Mjolnir Design Studios

Privacy Policy

We take your privacy seriously. This policy explains what personal information we collect, how we use it, who we share it with, your rights, and how to contact us.

Last Updated: May 28, 2026


1. Introduction & Scope

This Privacy Policy describes how Mjolnir Design Studios LLC ("Mjolnir," "we," "us," or "our") collects, uses, discloses, and protects personal information when you visit mjolnirdesignstudios.com, use our SaaS platform, interact with our products (including OdinAI Insight™, AISO™, MjolnirUI Pro, the Mjolnir Forge workshop series, and The Hammer newsletter), or otherwise engage with our services (collectively, the "Services"). Effective date: May 28, 2026.

2. Information We Collect

  • Account information — name and email address obtained through OAuth providers (GitHub, X/Twitter, Google) when you sign in
  • Profile data — full name, business name, role, time zone, and any optional details you add to your dashboard profile
  • Billing information — Stripe customer ID, subscription tier, billing address, last four digits of payment card, and transaction history. We never receive or store full card numbers — Stripe handles all card data under PCI DSS Level 1 compliance.
  • Project intake data — business information, goals, and other content you voluntarily submit through our intake form, Free Assessment, or client onboarding workflow
  • OdinAI Insight™ assessment data — your questionnaire responses and the resulting score and recommendations
  • AISO™ monitoring data — for AISO subscribers, the public URLs, brand terms, and competitor identifiers you provide for our agent to monitor across AI search platforms
  • Workshop & event data — Calendly booking details, dietary preferences (if voluntarily provided), and post-event survey responses
  • Communications — messages you send via our contact form, support email, or chat; HubSpot CRM interaction history
  • Newsletter data — email address and subscription preferences for The Hammer (you can unsubscribe at any time via the link in every email)
  • Bitcoin payment data — for our Bitcoin tier, the BTC address, transaction hash, and confirmation timestamp
  • Usage data — pages visited, features used, session duration, browser type, device type, and approximate location derived from IP address
  • Technical data — IP address, user agent, referrer URL, and log data automatically generated by Vercel and Supabase
  • Cookies & similar technologies — see our Cookie Policy at /legal/cookies

3. How We Use Your Information

  • Provide, operate, and maintain the Services
  • Authenticate your account and secure your session
  • Process payments and manage subscriptions via Stripe
  • Send transactional communications (receipts, booking confirmations, subscription renewals, security alerts) via Resend
  • Personalize your OdinAI Insight™ analysis and dashboard experience
  • Run AISO™ recursive monitoring loops on the public properties you authorize
  • Generate AI-powered outputs (OdinAI chat responses, AISO improvement recommendations, Hammer newsletter drafts) using third-party AI providers we route through the Vercel AI Gateway
  • Respond to support requests and feedback
  • Send marketing emails (only if you opt in — you can unsubscribe at any time)
  • Detect, prevent, and investigate fraud, abuse, security incidents, and policy violations
  • Comply with legal obligations and respond to lawful requests from authorities
  • Improve our Services through aggregated, de-identified analytics

4. Legal Bases for Processing (EEA, UK, Switzerland)

  • Contract — to provide the Services you signed up for and process your transactions
  • Legitimate interests — to secure our platform, prevent fraud, improve our products, and conduct internal analytics, provided these interests do not override your rights
  • Consent — to send marketing emails and use non-essential cookies (you can withdraw consent at any time)
  • Legal obligation — to comply with tax, accounting, and other applicable laws

5. AI & Automated Decision-Making

Several of our products use artificial intelligence to generate outputs based on your inputs. OdinAI™ chat responses, OdinAI Insight™ scores, AISO™ recommendations, and Hammer newsletter drafts are produced by large language models routed through the Vercel AI Gateway (which currently relays to Anthropic Claude, Google Gemini, xAI Grok, OpenAI GPT, and Perplexity APIs depending on the task). These outputs are advisory only. We do not make solely automated decisions that produce legal or similarly significant effects about you without human review. You retain the right to review, correct, and reject any AI-generated content before relying on it. If you are subject to GDPR Article 22, you may request human review of any automated decision by contacting us at the address below.

6. Data Sharing & Third-Party Processors

  • Supabase, Inc. — managed Postgres database, authentication, and storage (US-East region)
  • Stripe, Inc. — payment processing, subscription billing, fraud prevention (PCI DSS Level 1)
  • HubSpot, Inc. — CRM for contact records, deal pipeline, and intake form submissions
  • Resend Inc. — transactional and marketing email delivery
  • Vercel, Inc. — application hosting, edge functions, and Web Analytics
  • Calendly LLC — workshop and consultation booking scheduling
  • Anthropic, PBC — Claude API (routed via Vercel AI Gateway) for OdinAI, AISO recommendations, and Hammer drafting
  • Google LLC — Gemini API for AISO platform monitoring
  • xAI Corp. — Grok API for select AI workloads
  • OpenAI, L.L.C. — GPT API for AISO ChatGPT presence monitoring
  • Perplexity AI, Inc. — Perplexity API for AISO Perplexity presence monitoring
  • FireCrawl, Inc. — public web crawling for AISO monitoring tasks (only on URLs you authorize)
  • Meshy AI Inc. — 3D asset generation (only if you use our 3D generation features)
  • Cloudinary Ltd. — image hosting and transformation (where applicable)
  • Coinbase Commerce / on-chain processors — Bitcoin payment confirmation (Bitcoin tier only)

We do not sell your personal information to third parties for monetary consideration. We do not share your personal information for cross-context behavioral advertising.

7. International Data Transfers

We are based in the United States. When you use our Services from outside the U.S., your personal information will be transferred to and processed in the United States. Our processors may also process data in the European Union, United Kingdom, Australia, and other regions. Where required, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and equivalent UK and Swiss transfer mechanisms to safeguard cross-border transfers.

8. Data Retention

  • Active account data — retained for the duration of your account
  • Closed account data — deleted within 90 days of account closure, except where retention is required by law
  • Payment and tax records — retained for 7 years to comply with U.S. federal and Florida state tax and accounting obligations
  • OdinAI Insight™ and AISO™ historical scoring data — retained while your subscription is active; deleted within 90 days of cancellation unless you request immediate deletion
  • Marketing email lists — retained until you unsubscribe; suppression records retained indefinitely to prevent re-subscription without consent
  • Backups — encrypted backups are retained for up to 30 days for disaster recovery and are then overwritten
  • Aggregated, de-identified data — may be retained indefinitely for analytics and product improvement

9. Your Privacy Rights

  • Access — request a copy of the personal information we hold about you
  • Correction — update inaccurate or incomplete information in your profile or via written request
  • Deletion — request that we delete your account and personal information (subject to legal retention requirements)
  • Portability — receive your data in a structured, commonly used, machine-readable format
  • Restriction — request that we limit how we process your data
  • Objection — object to processing based on legitimate interests, including profiling for marketing
  • Withdraw consent — for processing based on consent, withdraw at any time without affecting prior lawful processing
  • Marketing opt-out — unsubscribe from marketing emails using the link in every email or by emailing us
  • Complaint — lodge a complaint with your local data protection authority

We respond to verifiable rights requests within 30 days (45 days for CCPA, extendable to 90 with notice).

10. California Residents — CCPA / CPRA Disclosures

  • Categories of personal information we collect — identifiers (name, email, IP), customer records, commercial information (purchase history), internet activity (usage data), professional information (business/role), and inferences (e.g., AISO scoring)
  • Categories of sources — directly from you, from your device, from OAuth providers (GitHub, X, Google), from our payment and CRM processors, and from public web sources for AISO monitoring
  • Purposes of collection — service provision, billing, security, customer support, AI-powered insights, marketing (with consent)
  • Categories disclosed to third parties — categories listed in Section 6 above, disclosed to service providers under contract
  • Sale or share of personal information — we do NOT sell personal information for monetary consideration and we do NOT share personal information for cross-context behavioral advertising. We honor Global Privacy Control (GPC) signals as an opt-out under CCPA §1798.135
  • Sensitive personal information — we may collect government-issued identifiers (only if you submit them on a contract) and account log-in credentials (handled by OAuth providers). We do not use sensitive PI to infer characteristics
  • Right to know — request specific pieces and categories of personal information collected
  • Right to delete — request deletion of personal information collected from you
  • Right to correct — request correction of inaccurate personal information
  • Right to opt-out — opt out of sale/sharing (we do not sell or share, but the right exists)
  • Right to limit — limit use of sensitive personal information
  • Right to non-discrimination — we will not discriminate against you for exercising your CCPA rights

To exercise these rights, email contact@mjolnirdesignstudios.com with the subject line "CCPA Rights Request" or use the rights request form in your dashboard. Authorized agents may submit requests with a signed permission letter and proof of identity.

11. European Economic Area, UK & Switzerland — GDPR Disclosures

  • Data controller — Mjolnir Design Studios LLC
  • Data Protection contact — contact@mjolnirdesignstudios.com
  • Legal bases — see Section 4 above
  • Rights — access, rectification, erasure, restriction, portability, objection, withdraw consent, lodge complaint (see Section 9)
  • Automated decision-making — see Section 5; right to human review on request
  • Cross-border transfers — see Section 7
  • Retention — see Section 8
  • Right to lodge a complaint with your supervisory authority — for example, the Information Commissioner's Office (ICO) in the UK, or the lead supervisory authority in your EU member state of residence

12. Children's Privacy

Our Services are not directed to and not intended for use by children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately and we will delete it. If you are between 13 and 18 (or the age of majority in your jurisdiction), you may only use our Services with the consent and supervision of a parent or legal guardian.

13. Security

We implement industry-standard administrative, technical, and physical safeguards to protect your personal information, including TLS 1.2+ encryption in transit, AES-256 encryption at rest (Supabase managed database), row-level security policies on all multi-tenant tables, principle of least privilege for staff access, mandatory two-factor authentication for all administrative accounts (Supabase, Stripe, Vercel, HubSpot), automated dependency vulnerability scanning, and regular security review of our codebase. No system is perfectly secure, but we take reasonable steps to reduce risk.

14. Data Breach Notification

In the unlikely event of a personal data breach that creates a risk to your rights and freedoms, we will notify affected users without undue delay (and, where required, within 72 hours of becoming aware of the breach) by email and through an in-product notice. We will also notify the relevant data protection authorities where required by law (including the Florida Information Protection Act, GDPR Article 33, and applicable state breach notification statutes).

15. Third-Party Links & Embedded Content

Our Services may contain links to third-party websites, services, or content (for example, Calendly booking widgets, embedded YouTube videos, or external articles referenced in The Hammer). We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies before interacting with them.

16. Changes to This Policy

We may update this Privacy Policy from time to time. The 'Last Updated' date at the top of this page indicates when the policy was most recently revised. Material changes will be communicated by email (for registered users) and through an in-product notice at least 30 days before they take effect.

17. Contact Us

Mjolnir Design Studios LLC · 400 South Ashley Drive, Ste 1900, Tampa, FL 33602 · contact@mjolnirdesignstudios.com · Tel 813-955-4724 · We respond to all verified privacy requests within 30 days (45 for CCPA, with possible 45-day extension on notice).