Mondrio Inc. Privacy Policy

Effective Date: January 2026

Last Updated: February 2026

1. Introduction

This Privacy Policy ("Policy") describes how Mondrio Inc. ("Mondrio", "we", "us", or "our") collects, uses, discloses, and protects personal information in connection with our cloud services, software, applications, websites, and related offerings (collectively, the "Product"). This Policy applies to individuals who visit our websites, use our Product, or otherwise interact with us.

Mondrio is committed to protecting your privacy and complying with applicable data protection laws, including the EU General Data Protection Regulation 2016/679 ("EU GDPR"), the United Kingdom General Data Protection Regulation ("UK GDPR"), the California Consumer Privacy Act ("CCPA"), and other applicable data protection and privacy laws (collectively, "Applicable Data Protection Laws").

2. Data Controller and Data Processor Roles

2.1 When Mondrio Acts as Data Controller

Mondrio acts as a data controller when we collect and process personal information for our own purposes, such as:

  1. Managing your account and providing the Product;
  2. Communicating with you about the Product;
  3. Processing payments;
  4. Marketing and promotional activities (with your consent where required);
  5. Improving and developing the Product; and
  6. Complying with legal obligations.

2.2 When Mondrio Acts as Data Processor

When you use the Product to process personal data on behalf of your organization (for example, Customer Content containing personal data of your employees or customers), Mondrio acts as a data processor. In such cases, you act as the data controller and determine the purposes and means of processing. Our processing activities as a data processor are governed by our Data Processing Agreement.

3. Personal Data We Collect

3.1 Information You Provide

We collect personal information that you provide directly to us, including:

  1. Account Information: Name, email address, postal address, telephone number, company name, job title, and account credentials.
  2. Payment Information: Billing address and payment details (processed through secure third-party payment processors).
  3. Customer Content: Data, information, or materials you submit to the Product. Customer Content may include personal data about your employees, customers, or other individuals. In the context of Mondrio's Product, Customer Content primarily consists of pricing and product data that may incidentally contain personal data (e.g., customer names associated with pricing records).
  4. Communications: Information you provide when you contact us for support, send us inquiries, or otherwise communicate with us.
  5. Feedback: Suggestions, feedback, or comments about the Product or related offerings.

3.2 Information We Collect Automatically

When you use the Product, we automatically collect certain information, including:

  1. Usage Data: Data and information about the provision, use, and performance of the Product based on your use of the Product, including features accessed, actions taken, time spent, and frequency of use.
  2. Device Information: Device type, operating system, browser type, unique device identifiers, and IP address.
  3. Log Data: Server logs, access times, pages viewed, and referring URLs.
  4. Cookies and Similar Technologies: We use cookies, web beacons, and similar technologies to collect information about your interactions with the Product. See Section 9 (Cookies and Similar Technologies) for more information.

3.3 Information from Third Parties

We may receive personal information from third parties, including:

  • Business partners and service providers;
  • Publicly available sources; and
  • Third-party authentication services if you choose to link your account.

4. How We Use Personal Data

4.1 Purposes of Processing

We use personal information for the following purposes:

  1. Providing the Product: To provide, maintain, and improve the Product, including to process transactions, authenticate users, and provide customer support.
  2. Communications: To send you service-related communications, respond to your inquiries, and provide information you request.
  3. Analytics and Improvement: To understand how you use the Product, identify trends, and improve and develop our products and services.
  4. Machine Learning: To develop, train, or enhance artificial intelligence or machine learning models that are part of our products and services. We use only aggregated and de-identified Usage Data and Feedback for training purposes. We do NOT use Input, Output, or Customer Content to train models unless separately authorized by the customer in a written agreement.
  5. Security: To detect, prevent, and address technical issues, security incidents, and fraudulent or illegal activity.
  6. Legal Compliance: To comply with applicable laws, regulations, court orders, and other legal requirements.
  7. Marketing: With your consent where required, to send you marketing communications about our products, services, and events.

4.2 Legal Basis for Processing (EEA, UK, and Switzerland)

If you are located in the European Economic Area ("EEA"), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:

Purpose | Legal Basis | Details
Providing the Product | Art. 6(1)(b) — Performance of Contract | Processing necessary to perform our contract with you, including providing the Product, processing transactions, and user authentication.
Analytics and Improvement | Art. 6(1)(f) — Legitimate Interest | Processing necessary for our legitimate interest in understanding Product usage and improving our services. You may object to this processing.
Machine Learning (aggregated/de-identified data) | Art. 6(1)(f) — Legitimate Interest | Training and improving AI models using aggregated and de-identified Usage Data and Feedback. Data is aggregated and de-identified to minimize impact on individuals. You may object to this processing.
Security | Art. 6(1)(f) — Legitimate Interest | Detecting, preventing, and addressing security incidents and fraudulent activity.
Legal Compliance | Art. 6(1)(c) — Legal Obligation | Processing necessary to comply with our legal obligations.
Marketing | Art. 6(1)(a) — Consent | Marketing communications sent only with your consent, which you may withdraw at any time.

5. How We Share Personal Data

5.1 Categories of Recipients

We may share personal information with the following categories of recipients:

Service Providers (Sub-processors): Third-party vendors, contractors, and service providers who perform services on our behalf. These service providers are contractually bound to protect personal information and may only use it for the purposes for which it was disclosed. Our key sub-processors include:

Sub-processor | Service | Location
MongoDB Atlas | Database services | United States or Belgium, depending on customer data residency selection
Google Cloud Platform | Cloud hosting and infrastructure | United States or Belgium, depending on customer data residency selection
Google Vertex AI | AI processing (EU-plan customers) | Belgium (europe-west1)
Gemini API (Google AI) | AI processing (non-EU customers) | United States
WorkOS | Authentication | United States

A full and maintained list of our sub-processors is available at trust.mondrio.io.

  • Affiliates: Our corporate affiliates for purposes consistent with this Policy.
  • Business Transfers: In connection with a merger, acquisition, reorganization, sale of assets, or bankruptcy, personal information may be transferred to the acquiring entity.
  • Legal Requirements: To comply with applicable laws, regulations, legal processes, or governmental requests; to enforce our agreements; or to protect the rights, privacy, safety, or property of Mondrio, our users, or others.
  • With Your Consent: With your consent or at your direction.

5.2 Aggregated and De-identified Data

We may share aggregated or de-identified information that does not identify you with third parties for any purpose. Such information is not subject to this Policy.

6. International Data Transfers

6.1 Data Residency

Mondrio's core infrastructure is hosted on Google Cloud Platform. Default infrastructure is hosted in the United States (us-central1). EU data residency (Belgium, europe-west1) is available for customers on the EU plan. Database services are provided by MongoDB Atlas in the same region as the customer's selected data residency (United States or Belgium). AI processing uses Google Vertex AI (EEA) for EU-plan customers and Gemini API (United States) for all other customers. Authentication services are provided by WorkOS in the United States (limited to authentication credentials; no Customer Content is processed by WorkOS). Default data residency is the United States. EU data residency is available upon request for eligible plans.

6.2 Transfer Mechanisms

If you are located outside the United States, your personal information may be transferred to and processed in the United States or other countries that may have different data protection laws than your country of residence.

For transfers of personal data from the EEA, United Kingdom, or Switzerland to countries not deemed to provide an adequate level of protection, we implement appropriate safeguards, including:

  1. EU Standard Contractual Clauses approved by the European Commission;
  2. UK International Data Transfer Agreement or UK Addendum to the EU Standard Contractual Clauses;
  3. Swiss Standard Contractual Clauses; or
  4. Other lawful transfer mechanisms.

6.3 Data Processing Agreement

Customers subject to GDPR or other Applicable Data Protection Laws are required to enter into our Data Processing Agreement before transferring Personal Data to Mondrio. The DPA includes the Standard Contractual Clauses and other contractual commitments required by Applicable Data Protection Laws. The DPA is available at mondrio.io/legal/dpa and is incorporated by reference into our Terms of Service.

7. Data Retention

7.1 Retention Periods

We retain personal information for the periods outlined below. Specific retention periods may vary based on legal obligations and legitimate business needs.

Data Category | Retention Period
Account Information | Duration of your account plus 30 days after account closure.
Customer Content | Deleted within 30 days after termination of your account. Exports available on request prior to deletion.
Usage Data | 24 months from collection.
Payment Records | As required by applicable tax and financial regulations (up to 7 years).
Log Data | 90 days.
Communications / Support Records | Duration of your account plus any applicable legal retention period.

7.2 Sub-processor Retention After Mondrio's Deletion

After Mondrio completes its deletion of your data, certain sub-processors may retain residual data:

  • MongoDB Atlas: Data deleted promptly upon Mondrio's instruction; encrypted backups purged within approximately 30 days.
  • Google Cloud Platform: Secrets and stored data deleted promptly; system logs retained 30–90 days per GCP's standard policy, then automatically purged.
  • Google Vertex AI: Transient processing only — no data is stored after processing is complete.

7.3 Criteria for Retention

In determining the appropriate retention period, we consider:

  1. The nature and sensitivity of the personal information;
  2. The purposes for which we process the personal information;
  3. Applicable legal requirements;
  4. The potential risk of harm from unauthorized use or disclosure; and
  5. Whether the purposes can be achieved by other means.

8. Data Security

8.1 Security Measures

We implement appropriate technical and organizational measures to protect personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

  1. Encryption of data in transit (TLS 1.2+) and at rest (AES-256);
  2. Access controls and authentication mechanisms;
  3. Security assessments and vulnerability scanning, with penetration testing conducted as part of the SOC 2 program;
  4. Employee training on data protection and security;
  5. Incident response procedures; and
  6. Physical security measures for our facilities.

8.2 SOC 2 Compliance

Mondrio is SOC 2 Type II certified and maintains a security program audited against the SOC 2 trust services criteria (security, availability, processing integrity, confidentiality, and privacy). Our current security status and compliance reports are available at trust.mondrio.io.

8.3 Data Breach Notification

In the event of a Personal Data Breach affecting your personal information, we will notify you and the relevant supervisory authority as required by Applicable Data Protection Laws. We will provide sufficient information to allow you to meet any obligations to report or inform affected individuals of the Personal Data Breach.

9. Cookies and Similar Technologies

9.1 Cookie Consent

When you first visit our website, we present a cookie consent banner that allows you to accept or reject non-essential cookies. You can change your cookie preferences at any time using the link in our website footer. Essential cookies required for the Product to function are always active.

9.2 Types of Cookies

  1. Essential Cookies: Necessary for the Product to function and cannot be disabled. They include cookies for authentication and security.
  2. Analytics Cookies: Help us understand how you use the Product by collecting information about pages visited, features used, and errors encountered. These cookies are only set with your consent.
  3. Functional Cookies: Enable enhanced functionality and personalization, such as remembering your preferences. These cookies are only set with your consent.

9.3 Managing Cookies

You can manage your cookie preferences through:

  1. Our cookie consent banner (displayed on first visit);
  2. The cookie preferences link in our website footer;
  3. Your browser settings; or
  4. Industry opt-out mechanisms for analytics and marketing cookies.

Please note that disabling certain cookies may affect the functionality of the Product.

10. Automated Decision-Making

Mondrio's AI Services provide pricing recommendations for human review. The Product does NOT make automated decisions with legal or similarly significant effects on individuals as described in Article 22 of the EU GDPR. All AI-generated recommendations are presented to authorized users for their independent review and decision-making.

11. Your Rights and Choices

11.1 Rights Under GDPR (EEA, UK, and Switzerland)

If you are located in the EEA, United Kingdom, or Switzerland, you have the following rights:

  1. Right of Access: The right to obtain confirmation of whether we process your personal data and to receive a copy of your personal data.
  2. Right to Rectification: The right to correct inaccurate personal data and to complete incomplete personal data.
  3. Right to Erasure: The right to request deletion of your personal data in certain circumstances.
  4. Right to Restriction: The right to restrict processing of your personal data in certain circumstances.
  5. Right to Data Portability: The right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
  6. Right to Object: The right to object to processing based on legitimate interests or for direct marketing purposes.
  7. Right to Withdraw Consent: Where processing is based on consent, the right to withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
  8. Right to Lodge a Complaint: The right to lodge a complaint with a supervisory authority.

11.2 Rights Under CCPA (California Residents)

If you are a California resident, you have the following rights under the CCPA:

  1. Right to Know: The right to request information about the categories and specific pieces of personal information we have collected, the sources of collection, the purposes of collection, and the categories of third parties with whom we share personal information.
  2. Right to Delete: The right to request deletion of your personal information, subject to certain exceptions.
  3. Right to Opt-Out: The right to opt out of the "sale" of personal information. Mondrio does not sell personal information as defined by the CCPA.
  4. Right to Non-Discrimination: The right not to receive discriminatory treatment for exercising your CCPA rights.

11.3 Exercising Your Rights

To exercise your rights, please contact us using the contact information provided in Section 15 (Contact Information). We may need to verify your identity before processing your request. We will respond to your request within the timeframes required by applicable law.

11.4 Communication Preferences

You may opt out of receiving marketing communications from us by following the unsubscribe instructions in those communications or by contacting us. Even if you opt out, we may still send you service-related communications.

12. Children's Privacy

The Product is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If you become aware that a child has provided us with personal information, please contact us. If we learn that we have collected personal information from a child under 16, we will take steps to delete that information.

13. Third-Party Links and Services

The Product may contain links to third-party websites, applications, or services. This Policy does not apply to third-party services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you access.

14. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices or applicable laws. If we make material changes, we will notify you by posting the updated Policy on our website and updating the "Last Updated" date. For material changes, we will provide notice at least 30 days before the changes take effect. Your continued use of the Product after such changes constitutes your acceptance of the updated Policy.

15. Contact Information

If you have questions about this Policy or our privacy practices, or if you wish to exercise your rights, please contact us:

Mondrio Inc.

8 The Green, STE B
Dover, DE 19901
United States of America

Email: privacy@mondrio.io

For all privacy and data protection inquiries, including requests to exercise your rights under GDPR or other Applicable Data Protection Laws, please email: privacy@mondrio.io

15.1 Supervisory Authority

If you are located in the EEA, United Kingdom, or Switzerland, you have the right to lodge a complaint with your local supervisory authority if you believe that our processing of your personal data infringes Applicable Data Protection Laws.

16. Additional Information for Specific Jurisdictions

16.1 California

This section applies to California residents and supplements the information in this Policy.

Categories of Personal Information Collected: In the preceding 12 months, we have collected the following categories of personal information: identifiers, commercial information, internet or electronic network activity, geolocation data, and inferences.

Sources of Personal Information: We collect personal information from the sources described in Section 3 (Personal Data We Collect).

Business Purposes for Collection: We collect and use personal information for the purposes described in Section 4 (How We Use Personal Data).

Categories of Third Parties: We share personal information with the categories of third parties described in Section 5 (How We Share Personal Data).

Retention: We retain personal information as described in Section 7 (Data Retention).

Sale of Personal Information: Mondrio does not sell personal information as defined by the CCPA.

This Privacy Policy is provided for informational purposes and describes Mondrio's privacy practices. By using the Product, you acknowledge that you have read and understood this Privacy Policy.