Privacy Policy

Effective: 18 July 2026

Mulberry Inc. is the controller for the personal data described here.
Contact: privacy@mulberry.fit

1. Two roles, kept separate

  • As controller — your account, verification, billing and support data. This policy covers it.
  • As processor — the personal data inside the traffic you send through us (message content, recipient numbers, call metadata, AI prompts). We process that only on your documented instructions. You are the controller for it, and your own privacy notice must cover it.

2. What we collect

CategoryExamplesSource
AccountName, work email, company, role, password hashYou
Verification (KYB/KYC)Legal entity name, registration number, registered address, beneficial owner details, government-issued ID, proof of addressYou; registries; verification vendor
BillingBilling address, tax ID, invoices, payment status, last-4 and card brandYou; our payment processor
Usage / metadataNumbers allocated, message and call detail records (sender, recipient, timestamp, duration, segments, status), API call volume, token countsGenerated by the Services
Content (as processor)Message bodies, recordings, transcripts, AI prompts and completionsYou
TechnicalIP address, browser, device, pages viewedAutomatically
SupportEmails, tickets, correspondenceYou

We do not intentionally collect special-category data. Do not send it to us outside the AI Services, and where you do send it through the Services, ensure you have a lawful basis under Art. 9 GDPR.

3. Why, and on what legal basis (GDPR Art. 6)

PurposeLegal basis
Provide the Services, allocate numbers, meter usageContract (Art. 6(1)(b))
Verify your identity; sanctions screening; AML/CTF and telecoms KYCLegal obligation (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f)) — preventing fraud and misuse of allocated numbers
Billing, tax, accounting recordsLegal obligation + contract
Security, abuse detection, fraud preventionLegitimate interests — protecting our platform, our customers, and the public
Responding to law enforcement / regulatorsLegal obligation
Product analytics and improvementLegitimate interests, or consent where cookies are involved
Marketing emailsConsent, or soft opt-in for existing customers. Unsubscribe in every email.

Where we rely on legitimate interests we have balanced them against your rights, and you may object (§7).

4. Retention

DataRetained for
Account dataLife of the account + 12 months
Verification documents & sanctions screening records5 years after the relationship ends (AML/telecoms recordkeeping)
Billing & tax records7 years (statutory)
Call & message detail records (metadata)12 months
Message content / recordings / transcripts30 days by default, or the retention you configure. Zero-retention available on Business and above.
AI prompts & completions30 days by default for debugging and abuse detection; zero-retention available. Never used for training.
Security & access logs12 months
Abuse investigation records2 years, to detect repeat offenders

After the period, data is deleted or irreversibly anonymised.

5. Who we share with

  • Sub-processors — hosting, verification, payments, AI service providers, carriers. All are under a data processing agreement and security-reviewed; the current list is available from privacy@mulberry.fit.
  • Carriers and telecoms partners — necessary to route messages and calls, and to satisfy regulatory registration.
  • Payment processor — an independent controller for card data.
  • Professional advisers — legal, accounting, insurance, under confidentiality.
  • Authorities — only on valid legal process.
  • Corporate transaction — an acquirer, under equivalent protections and with notice to you.

We do not sell personal data. We do not share it for cross-context behavioural advertising. We never have.

6. International transfers

Our sub-processors may operate in countries other than yours. Transfers out of the EEA or UK are made under an adequacy decision, or under the EU Standard Contractual Clauses and, for the UK, the International Data Transfer Addendum, with a transfer impact assessment on file. Ask privacy@mulberry.fit for a copy of the relevant safeguards.

7. Your rights

If you are in the EEA or the UK (GDPR): access · rectification · erasure · restriction · portability · objection (including to legitimate-interests processing) · withdrawal of consent at any time · not to be subject to solely automated decisions with legal or similarly significant effects.
Exercise them at privacy@mulberry.fit. We respond within 30 days, free of charge. You may also complain to your supervisory authority — in the EU, your national DPA; in the UK, the Information Commissioner's Office (ico.org.uk).

If you are in California (CCPA/CPRA): right to know the categories and specific pieces collected, to delete, to correct, to opt out of sale or sharing (we do neither), to limit use of sensitive personal information, and not to be discriminated against for exercising any of these. Submit at privacy@mulberry.fit. An authorised agent may act for you with written proof.

We may ask for information to verify your identity before acting — we won't act on an unverified request about someone else's data.

8. Security

Encryption in transit and at rest; MFA and least-privilege access; logging and monitoring; a documented incident response plan. If a personal data breach affects you, we notify the relevant supervisory authority within 72 hours where required, and we notify you without undue delay.

9. Children

The Services are for businesses. We do not knowingly collect personal data from anyone under 18. If you believe we have, write to privacy@mulberry.fit and we will delete it.

10. Cookies

See the Cookie Policy.

11. Changes

We will post any change here and, for material changes, email you at least 30 days in advance.

Contact: privacy@mulberry.fit · Mulberry Inc.