Privacy Policy
Effective date: 13 March 2026 · Last updated: 13 March 2026
The short version: Your data stays in the EU. It never trains AI models. It is never shared with other users. You can delete everything at any time. We charge money for our service — you are the customer, not the product.
1. Who we are
This Privacy Policy describes how Pyratz Labs SAS, a French simplified joint-stock company ("we", "us", "our"), collects, uses, and protects personal data when you use the Mr.Chief platform ("Service").
Data Controller: Pyratz Labs SAS
Privacy contact: privacy@misterchief.ai
Where we act as a data processor on your behalf — for example, when your AI Agents process personal data about third parties (your clients, contacts, etc.) under your instructions — you remain the data controller. Contact us to obtain a Data Processing Agreement (DPA).
2. What data we collect
2.1 Account data
When you register, we collect:
- Email address
- Password (stored as a salted bcrypt hash — we never see your plain-text password)
- Name (optional, used to personalise your Agent)
- Industry and role (optional, provided during onboarding)
2.2 Agent configuration data
- Agent name, persona, and autonomy settings you configure
- Integration credentials (stored encrypted at rest with AES-256)
- BYOK API keys (encrypted at rest, never logged in plaintext)
- Communication style and preference settings
2.3 Usage and interaction data
- Messages sent to and received from your AI Agents
- Tasks created, delegated, and completed
- Agent action logs (with full timestamps and context)
- Token consumption metrics
- Feature usage patterns (with your consent to analytics)
2.4 Billing data
- Subscription plan and billing history
- Payment method details — processed and stored by Stripe, Inc. We never see or store your raw card number; we only receive a Stripe payment token
- VAT number (if provided for EU business invoicing)
2.5 Technical data
- IP address (used for fraud prevention and rate limiting; not stored long-term)
- Browser type and operating system (for compatibility purposes)
- Session tokens (stored as HttpOnly cookies; expire on logout or after 24 hours)
- Error logs (anonymised where possible)
2.6 What we do NOT collect
- We do not collect special category data (health, biometric, political opinions, etc.) unless you explicitly provide it through your Agent interactions
- We do not collect data from third parties about you without your knowledge
- We do not run advertising trackers or sell data to third parties
3. Legal bases for processing (GDPR Article 6)
| Processing activity | Legal basis |
|---|---|
| Providing and operating the Service | Contract (Art. 6(1)(b)) |
| Processing payments and billing | Contract (Art. 6(1)(b)) |
| Fraud prevention and security | Legitimate interests (Art. 6(1)(f)) |
| Product analytics and improvement | Consent (Art. 6(1)(a)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Audit logs and dispute resolution | Legitimate interests (Art. 6(1)(f)) |
Where we rely on consent, you can withdraw it at any time from Settings > Privacy without affecting the lawfulness of processing before withdrawal.
4. How we use your data
- To provide the Service: Running your AI Agents, storing your preferences, processing tasks on your behalf.
- To operate your dedicated infrastructure: Provisioning and managing your isolated OpenClaw instance on Fly.io.
- To communicate with you: Transactional emails (account confirmation, billing receipts, security alerts). Marketing emails only with your explicit consent.
- To ensure security: Fraud detection, abuse prevention, rate limiting, audit logging.
- To improve the Service: Aggregate, anonymised analysis of feature usage (with your consent). We never use the content of your Agent conversations to train AI models.
- To comply with law: Responding to lawful requests from authorities, maintaining required records.
We never use your data to train AI models — neither our own nor those of any third-party AI provider. Your conversations and content are yours.
5. Data sharing and sub-processors
We do not sell your data. We share data only with the following sub-processors, under GDPR-compliant data processing agreements:
| Sub-processor | Purpose | Location |
|---|---|---|
| Fly.io, Inc. | Agent infrastructure hosting (Firecracker microVMs) | EU regions |
| Stripe, Inc. | Payment processing and billing | USA (SCCs applied) |
| Mistral AI | Default AI model provider | EU |
| Anthropic, PBC | Optional AI model provider (BYOK) | USA (SCCs applied) |
| xAI Corp. | Optional AI model provider (BYOK) | USA (SCCs applied) |
| OpenAI, L.L.C. | Optional AI model provider (BYOK) | USA (SCCs applied) |
| Postmark (ActiveCampaign) | Transactional email delivery | USA (SCCs applied) |
SCCs = Standard Contractual Clauses (EU Commission decision 2021/914). For BYOK providers: data is sent to the provider's API only when you explicitly enable that provider. We maintain a current list of sub-processors at this page.
We may also disclose data to law enforcement or courts where required by applicable law, and to our legal or financial advisors under confidentiality obligations.
6. Data retention
| Data category | Retention period |
|---|---|
| Account and profile data | Duration of account + 90 days after deletion |
| Agent conversation logs | Duration of account + 90 days after deletion |
| Agent action audit logs | Duration of account + 90 days (Team plan: configurable up to 90 days in-app) |
| Billing records | 10 years (French commercial law requirement) |
| Security logs (IP, access) | 90 days rolling |
| Consent records | 5 years from last update |
| Marketing preferences | Until withdrawal of consent + 3 years |
| Anonymised analytics | Up to 36 months |
When you close your account, we initiate deletion of your data within 30 days. Residual copies in backups are purged within 90 days. Billing records are retained for the period required by French accounting law (Article L123-22 of the Commercial Code).
7. International data transfers
Our primary infrastructure is located in EU regions (via Fly.io). Where we engage sub-processors located outside the EU/EEA (listed above), we rely on:
- Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914), supplemented by transfer impact assessments where required;
- The sub-processor's participation in recognised certification frameworks (e.g., EU-US Data Privacy Framework where applicable).
You may request copies of the applicable SCCs by contacting privacy@misterchief.ai.
8. Your rights under GDPR
As a data subject under the GDPR, you have the following rights. All requests are handled within 30 days (extendable by a further 60 days for complex requests, with notification).
Right of access (Art. 15)
Request a copy of all personal data we hold about you, along with information about how we process it.
Right to rectification (Art. 16)
Request correction of inaccurate or incomplete data. Most data can be updated directly in your account settings.
Right to erasure (Art. 17)
Request deletion of your personal data ('right to be forgotten'), subject to our legal retention obligations. Closing your account triggers automatic erasure.
Right to data portability (Art. 20)
Receive your data in a structured, machine-readable format (JSON). Available from Settings > Account > Export data.
Right to restriction (Art. 18)
Request that we restrict processing of your data while a dispute is being resolved.
Right to object (Art. 21)
Object to processing based on legitimate interests, including direct marketing. Marketing opt-outs take effect immediately.
Right to withdraw consent (Art. 7(3))
Withdraw consent for analytics or marketing at any time from Settings > Privacy, without affecting prior lawful processing.
Right to lodge a complaint (Art. 77)
You have the right to file a complaint with the CNIL (France's supervisory authority) at cnil.fr, or with the supervisory authority in your country of residence.
To exercise any of these rights, contact us at privacy@misterchief.ai with subject line "GDPR Request — [Right]". We may ask you to verify your identity before processing the request.
9. Cookies and tracking
We use a minimal set of cookies, classified as follows:
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| sessionid | Authenticated session management | Strictly necessary | 24 hours |
| csrftoken | Cross-site request forgery protection | Strictly necessary | Session |
| locale | Language preference | Functional | 1 year |
| _analytics | Aggregate product analytics (with consent) | Analytics | 12 months |
We do not use advertising cookies, cross-site tracking pixels, or third-party behavioural analytics. Strictly necessary cookies cannot be disabled as they are required for the Service to function. Analytics cookies can be disabled from Settings > Privacy.
10. Security measures
We implement the following technical and organisational measures to protect your data:
- Encryption in transit: All data is transmitted over TLS 1.3. HTTP connections are redirected to HTTPS.
- Encryption at rest: Integration credentials and API keys are encrypted using AES-256 (Fernet). Database encryption at rest is enforced at the infrastructure level.
- Isolated infrastructure: Each user's AI Agents run in a dedicated Firecracker microVM — your data is never co-mingled with another user's.
- Access controls: Production access is limited to a minimum number of engineers, requires MFA, and is audit-logged.
- Automated security audits: Daily automated security audits on paid plans. Monthly manual reviews.
- Vulnerability management: Security patches applied within 72 hours of critical CVE disclosure.
For our full security architecture, see our Security page.
11. Children's privacy
The Service is not directed to children under 16 years of age (or the applicable digital age of consent in your country). We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected such data, we will delete it promptly. Contact us at privacy@misterchief.ai if you believe this has occurred.
12. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email (to your registered address) and by posting a banner in the Service at least 30 days before the changes take effect. Your continued use after the effective date constitutes acceptance. Where changes require fresh consent (e.g., new processing purposes), we will collect that consent explicitly before processing begins.
13. Contact and supervisory authority
For any privacy-related question, request, or complaint:
Pyratz Labs SAS
Privacy: privacy@misterchief.ai
You also have the right to lodge a complaint with the French data protection authority:
Commission Nationale de l'Informatique et des Libertés (CNIL)
3 Place de Fontenoy — TSA 80715 — 75334 Paris Cedex 07