Privacy Policy
LAST UPDATED: FEBRUARY 26, 2026
Nine Suns Inc. (“Mighty,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Citadel AI Security Gateway service.
This Privacy Policy applies to the hosted Citadel service. If you use the open source (OSS) version, you control the hosting environment and data handling; your privacy practices are governed by your own deployment and policies.
1. Information We Collect
Account Information
When you create an account, we collect your name, email address, organization name, and billing information. We use this to provide and bill for our services.
Google OAuth Data
When you sign in with Google, we access the following data from your Google account:
- First name and last name -- used to create and display your Citadel account profile
- Email address -- used as your unique account identifier and for account-related communications
We do not access any other Google data such as your contacts, calendar events, Google Drive files, Gmail messages, photos, YouTube data, or any other Google services. We request only the minimum scopes necessary to authenticate you and create your account.
GitHub OAuth Data
When you sign in with GitHub, we access the following data from your GitHub account:
- Name and email address -- used to create and display your Citadel account profile
We do not access your repositories, gists, organizations, or any other GitHub data.
Billing & Payment Processing
Payment details are processed by our payment provider (Stripe). We do not store full card numbers. We may store limited billing metadata such as payment status, customer IDs, and transaction references to manage your subscription, invoices, and support requests.
Usage Data
We collect information about how you use our service, including API calls, request metadata, timestamps, and threat detection results. This helps us improve our security models and provide analytics.
Technical Data
We automatically collect IP addresses, browser type, device information, and cookies to ensure security and optimize our service.
Analytics
We use analytics tools (such as PostHog) to understand product usage and improve the service. These tools may collect usage events, device details, and interaction data.
2. How We Use Your Information
General Usage
- Provide, maintain, and improve our AI security gateway service
- Process transactions and send related billing information
- Detect and prevent security threats, fraud, and abuse
- Train and improve our threat detection models (using anonymized data only)
- Communicate with you about service updates, security alerts, and support
- Send product and marketing updates (you can opt out at any time)
- Comply with legal obligations
Google User Data Usage
Data obtained through Google OAuth (your name and email address) is used solely for the following purposes:
- Account creation: Your name and email are used to create your Citadel user account
- Authentication: Your email is used to verify your identity when you sign in
- Profile display: Your name is displayed within the application as your account profile name. You can update your name at any time from your account settings.
- Account communications: Your email is used to send essential account-related notifications such as security alerts, billing confirmations, and service updates
We do not use Google user data for advertising, marketing to third parties, training AI or ML models, or any purpose unrelated to providing our core Citadel security service. Our use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements.
3. Data Storage and Protection
General Security Measures
We implement industry-standard security measures including encryption in transit (TLS 1.3) and at rest (AES-256), regular security audits, SOC 2 Type II compliance, and access controls. However, no method of transmission over the Internet is 100% secure.
Google User Data Storage
Your Google account data (name and email address) is stored in our secure PostgreSQL database hosted on Google Cloud Platform with AES-256 encryption at rest. Access to this data is restricted to authenticated sessions through our application and is protected by our authentication and authorization system.
We do not store Google OAuth access tokens or refresh tokens beyond the initial authentication exchange. After your account is created, authentication is handled by our own session system.
Confidential Compute
When using our Confidential Compute feature, your data is processed within a Trusted Execution Environment (TEE) and is encrypted in memory. We have no access to unencrypted data during processing.
Content Processing
Content you send through our API for scanning is processed in real time and is not retained after the request completes. We do not store the content of your prompts or AI responses unless you explicitly enable logging features.
4. Data Sharing
We do not sell your personal information. We may share data with:
- Service Providers: Cloud hosting (Google Cloud), payment processing (Stripe), and email services (Mailjet) -- these providers process data on our behalf under strict confidentiality agreements
- Analytics Providers: Product analytics (PostHog)
- Legal Requirements: When required by law, court order, or to protect our rights
- Business Transfers: In connection with a merger, acquisition, or sale of assets
Google User Data Sharing
We do not share, sell, or transfer Google user data to any third parties except:
- With your explicit consent
- To comply with applicable law or valid legal process
- To our service providers (listed above) who process data on our behalf under strict confidentiality agreements and solely for the purpose of providing our services
Google user data is never used for advertising purposes or shared with data brokers.
5. Data Retention and Deletion
Retention Periods
- Account data (including Google OAuth data): Retained while your account is active
- Usage analytics: Aggregated and anonymized data retained for up to 2 years
- Audit logs: Retained for 90 days (or longer for Enterprise plans)
- Billing records: Retained as required by law (typically 7 years)
Google User Data Retention and Deletion
Data obtained from Google (your name and email address) is retained only while your Citadel account remains active. You may update your name at any time from your account settings.
Upon account deletion, all Google user data is permanently removed from our systems within 30 days. You may request immediate deletion of your data at any time by contacting us at privacy@trymighty.ai. We will process deletion requests in compliance with applicable local laws.
6. Your Rights
Depending on your location, you may have the right to:
- Access your personal data, including any data obtained from Google
- Correct inaccuracies -- you can update your name directly in your account settings
- Delete your data -- request account and data deletion at any time
- Export your data in a portable format
- Opt out of marketing communications
- Restrict or object to certain processing
- Lodge a complaint with a supervisory authority
To exercise these rights, contact us at privacy@trymighty.ai. We will respond to all requests in compliance with applicable local laws.
7. International Transfers
Your data may be transferred to and processed in the United States. We use Standard Contractual Clauses and other safeguards to ensure adequate protection for international transfers.
8. Cookies and Tracking
We use essential cookies for authentication and security. Analytics cookies are optional and can be disabled. We do not use third-party advertising trackers.
9. Children's Privacy
Our service is not intended for children under 16. We do not knowingly collect personal information from children under 16.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through our service. Your continued use after changes constitutes acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
Nine Suns Inc.
Delaware, USA
Privacy inquiries: privacy@trymighty.ai
Security issues: security@trymighty.ai