Mountain Theory, Inc. Privacy Policy

Effective Date: February 13, 2026

 

1. Introduction

Mountain Theory, Inc. (“Mountain Theory,” “we,” “us,” or “our”) is committed to protecting the privacy and security of individuals who use our tools, software, and related services (collectively, the “Service”), visit our website at mountaintheory.ai (the “Website”), or otherwise interact with us. This Privacy Policy describes how we collect, use, disclose, and safeguard your information.

Mountain Theory provides AI Infrastructure Defense™ technology that operates inside AI reasoning processes to protect developers and organizations from AI-related security threats, including prompt injection attacks, unauthorized data access, and unintended destructive actions. Our patent-pending architecture is designed with privacy at its core: raw customer data never leaves your environment.

This Privacy Policy applies to all users of the Service, including free-tier and paid-tier users, and covers data collected through the Service, Website, and any related communications.

 

2. Information We Collect

2.1 Information You Provide Directly

We collect information that you voluntarily provide when you register for an account, configure the Service, contact us, or otherwise interact with us:

 

    • Account Information: Name, email address, username, and password when you create an account.
    • Profile Information: Organization name, job title, and professional details you choose to provide.
    • Payment Information: For paid tiers, billing address and payment method details. Payment processing is handled by our third-party payment processor; we do not store full credit card numbers.
    • Communications: Information you provide when you contact our support team, submit feedback, or participate in surveys.
    • Integration Configuration: API keys, workflow platform credentials (e.g., n8n, Zapier, Make.com tokens), and security policy configurations you set within the Service.

 

2.2 Information Collected Automatically

When you access or use the Service or Website, we automatically collect certain information:

 

    • Usage Data: Features used, actions taken within the Service, frequency and duration of use, and error logs.
    • Device and Connection Information: IP address, browser type, operating system, device identifiers, and general location derived from IP address.
    • Log Data: Server logs including access times, pages viewed, referring URLs, and system activity.
    • Cookies and Tracking Technologies: We use cookies, web beacons, and similar technologies to maintain sessions, remember preferences, and understand usage patterns. See Section 9 for details.

 

2.3 AI Security Telemetry Data

Our Service processes data in the course of providing AI Infrastructure Defense. It is critical to understand how this data is handled:

 

    • Threat Signatures (Anonymized): When our Guardian AI detects a potential security threat, it extracts anonymized behavioral patterns and threat signatures. All personally identifiable information (PII) and protected health information (PHI) is stripped locally before any data is transmitted to Mountain Theory systems, when known.
    • Security Event Metadata: Anonymized metadata about security events, including threat type, severity classification, and response action taken. This data contains no customer-specific content.
    • Performance Metrics: Aggregated statistics on response times, detection accuracy, and system health to improve Service reliability.

 

2.4 Information from Third Parties

We may receive information about you from third-party sources, including workflow automation platforms you integrate with the Service (e.g., n8n, Zapier, Make.com), identity providers if you use single sign-on (SSO), and publicly available professional information (e.g., LinkedIn) for business development purposes.

 

3. How We Use Your Information

We use the information we collect for the following purposes:

Service Delivery and Improvement

 

    • Provide, maintain, and improve the Service, Website, and related features.
    • Process transactions and manage your account and subscriptions.
    • Develop new features and enhance our AI Infrastructure Defense capabilities based on anonymized, aggregated threat intelligence.
    • Train and refine our Adjudicator AI and Policy AI models using only anonymized security telemetry data to improve threat detection across all users.

Security and Compliance

 

    • Detect, prevent, and respond to security threats, fraud, and abuse.
    • Monitor system integrity and enforce our Terms of Service.
    • Comply with legal obligations and respond to lawful requests from authorities.

Communications

 

    • Send transactional messages such as account confirmations, security alerts, and service updates.
    • Provide customer support and respond to your requests.
    • Send marketing communications about new features or services (with your consent where required; you may opt out at any time).

Analytics and Research

 

    • Analyze usage patterns to understand how the Service is used and identify areas for improvement.
    • Conduct research on AI security threats using aggregated, de-identified data to advance the field of AI Infrastructure Defense.

 

4. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:

 

Legal Basis | Applicable Processing Activities
Contract Performance | Providing the Service, processing payments, managing your account, and delivering AI security protection as described in our Terms of Service.
Legitimate Interests | Improving the Service, conducting analytics, preventing fraud, ensuring network security, and developing anonymized threat intelligence. We balance our interests against your rights and freedoms.
Consent | Sending marketing communications, placing non-essential cookies, and processing data for purposes beyond what is necessary for service delivery. You may withdraw consent at any time.
Legal Obligation | Complying with applicable laws, regulations, and legal processes, including tax, accounting, and data breach notification requirements.

 

5. How We Share Your Information

We do not sell your personal information. We share information only in the following limited circumstances:

 

    • Service Providers: We engage trusted third-party companies to perform services on our behalf, such as cloud hosting, payment processing, email delivery, and analytics. These providers are contractually obligated to protect your data and use it only for the purposes we specify.
    • Workflow Platform Integrations: When you connect the Service to third-party platforms (n8n, Zapier, Make.com, or others), data necessary for the integration to function is shared with those platforms in accordance with their respective privacy policies.
    • Legal Requirements: We may disclose your information if required by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
    • Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of the transaction. We will notify you of any such change.
    • Aggregated or De-identified Data: We may share aggregated, anonymized threat intelligence data that cannot reasonably be used to identify you. This data is used to improve AI security across the ecosystem.
    • With Your Consent: We may share your information for other purposes with your explicit consent.

 

6. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

 

    • Account Information: Retained for the duration of your account and for up to 90 days following account deletion to facilitate account recovery.
    • Usage and Log Data: Retained for analytics and service improvement, then aggregated or deleted.
    • Security Telemetry (Anonymized): Anonymized threat signatures and security metadata may be retained indefinitely as they contain no personally identifiable information and are essential for improving global AI security.
    • Payment Records: Retained as required by applicable tax and accounting regulations (typically 7 years).
    • Communications: Support correspondence is retained for up to 24 months following resolution.

When personal data is no longer needed, we securely delete or anonymize it using industry-standard methods.

 

7. Data Security

We implement robust technical and organizational measures to protect your information, designed to meet or exceed SOC 2 Type II standards:

Technical Safeguards

 

    • Encryption in Transit: All data transmitted between your systems and Mountain Theory is encrypted using TLS 1.2 or higher.
    • Encryption at Rest: Data stored on Mountain Theory systems is encrypted using AES-256 encryption or better.
    • Edge-First Architecture: When enabled, our Guardian AI processes sensitive data locally within your environment. Raw prompts, responses, and source code never leave your infrastructure.
    • Local Anonymization: PII and PHI are stripped at the edge by an automated preprocessing service before any metadata is transmitted to Mountain Theory cloud services.
    • VPC Service Controls: Cloud resources are protected by Virtual Private Cloud security perimeters to prevent unauthorized data exfiltration.
    • Mutual TLS (mTLS): All communications between edge deployments and cloud services use mutual TLS authentication.

Organizational Safeguards

 

    • Access Controls: Strict role-based access controls limit employee access to personal data on a need-to-know basis.
    • Multi-Tenancy Isolation: Each customer environment is logically isolated to ensure no cross-tenant data access.
    • Incident Response: We maintain an incident response plan and will notify affected users and relevant authorities of any data breach in accordance with applicable laws.
    • Vendor Management: Third-party service providers are subject to security assessments and contractual data protection obligations.

While we strive to protect your data using commercially reasonable measures, no method of transmission or storage is 100% secure. We encourage you to take steps to protect your account credentials.

 

8. Your Rights and Choices

8.1 Rights Under GDPR (EEA, UK, Switzerland)

If you are located in the EEA, UK, or Switzerland, you have the following rights regarding your personal data:

 

    • Right of Access: Request a copy of the personal data we hold about you.
    • Right to Rectification: Request correction of inaccurate or incomplete personal data.
    • Right to Erasure: Request deletion of your personal data, subject to certain legal exceptions.
    • Right to Restrict Processing: Request limitation of how we process your personal data.
    • Right to Data Portability: Receive your personal data in a structured, machine-readable format.
    • Right to Object: Object to processing based on legitimate interests, including direct marketing.
    • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
    • Right to Lodge a Complaint: File a complaint with your local data protection authority.

To exercise any of these rights, please contact us at privacy@mountaintheory.ai. We will respond to verified requests within 30 days.

 

8.2 Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

 

    • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties with whom we share it.
    • Right to Delete: Request deletion of your personal information, subject to certain exceptions.
    • Right to Correct: Request correction of inaccurate personal information.
    • Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising. If this changes, we will provide a clear opt-out mechanism.
    • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
    • Right to Limit Sensitive Personal Information: You may limit our use of sensitive personal information to what is necessary to provide the Service.

To submit a request, contact us at privacy@mountaintheory.ai or call us at a number we will provide upon request. We will verify your identity and respond within 45 days. You may designate an authorized agent to make a request on your behalf.

 

8.3 General Choices

 

    • Account Settings: You may update or correct your account information at any time through your account settings.
    • Marketing Opt-Out: You may unsubscribe from marketing emails by clicking the unsubscribe link in any marketing message or contacting us directly.
    • Cookie Preferences: You may manage cookie preferences through your browser settings or our cookie preference center on the Website.

 

9. Cookies and Tracking Technologies

We use cookies and similar technologies to operate and improve the Service and Website:

 

Cookie Type | Purpose | Duration
Essential | Authentication, session management, security, and load balancing. Required for the Service to function. | Session to 12 months
Functional | Remembering preferences, language settings, and configurations. | Up to 12 months
Analytics | Understanding usage patterns, feature adoption, and Service performance. Data is aggregated. | Up to 24 months
Marketing | Only with your explicit consent. Used to measure the effectiveness of our communications. | Up to 12 months

You can control cookies through your browser settings. Disabling essential cookies may impair the functionality of the Service.

 

10. International Data Transfers

Mountain Theory is headquartered in the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.

For transfers of personal data from the EEA, UK, or Switzerland, we rely on the following safeguards:

 

    • Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses with our service providers to ensure adequate data protection for international transfers.
    • Data Processing Agreements: All sub-processors are bound by data processing agreements that include appropriate technical and organizational safeguards.
    • Adequacy Decisions: Where applicable, we transfer data to countries recognized by the European Commission as providing adequate data protection.

You may request a copy of the safeguards we use for international transfers by contacting us at privacy@mountaintheory.ai.

 

11. Children’s Privacy

The Service is not directed to individuals under the age of 16 (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child without appropriate parental consent, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at the address below.

 

12. Third-Party Links and Integrations

The Service may contain links to third-party websites or integrate with third-party platforms (such as n8n, Zapier, and Make.com). This Privacy Policy does not apply to third-party services. We encourage you to review the privacy policies of any third-party services you connect to the Service. Mountain Theory is not responsible for the privacy practices of third-party services.

 

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by posting the updated policy on our Website with a revised “Effective Date” and, where required by law, by sending you an email notification or providing an in-Service alert. We encourage you to review this Privacy Policy periodically.

 

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

 

Mountain Theory, Inc.
Attn: Privacy Team
Email: privacy@mountaintheory.ai
Website: mountaintheory.ai
For GDPR inquiries, you may also contact your local data protection authority.

 
