Privacy Policy
Effective April 11, 2026
1. What We Collect
- Account information: email address, first name, company/facility name (provided during signup)
- Payment information: processed and stored by Stripe. We never see or store your card number.
- Equipment manuals: PDFs and documents you upload for MIRA to index
- Usage data: diagnostic queries you submit and MIRA's responses
- Technical data: IP address, browser type, device type (server logs only, no tracking cookies)
2. How We Use Your Data
- Account info: to identify your account, send transactional emails (signup confirmation, payment receipts, Loom nurture sequence), and personalize MIRA's responses
- Equipment manuals: indexed into your tenant's private knowledge base to power MIRA's diagnostic responses. Your manuals are never shared with other tenants.
- Diagnostic queries: processed in real-time via Claude API (Anthropic) to generate responses. Queries are not stored by Anthropic for training per our DPA.
- Usage data: to improve MIRA's response quality and monitor for abuse
3. Sub-processors
The full and current list lives at /trust. The most material processors are:
| Sub-processor | Purpose | Region |
|---|---|---|
| Anthropic (Claude API) | AI inference for chat, diagnosis, citations | USA |
| NeonDB (Neon Inc.) | Tenant data, knowledge base, audit log | AWS us-east-1, USA |
| DigitalOcean | Application hosting | USA |
| Stripe | Payment processing, subscription management | USA |
| Resend | Transactional email delivery | USA |
| Google (Gmail + Apps Script) | Magic email inbox for manual ingestion (HMAC-signed) | USA |
| Langfuse | LLM call observability (telemetry only) | EU (Germany) |
4. Data Retention
- Account data: retained while subscription is active + 30 days after cancellation
- Equipment manuals & knowledge entries: deleted within 30 days of account termination
- Diagnostic query logs: retained for 90 days for quality monitoring, then deleted
- Payment records: retained per Stripe's data retention policy and tax/legal requirements (typically 7 years)
- Server logs: retained for 30 days
5. Your Rights
FactoryLM is built for North American manufacturers and our data store is in the United States. California residents have the following rights under CCPA:
- Right to know: request a copy of personal information we hold about you
- Right to delete: request deletion of your account and associated personal data
- Right to correct: update inaccurate personal information
- Right to opt out of sale: we do not sell personal information; this right is automatic
- Right to non-discrimination: we will not retaliate for exercising any CCPA right
To exercise any right, email privacy@factorylm.com. We respond within 30 days.
If you're located outside the United States, contact us at the same address and we'll coordinate on a case-by-case basis. We do not currently offer service in the European Union, so we are not registered as a GDPR data controller.
6. Cookies & Tracking
We do not use cookies for tracking. We do not use Google Analytics or any third-party tracking scripts. Session state is managed via JWT tokens stored in browser sessionStorage (cleared when you close the tab).
7. Security
- All data transmitted over HTTPS/TLS
- Database connections encrypted (SSL required)
- Secrets managed via Doppler (not stored in code)
- Tenant isolation: each customer's knowledge base is scoped by tenant ID
8. Children
FactoryLM is a B2B industrial maintenance tool. We do not knowingly collect data from anyone under 18.
9. Changes
We may update this policy. Material changes will be communicated via email to active subscribers. The "Effective" date at the top will be updated.
10. Contact
For privacy inquiries: privacy@factorylm.com
FactoryLM, Inc. — Delaware, USA