Privacy Policy

Last Updated: April 2026

Quick Summary

• Mio is an AI coworker that lives in your Slack workspace. It reads what you ask it to read, and acts on that knowledge.
• Mio only sees messages and shared files in channels where Mio is invited, and in DMs with the Mio app itself — it cannot read private DMs between users, or any channel Mio hasn’t been invited to.
• Optional integrations — Notion, Linear, HubSpot, Google Workspace (Gmail, Drive, Calendar), Calendly, Asana, GitHub, PostHog, Sentry, and Supabase — only run if you explicitly connect them.
• Your data is processed on Google Cloud Platform infrastructure in Paris, France (region europe-west9) with encryption at rest and in transit.
• Integration credentials are encrypted with per-workspace keys managed by Google Cloud KMS.
• We never use your data to train AI models.
• Mio employees with appropriate access can view your data for operational purposes — debugging, abuse response, and customer support.
• A workspace owner can delete all of their workspace’s data at any time from the Mio dashboard.
• To ask questions or manage your data, contact us at art@mio.xyz.

Privacy Policy

Welcome to Mio (“we”, “us”, or “our”), an AI coworker that lives in your Slack workspace. This Privacy Policy explains how we collect, use, store, and protect your data when you use Mio. We are committed to respecting your privacy and giving you control over your data.

1. What Information We Collect

We collect information from you when you install and use Mio in your Slack workspace. Specifically:

• Slack Workspace Data. With explicit authorisation from a workspace admin via Slack OAuth, we access messages and shared files in channels where Mio is invited, and in DMs between users and the Mio app itself. We do not access private DMs between users, or any channel Mio has not been invited to. We also read the workspace user directory (names, emails, avatars, timezones) and metadata about channels Mio is a member of (names, types, memberships), and we see message reactions and threads Mio participates in.
• Optional Integration Data. When a user connects an optional integration, we access only the resources the granted scopes allow. Integrations currently supported:
  • Productivity & knowledge: Notion, Google Workspace (Gmail, Google Drive, Google Calendar), Calendly, Asana
  • Work & customer tracking: Linear, HubSpot, GitHub
  • Developer & observability tooling: PostHog, Sentry, Supabase
  For each integration, Mio sees only what the user grants during that provider’s OAuth consent — for example, Notion pages the user can read, Drive files shared with the user, Calendar events on the user’s connected calendars, GitHub repos the user has installed the Mio GitHub App on, and so on. Mio does not retrieve data outside the requested scopes, and does not access integrations the user has not connected.
• Account Data. For workspace admins and dashboard users: name, email, Slack team ID, and authentication identifiers.
• Technical Data. We collect limited metadata — browser type, operating system, timestamps of queries, trace IDs, error traces — to improve product performance and reliability.
• No Other Data. We do not collect additional personal information beyond what the integrations you authorise expose, and we do not access data outside the requested scopes.

2. How We Collect Your Information

• Slack OAuth. A workspace admin authorises Mio’s Slack app, granting the scopes listed in our App Directory page. Mio exchanges the OAuth code for bot tokens, which are encrypted with Google Cloud KMS before storage.
• Integration OAuth. Each additional integration runs its own consent flow — you see and approve the exact scopes at each provider’s consent screen before Mio accesses any data. Most integrations use standard OAuth 2.0; the GitHub integration uses a GitHub App scoped to the repositories a user explicitly selects at install time.
• Encrypted Transfer. All data in transit between Slack, integration providers, and Mio is encrypted via TLS 1.2+.

3. How We Use Your Information

We process your Slack and integration data on Google Cloud Platform infrastructure in europe-west9 (Paris, France). Specifically:

• To answer your queries. When you address Mio, we use the data you’ve authorised us to see to produce a helpful response grounded in your workspace’s context.
• To operate the service. We process your data to deliver, maintain, and improve Mio — including reliability, security, performance, and support.
• Tenant and channel boundaries. Your workspace’s data is never shared with another workspace, and Mio never surfaces content from a more restricted context (e.g. a private channel or DM) in a less restricted one (e.g. a public channel).
• Operational access. Mio employees with appropriate credentials can access data for debugging, abuse response, and customer support. Access is logged.

4. No Usage of Data for Training AI/ML Models

• No AI/ML Training. We do not use your Slack data, integration data, or messages to develop or train generalised or non-personalised AI/ML models.
• Third-Party AI Providers. We send user queries and retrieved context to Anthropic (Claude model inference) and OpenAI (embeddings) under each provider’s standard commercial terms. Under those terms, your data is not used to train the providers’ models. Each provider may retain API traffic for a limited period (typically up to 30 days) for abuse monitoring and trust & safety.
• Observability. We use Langfuse to store LLM traces (prompts, completions, and latency metrics) for debugging and quality monitoring. Langfuse does not train on or resell this data.
• Personal Use Only. Data processing happens only to answer your queries and personalise your experience within your workspace.

5. Data Storage and Retention

• Encryption at Rest. We store data in Google Cloud SQL for PostgreSQL (messages, embeddings, metadata) and Google Cloud Storage (files), both encrypted with Google-managed keys.
• Credential Encryption. Integration tokens (Slack bot tokens, Notion tokens, and similar) are additionally encrypted with a Mio-managed key in Google Cloud KMS before they are written to the database.
• Encryption in Transit. TLS 1.2+ for all external traffic.
• Primary Data Location. All primary storage and compute resides in europe-west9 (Paris, France). Sub-processors outside the EU — Anthropic (LLM inference), OpenAI (embeddings), Langfuse (observability) — process data under Standard Contractual Clauses for EU-to-US transfers.
• Backups. Automated encrypted backups are retained for up to 14 days for disaster recovery. Backups are encrypted with Google Cloud KMS.
• Deletion. A workspace owner can delete their workspace and all associated data from the Mio dashboard at any time. Deletion is immediate from our production database and object storage. Encrypted backups may contain data for up to 14 days after deletion, after which they are automatically purged. Uninstalling the Slack app alone does not currently delete your data — please use the dashboard, or email art@mio.xyz, to request deletion.

6. Data Sharing and Disclosure

• Internal Access. Mio employees with appropriate credentials can access your data for operational purposes, debugging, and customer support. Access is logged and limited to authorised personnel.
• Third-Party Services. We use the following providers to process data on our behalf:
  • Google Cloud Platform — hosting, databases, object storage, and key management (EU region)
  • Slack — the primary channel for the product; subject to Slack’s own privacy policy
  • Anthropic — Claude model inference
  • OpenAI — text embeddings
  • Langfuse — LLM observability and tracing
  • PostHog (EU) — product analytics
  • Tavily — web-search grounding (no workspace data is transmitted; queries only)
  • Integration providers — Notion, Linear, HubSpot, Google Workspace (Gmail / Drive / Calendar), Calendly, Asana, GitHub, PostHog, Sentry, Supabase, if connected by a user
• No Marketing or Sales. We do not sell or share your data with third parties for marketing or advertising purposes.
• Legal Requirements. We may disclose your information if required by law, court order, or government request, subject to applicable law.

7. Security Measures

We implement industry-standard security measures to protect your data:

• Encryption at Rest. Google Cloud SQL for PostgreSQL and Google Cloud Storage are encrypted with Google-managed keys. Integration credentials are additionally wrapped with a Mio-managed Cloud KMS key.
• Encryption in Transit. All external traffic uses TLS 1.2+.
• Network Security. Services run inside an isolated GCP VPC in europe-west9. Ingress and egress are limited to known providers and user traffic.
• Access Controls. Slack OAuth with industry-standard token handling. Admin dashboard access uses SSO. Production credentials are stored in Google Cloud Secret Manager.
• Tenant Isolation. Workspace boundary checks and per-channel visibility filters are enforced on every query path and are covered by dedicated test suites.
• Monitoring & Logging. Cloud Audit Logs, VPC Flow Logs, and application logs are retained for security monitoring and incident response.
• Regular Backups. Automated daily encrypted backups with point-in-time recovery.

However, please note that Mio employees with appropriate access can view your decrypted data when performing operational tasks, debugging, or providing customer support.

8. Your Rights and Choices

You have control over your data. Depending on your location, you may have the right to:

• Access. Request a copy of the data we hold about you.
• Correction. Ask us to correct inaccurate or incomplete information.
• Deletion. Request deletion of your personal data.
• Portability. Request your data in a commonly used format (e.g. JSON).
• Withdraw Consent. Uninstall Mio from your Slack workspace at any time via Slack’s App Management page, and delete your workspace’s data from the Mio dashboard. Revoke any optional integration at the provider’s own settings page (Notion, Google, Linear, HubSpot).

To exercise these rights, contact us at art@mio.xyz.

9. Third-Party Services

Mio integrates with third-party services that process data under their own privacy policies. Users who connect these services should review the relevant policies:

• Slack Privacy Policy
• Google Privacy Policy (for Gmail, Drive and Calendar integrations)
• Notion Privacy Policy
• Linear Privacy Policy
• HubSpot Privacy Policy
• Calendly Privacy Policy
• Asana Privacy Policy
• GitHub Privacy Policy
• PostHog Privacy Policy
• Sentry Privacy Policy
• Supabase Privacy Policy
• Anthropic Privacy Policy
• OpenAI Privacy Policy
• Langfuse Privacy Policy

10. Children’s Privacy

Mio is not intended for children under 13 (or 16 in some regions). We do not knowingly collect data from children.

11. Changes to This Privacy Policy

We may update this policy as we introduce new features or integrations. We will notify workspace admins of material changes via email and in-app notification.

12. Contact Us

For privacy questions or to exercise your data rights, email us at art@mio.xyz.