PRIVACY POLICY
Last updated: March 5, 2026
Mutable State Inc. ("Ensue," "we," "us," or "our") provides a shared memory network where users and AI agents can store, retrieve, and share contextual data ("Service"). This Privacy Policy describes how we collect, use, and share personal data in connection with the Service, our website, and related activities.
Where we process personal data on behalf of a business customer, such processing is governed by our Data Processing Agreement and the customer's instructions.
1. Data We Collect
Data you provide to us, including: contact data (name, email, organization); account credentials and profile data; memory entries, structured data, and associated metadata; permissions and access control configurations; payment and billing data (processed by Stripe); communications with us (support requests, feedback); and any other content you submit to the Service.
Data collected automatically, including: request metadata (timestamps, endpoints, response codes); performance and usage metrics; authentication and security logs; device and browser data (IP address, user agent, device type); and general location data inferred from IP address.
Data from third parties, including: public sources and data providers; authentication services you use to log in; business partners and service providers; and parties involved in corporate transactions.
2. How We Use Your Data
We use your data to:
Provide and operate the Service — store and retrieve memories, enforce access controls, enable sharing features, provide APIs and dashboard access, and communicate Service-related updates.
Maintain and secure the Service — monitor performance, debug issues, prevent abuse and fraud, and respond to support requests.
Improve and develop the Service — analyze usage patterns, optimize performance, develop new features, and conduct research and development.
Comply with legal obligations — respond to lawful requests, protect rights and safety, and enforce our terms.
We do not sell your identified personal data to advertisers or data brokers.
3. Artificial Intelligence
We may use artificial intelligence tools and services, including large language models and other machine learning technologies, to operate, improve, and enhance the Service.
We may create and use aggregated, de-identified, or anonymized data for any lawful business purpose, including analytics, research, product improvement, and training or fine-tuning AI models.
4. How We Share Your Data
With service providers. We share data with service providers who help us operate the Service, including cloud infrastructure, payment processing, monitoring, and analytics providers.
With your direction. We share data with third parties where you instruct us or provide consent, including through integrations you configure.
With affiliates and business partners. We may share data with our corporate affiliates and business partners.
For legal and safety reasons. We may disclose data when required by law, regulation, or legal process, or when we believe disclosure is necessary to protect rights, safety, or property, prevent fraud, or enforce our terms.
In a business transfer. Your data may be transferred in connection with a merger, acquisition, sale of assets, financing, bankruptcy, or similar transaction. We will make reasonable efforts to notify you of material changes.
5. Where Your Data Lives
Our infrastructure is hosted on AWS across multiple regions globally. Data may be replicated across regions for performance, redundancy, and disaster recovery. By using the Service, you acknowledge that your data may be transferred, stored, and processed in countries other than your own. For transfers from the EEA/UK, we rely on Standard Contractual Clauses and applicable adequacy mechanisms.
If you require a Data Processing Agreement, contact ops@ensue.dev.
6. Data Retention
We retain your data as follows: memory content is stored until you delete it or close your account; account data is retained while your account is active and for a reasonable period after; deleted data is removed from active systems within a reasonable timeframe but may persist in backups and disaster recovery systems for up to 90 days subject to rotation schedules; de-identified or aggregated data may be retained indefinitely; and data shared with third-party providers follows their retention policies.
Operational logs, analytics data, and security logs are retained for reasonable periods for debugging, security, and legal compliance. Financial records are retained as required by law.
7. Security
We employ reasonable technical, organizational, and physical safeguards to protect your data, including encryption at rest and in transit, role-based access controls, monitoring and alerting systems, and authentication mechanisms including OAuth and API key management.
No system is completely secure. Security risk is inherent in all internet and information technologies, and we cannot guarantee the security of your data. You are responsible for securing your own API keys, credentials, and access controls.
If a security incident affects your data, we will investigate, notify affected users as required by law, and work to mitigate the impact.
8. Your Rights and Choices
You may: access and request a copy of your data; correct inaccurate data; delete memories or close your account; export data in a portable format where feasible; restrict or object to certain processing; and opt out of non-essential analytics.
To exercise your rights, email ops@ensue.dev. We will respond within 30 days or as required by applicable law.
For EU/UK users (GDPR): You have additional rights including the right to lodge a complaint with your supervisory authority, data portability, objection to automated decision-making, and withdrawal of consent. Our legal bases for processing include contract performance, legitimate interests, consent, and legal obligations.
For California users (CCPA/CPRA): You have the right to know what personal data we collect, request deletion, and opt out of the sale or sharing of personal data. We do not sell your personal data. To exercise your rights, email ops@ensue.dev. We will not discriminate against you for exercising your privacy rights.
Cookies: We use essential cookies for authentication and session management and analytics cookies on our website. We do not use advertising cookies or cross-site trackers. You can manage cookie preferences in your browser settings.
Communications: You may opt out of marketing emails by following the unsubscribe instructions or contacting us. You will continue to receive Service-related communications.
9. Special Considerations
Children. The Service is not intended for anyone under 16 (or the applicable minimum age in your jurisdiction). We do not knowingly collect data from minors. If we learn we have collected such data, we will delete it promptly.
Organizations and admins. If you use the Service on behalf of an organization, you are responsible for managing permissions, ensuring authorization to store and share content, and complying with applicable laws.
10. Other Sites and Services
The Service may contain links to websites, applications, and services operated by third parties. These links are not an endorsement of, or representation that we are affiliated with, any third party. We do not control third-party services and are not responsible for their actions. We encourage you to review the privacy policies of any third-party services you use.
11. Do Not Track
Some browsers may transmit "Do Not Track" signals to websites. We currently do not respond to Do Not Track signals. To learn more, visit allaboutdnt.com.
12. Changes to This Policy
We may update this policy at any time. Material changes will be communicated through the Service or other appropriate means. Continued use after changes take effect constitutes acceptance. If you disagree with changes, you may delete your account and stop using the Service.
13. Governing Law
This Privacy Policy is governed by the laws of the State of Delaware. EU/UK users retain their statutory rights under applicable law.
14. Contact Us
For privacy inquiries, DPA requests, or security issues: ops@ensue.dev