Privacy Policy · Mairit

1. Overview

This Privacy Policy explains how Humai FZCO ("Mairit", "we", "us") collects, uses, shares, and safeguards personal data when you use the Mairit service, visit mairit.ai, or otherwise interact with us. Mairit routes AI-generated work to qualified human reviewers inside your AI agent via the Model Context Protocol (MCP).

2. What we collect

Information you provide

Account data — name, work email, company, role, password hash, authentication tokens.
Pilot request data — information submitted via the "Request a pilot" form, including company size and review domain interest.
Review content — AI-generated work submitted for review, reviewer notes, rubric responses, and resulting attested output.
Payment data — processed by Stripe; we do not store full card numbers.

Information collected automatically

Service telemetry — request metadata (timestamps, IP, user agent) for reliability and abuse prevention.
Audit log entries — every material action in the service generates a tamper-evident audit record, which customers can export.
Cookies — essential session cookies only on mairit.ai. No advertising cookies.

3. How we use your data

To provide and operate the service — routing reviews, matching reviewers, generating attestations.
To authenticate users and enforce access controls.
To process payments and reviewer payouts.
To respond to support requests and communicate service changes.
To produce audit records for your compliance and internal governance.
To detect abuse, debug issues, and improve reliability.

We never use customer data to train models. Review content, reviewer notes, and AI-generated artifacts submitted through Mairit are never included in any model training pipeline — ours or a third party's. This is a product commitment, not a setting you can accidentally disable.

4. Legal bases (GDPR)

Where the EU General Data Protection Regulation applies, we rely on the following legal bases:

Contract — processing necessary to provide the service under our agreement with your employer.
Legitimate interests — service reliability, security, abuse prevention, product improvement.
Consent — for optional marketing communications, which you can withdraw at any time.
Legal obligation — to comply with applicable law.

5. Sharing

We share personal data only with:

Your reviewers — internal reviewers you authorize, and external specialists you route reviews to. External reviewers see only the specific review assigned to them and cannot see broader customer context.
Sub-processors — hosting (Supabase), payments (Stripe), identity (WorkOS), and email providers. A full list is available on request.
Legal — where required by law, regulation, or valid legal process.
Corporate events — in connection with a merger, acquisition, or asset sale, subject to this Policy continuing to apply.

We do not sell personal data. We do not share personal data with advertisers.

6. International transfers

Mairit is operated by Humai FZCO in DMCC, Dubai. Data may be processed in the United States, the European Union, and other jurisdictions where our sub-processors operate. Where EU or UK data is transferred, we rely on Standard Contractual Clauses or equivalent mechanisms.

7. Retention

Review content and attestations — retained for the life of the customer relationship and then for the retention period required by applicable law or specified in the customer agreement (typically 7 years for audit purposes).
Audit logs — retained per customer agreement; never edited in place, never batch-deleted.
Pilot request data — retained for up to 24 months from submission.
Account data — retained for the duration of the account, then deleted within 90 days of closure.

8. Your rights

Depending on your jurisdiction, you may have the right to access, correct, delete, port, or restrict processing of your personal data, and to object to certain processing. To exercise these rights, email privacy@mairit.ai. We will respond within 30 days.

If you are using Mairit through your employer, some requests may need to be directed to your employer as the data controller.

9. Security

We encrypt data in transit (TLS 1.3) and at rest (AES-256). We scope reviewer access to the specific review assigned. We maintain an internal audit log of material actions. We are pursuing SOC 2 Type I certification, with Type II targeted for year two. For more detail see our Security Policy.

10. Children

Mairit is a B2B service not directed to children under 16. We do not knowingly collect personal data from children.

11. Changes

We may update this Policy from time to time. Material changes will be communicated by email to account administrators at least 30 days before taking effect.

12. Contact

Humai FZCO
DMCC, Dubai, United Arab Emirates
Email: privacy@mairit.ai