This Privacy Policy explains how Mitsolab ("Mitsolab," "we," "us," or "our") collects, uses, discloses, and safeguards information when you use Portal (our shared inbox and CRM), AI Agents and Dispatchers, and the Mitsolab Dashboard, available at mitsolab.com, app.mitsolab.com, portal.mitsolab.com, and api.mitsolab.com (together, the "Services"). It applies to workspace administrators and team members who create Mitsolab accounts ("Customers" or "you"), and, where noted, to the end customers who message a business through channels Mitsolab powers ("End Users").
Mitsolab is a B2B software provider. Businesses ("Customers") sign up for a workspace to run Portal (shared inbox and CRM) and to configure AI Dispatchers and AI Agents that communicate with the Customer's own end customers ("End Users") over channels the Customer connects, such as WhatsApp, Instagram, Messenger, live chat widgets, email, and SMS.
For data Customers submit about their End Users (contact details, messages, order details, notes), Mitsolab generally acts as a data processor / service provider on the Customer's behalf, and the Customer is the data controller responsible for its own end customers under applicable law. For account, billing, and usage data about the Customer's own workspace and team members, Mitsolab acts as a data controller. Where a separate Data Processing Addendum ("DPA") has been executed with a Customer, that DPA governs in the event of a conflict with this section.
When a Customer's end customer messages them through a connected channel, or a Customer imports or creates a CRM record, the following may be collected and stored in the Customer's workspace:
If a Customer connects a third-party account (see Section 7), we receive limited data from that provider — such as an access token, page/business identifiers, and the fields required to operate the integration (e.g., a HubSpot contact ID after we create a lead, or a Stripe usage count after an action runs).
Portal and AI Agents can connect to Meta Platforms, Inc. products, including WhatsApp Business, Instagram, and Facebook Messenger, through Meta's Graph API and Business Login. When a Customer connects one of these channels:
pages_show_list,
pages_read_engagement, pages_manage_metadata,
instagram_basic, instagram_manage_messages, and
business_management — to list connected Pages, subscribe to message
webhooks, and send/receive messages on the Customer's behalf.Similar principles apply to other channel integrations (SMS, email, and web chat widgets), each of which is governed by that channel provider's own terms in addition to this Policy.
AI Dispatchers and AI Agents use a large language model to read conversation content and generate responses, route conversations, or trigger connected actions (for example, creating a CRM lead or a Stripe charge). To provide this functionality:
The Dashboard lets Customers optionally connect their own third-party accounts, including Stripe (via a Customer-supplied restricted secret API key, used to authorize specific payment actions the Customer enables — such as generating a payment link), HubSpot and Zoho (via OAuth, to create or sync CRM leads/contacts), and channel or productivity tools such as Gmail, Google Calendar, Slack, Notion, and Make. Each connection is initiated and authorized by the Customer, uses only the scopes/permissions necessary for the feature enabled, and can be disconnected by the Customer at any time from the Dashboard. Where a Customer stores a third-party credential (such as a Stripe key) with us, it is encrypted at rest and used only to execute the actions the Customer has explicitly enabled; the Customer remains responsible for that third-party account and its own compliance obligations. Use of these third-party services is also governed by each provider's own terms and privacy policy.
We retain workspace, contact, and conversation data for as long as the Customer's account is active, plus a reasonable period afterward to allow account recovery, fulfill legal obligations, resolve disputes, and enforce agreements. Customers can request deletion of their workspace data by contacting us at privacy@mitsolab.com; we will delete or anonymize data within a reasonable time, except where retention is required by law or for legitimate business purposes such as fraud prevention and financial recordkeeping.
We use administrative, technical, and organizational safeguards designed to protect information against unauthorized access, alteration, disclosure, or destruction, including encryption in transit, database-level row security scoping data to each workspace, and access controls limiting internal access to what is needed to operate the Services. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
Mitsolab is based in Jordan, and our infrastructure providers may process and store data in other countries, including the United States and the European Economic Area. Where we transfer personal data internationally, we rely on appropriate safeguards (such as our providers' standard contractual clauses or equivalent mechanisms) required under applicable data protection law.
Depending on your location and role, you may have the right to request access to, correction of, deletion of, or a copy of personal information we hold about you, and to object to or restrict certain processing. If you are an End User messaging a Mitsolab Customer, please direct data requests to that business first, since they control their own customer records; if you are unable to reach them, contact us at privacy@mitsolab.com and we will assist or route your request. Customers can access, export, or delete most workspace data directly from the Dashboard or Portal, or by contacting support.
The Services are intended for business use by adults and are not directed to children. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact us so we can delete it.
We may update this Privacy Policy from time to time. If we make material changes, we will notify Customers by email or through a notice within the Dashboard or Portal before the change takes effect. The "Last updated" date at the top of this page reflects the most recent revision.
Questions about this Privacy Policy or our data practices can be sent to privacy@mitsolab.com or sales@mitsolab.com. Mitsolab is based in Jordan.