Privacy Policy
Last updated: 2026‑05‑10
This Privacy Policy explains how Mainframe Computer, Inc. ("Mainframe", "we") collects, uses,
shares, and protects personal data when you use our service. The service includes mainframe.app
and its subdomains (including mcp.mainframe.app), the Mainframe GitHub App, and related APIs (the
"Service"). This Policy is part of the Terms of Service.
In plain English. When you sign up, upload, generate, install the GitHub App, or use any other part of the Service, we collect what you give us and what the Service produces. We use it to run, secure, and improve the Service for you. We use third‑party model providers, hosting, and payment processors listed in Subprocessors. Unless you opt out in writing, we may use Customer Content — excluding biometric and likeness materials — to improve Mainframe's AI features, prompts, evals, generation quality, model routing, and models. Voice and face are biometric data — see Biometric notice. Your rights are in Your rights.
Who is responsible
Mainframe is multi‑tenant. For most personal data we touch, the organization that subscribes is the controller (or "business" under CCPA/CPRA), and we are the processor (or "service provider"). The DPA sets the processor obligations. We are the controller for data we collect for our own purposes — account holder information, billing, security logs, marketing‑page visits, and aggregated, de‑identified telemetry. This Policy is also the transparency notice for individuals whose data we process on a customer's behalf.
What we collect
- Account and identity — name, email, profile image, identifiers from your identity provider (currently WorkOS), Workspace membership and role, authentication and integration tokens.
- Customer Content you provide — videos, audio, images, text, prompts and parameters, voice samples and avatar images (see Biometric notice), brand assets, comments, reactions, sharing settings, metadata.
- Content the Service generates — Outputs of generative features, voice and avatar models fitted from your materials, embeddings, aggregated and de‑identified telemetry.
- Integration data — events, repositories, pull requests, and comments accessible to a Mainframe GitHub App installation; OAuth claims; webhook payloads to endpoints you configure.
- Billing — plan, billing contact, history, and limited card metadata that Stripe returns to us. Stripe collects full payment instrument data.
- Device, log, and security — IP, device and browser identifiers, OS, time zone, language, request metadata, application and audit logs.
- Marketing pages — visitor analytics, form submissions, and email subscriptions on the marketing pages of mainframe.app.
- Communications — messages you send to support, sales, abuse, security, or legal, and our responses.
We don't knowingly collect personal data of children under 13 (US) or under 16 (EEA, where the local minimum is 16). The Service is for businesses and other organizations.
How we use it
- To provide the Service — authenticate, store, transcode, generate Outputs, route to subprocessors, operate sharing, send transactional notices.
- To secure it and prevent abuse — detect and respond to incidents and policy violations, with limited human review under appropriate confidentiality obligations. Content flagged for safety or security review may be analyzed to improve abuse detection and enforcement. Content you explicitly submit as feedback may be used to improve the Service.
- To improve the Service through telemetry — compute aggregated, de‑identified telemetry on usage, performance, and errors.
- To improve AI features through Data contribution — unless you opt out in writing, we may use Customer Content, excluding biometric and likeness materials, to improve Mainframe's AI features, prompts, evals, generation quality, model routing, and models. You may opt out by emailing help@mainframe.app. We will apply your opt‑out prospectively within 30 days. Voiceprints, facial geometry, voice models, avatar models, and likeness materials are excluded unless you give separate, specific written permission for that use.
- To bill and account — payments through Stripe, usage metering, invoicing, taxes, enforcement.
- To communicate — support, sales, security, abuse, and (where you've opted in or where permitted) marketing. You can unsubscribe from marketing any time.
- To comply with law — respond to lawful requests and defend legal claims.
Legal bases (UK and EEA)
- Contract — to provide the Service.
- Legitimate interests — to secure it, prevent abuse, compute aggregated telemetry, comply with non‑EU law, and operate the business.
- Consent — for non‑essential cookies, marketing, voice and avatar capture (see Biometric notice), and anything else where we ask. You can withdraw consent any time.
- Legal obligation — for tax, accounting, security, and law‑enforcement obligations.
- Special category data — for biometric processing, our basis is your explicit consent under Article 9(2)(a) GDPR, unless another Article 9 basis applies.
How we share it
- Subprocessors listed below.
- Within your Workspace, as your Admin and audience setting allow.
- In the audiences you choose — Link or Public videos are accessible to anyone in that audience.
- Through integrations you authorize — for example, the GitHub App posts Outputs to repositories at your direction.
- Professional advisors under confidentiality.
- Government, law enforcement, and others as required by law — we'll notify the affected customer first where we're permitted.
- In a corporate transaction — merger, acquisition, financing, reorganization, or sale of assets — with notice as required.
We don't sell personal data and don't share it for cross‑context behavioral advertising under CCPA/CPRA and similar US state laws.
International transfers
We operate from the United States and use subprocessors elsewhere. For transfers out of the EEA, UK, and Switzerland, we rely on the European Commission's Standard Contractual Clauses, the UK IDTA, and the EU‑U.S. Data Privacy Framework (and the UK and Swiss Extensions) where Mainframe or the relevant subprocessor is certified. Where required, we run transfer impact assessments and apply additional measures.
Retention
| Data | We keep it |
|---|---|
| Account and identity | For the life of the account; deleted within 30 days of Workspace deletion. |
| Customer Content (videos, prompts, Outputs, comments) | Until you delete it or your Workspace is deleted; backups expire within an additional 30 days. |
| Voice models and avatar models | Until you delete them, your Workspace is deleted, or 3 years after your last interaction — whichever is first. Deleted on request as in Biometric notice. |
| Integration data | Only as long as needed to deliver the related feature; older events are pruned. |
| Billing records | At least 7 years for tax and accounting. |
| Security and audit logs | Up to 12 months, longer if needed to investigate an incident. |
| Aggregated, de‑identified telemetry | Indefinitely — no longer linked to an identifiable individual. |
We may keep limited information after deletion to defend legal claims, comply with law, or enforce the Terms.
Security
We use administrative, technical, and physical safeguards — encryption in transit and at rest, role‑based access, audit logging, secret management through Infisical, vendor reviews. No method is perfectly secure.
If we confirm a security incident affecting your Customer Content, we'll notify the affected Workspace Admin without undue delay and, where feasible, within 72 hours of confirmation.
Report vulnerabilities to help@mainframe.app; we won't pursue good‑faith research conducted in line with our coordinated disclosure policy.
Cookies
We use a small number of strictly necessary cookies and storage entries to operate the Service, plus
limited analytics on the marketing pages of mainframe.app. We don't use cookies for cross‑context
behavioral advertising. We honor the Global Privacy Control signal as a request to opt out of "sale"
or "share" under US state privacy laws.
Subprocessors
We give 30 days' notice before adding a new subprocessor by updating this list and emailing the subscribers of our subprocessor change list — email help@mainframe.app to be added. You can object to a new subprocessor as the DPA describes.
| Subprocessor | Purpose |
|---|---|
| Cloudflare, Inc. | Edge compute (Workers, Durable Objects), database (D1), key‑value (KV), object storage (R2), queues, CDN, security. |
| Modal Labs, Inc. | Sandboxed compute for video generation. |
| WorkOS, Inc. | Identity and SSO/SAML. |
| Stripe, Inc. | Subscription billing and payments. |
| OpenAI, L.L.C. | AI model provider. |
| Anthropic, PBC | AI model provider. |
| Google LLC | AI model provider (Gemini). |
| Infisical, Inc. | Secrets management. |
| Braintrust Data, Inc. | AI evaluation and observability. Production Customer Content is not enrolled by default. |
We also engage routine business subprocessors for email, error monitoring, customer support tooling, and corporate IT.
Biometric notice
This is a notice under Illinois BIPA (740 ILCS 14), Texas CUBI (Bus. & Com. §503.001), Washington HB 1493, the "sensitive personal information" provisions of US state privacy laws, and GDPR Article 9 where applicable.
When you record a voice sample or upload an avatar image, we collect and process biometric identifiers and biometric information derived from it — a voiceprint and a facial geometry representation — to fit a voice model and an avatar model the Service uses to generate your Outputs. The sole purpose is to provide the Service to you. We don't sell, lease, or trade biometric data, and we don't commercialize your voice or likeness on a standalone basis without your separate written permission.
By submitting voice or face material, you give your explicit consent to this collection and processing. If the material depicts another person, you confirm you have their express written authorization, and you provide that authorization to us by submission. You can withdraw consent any time as below.
We retain biometric data for the shorter of: until you delete it; until the Workspace is deleted; three years after your last interaction with the Service; or any shorter period required by law. After that, we destroy it using industry‑standard methods. To delete a voice model or avatar model, use the in‑product controls or email help@mainframe.app — we action verified requests within 72 hours, with backups expiring within an additional 30 days.
We disclose biometric data only (i) to a subprocessor in Subprocessors acting on our behalf under written confidentiality and use restrictions, (ii) where required by law, or (iii) with your separate written consent.
Your rights
To exercise a right, use the in‑product controls or email help@mainframe.app. We may need to verify your identity. Where Mainframe is a processor for a customer, we route your request to that customer.
You generally have the right to access, correct, delete, port, and restrict your personal data; to withdraw consent; to object to processing based on legitimate interests (including direct marketing); not to be subject to a decision based solely on automated processing with legal or similarly significant effects (the Service doesn't make those); and to lodge a complaint with your supervisory authority or state attorney general — though we encourage you to contact us first.
California (CCPA / CPRA). You also have the right to know, port, correct, limit the use of sensitive personal information, non‑discrimination for exercising rights, and to opt out of "sale" or "share" or cross‑context behavioral advertising. We don't sell or share in those senses. We honor the Global Privacy Control signal. You can designate an authorized agent — we'll require evidence of authorization.
Other US states. If you reside in Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Delaware, New Hampshire, New Jersey, Minnesota, Maryland, or Rhode Island (and other states with comprehensive privacy laws as they take effect), you have substantially the same rights, including the right to appeal a denial.
Biometric. You also have the rights in Biometric notice.
We respond to verified requests within the period required by law — generally 30 days for GDPR and 45 days for US state requests, with one extension where reasonable. Biometric deletion requests, within 72 hours.
Changes
We may update this Policy. We'll post the new version with a new Last updated date and, for material changes, give 30 days' notice through the Service or to your Workspace Admin. Continued use after the effective date is acceptance.
Contact
For anything — privacy and data subject requests, security disclosures, subprocessor change notifications, legal — email help@mainframe.app.
Mainframe Computer, Inc., 36 E. 23rd St. #4F, New York, NY 10010, United States.
EEA / UK representative — [to be appointed if Mainframe falls within scope of GDPR Article 27 / UK GDPR Article 27]. Data Protection Officer — [to be confirmed].