Privacy Policy

Effective 2026-05-21. Version 1.0.

1. Who we are

Michi is operated by Sila Technologies B.V., a private company incorporated in Belgium. Registered office: [Sila Technologies office address]. VAT: [BE-VAT].

Our Data Protection Officer can be reached at dpo@michiplatform.com.

2. What this policy covers

This policy explains how we collect, use, store, and share personal data about visitors to michiplatform.com and customers who use the Michi CRM service. By using Michi, you agree to this policy. A separate Terms of Service governs your contractual relationship with us.

3. Personal data we collect

From visitors: anonymous page-view events (via PostHog, cookieless by default) and server logs containing IP address and user agent (retained 30 days for security).

From customers:

  • Account: email address, full name, organisation name, hashed password.
  • Billing: company name, billing email, payment method (stored by Stripe — we receive only the last 4 digits + brand).
  • Usage: feature events, login timestamps, IP address, browser.
  • CRM content you create or import: company / contact / deal records, meeting notes and transcripts you ingest, email integrations you authorise.
  • Support: messages you send via Crisp chat or email to support@.

4. Legal basis (GDPR Article 6)

  • Contract: processing necessary to provide the service you signed up for.
  • Legitimate interests: service security, fraud prevention, product improvement using aggregated anonymised data.
  • Consent: optional analytics cookies and marketing emails — easily withdrawn.
  • Legal obligation: tax records (10 years).

5. How long we keep data

See our full retention schedule. In summary: most customer data is kept until you delete it. Backups rotate after 30 days. Audit logs are kept for 24 months. Billing records are kept for 10 years (legal requirement).

6. Who sees your data

Within Michi, only engineers with an operational need can see your data, and their access is audit-logged. Outside Michi, only the sub-processors listed at /security/sub-processors see it, and only the minimum necessary to deliver their service.

We do not sell personal data, ever. We do not use customer content to train AI models.

7. International transfers

Primary data storage is in the EU. Some sub-processors (notably Anthropic for AI inference) operate in the US. For those transfers we rely on the EU-US Data Privacy Framework and the EU Standard Contractual Clauses (SCC, Commission Decision 2021/914). For details see our DPA.

8. Your rights (GDPR Articles 15–22)

  • Access: Settings → Security & Privacy → Export.
  • Rectification: edit in-product, or email dpo@.
  • Erasure: Settings → Security & Privacy → Delete my data.
  • Restriction / objection: email dpo@.
  • Portability: export is provided in machine-readable JSON.
  • Right to lodge a complaint: with the Belgian Data Protection Authority (dataprotectionauthority.be) or your local supervisory authority.

9. Security

AES-256-GCM encryption at rest for sensitive content; TLS 1.2+ in transit; row-level tenant isolation enforced by PostgreSQL; optional TOTP-based 2FA; audit log of administrative actions. Full details on our Security page.

10. Breach notification

If a personal-data breach affects you, we will notify you and the relevant supervisory authority within 72 hours of becoming aware, per Article 33 GDPR. See INCIDENT_RESPONSE.md in our public repository for the full procedure.

11. Children

Michi is a B2B product not intended for users under 18. We do not knowingly collect data about children.

12. Cookies

We use two strictly-necessary cookies: sb-* (Supabase auth session) and mc-csrf (CSRF protection). Analytics cookies (PostHog) run only if you click "Accept all" on the banner; the default is cookieless tracking.

13. Changes to this policy

Material changes are emailed to all customers at least 30 days in advance. Non-material changes (typos, clarifications) take effect immediately. Version history is visible in the public git repository.

14. Contact

Email dpo@michiplatform.com for all privacy-related requests.