— Privacy Policy
How we handle your data.
Effective: 2026-05-20 · Last updated: 2026-05-20
1. Who we are
Mallín is the operating layer of the revenue organization — an AI agent that helps sales reps prepare for, run, and follow up on customer calls. The product is operated by [Mallín Inc.] (the "Company", "we", "us"), a company in formation. Our contact email for all privacy matters is hello@mallin.io.
2. What data we collect
Account data
When you create a Mallín account, we collect: your name, email address, company name, role/title, and authentication credentials (managed by our auth provider — see Subprocessors). If you enable multi-factor authentication, we additionally store the TOTP secret or recovery codes associated with your account.
Deal data
Mallín collects data about the deals you work — account information, opportunity records, stakeholder names and titles, call transcripts (when you load them), notes, stakeholder interactions, and any custom fields you populate. This data either originates inside Mallín (when you write a note or load a transcript) or is synced from your CRM when you connect one.
CRM-connected data
If you connect Mallín to a CRM (HubSpot, Salesforce, Pipedrive), we read deal, contact, account, and activity data from your CRM to populate Mallín's working surfaces. We also write back to your CRM: notes you create in Mallín, action items you save, drafted emails. We never modify CRM data that wasn't explicitly produced or approved in Mallín.
Usage data
We collect telemetry about how you use Mallín: which pages you visit, which features you engage with, errors you encounter, the timing of those interactions. This data is used to operate, debug, and improve the product. Telemetry is associated with your account but is not sold to or shared with advertising networks.
3. How we use your data
- Deliver the service: generate pre-call briefs, surface stakeholder intelligence, draft follow-ups, and write back to your CRM.
- Learn within your tenant: notes you save become context that shapes future briefs for your account only. We do not train shared models on your data.
- Customer support: respond to your questions, debug issues, send service-related communications.
- Security & compliance: detect abuse, prevent fraud, meet legal obligations.
- Improve the product: aggregate, anonymized usage patterns inform engineering priorities.
We do not: sell your data, share it with advertising networks, or use your deal content to train shared AI models. See our AI Governance Policy for the specific rules around the AI layer.
4. Who we share data with
We share data only with the subprocessors required to operate the service. Each one has a specific role and a data-processing relationship with us. The complete list, with location and purpose, is at /subprocessors.
We do not share your data with third parties for any other purpose. We will not share your data with law enforcement without legal process; if we are compelled by valid legal process, we will notify you unless prohibited from doing so.
5. How long we keep your data
- Account data: retained while your account is active. Deleted within 30 days of account closure (or sooner on written request).
- Deal data: retained until you delete the deal or close your account. Soft-deleted records purged within 30 days.
- Backups: our database provider (Supabase) retains point-in-time recovery snapshots for up to 30 days. Deleted data is removed from active systems immediately and from backups within 30 days.
- Logs & telemetry: retained for up to 90 days for operational debugging, then deleted.
- Audit logs: retained for the life of the account for compliance and security review.
6. Your rights
Depending on where you live, you have some or all of the following rights:
- Access: request a copy of the data we hold about you.
- Rectification: correct inaccurate data.
- Erasure: have your data deleted (subject to legal retention requirements).
- Portability: receive your data in a structured, machine-readable format.
- Restriction: ask us to limit how we process your data.
- Objection: object to specific processing activities.
- Withdrawal of consent: where processing is based on your consent, withdraw it at any time.
To exercise any of these rights, email hello@mallin.io. We respond within 30 days. We may need to verify your identity before fulfilling certain requests.
7. Where your data is stored
Your data is stored on infrastructure operated by our subprocessors. Primary storage (Supabase, Vercel) is in United States data centers (AWS US-East). Some metadata (authentication tokens, session state) may transit through globally-distributed edge networks for performance.
For customers in the European Economic Area, the United Kingdom, or Switzerland, transfers of personal data outside those regions are protected by the standard contractual clauses where applicable. Contact us if you need a Data Processing Addendum (DPA).
8. Security
See our Security & Trust page for the full picture. In short: data is encrypted in transit (TLS 1.3) and at rest (AES-256 via our infrastructure providers); multi-tenant isolation is enforced at the database row level; access controls are role-based with audit logging; multi-factor authentication is available on all accounts.
9. Children
Mallín is a business tool. It is not directed to, and not intended for use by, children under the age of 16. We do not knowingly collect data from children under 16. If you believe we have inadvertently collected such data, contact us and we will delete it.
10. Changes to this policy
We'll update this policy as Mallín evolves. The "Last updated" date at the top reflects the most recent change. Material changes — anything that meaningfully expands the data we collect or how we use it — we notify you of by email before they take effect.
11. Contact
Privacy questions, requests, complaints: hello@mallin.io.