Privacy Policy

This Privacy Policy explains how [Company name] collects, uses, stores, processes and shares personal information in connection with the Milo platform.

This policy applies to platform users, administrators, browser extension users, customer contacts, website visitors, pilot participants and any person whose information is processed through the Service.

[Company name] may act as a controller with respect to account information, contact details, login data, support data, security data and platform usage data.

With respect to information entered by the Customer into the platform, information collected from the Customer work environment, action recordings, end customer data, business processes, documents and Workflow data, [Company name] will generally act as a processor on behalf of the Customer according to the Customer instructions and the data processing agreement.

Account details: name, email, role, organization, permissions and user status.

Login and security data: IP address, user agent, session, login identifiers and security events.

Organization data: organization name, teams, permissions, policies, join codes and connected devices.

Browser extension data: installation identifier, device identifier, extension version, connection status and sync events.

Action data: clicks, inputs, field selections, URLs, screen titles, copy or paste actions and process steps.

Workflow data: process names, steps, triggers, conditions, approval points, status and versions.

Logs: run logs, audit events, errors, approvals, rejections, execution results and user feedback.

Business content: texts, fields, documents or data entered, uploaded or processed by the user or organization.

Support and marketing data: requests, correspondence, contact forms, demo registrations, cookies and analytics.

The platform may be exposed to sensitive information such as customer details, documents, financial data, insurance details, contact details, identification numbers, vehicle data, policy details, insurance history or other information depending on the Customer use case.

As a general approach, the platform will prefer to store sensitive information as masked data, hash, summary or metadata where sufficient for operating the process.

Users should not enter passwords, tokens, cookies, API keys, full payment card data or unnecessary sensitive information into the Service.

Information will be processed for creating accounts and managing users, identity verification and permissions, providing the Service, operating platform components, detecting repetitive actions, suggesting Workflows, recording approved actions, running Workflows, presenting previews, maintaining audit trails, security, support, maintenance, service improvement, usage analysis and compliance with law and agreements.

The platform may send information to AI models where needed for understanding an action, summarizing a process, extracting fields, creating a draft, classifying risk or suggesting a Workflow.

The platform will follow data minimization principles and avoid sending sensitive information to an AI model where not needed.

Use of AI models may involve processing by external AI providers according to agreements with such providers, security policies and the sub processor list.

Where applicable law requires a legal basis, processing may rely on performance of a contract, legitimate interests, consent, compliance with a legal obligation or Customer instructions where the company acts as processor.

Information may be shared with sub processors for cloud hosting, database services, user authentication, AI services, system messages, monitoring, security, support, analytics and professional advice.

The sub processor list will be published or made available to the Customer upon request: [complete sub processor list].

Information may be processed in Israel, Europe, the United States or other countries where service providers operate.

Such transfers will be carried out according to applicable law, appropriate agreements, security measures and customary contractual protections.

Information will be retained for the period required for the purposes for which it was collected, for providing the Service, security, audit, compliance with law, dispute resolution and protection of rights.

Suggested default retention: Audit Logs for [12 to 36 months], Run Logs for [12 months], action recordings for [30 to 180 days], account data while the account is active and for [X] after termination, support data for [24 months], marketing data until unsubscribe or deletion.

Exact retention periods must be completed according to business and legal decisions.

The platform implements organizational and technical security measures, including user authentication, permission management, tenant separation, database RLS, encryption in transit and at rest where supported by infrastructure, hashed token storage, rate limiting, controlled CORS, audit logs and prevention of storage of certain sensitive fields.

No system is completely secure. In case of a material security incident, the company will act according to applicable law and customer agreements.

Subject to applicable law, a person whose personal information is processed in the platform may have the right to request access, correction, deletion, restriction, objection, portability or additional information about the processing.

Where information is processed on behalf of an organizational customer, requests will generally be directed to the Customer, which determines the purposes and means of processing. The company will assist the Customer with handling requests according to the agreement and applicable law.

The platform may operate in employee work environments and record digital actions.

The Customer is responsible for informing employees, obtaining consents where required, updating internal policies and ensuring that use of the platform complies with employment law, privacy law, information security requirements and relevant agreements.

The website and portal may use cookies or similar technologies for login, security, preferences, usage measurement, product improvement and support.

Cookies can be managed through the browser. Blocking certain cookies may affect platform functionality.

The Service is intended for professional organizational use and is not intended for personal use by minors.

The company may update this policy from time to time. A material change will be displayed in the platform or sent to customers using available contact details.

Continued use of the platform after an update constitutes acceptance of the updated policy, subject to applicable law.

Privacy inquiries should be sent to [privacy@company.com].

Security reports should be sent to [security@company.com].