Privacy Policy
Last updated: March 4, 2026
1. Introduction
M-Flat, Inc., a Delaware corporation doing business as pıut ("M-Flat," "pıut," "we," "us," or "our"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the pıut platform, website, APIs, MCP server, and related services (collectively, the "Service").
By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Service.
2. Information We Collect
2.1 Information You Provide
- Account Information: When you create an account, we collect your email address, display name, and authentication credentials. If you sign up with Google OAuth, we receive your name, email address, and profile picture from Google.
- Context Content: The personal knowledge, preferences, background information, and other content you create, upload, or input into your Context sections (about, soul, areas, projects, memory).
- Payment Information: When you subscribe to a paid plan, payment details (credit card number, billing address) are collected and processed directly by Stripe. We do not store your full payment card details on our servers — we only receive and store a Stripe customer ID and subscription status.
- Communications: When you contact us via email, we collect the content of your messages and any information you choose to provide.
2.2 Information Collected Automatically
- Usage Data: We collect information about how you interact with the Service, including pages visited, features used, actions taken, timestamps, and session duration.
- Device and Browser Information: We collect your IP address, browser type and version, operating system, device type, and screen resolution.
- MCP Access Logs: When AI clients access your MCP endpoint, we log the access timestamp, IP address, tools called, and response status for security and debugging purposes.
- Cookies and Similar Technologies: We use cookies and similar technologies for authentication session management and essential Service functionality. See Section 7 for details.
2.3 Information from Third Parties
- Google OAuth: If you authenticate via Google, we receive your name, email address, and profile picture as authorized by your Google account settings.
- Stripe: We receive subscription status updates, payment confirmations, and billing event notifications from Stripe via webhooks.
3. How We Use Your Information
We use the information we collect to:
- Provide and operate the Service: Create and manage your account, store and serve your Context content, process your MCP requests, and deliver the core functionality of pıut.
- Process payments: Manage subscriptions, process billing through Stripe, and enforce plan-based usage limits.
- AI processing: Send your Context content to third-party AI providers (Anthropic) when you use AI-assisted features such as Context generation. This processing occurs on-demand at your request.
- Send transactional communications: Deliver account-related emails including email verification, password reset, subscription confirmations, and billing notifications via Resend.
- Ensure security: Detect and prevent fraud, abuse, and unauthorized access. Monitor for security threats and enforce rate limits.
- Improve the Service: Analyze usage patterns to improve performance, fix bugs, and develop new features.
- Comply with legal obligations: Respond to legal requests and enforce our Terms of Service.
4. How We Protect Your Information
4.1 Encryption
All Context content is encrypted at rest using AES-256-GCM encryption. Each user has a unique encryption key derived from their account. This means your Context content is stored in an encrypted format in our database and is only decrypted when accessed by you or through your authorized MCP endpoint.
4.2 Infrastructure Security
- All data is transmitted over HTTPS/TLS encryption in transit
- Database access is protected by Row Level Security (RLS) policies
- MCP endpoints are protected by API key authentication and rate limiting
- Application hosting on Vercel with enterprise-grade infrastructure security
- Database hosting on Supabase with managed PostgreSQL security
4.3 Access Controls
Access to user data is restricted to authorized personnel who need it for Service operation. We implement the principle of least privilege for all system access.
4.4 Security Limitations
While we implement industry-standard security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee the absolute security of your information. In the event of a data breach that affects your personal information, we will notify you in accordance with applicable law.
5. Information Sharing and Disclosure
We do not sell your personal information. We share your information only in the following circumstances:
5.1 Service Providers
We share information with third-party service providers that help us operate the Service:
- Supabase: Database hosting and authentication — stores your account data and encrypted Context content.
- Stripe: Payment processing — receives payment information to process subscriptions.
- Anthropic: AI processing — receives Context content when you use AI-assisted features. Anthropic does not use your data to train their models under their commercial API terms.
- Vercel: Application hosting — processes web requests and may log IP addresses and request metadata.
- Resend: Email delivery — receives email addresses to deliver transactional emails.
- Google: Authentication — facilitates OAuth sign-in.
5.2 MCP Endpoint Access
When you activate your MCP endpoint, your decrypted Context content is accessible to any AI client that has your endpoint URL and API key. You control who has access to these credentials. We are not responsible for how third-party AI clients use the Context content they access through your endpoint.
5.3 Legal Requirements
We may disclose your information if required to do so by law, subpoena, court order, or other legal process, or if we believe in good faith that disclosure is necessary to: (a) comply with applicable law; (b) protect our rights, property, or safety; (c) prevent fraud or abuse; or (d) protect the rights, property, or safety of other users or the public.
5.4 Business Transfers
If M-Flat, Inc. is involved in a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.
6. Data Retention
- Account Data: Retained for as long as your account is active. Upon account deletion, personal data is deleted within 30 days.
- Context Content: Encrypted Context content is retained while your account is active and deleted within 30 days of account termination.
- Payment Records: Billing and transaction records are retained for 7 years as required for tax and accounting purposes.
- Access Logs: MCP access logs and security logs are retained for 90 days for security monitoring purposes.
- Backup Data: Encrypted backups may persist for up to 30 additional days after deletion from primary systems.
7. Cookies and Tracking Technologies
We use the following types of cookies:
- Essential Cookies: Required for authentication, session management, and core Service functionality. These cannot be disabled without breaking the Service.
- Security Cookies: Used for CSRF protection and rate limiting.
We do not use advertising cookies, third-party tracking cookies, or analytics cookies that track you across other websites. We do not participate in cross-site tracking or targeted advertising.
8. Your Rights and Choices
Depending on your jurisdiction, you may have the following rights:
8.1 Access and Portability
You can access your Context content at any time through the dashboard. You may request a copy of all personal data we hold about you by contacting us at contact@mflatglobal.com.
8.2 Correction
You can update your account information and Context content at any time through the Service. For other corrections, contact us.
8.3 Deletion
You may request deletion of your account and associated data by contacting us. Upon receiving a verified deletion request, we will delete your personal data within 30 days, except for data we are legally required to retain.
8.4 Opt-Out of Communications
You may opt out of promotional emails by following the unsubscribe link in any promotional message. Note that you cannot opt out of transactional emails related to your account (such as password resets, billing notifications, and security alerts).
8.5 Data Processing Objection
You may object to certain processing of your personal data. If you object, we will cease processing unless we have compelling legitimate grounds or need to process the data for legal claims.
9. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know: You have the right to request information about the categories and specific pieces of personal information we have collected, the categories of sources, the purposes for collection, and the categories of third parties with whom we share your information.
- Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
- Right to Correct: You have the right to request correction of inaccurate personal information.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
- No Sale of Personal Information: We do not sell your personal information as defined by the CCPA/CPRA.
- No Sharing for Cross-Context Behavioral Advertising: We do not share your personal information for cross-context behavioral advertising purposes.
To exercise your California privacy rights, contact us at contact@mflatglobal.com. We will verify your identity before fulfilling your request.
10. European Privacy Rights (GDPR)
If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following additional rights under the General Data Protection Regulation (GDPR):
- Legal Basis: We process your personal data based on: (a) your consent; (b) performance of a contract (our Terms of Service); (c) legitimate interests (security, fraud prevention, Service improvement); or (d) legal obligations.
- Right to Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete data.
- Right to Erasure: Request deletion of your personal data ("right to be forgotten").
- Right to Restrict Processing: Request limitation of how we process your data.
- Right to Data Portability: Receive your data in a structured, machine-readable format.
- Right to Object: Object to processing based on legitimate interests.
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
To exercise these rights, contact us at contact@mflatglobal.com. You also have the right to lodge a complaint with your local data protection authority.
International Data Transfers: Your data may be transferred to and processed in the United States. We rely on standard contractual clauses and other approved transfer mechanisms to ensure adequate protection of your data.
11. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we have collected information from a child under 18, please contact us at contact@mflatglobal.com.
12. Do Not Track Signals
Some browsers transmit "Do Not Track" (DNT) signals. Since we do not engage in cross-site tracking or targeted advertising, our Service responds to DNT signals by default — we do not track you across third-party websites regardless of your DNT setting.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service at least 30 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised. Your continued use of the Service after the effective date of the revised Privacy Policy constitutes your acceptance of the changes.
14. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us at:
M-Flat, Inc. (DBA pıut)
2810 N. Church Street
Wilmington, DE 19802
contact@mflatglobal.com
For privacy-specific inquiries, you may also email us directly at contact@mflatglobal.com with the subject line "Privacy Inquiry."