Privacy policy
Mitigate AI Platform
Platform: ai-platform.mitigate.dev
Approved: March 2026. Next review: no later than March 2027.
This Privacy Policy describes how SIA Mitigate (Reg. No. 50103381201) and Mitigate AI Services SIA (Reg. No. 40203603914), registered address: Gustava Zemgala gatve 74A, Riga, LV-1039, Latvia (hereinafter collectively referred to as "Mitigate" or "we"), collect, use, disclose and protect personal data processed through the Mitigate AI Platform (hereinafter — the "Platform"). Both companies are joint operators of the Platform. All data processing is carried out in accordance with the General Data Protection Regulation (GDPR).
Platform operators: The Platform is jointly maintained and operated. Depending on the contractual relationship, the direct service provider for your Organization may be SIA Mitigate or Mitigate AI Services SIA. Both companies apply the same data protection standards.
Roles in data processing: The Organization that registers on the Platform is the data controller — it determines the purposes and means of data processing, adds and manages Users, uploads documents, and configures data retention periods. Mitigate acts as the data processor, processing data on behalf of the Organization and ensuring the technical operation of the Platform. Mitigate is the data controller only with respect to technical data (e.g., server logs, IP addresses) necessary for maintaining and securing the Platform.
For any questions, please contact us at: datuapstrade@mitigate.dev.
1. How we collect your data
- You submit your data when registering on the Platform or authenticating via OpenID Connect (SSO);
- You upload documents or add websites for building the knowledge base;
- You use the AI conversation functionality (chat messages and responses);
- You connect external services through connectors (e.g., Google, Microsoft, Atlassian, Slack);
- Your data is submitted by a representative of your organization;
- Technical data is collected automatically when you use the Platform.
2. What personal data we process
| Data category | What we collect | Purpose |
|---|---|---|
| Account data | Name, email address, organization name, role (Owner, Administrator, Member). In case of SSO — identification data from the identity provider. | Account creation, authentication, access management |
| Conversation data | Chat messages, AI responses, conversation history | Providing the AI service, maintaining context |
| Knowledge base data | Uploaded documents, indexed website content | Building and maintaining the AI knowledge base |
| Connector data | Authorization credentials (OAuth) for connecting external services (Google Workspace, Microsoft 365, Atlassian, Slack, etc.). Each user authorizes the connection individually. | Integration with external services on the user's behalf |
| AI interaction data | Queries, AI model responses, workflow execution data | Service delivery, quality improvement |
| Usage data | Login activity, actions performed on the Platform, workspace usage | Service delivery, platform improvement |
| Technical data | IP address, browser type, device information, access date and time | Security, troubleshooting, service optimization |
3. Legal basis for data processing
- Performance of a contract (GDPR Art. 6(1)(b)) — to provide Platform services, process documents, maintain knowledge bases, and deliver AI responses;
- Legitimate interests (GDPR Art. 6(1)(f)) — to improve our services, ensure security, prevent fraud, and provide support;
- Legal obligation (GDPR Art. 6(1)(c)) — to comply with tax, accounting, and regulatory requirements;
- Consent (GDPR Art. 6(1)(a)) — when a User connects external services through connectors, they provide consent for the processing of the relevant data.
4. How we use your data
Documents uploaded to the Platform, conversation content, and knowledge base data are processed solely for the purpose of providing the AI service. We:
- Do not use your data for AI model training;
- Do not share your data with other organizations or third parties;
- Do not access your data for any purpose other than service delivery;
- Ensure complete data isolation between organizations and workspaces.
Organization's responsibility: The Organization, as the data controller, is responsible for the lawfulness of data processing within its workspace, including User management, compliance of uploaded content with applicable regulations, and data deletion. Mitigate provides the technical means for data management (configurable retention periods, deletion functionality, access controls) but does not assume responsibility for the Organization's decisions regarding data content and processing.
5. AI processing and LLM service providers
The Platform uses large language model (LLM) technology to provide AI conversation services, analyze documents, and execute workflows. No automated decisions with legal effect are made. All AI outputs are informational in nature and require human review.
Choice of AI service provider: The Platform supports multiple third-party LLM service providers. The Organization or its Users may select the preferred AI service provider from the options available on the Platform. Data processing is carried out in accordance with the terms of the selected service provider, and Mitigate ensures that data processing agreements are in place with all AI sub-processors.
Supported LLM service providers:
| Service provider | Data processing location | Notes |
|---|---|---|
| OpenAI | USA (with EU safeguards) | API data is not used for model training |
| Anthropic | USA (with EU safeguards) | API data is not used for model training |
| Google (Gemini) | USA / EU (depending on configuration) | API data is not used for model training |
| Mistral | EU (France) | API data is not used for model training |
| OpenRouter | USA (with EU safeguards) | Proxy service for multiple models |
The Organization is responsible for selecting an AI service provider appropriate to its needs, taking into account the data processing location and applicable regulatory requirements. By using the Platform, the User also undertakes to comply with the terms of use and data processing policies of the selected AI service provider.
6. Connectors and external service integration
The Platform provides connectors (MCP — Model Context Protocol) that allow the AI agent to access external services on the User's behalf. Connectors operate as follows:
- Each User authorizes the connection with their personal authorization credentials (OAuth) — no other user can access their data through the connector;
- Data from external services is processed only within the AI conversation context and is not permanently stored outside of conversation history;
- Mitigate does not access the User's external service data — access occurs only through the User's authorized connection;
- Available connectors: Google Workspace (Calendar, Drive, Mail), Microsoft 365 (Outlook Calendar, Outlook Mail, SharePoint), Atlassian (Jira, Rovo), GitHub, Slack, Zendesk, Sentry, Redmine, etc.
7. Data sharing with third parties
We do not sell your personal data, but we may share it with:
- LLM service providers — for AI conversation processing (see Section 5). Data is sent only to the service provider selected by the Organization or User;
- Cloud infrastructure providers — for hosting and data storage (EU-based);
- Monitoring service providers — Langfuse (LLM metrics), Sentry (error logging) — for service quality assurance;
- Document processing services — Docling (document processing and conversion);
- Law enforcement authorities — if required by applicable regulations.
Mitigate carefully vets all sub-processors that process personal data on its behalf and ensures that they apply appropriate security measures in accordance with the GDPR.
8. Data security
Mitigate applies appropriate technical and organizational measures to protect your data:
- Encrypted data transmission (TLS/SSL);
- Encrypted data storage;
- Role-based access control (Owner, Administrator, Member);
- Workspace isolation — data is fully separated between organizations and workspaces;
- Connector authorization data isolation — individual connections per user;
- OpenID Connect (SSO) support for secure authentication;
- JWE encryption for embedded chat communication;
- Regular security audits and employee training.
Mitigate is not liable for unauthorized access to personal data if it is beyond Mitigate's control (e.g., due to User fault or negligence).
9. Data retention periods
- Conversation history — the retention period is configurable at the Organization level. The Organization may set automatic deletion after a specified period (weeks, months, or years);
- Knowledge base data and documents — deleted upon the Organization's request or together with the workspace;
- Account data — deleted within 30 (thirty) days after account closure or automatically if the User has not used the account for 12 (twelve) months;
- Technical logs — retained for up to 12 months;
- Connector authorization data — deleted when the User disconnects the connector or when the User's account is deleted.
To request data deletion, contact datuapstrade@mitigate.dev.
10. Your rights
Under the GDPR, you have the right to request access to your personal data, its rectification or erasure, to restrict or object to processing, and to receive your data in a portable format. If processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing. You have the right to lodge a complaint with the Data State Inspectorate (www.dvi.gov.lv).
Contact us at: datuapstrade@mitigate.dev. We will respond within 30 days.
11. International transfers
The Platform infrastructure is located in the European Union. Your data is primarily processed within the EU/EEA. However, depending on the AI service provider selected by the Organization, data may be transferred outside the EU/EEA for processing (see the table in Section 5). In such cases, we ensure appropriate safeguards (e.g., Standard Contractual Clauses, adequacy decisions). The Organization is informed of the data processing location when selecting an AI service provider.
12. Cookies
The Platform uses only essential cookies for authentication and session management. The Platform does not use tracking or advertising cookies.
13. Embedded chat
The Platform provides embedded chat functionality that can be integrated into third-party websites. The embedded chat can operate in three modes:
- Authenticated — the user is identified through an encrypted token (JWE) provided by the website where the chat is integrated;
- Guest registration — the user provides their name and email address;
- Anonymous — no personal data is collected.
Data collected in guest and anonymous modes is processed in accordance with this Privacy Policy, and the third-party website operator is responsible for providing appropriate information to their users.
14. Updates
We may periodically update this Privacy Policy. Significant changes will be communicated via email or through the Platform. The latest version is always published on the Platform. Previous versions are available upon request at: datuapstrade@mitigate.dev.
15. Contact information
SIA Mitigate
Reg. No.: 50103381201
Gustava Zemgala gatve 74A, Riga, LV-1039, Latvia
Mitigate AI Services SIA
Reg. No.: 40203603914
Gustava Zemgala gatve 74A, Riga, LV-1039, Latvia
Data processing inquiries: datuapstrade@mitigate.dev
Legal inquiries: legal@mitigate.dev
Technical support: ai@mitigate.dev