Legal
Privacy Policy
Last updated: June 1, 2026
1. Who we are
Mila ("Mila", "we", "us") provides an AI companion designed to support people building a life in a new country. This Privacy Policy explains what personal data we collect when you use Mila, why we collect it, how long we keep it, and the rights you have under the privacy laws that apply to you — including the EU/UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), Singapore's Personal Data Protection Act (PDPA), Brazil's LGPD, and similar laws in other jurisdictions.
2. Data we collect
- Account data: email address, authentication identifiers, and (if you use social sign-in) the basic profile your provider returns.
- Onboarding answers: first name, home country, current country, arrival year, primary language, career field, goals, and challenges you choose to share.
- Conversations: messages you send to Mila, Mila's responses, and the long-term memories the assistant saves about you to provide continuity.
- Usage data: device type, language, locale, approximate region, and basic diagnostic information.
- Billing data: if you subscribe, our payment processor (Stripe) handles your card details. We only receive subscription status, plan, and the last four digits of the card.
3. How we use your data
- To run the service, personalise Mila's responses, and remember context across sessions.
- To authenticate you and keep your account secure.
- To process payments and manage subscriptions.
- To improve the product, debug issues, and prevent abuse.
- To comply with legal obligations.
We do not sell your personal data, and we do not use your conversations to train third-party foundation models.
4. Legal bases (GDPR / UK GDPR)
If you are in the EU, UK, EEA, or Switzerland, we rely on the following bases:
- Contract — to provide the service you signed up for.
- Consent — for optional features such as personalised memory, marketing emails, and analytics. You can withdraw consent at any time.
- Legitimate interests — to secure the service and improve it.
- Legal obligation — to meet tax, accounting, and law-enforcement requirements.
5. International transfers
Mila is operated globally. Your data may be processed in the United States, the European Union, and other regions where our infrastructure and sub-processors operate. Where we transfer personal data out of the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses and additional safeguards. For users in Singapore, transfers comply with PDPA's "comparable protection" requirement.
6. Region-specific rights
European Union, UK, EEA, Switzerland (GDPR)
You have the right to access, rectify, erase, restrict, or object to processing, request data portability, and lodge a complaint with your local supervisory authority.
California (CCPA / CPRA)
You have the right to know what we collect, to delete it, to correct it, to opt out of "sale" or "sharing" (we do neither), and to limit the use of sensitive personal information. We will not discriminate against you for exercising these rights.
Singapore (PDPA)
You have the right to withdraw consent, request access to and correction of your personal data, and ask about the ways we have used or disclosed it in the past year.
Brazil (LGPD), Canada (PIPEDA), Australia (Privacy Act), and others
Equivalent rights apply. To exercise any of these rights, email hello@themila.ai or use the in-app data controls in Settings → Privacy.
7. Data retention and deletion
- Account & profile: kept while your account is active.
- Conversations & memories: kept while your account is active. You can delete individual messages, individual memories, or wipe all conversation history from Settings → Privacy.
- Onboarding answers: kept until you delete your account.
- Billing records: kept for up to 7 years to meet tax and accounting obligations.
- Diagnostic logs: kept for up to 30 days.
- Account deletion: when you delete your account, we erase your profile, conversations, memories, and onboarding answers within 30 days, except where law requires longer retention. Backups are purged on a rolling 90-day cycle.
8. Sub-processors
We use a small set of vetted sub-processors for hosting, authentication, AI inference, email, and payments. A current list is available on request at hello@themila.ai.
9. Children
Mila is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
10. Security
We use industry-standard safeguards including encryption in transit (TLS), encryption at rest, row-level access controls, and least-privilege keys. No online service is perfectly secure, but we work hard to protect your data.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced in-app or by email at least 14 days before they take effect.
12. Contact
Email hello@themila.ai for any privacy question or to exercise your rights.
See also our Terms of Service.