Privacy Policy

Last updated: January 18, 2026

Nine Suns Inc. ("Mighty," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Citadel AI Security Gateway service.

This Privacy Policy applies to the hosted Citadel service. If you use the open source (OSS) version, you control the hosting environment and data handling; your privacy practices are governed by your own deployment and policies.

1. Information We Collect

Account Information

When you create an account, we collect your name, email address, organization name, and billing information. We use this to provide and bill for our services.

OAuth / Single Sign-On

If you sign in with Google or GitHub, we receive basic profile information (such as your name, email address, and account identifiers) to authenticate you and link your account. We do not access your private content.

Billing & Payment Processing

Payment details are processed by our payment provider (Stripe). We do not store full card numbers. We may store limited billing metadata such as payment status, customer IDs, and transaction references to manage your subscription, invoices, and support requests.

Usage Data

We collect information about how you use our service, including API calls, request metadata, timestamps, and threat detection results. This helps us improve our security models and provide analytics.

Technical Data

We automatically collect IP addresses, browser type, device information, and cookies to ensure security and optimize our service.

Analytics

We use analytics tools (such as PostHog) to understand product usage and improve the service. These tools may collect usage events, device details, and interaction data.

2. How We Use Your Information

  • Provide, maintain, and improve our AI security gateway service
  • Process transactions and send related billing information
  • Detect and prevent security threats, fraud, and abuse
  • Train and improve our threat detection models (using anonymized data only)
  • Communicate with you about service updates, security alerts, and support
  • Send product and marketing updates (you can opt out at any time)
  • Comply with legal obligations

3. Data Processing and Retention

Content Processing

Content you send through our API for scanning is processed in real time and is not retained after the request completes. We do not store the content of your prompts or AI responses unless you explicitly enable logging features.

Confidential Compute

When using our Confidential Compute feature, your data is processed within a Trusted Execution Environment (TEE) and is encrypted in memory. We have no access to unencrypted data during processing.

Retention Periods

  • Account data: Retained while your account is active, plus 30 days after deletion
  • Usage analytics: Aggregated and anonymized data retained for up to 2 years
  • Audit logs: Retained for 90 days (or longer for Enterprise plans)
  • Billing records: Retained as required by law (typically 7 years)

4. Data Sharing

We do not sell your personal information. We may share data with:

  • Service Providers: Cloud hosting (Google Cloud), payment processing (Stripe), and email services (Mailjet)
  • Analytics Providers: Product analytics (PostHog)
  • Legal Requirements: When required by law, court order, or to protect our rights
  • Business Transfers: In connection with a merger, acquisition, or sale of assets

5. Security

We implement industry-standard security measures including encryption in transit (TLS 1.3) and at rest (AES-256), regular security audits, SOC 2 Type II compliance, and access controls. However, no method of transmission over the Internet is 100% secure.

6. Your Rights

Depending on your location, you may have the right to:

  • Access, correct, or delete your personal data
  • Export your data in a portable format
  • Opt out of marketing communications
  • Restrict or object to certain processing
  • Lodge a complaint with a supervisory authority

To exercise these rights, contact us at privacy@trymighty.ai.

7. International Transfers

Your data may be transferred to and processed in countries other than your own. We use Standard Contractual Clauses and other safeguards to ensure adequate protection for international transfers.

8. Children's Privacy

Our service is not intended for children under 16. We do not knowingly collect personal information from children under 16.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through our service. Your continued use after changes constitutes acceptance of the updated policy.

10. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

Nine Suns Inc.

Email: privacy@trymighty.ai

For security issues: security@trymighty.ai