continued use of the Platform after changes take effect constitutes acceptance of the revised Privacy Policy.
15. Third-Party Links
The Platform may contain links to third-party websites or services (e.g., connected data sources). We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any third-party services you interact with.
16. Aggregated and De-Identified Data
We may create aggregated, de-identified, or anonymized data from Platform Data for internal purposes such as analyzing Platform performance and usage patterns. This data cannot be used to identify any individual or reconstruct any Customer Data. This aggregated data is not considered Personal Data or Customer Data under this Privacy Policy.
17. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at:
M Intelligence Email: privacy@mintel.app
For data protection inquiries from the EEA, UK, or Switzerland, please direct your correspondence to the same address and reference "GDPR Inquiry" in the subject line.