- you visit or interact with our websites and online properties;
- you create, manage, or use a Molin AI Customer account;
- you communicate with us through support channels or marketing interactions;
- you use the Molin AI platform, including AI Agents, workflows, dashboards, analytics, and other features;
- you engage with Molin AI through our supported communication channels, including:
- Chat (web chat, in-app chat),
- Social Messaging (WhatsApp, Facebook Messenger, Instagram),
- Email (two-way forwarding and replies),
- Phone (inbound and outbound calls),
- SMS (two-way messaging).
- Customers (organizations using Molin AI Services);
- Customer administrators and team members;
- Website visitors and prospective customers;
- Individuals who interact with Customer’s AI Agents (“End Users”).
When Molin AI processes personal data on behalf of a Customer as a Processor (for example, chat transcripts, emails, or end-user interactions with Customer AI Agents), such processing is governed by the Molin AI Data Processing Addendum (“DPA”), which prevails in case of conflict.
Capitalised terms used but not defined herein have the meanings given in our Terms of Service (available at: https://docs.molin.ai/legal/terms-of-service) or in the DPA. 2. Our Roles Under Data Protection Law Molin AI acts either as Controller or Processor depending exclusively on the purposes for which personal data is processed. The same category of data (for example, technical metadata or communication logs) may fall under different roles depending on whether Molin AI determines the purposes and means of the processing, or whether Molin AI processes the data strictly in accordance with Customer instructions.
2.1 When Molin AI Acts as a Controller
Molin AI is the Controller when we determine the purposes and means of processing personal data. This includes: a) Website & Marketing Activities
We collect and process personal data when you visit our websites, submit forms, subscribe to communications, or engage with our marketing content. b) Customer Account & Workspace Administration
We process personal data of Customer administrators and invited users to:
- create and manage accounts and workspaces;
- authenticate users;
- control permissions and roles;
- manage billing, invoicing, and subscription settings;
- maintain security logs and audit trails.
We process personal data to operate, optimize, and improve the functionality of the Services, including measuring usage patterns, feature performance, and reliability. d) Security and Fraud Prevention
We process data to protect our systems and users from malicious activity, enforce access controls, prevent abuse, and maintain service integrity. e) Molin Account
Molin AI acts as an independent Controller for the processing of personal data associated with the creation and operation of optional Molin Accounts. 2.2 When Molin AI Acts as a Processor
We act as a Processor when we process Customer Personal Data strictly based on the Customer’s documented instructions and in accordance with the DPA. This includes personal data processed through the following channels: a) Chat
- Web chat, embedded chat widgets, in-app chat.
- Conversation content, attachments, and metadata.
- WhatsApp, Facebook Messenger, Instagram Direct.
- Message content, timestamps, platform IDs, names (if available).
- Incoming emails may be ingested and displayed to the Customer for review. Molin may generate AI-assisted draft replies, but all outbound emails require human review and are only sent by the Customer or its authorized users.
- Headers, subject, recipients, attachments.
- Phone numbers, call logs, timestamps, call status.
- Call recordings and optional transcriptions when explicitly enabled.
- SMS content, phone numbers, delivery metadata.
- Prompts (inputs), uploaded files, context history.
- AI-generated outputs (responses, summaries, classifications). Molin AI does not send email replies autonomously on behalf of Customers unless explicitly configured.
- Workflow triggers and variables.
- CRM imports or synchronizations.
- Contact lists, CSV uploads.
- Stored knowledge bases, documents, or business data.
- Product data.
Customers are responsible for:
- determining the appropriate legal basis for processing End User data;
- providing required privacy notices to their End Users;
- complying with applicable communications laws (e.g. PECR, ePrivacy, anti-spam rules, telecom regulations);
- meeting channel-specific obligations (WhatsApp/Meta/Twilio policies, etc.);
- configuring retention, deletion, and workflow logic within Molin AI appropriately.
Customers are responsible for informing End Users when interactions involve AI-generated responses, where required by applicable law or under the Terms of Service. 3. Information We Collect
The following categories of personal data may be collected depending on your interaction with Molin AI. 3.1 Website Visitor & Marketing Interaction Data (Controller)
When you interact with our sites or emails, we may collect:
- IP address, device type, OS, browser type;
- language preferences, time zone;
- screen resolution and display settings;
- referring URL (site you visited before ours);
- pages viewed, navigation paths, scroll depth;
- time spent per page or screen;
- links and UI elements clicked;
- email interaction data (opens, clicks);
- cookies and storage identifiers;
- diagnostic, performance, and error logs.
We process:
- name, email address, role, workspace affiliation;
- hashed authentication credentials;
- multi-factor authentication settings;
- billing details and invoicing contacts;
- workspace configuration, team membership, role assignments;
- activity logs, security logs, access timestamps.
We process, on behalf of the Customer:
- AI agent inputs (prompts, questions, uploaded documents, context);
- AI-generated outputs (responses, summaries, classifications);
- conversation transcripts, message contents, files, images;
- context variables and workflow logic;
- Customer-configured business rules and routing instructions.
Depending on the channels Customers enable:
Chat
- Chat messages, attachments, timestamps, session identifiers.
- platform user IDs, display names (if provided), message content, attachments.
- email content, metadata, headers, attachments, automatically generated replies.
- phone numbers, call metadata and optional call recordings or transcriptions when the Customer explicitly enables recording features.
- message bodies, phone numbers, delivery receipts.
We may process data Customers choose to import or connect, including:
- CRM data from platforms like HubSpot, Salesforce, Intercom;
- contact lists, segmentation groups;
- uploaded files, documents or knowledge base content used to power AI Agents;
- data passed via APIs or integrations.
- authentication logs, access logs;
- device metadata, IP address, browser characteristics;
- performance metrics, latency, throughput;
- crash logs, diagnostic traces;
- session identifiers and device fingerprints.
We also collect Usage Data relating to how the Services are accessed and used, including:
- feature usage metrics;
- performance events;
- workflow execution counts;
- API usage;
- latency & reliability metrics;
- configuration choices and interaction patterns within the dashboard.
Where Customers enable performance analytics, Molin AI may process metadata such as response times, interaction statistics, sentiment indicators, and conversation quality metrics. Customers are responsible for ensuring compliance with employment and monitoring laws regarding their personnel. Where performance indicators or interaction metadata relate to specific Customer conversations, Molin AI processes such metadata as Customer Personal Data under the DPA. 3.8 End-User Molin Account Data (Controller)
If End Users choose to create a Molin Account, we process:
- name, email address, phone number;
- authentication credentials (hashed);
- account preferences and communication settings;
- saved interaction history, previous AI Agent conversations, or user-defined preferences;
- identifiers linking the End User to multiple Customer websites or applications where Molin is enabled (subject to user consent).
Molin AI does not intentionally collect or process special categories of personal data (e.g., health, biometric, genetic, racial or ethnic origin, political opinions, religious beliefs, sexual orientation) or other sensitive personal information. Customers must not submit such data unless expressly permitted in writing under the DPA. 4. How We Use Personal Data
Molin AI uses personal data for the following purposes and legal bases: 4.1 When We Act as Controller
4.1.1 Providing and Operating the Services
We use personal data to:
- create and manage Customer accounts and workspaces;
- authenticate users and maintain secure login sessions;
- provide access to the Molin AI platform, AI Agents, workflows, and integrations;
- enable communication features (such as dashboards, analytics, and workspace settings).
We process personal data to:
- detect and prevent fraud, spam, abuse, or security threats;
- enforce access controls and verify credentials;
- maintain platform reliability and service integrity;
- audit system activity and maintain compliance records.
We analyze product usage and performance data to:
- improve existing features;
- troubleshoot and resolve bugs;
- optimize routing, latency, uptime, and resource usage;
- understand product engagement patterns;
- train internal systems using anonymized or aggregated datasets.
Legal basis: Legitimate interests.
Customers may review conversation histories for quality assurance and service improvement. Molin AI may provide aggregated insights, topic summaries, or trend analytics to support such evaluations. 4.1.4 Marketing & Communications
We use personal data to:
- send product updates and service notifications;
- communicate with Customers regarding improvements or new features;
- send marketing communications where legally permitted.
Where individuals subscribe to newsletters or marketing updates, Molin AI may contact them with product news, offers, and promotional communications, in accordance with applicable laws. Marketing communications are sent based on consent or, where permitted, legitimate interest (e.g., existing customer soft opt-in). Subscribers may withdraw consent at any time. 4.1.5 Compliance With Legal Obligations
We process certain data to:
- comply with tax, accounting and regulatory requirements;
- respond to lawful requests from public authorities;
- enforce our Terms and investigate potential violations.
Where End Users choose to create a Molin Account, we process personal data to:
- create and maintain the End User’s Molin profile;
- enable recognition of the user across Customer websites or applications as part of the Molin Account functionality;
- provide personalized or persistent conversation context to AI Agents;
- store user preferences, history, or interaction settings;
- allow the user to access, view, manage, or delete their profile and associated data.
When Customers configure AI Agents or communicate via supported channels, Molin AI processes Customer Personal Data strictly in accordance with:
- Customer instructions, and
- the Molin AI Data Processing Addendum (“DPA”).
- generating AI responses;
- routing messages through chat/social/email/phone/SMS;
- performing context lookups and maintaining conversation state;
- executing Customer-defined workflows and automations;
- enabling Customer dashboards, reporting, auditing, and analytics;
- managing retention and deletion as configured by the Customer.
Molin AI may process certain technical signals, usage patterns, metadata, or system-generated indicators to detect spam, abuse, fraud, harmful content, or violations of our security requirements.
Such processing is carried out either as a Controller for security and integrity purposes or as a Processor when it forms part of Customer-defined instructions. 4.4 AI-Specific Uses
Molin AI uses data processed through the AI Agent features to:
- generate responses, summaries, classifications, suggestions, and actions;
- maintain context across multi-step conversations;
- enable workflow logic such as lead capture, bookings, routing or verification;
- prevent harmful, abusive, or policy-violating content;
- ensure safety, stability, fairness, and correct functioning of the AI.
The Services are not intended for high-risk or regulated uses such as medical diagnosis, clinical decision-making, or processing subject to health-specific regulations, unless expressly agreed in writing with Molin AI.
Model Training
Unless explicitly stated otherwise and enabled by the Customer:
- Molin AI does not use identifiable Customer Personal Data to train general-purpose machine learning models.
- We may use anonymized or aggregated usage data to improve model performance in a manner that does not identify any individual.
The Services allow Customers to perform manual review of data (such as reviewing AI-generated email drafts or taking over live chats). These actions are performed solely by the Customer or its authorized users, not by Molin AI.
Molin AI may permit limited human access to Customer Personal Data solely where necessary to: (i) provide support requested by Customer, (ii) maintain, secure, or improve the Services, (iii) detect or address service errors, incidents, misuse, or abuse, or (iv) comply with legal obligations. All such access is restricted to authorized personnel, logged, and subject to confidentiality and security controls.
Molin AI does not conduct human review of messages, conversations, or emails on behalf of Customers, except where a Customer explicitly instructs Molin to assist with support or troubleshooting. 4.6 Automated Decision-Making
Molin AI does not engage in solely automated decision-making that produces legal or similarly significant effects on individuals.
If Customers configure workflows that may have such effects (e.g. automated eligibility outcomes), they are responsible for:
- ensuring transparency to data subjects;
- providing a lawful basis;
- complying with Article 22 UK/EU GDPR where applicable;
- building appropriate human review into their processes.
Molin AI shares personal data only as necessary to offer the Services, or when legally required. 5.1 Sub-Processors (Processor Role)
We use carefully selected sub-processors to support infrastructure and operations, including:
- cloud hosting providers,
- email delivery and routing tools,
- SMS and telecom carriers,
- analytics and logging services,
- content moderation services (if configured).
https://docs.molin.ai/legal/subprocessors
All sub-processors are bound by:
- confidentiality obligations,
- technical and organizational measures,
- data processing agreements,
- and international data transfer safeguards.
When Customers connect communication channels, we share data with:
- WhatsApp / Meta Platforms,
- Facebook Messenger,
- Instagram Messaging,
- email providers,
- telephony/SMS carriers.
- phone numbers,
- message content,
- attachments,
- message metadata.
When Customers enable AI features, Molin AI may transmit inputs, prompts, and contextual data to trusted large language model (LLM) providers acting as Sub-processors.
These providers process such data solely for the purpose of generating outputs requested by the Customer and are contractually prohibited from:
- using Customer Personal Data for training large language models;
- using Customer Personal Data for their own purposes;
- retaining Customer Personal Data beyond the processing window necessary to generate the output.
As a Controller, we share limited data with providers who help us:
- send emails and notifications,
- host our websites and apps,
- analyze website and product performance,
- manage billing and payments,
- provide security monitoring.
If an End User creates a Molin Account and chooses to enable cross-site recognition, we may share limited identifiers (such as a hashed user token or preferences) with Customer websites or applications that have integrated Molin, solely to recognise the user and to provide the Molin Account features the user has opted into. If an End User subscribes to optional features such as price alerts or product interest notifications, Molin AI may share limited preference data with participating Customers to provide the requested service. Such sharing occurs only with End User’s explicit opt-in.
We do not share conversation histories between Customers.
End Users can disable cross-site recognition or delete their Molin Account at any time. 5.6 Legal Requests and Compliance
We may disclose personal data where required to:
- comply with laws and regulations;
- respond to valid legal requests;
- prevent harm or criminal activity;
- protect our rights or those of users or the public.
Molin AI does not engage in cross-context behavioral advertising.
Molin AI does not sell personal data, and does not share personal data for cross-context behavioral advertising or similar purposes as defined under applicable privacy laws. 6. Cookies and Tracking Technologies
We use cookies and similar technologies to:
- enable website functionality;
- maintain session authentication;
- remember preferences;
- measure website performance;
- analyze engagement and traffic patterns;
- debug and secure the platform.
Where required by applicable law (e.g., EEA, UK), we use analytics and marketing cookies only with your prior consent.
You may change or withdraw your cookie preferences at any time through our cookie banner or settings link available on our website.
For more information, see our Cookie Policy. Categories of Cookies We Use
- Strictly necessary cookies
- Performance and analytics cookies
- Functional cookies
- Marketing cookies (where permitted)
Molin AI is based in the United Kingdom, and some of our service providers and sub-processors may be located in other countries.
We take steps to ensure that any international transfers comply with applicable data protection laws. 7.1 Data Transfers Outside the United Kingdom
When data is transferred to a country without a UK adequacy regulation, we rely on appropriate safeguards, including:
- the UK International Data Transfer Addendum to the EU Standard Contractual Clauses;
- the EU Standard Contractual Clauses (2021) as recognized by UK law;
- or another mechanism permitted under the UK GDPR.
If personal data originating from the EEA is transferred to a non-EEA country, we rely on:
- the 2021 EU Standard Contractual Clauses (“SCCs”);
- European Commission adequacy decisions;
- appropriate technical and organizational measures.
For personal data subject to the Swiss Federal Act on Data Protection (FADP):
- we use the EU SCCs with Swiss-specific modifications (e.g., references to Swiss authority, Swiss law).
Some of our sub-processors and service providers may be located in the United States.
Where applicable, we rely on:
- the provider’s certification under the EU–U.S. Data Privacy Framework (“DPF”), the UK Extension to the DPF, or the Swiss–U.S. DPF; or
- Standard Contractual Clauses together with the UK Addendum.
For Customer Personal Data, the DPA contains the binding transfer mechanisms, including:
- SCCs
- UK Addendum
- Swiss modifications
- safeguards and supplementary measures
We retain personal data only for as long as necessary to fulfil the purposes described in this Policy or as required by law. 8.1 Retention of Data Where We Act as Controller
We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, including:
Account & Billing Data
Kept until your account is closed, and thereafter for a period required to comply with legal and tax obligations, typically not exceeding 6 years unless a longer period is required by law.
Website & Analytics Data
Retained for a limited period based on our analytics systems and operational needs.
Security Logs
Typically retained 90–365 days, depending on log purpose and threat monitoring requirements.
Marketing Data
Kept until you unsubscribe or request deletion, or until we determine that the data is no longer needed.
We maintain suppression lists to record opt-outs.
Molin Account Data — retained until the End User deletes their Molin Account or requests deletion, after which data is deleted without undue delay. 8.2 Retention of Customer Personal Data (Processor Role)
Retention of Customer Personal Data is determined by Customer configuration and the DPA:
- Customers decide how long conversation history, channel logs, AI Agent data, and workflow data are retained (where configurable).
- Molin AI retains Customer Personal Data only for the duration of the Customer’s subscription and as permitted by the DPA.
- Where the Customer requests deletion, Molin AI deletes Customer Personal Data without undue delay and within 60 days.
- Upon account termination, if no instruction is received, Customer Personal Data is automatically deleted from active systems within 90 days of account termination.
- Copies in backup systems are overwritten in the ordinary course of backup rotation and deleted within 30–45 days thereafter (and in any case no later than 90 days).
Molin AI implements appropriate technical and organizational measures to protect personal data against loss, misuse, unauthorized access, disclosure, alteration, or destruction.
These measures include, but are not limited to:
Technical Measures
- encryption in transit and at rest,
- secure TLS communication channels,
- role-based access control,
- multi-factor authentication for internal systems,
- network segmentation and firewalls,
- secure credential hashing and password storage,
- automated monitoring for abuse and anomalies.
- employee confidentiality obligations,
- role-based access permissions,
- background checks where legally permitted,
- mandatory privacy and security training.
- audit logging,
- vulnerability scanning and patch management,
- incident detection and response procedures,
- disaster recovery and business continuity plans.
Individuals have the following rights regarding their personal data, subject to applicable law: 10.1 Rights Under UK/EU GDPR
- Right of access – to request copies of your personal data.
- Right to rectification – to correct inaccurate or incomplete data.
- Right to erasure – to request deletion in certain circumstances.
- Right to restriction – to limit processing where legally allowed.
- Right to data portability – to receive certain data in machine-readable form.
- Right to object – to object to processing based on legitimate interests or for direct marketing.
- Right not to be subject to certain automated decisions – to require human review for decisions that have significant effects.
- Right to withdraw consent — where you have enabled cross-site recognition for your Molin Account, you may withdraw consent at any time through your account settings.
We may need to verify your identity before responding. 10.2 Additional Rights for U.S. Residents (U.S. State Laws)
Residents of certain U.S. states (including California, Colorado, Virginia, Connecticut, Utah, and others) may have additional rights under applicable privacy laws, such as:
- right to access and delete personal information;
- right to correct inaccuracies;
- right to opt out of the sale or sharing of personal information;
- right to opt out of targeted advertising;
- right to limit the use of sensitive personal information.
These rights apply only to residents of applicable U.S. states and do not apply to Customer Personal Data handled under the DPA. 10.3 Rights Concerning Customer Personal Data (Processor Role)
If you interact with a Customer’s AI Agent or channels:
- Molin AI processes your data on behalf of the Customer;
- Molin AI cannot directly modify or delete this data without the Customer’s instruction;
- We will forward your request to the applicable Customer whenever possible.
You may lodge a complaint with:
United Kingdom
Information Commissioner’s Office (ICO) – https://ico.org.uk
European Union
List of supervisory authorities – https://edpb.europa.eu/about-edpb/board/members_en
If you have concerns, we encourage you to contact us first so we can address them. 11. Children’s Data
Molin AI’s Services are designed for business and professional use and are not intended for children or individuals under the age of digital consent as defined by applicable law (typically 13–16 years old).
- We do not knowingly collect or process children’s personal data.
- If we learn that we have inadvertently collected personal data of a child, we will take reasonable steps to delete it as soon as possible.
- Customers are responsible for ensuring that their own use of the Services, including AI Agent interactions and omnichannel communications, does not target children unless they comply with all applicable laws governing the processing of children’s data.
We may update this Privacy Policy from time to time to reflect changes to our Services, technologies, legal requirements, or privacy practices. 12.1 How We Notify You
If we make material updates, we will provide notice through one or more of the following:
- post the updated version on our website;
- through the Service;
- notify Customer administrators by email or through in-Service notifications (where appropriate);
- or by other appropriate means;
Unless a different date is stated in the notice, updates to this Privacy Policy become effective when the updated version is posted.
Your continued use of the Services after the effective date constitutes acceptance of the updated Policy.
Where applicable law requires consent for specific changes, we will seek that consent separately. 13. Contact Us
If you have questions or concerns regarding this Privacy Policy or our privacy practices, you may contact us at:
Molin AI Ltd
Email: [email protected]
Address: 124 City Road, London, EC1V 2NX, England
Website: https://molin.ai
If you are an end-user interacting with a Customer’s AI Agent or communication channel, please direct any rights requests or privacy questions to the Customer, as they are the Controller of that data. We will assist the Customer where required by law or the DPA. Appendix A — Glossary
This Glossary supplements the Policy by clarifying key terms.
Where a term is defined in the Molin AI Data Processing Addendum (“DPA”), the definition in the DPA prevails.
“Account Data”
Information associated with Customer accounts and administrator users, including email addresses, authentication credentials (hashed), role assignments, workspace configuration, and billing contacts.
“AI Agent Data”
Prompts, user messages, AI-generated responses, conversation context, uploaded documents, and workflow-related information processed by Molin AI on behalf of a Customer.
“Controller”
The entity that determines the purposes and means of processing personal data. Molin AI acts as a Controller only for specific categories of data (e.g., website, account, analytics, security).
“Customer”
An organization that subscribes to or uses Molin AI Services and controls how Customer Personal Data is processed.
“Customer Personal Data”
Personal data processed by Molin AI as a Processor on behalf of the Customer through chat, social messaging, email, phone, SMS, or AI Agent interactions.
“End User”
An individual who interacts with a Customer’s AI Agent or communication channel.
“Personal Data”
Information relating to an identified or identifiable individual, as defined under applicable data protection laws.
“Processing”
Any operation performed on personal data, including collection, storage, structuring, transmission, retention, deletion, disclosure, or analysis.
“Services”
The Molin AI platform and related features, including AI Agents, workflows, dashboards, analytics, and all supported communication channels (chat, social messaging, email, phone, SMS).