Privacy Policy
Effective date: 25 June 2026
Template — pending legal review. This document is a good-faith GDPR/CCPA-aware draft for the Elerion platform. Bracketed fields must be completed and the text reviewed by qualified counsel before it is relied upon in production.
1. Who we are
Elerion is an AI-assisted online dispute-resolution and mediation platform, available at elerion.ai and elerion.io, operated by Mylo Prime LLC ("Elerion", "we", "us", "our"). This Privacy Policy explains what personal data we collect, how we use and protect it, who we share it with, and the rights you have. For any privacy question or to exercise your rights, contact us at legal@myloprime.com.
Where Elerion is provided to you through a law firm, mediation centre, court, or other organisation (our customer), that organisation is generally the controller for the mediation records, and Elerion acts as a processor under its instructions and our data processing terms. For our own account, billing, and operational data we act as a controller. If you are unsure which organisation is responsible for your data, contact us and we will help you direct your request.
2. Data we collect
- Account data — name, email address, organisation, role, and authentication identifiers. Staff and administrators authenticate through Google Identity Platform / Firebase; participants typically sign in through a single-use magic link sent to their email.
- Mediation content — messages, offers, proposed terms, agreements, uploaded documents, and (where enabled) session audio and transcripts you submit or generate during a dispute-resolution session.
- Confidential caucus content — material you share privately with the mediator in a caucus. Caucus rooms are cryptographically separated, and this content is never disclosed to other parties or used to generate messages visible to them.
- Payment data — for paid plans, billing details are collected and processed by our payment processor (Stripe). We do not store full card numbers; we receive limited transaction and subscription metadata to operate billing.
- Usage and device data — log data, IP address, browser and device type, timestamps, and interactions with the service, used for security, diagnostics, and to operate the platform.
- Cookies and similar technologies — see our Cookie Policy.
3. How we use data
- To provide and operate mediation sessions, AI facilitation, and agreement drafting.
- To authenticate users and secure the platform, including audit logging and abuse prevention.
- To process payments, manage subscriptions, and provide customer support.
- To communicate with you about the service, including transactional notices sent by email.
- To meet our legal, regulatory, and contractual obligations.
- With an appropriate legal basis, to maintain, troubleshoot, and improve the product.
We do not sell personal data, and we do not use mediation content for advertising. The AI model providers we use process content solely to generate responses for your session; under our agreements with them, your content is not used to train their general models.
4. Legal bases (GDPR / UK GDPR)
- Contract — to deliver the service you or your organisation requested.
- Legitimate interests — security, fraud prevention, service operation, and improvement, balanced against your rights and freedoms.
- Consent — for non-essential cookies and optional analytics, where applicable; you may withdraw consent at any time.
- Legal obligation — where retention or disclosure is required by law.
5. Sharing and sub-processors
We share personal data with vetted sub-processors who help us run the service. Each is bound by data processing terms that restrict their use of the data to providing services to us. Our current sub-processors include:
- Anthropic and OpenAI — AI models that power facilitated dialogue, summaries, and drafting.
- Deepgram — speech-to-text transcription, where session transcription is enabled.
- Stripe — payment processing and subscription billing.
- SendGrid — transactional and magic-link email delivery.
- Google Cloud Platform — cloud hosting and infrastructure; Google Identity Platform / Firebase for staff authentication.
We may also disclose data where required by law, to comply with legal process, or to protect the rights, property, or safety of Elerion, our users, or others. If we are involved in a merger, acquisition, or sale of assets, personal data may be transferred subject to this Policy. We will keep an up-to-date list of sub-processors available on request, and a published sub-processor list and notification process should be finalised before launch.
6. International transfers
We and our sub-processors may process personal data in countries other than the one in which you are located, including the United States. Where data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country without an adequacy decision, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, together with supplementary measures where needed. You may contact us for more information about the safeguards in place.
7. Retention
Where Elerion acts as a processor, we retain mediation records for as long as your organisation's account requires and in line with its data-retention configuration, then delete or anonymise them in accordance with our agreement. Where we act as a controller, we retain account, billing, and operational records for as long as needed to provide the service and to meet legal, tax, and accounting obligations, after which we delete or anonymise them. Specific retention periods should be confirmed by counsel and documented in a retention schedule before launch.
8. Your rights
Depending on where you live and applicable law (including the GDPR, UK GDPR, and the California Consumer Privacy Act as amended by the CPRA), you may have the right to access, correct, delete, or port your personal data, to restrict or object to certain processing, to withdraw consent, and to opt out of the "sale" or "sharing" of personal information. We do not sell personal information. We will not discriminate against you for exercising these rights.
To exercise a right, contact legal@myloprime.com. Where Elerion acts as a processor for an organisation, we will route your request to that organisation, which is responsible for responding. If you are in the EEA or UK, you may also lodge a complaint with your local supervisory authority.
9. Security
We protect personal data using measures such as encryption in transit and at rest, role-based access control, tenant isolation, cryptographic separation of caucus rooms, audit logging, and least-privilege access for our personnel. No method of transmission or storage is completely secure, so we cannot guarantee absolute security. We maintain an incident-response process and will notify affected users and authorities of a personal-data breach where required by law.
10. Children
Elerion is intended for use by adults and is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will take appropriate steps to delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time and will revise the effective date above. If we make material changes, we will provide notice through the service or by email where appropriate. Your continued use of the service after an update takes effect indicates your acknowledgement of the revised policy.
12. Contact
Mylo Prime LLC is responsible for this service. For privacy questions, requests, or complaints, contact us at legal@myloprime.com.