Privacy Policy

The data controller for the purposes of GDPR is Mobness Ltd, Athanasiou Diakou 21, 3032 Limassol, Cyprus. Contact: privacy@mttrly.com

Account Information. When you create an account, we collect your email address, name (optional), organization name (optional), and messenger identifiers (Telegram, Slack, Discord, or WhatsApp usernames/IDs).

Payment Information. Payment data is collected and processed directly by Stripe Inc. We receive only the last four digits of your card number, card type and expiration date, billing address (if provided), and Stripe customer ID. We do not store full credit card numbers, CVV codes, or other sensitive payment data on our servers.

Server Data (Customer Data). When you connect servers to the Service, the Agent may collect:

• System metrics (CPU, RAM, disk usage, network traffic, process lists)
• Log file contents (within the scope you configure)
• Service/application status information
• Command execution outputs and results
• Configuration file contents (when accessed during diagnostics or remediation)
• SSH connection metadata

The scope of data collection from your servers is determined by your configuration. You control which logs, services, and metrics the Agent can access.

Usage Data. We automatically collect IP address, browser type and version, pages visited, referral sources, feature usage patterns, commands and Playbooks executed, and error logs related to Service operation.

Cookies and Tracking. Please refer to our Cookie Policy for details.

Contract performance (Art. 6(1)(b) GDPR): Processing necessary to provide the Service, manage your account, and process payments.

Legitimate interests (Art. 6(1)(f) GDPR): Processing for Service improvement, security, fraud prevention, and analytics, where our interests do not override your fundamental rights.

Consent (Art. 6(1)(a) GDPR): For marketing communications and non-essential cookies. You may withdraw consent at any time.

Legal obligation (Art. 6(1)(c) GDPR): Processing required to comply with tax, accounting, or other legal requirements.

• Provide the Service: Monitor your servers, execute diagnostics and remediation, deliver alerts through your configured messengers
• Process payments: Manage subscriptions, billing, and invoicing through Stripe
• Communicate: Send transactional emails and, with consent, marketing communications
• Improve the Service: Analyze usage patterns, identify bugs, optimize performance
• Ensure security: Detect and prevent unauthorized access, abuse, or fraud
• Comply with law: Meet tax, accounting, and regulatory obligations

Infrastructure. Our Service infrastructure is hosted in the European Union. Customer Data is processed and stored within EU data centers.

Retention Periods:

Upon account termination, we delete your personal data and Customer Data within 30 days, except where retention is required by law.

We share your data only with the following categories of recipients, and only to the extent necessary:

Service Providers:

• Stripe Inc. (payment processing) — US-based, EU-US Data Privacy Framework certified
• PostHog (product analytics) — EU-hosted instance
• Google Analytics (website analytics) — with IP anonymization enabled
• Messenger platforms (Telegram, Slack, Discord, WhatsApp) — only the data you choose to send/receive

AI Providers (BYOK Feature). If you use the Bring Your Own Key feature, diagnostic queries may be sent to your configured AI provider (OpenAI or Anthropic). This processing occurs under your direct relationship with that provider, using your own API key. We do not share your data with AI providers unless you explicitly enable this feature.

Legal Requirements. We may disclose information if required by law, legal process, or governmental request.

Business Transfers. In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will notify you of any such transfer.

We do not sell your personal data to third parties.

Data Processing Agreements. All third-party service providers that process personal data on our behalf have executed Data Processing Agreements (DPAs) in compliance with GDPR Article 28. Copies are available upon request at privacy@mttrly.com.

Our primary data processing occurs within the EU. When data is transferred outside the EU (e.g., to US-based service providers), we ensure appropriate safeguards:

• EU-US Data Privacy Framework certification (where applicable)
• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions by the European Commission

We implement appropriate technical and organizational measures to protect your data:

• Encryption in transit (TLS 1.2+) and at rest (AES-256)
• SSH key-based authentication for Agent connections (no password storage)
• Principle of least privilege for Agent access (dedicated service users with restricted sudo permissions)
• Audit logging of all Agent actions
• Regular security assessments
• Access controls and authentication for internal systems
• Incident response procedures

Despite these measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

Under GDPR, you have the following rights regarding your personal data:

• Right of Access (Art. 15): Request a copy of the personal data we hold about you
• Right to Rectification (Art. 16): Request correction of inaccurate personal data
• Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
• Right to Restriction (Art. 18): Request restriction of processing in certain circumstances
• Right to Data Portability (Art. 20): Receive your personal data in a structured, machine-readable format
• Right to Object (Art. 21): Object to processing based on legitimate interests, including direct marketing
• Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time without affecting prior processing

To exercise any of these rights, contact us at privacy@mttrly.com. We will respond within 30 days.

If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection in Cyprus or your local supervisory authority.

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.

With your consent, we may send you marketing emails about new features, tips, and promotions. You can opt out at any time by clicking the "unsubscribe" link in any marketing email, contacting privacy@mttrly.com, or updating your preferences in Account settings.

Opting out of marketing does not affect transactional communications (billing, security alerts, service updates).

We may update this Privacy Policy from time to time. Material changes will be communicated at least 30 days in advance via email or a prominent notice on the Service. Your continued use after the effective date constitutes acceptance.