How we handle account, billing, and app data.

Multilo ("Multilo", "we", "us") provides the Multilo website, desktop application, and related academic-writing services, and is the controller responsible for the personal information described in this policy. For privacy questions or to exercise your rights, contact us at support@multilo.com.

This policy covers personal information we process when you visit the website, create an account, download or use the desktop app, subscribe to a paid plan, connect third-party services such as GitHub, or contact support. It does not cover third-party websites or services that have their own privacy policies, or content you choose to share with third parties through integrations you enable.

We collect the information needed to operate the website, desktop app, subscriptions, and support workflows.

Information you provide

• Account details such as name, email address, profile image, sign in provider, role, and account status.
• Messages, files, prompts, or other content you choose to submit through the app or connected features.

Information collected automatically

• Desktop app information such as account connection events, app version, operating system details, project details, agent usage, model selections, timestamps, and diagnostics or crash reports when you choose to enable them.
• An approximate country (for example “United States”) derived from your IP address when you sign in or your desktop app connects. We store only the resulting country code for product analytics, security, and regional compliance — we do not keep the raw IP address alongside your account.

Information from third parties

When you sign in with Google or connect GitHub, we receive basic profile information (such as your name, email, and avatar) from that provider. When you subscribe, Stripe shares billing status and identifiers with us. We combine this with your account so the service works.

• Subscription records such as plan, status, Stripe customer ID, Stripe subscription ID, price ID, renewal period, and cancellation status.
• Optional GitHub connection information when you connect GitHub for project creation.

• Authenticate users and connect the desktop app.
• Provide AI agent, model access, usage, and project features.
• Manage free and paid subscription limits.
• Process billing events, cancellations, and account support.
• Understand which countries our users are in to prioritise features, languages, and regional compliance.
• Diagnose errors, prevent abuse, and improve reliability.
• Comply with legal, tax, security, and payment obligations.

Depending on where you live, you may have rights to access, know, correct, delete, export, restrict, or object to certain processing of personal information. You may also have rights to withdraw consent where processing is based on consent.

For EEA, UK, and similar privacy-law users, our legal bases may include performance of the service contract, consent, legitimate interests in security and product operation, and compliance with legal obligations. For California and similar state-law users, we do not sell personal information or share it for cross-context behavioural advertising.

We share limited personal information with vendors that process it on our behalf to run the service. Each is bound by contract to use the data only to provide their service to us. We do not sell personal information to any of them.

We may add or change providers as the product evolves. We update this list when our core processors change.

Payments are processed by Stripe. We do not store full credit card numbers or bank account details on our servers. Stripe provides us with billing status, subscription identifiers, customer identifiers, and related payment details so we can provision and support paid plans.

We keep our use of browser storage minimal and do not use third-party advertising cookies.

• Essential cookies — used to keep you signed in and secure your session on the website. The service does not work without these.
• Local storage on your device — remembers your theme, interface language, and which legal and AI-processing notices you have accepted. This stays on your device.
• Device identifier — when you opt in to desktop telemetry, the app generates a random identifier stored locally. It is never linked to your email, account, or hardware, and you can delete it any time in Settings → Privacy.

Because we do not use advertising trackers, we treat a Global Privacy Control or "Do Not Track" signal as an opt-out of any non-essential analytics where applicable.

The Multilo desktop app can send anonymous usage data so we can fix what breaks and ship features that get used. We ask you to choose on first launch between three options: Standard only (recommended), Standard + crash diagnostics, or No telemetry. Whichever you choose can be changed any time in Settings → Privacy.

• Standard tier sends: app version, operating-system label (e.g. “Windows 11”), CPU architecture, locale, primary screen size, daily counts of named events from a closed allow-list (e.g. doc.opened, citation.inserted), tagged events for the update funnel and AI completions with small allow-listed property bags (e.g. modelId, latencyMs), and session start/end markers.
• Crash diagnostics tier adds short error messages and reason strings to crash events. These sometimes include file paths from your machine, which is why this tier is a separate opt-in and OFF by default.
• Every payload is tied to a random per-device identifier that we generate locally on first opt-in. It is never linked to your email, account, or hardware. We never receive document content, AI prompts, file names, project paths, or your IP address (the server sees IP via TCP but does not log it).

Raw events and counts are retained for 90 days, then automatically deleted by a daily cron. Per-device fingerprints (without raw event history) are retained for the life of the device. Aggregated daily snapshots (DAU/MAU, version distribution) are retained indefinitely for trend analysis — these never contain per-device data.

You can delete every row tied to your device id with one click in Settings → Privacy. The full catalogue of event names and property keys is at /privacy/telemetry.

To improve Multilo and the AI features in it, we may collect the content of your chat messages and the text context sent for inline AI suggestions, tied to your account. This is separate from the anonymous telemetry described above, and you control it:

• It is opt-out. You can turn it off at any time in the desktop app under Settings → Data Controls. When off, no chat or suggestion content is collected for improvement.
• Education and enterprise plans are excluded by default — content from those accounts is not collected for improvement unless separately agreed.
• Collected content is retained for a limited period (about 30 days by default) and then automatically deleted, and it is removed entirely if you delete your account.
• We use it to understand what users ask for, fix failures, and improve our models and features. We do not sell it or use it for advertising.

We may process and store information in countries other than where you live. When legally required, we use appropriate safeguards for cross-border transfers, such as contracts, vendor terms, or other recognised transfer mechanisms.

We keep account, billing, usage, telemetry, and support records for as long as needed to provide the service, comply with obligations, resolve disputes, and maintain security. You can ask us to access, correct, export, or delete personal information, subject to legal and operational retention requirements.

The desktop app asks for required legal and AI-processing consent before completing account connection. Diagnostic telemetry and crash reporting are optional and can be changed from desktop settings. Extension installs require a separate permission review.

Subject to your location and applicable law, you have the following rights over your personal information. We will not discriminate against you for exercising them.

• Access — request a copy of the personal information we hold about you.
• Correction — ask us to fix inaccurate or incomplete information.
• Deletion — ask us to delete your personal information, subject to legal retention limits.
• Portability — receive certain information in a portable, machine-readable format.
• Restriction and objection — ask us to limit or stop certain processing, including processing based on legitimate interests.
• Withdraw consent — where processing is based on consent (such as product-improvement collection or optional telemetry), withdraw it at any time without affecting prior processing.
• Complain — lodge a complaint with your local data protection authority.

How to exercise your rights

Email support@multilo.com or use the controls in your account and the desktop app. We may need to verify your identity before acting on a request. We respond within the timeframe required by applicable law. You can authorise an agent to make a request on your behalf where the law allows.

If you are a California resident, the CCPA/CPRA gives you the rights to know, access, correct, and delete your personal information, and to limit the use of sensitive personal information. We do not sell your personal information and do not share it for cross-context behavioural advertising, so there is no "sale" or "share" to opt out of. We do not use or disclose sensitive personal information for purposes that require an opt-out. You may exercise these rights using the contact details below, and we will not discriminate against you for doing so.

Residents of states with comprehensive privacy laws (such as Colorado, Connecticut, Virginia, Utah, Texas, Oregon, and others) have rights to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of targeted advertising, sale, or certain profiling. We do not sell personal data or use it for targeted advertising. Contact us to exercise these rights; where required, you may appeal a decision by replying to our response.

You can delete your account from your account settings or by emailing support@multilo.com. When you delete your account we cancel any active subscription, send you a confirmation, and remove your personal records from our systems in bounded batches. Some data may be retained only as long as required for legal, tax, security, or dispute-resolution purposes, after which it is deleted. Anonymous telemetry tied to a device identifier can be deleted separately from Settings → Privacy.

We use automated checks for usage limits, fraud and abuse prevention, and rate limiting. These do not produce legal or similarly significant effects about you without human involvement. AI features generate suggestions, not decisions about you — you remain in control of whether to use their output.

We use reasonable administrative, technical, and organisational safeguards for customer information. No online service can guarantee absolute security, so customers should use strong account credentials and protect desktop connection credentials.

Multilo is intended for students, researchers, and adult academic users. It is not directed to children under 13. Do not submit personal information from children under 13 unless you have the authority and verified consent required by applicable law. Minors should use the service only with appropriate parent, guardian, school, or institutional permission.

We may update this policy as the product and the law change. We will post the updated version here with a new "last updated" date, and for material changes we will provide additional notice where appropriate. Your continued use of the service after an update means you accept the revised policy.

For privacy requests, email support@multilo.com. You can also review our Terms, Refund Policy, and Contact page.