Myrmid

Privacy

Privacy policy

This privacy policy explains what personal data Myrmid processes through this site, on which lawful basis, for how long, and how to exercise your data-subject rights under the GDPR and the French Loi Informatique et Libertés.

Controller

The data controller is Myrmid SAS (in formation), 138 Avenue Victor Hugo, 75016 Paris, France.

For all data-subject-rights requests (access, rectification, erasure, portability, restriction, objection), contact: privacy@myrmid.ai.

We respond to data-subject-rights requests within 30 days of receiving a verifiable request, in line with NFR-C1 of our internal compliance baseline. If your request is unusually complex we may extend the response window by up to two further months and will tell you in the initial reply.

Data flows

This site processes personal data through four flows. Each flow is listed below with the data captured, the purpose, the lawful basis, and the retention window.

1. Plausible Analytics (page views, web-vitals)

  • Data captured: anonymous page views and Core Web Vitals samples (LCP, INP, CLS, TTFB, FCP). No cookies, no fingerprinting, no IP addresses retained, no cross-site tracking.
  • Purpose: site quality + understanding which pages help visitors find what they need.
  • Lawful basis: legitimate interest (GDPR Art. 6(1)(f)). The processing is privacy-preserving by design (cookieless, consent-exempt under ePrivacy guidance), serves a legitimate operational purpose, and the visitor's reasonable expectations are met by the no-cookies, no-fingerprinting design.
  • Retention: Plausible aggregates indefinitely; no individual session record is retained beyond the beacon hop.
  • Recipient: Plausible Insights OÜ, Estonia (EU-resident processor).

2. Sentry error monitoring

  • Data captured: runtime error stack traces, browser version, page URL, anonymous session identifier. Only fires after the visitor explicitly opts in via the privacy-preferences dialog.
  • Purpose: diagnosing site bugs that visitors encounter in production.
  • Lawful basis: explicit consent (GDPR Art. 6(1)(a)). Sentry processing is gated behind opt-in; the visitor's choice is stored locally and can be reversed any time via the persistent privacy-preferences trigger.
  • Retention: Sentry default retention (90 days) on the EU data region.
  • Recipient: Functional Software Inc. d/b/a Sentry, EU data region.

3. Design-partner intake (cohort 1)

  • Data captured: the information you submit through the partner-cohort application (your name, organisation, role, the workflow you would build, contact email).
  • Purpose: evaluating fit for the design-partner cohort and following up with you in line with the cohort's 48-hour personal-reply commitment.
  • Lawful basis: pre-contractual measures at your request (GDPR Art. 6(1)(b)). You submit the application; we process it to decide whether to enter a partnership with you.
  • Retention: active applications retained for 12 months from submission. Declined applications retained for 6 months for reference, then deleted unless you ask for earlier deletion.
  • Recipient: the application form is hosted by Typeform (Spain, EU-resident processor); the resulting record is reviewed by Myrmid founders.

4. Lucie conversation summaries (when the widget is enabled)

  • Data captured: when you use the Lucie chat widget, the conversation transcript and any summaries the widget retains.
  • Purpose: answering your question in the moment and helping you find the right next step on the site.
  • Lawful basis: legitimate interest (GDPR Art. 6(1)(f)) for in-conversation processing; explicit consent for any post-conversation retention beyond the session.
  • Retention: in-conversation only by default; longer retention requires your explicit consent at the start of the session.
  • Recipient: processed on Enterprise Mesh under European jurisdiction; never sent to third-party model providers without explicit policy permission.

Your rights

Under the GDPR and the French Loi Informatique et Libertés, you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Erase data we hold about you ("right to be forgotten") subject to applicable retention obligations.
  • Restrict processing in specific circumstances.
  • Object to processing based on legitimate interest.
  • Portability: receive your data in a structured, commonly-used, machine-readable format and have it transmitted to another controller where technically feasible.
  • Lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL), www.cnil.fr, if you believe your rights are not being respected.

Operator-mediated DSR workflow at MVP

We operate the data-subject-rights workflow as a documented operator process at MVP-0:

  1. You email privacy@myrmid.ai with your request.
  2. We confirm receipt within 2 business days.
  3. We verify your identity to the extent the request requires it.
  4. We satisfy the request (or explain why we cannot, with the legal basis for the refusal) within 30 days from the original request.

This process is operator-mediated rather than self-service at this stage of the company. As we scale the platform, in-product self-service tooling will follow; the email contact above remains valid throughout.

International transfers

We do not transfer personal data outside the European Economic Area for the data flows described above. Where a flow would require such a transfer (for example, a visitor accessing the site from outside the EEA), the transfer rests on the standard contractual safeguards (Art. 46 GDPR) negotiated between us and the relevant processor.

Updates

This policy is updated as our processing changes. The "last updated" date at the top reflects the most recent change. Material changes are surfaced in the privacy-preferences dialog so existing visitors are not surprised.