Privacy Policy

This Privacy Policy describes how Mumara collects, uses, shares, retains, and protects personal information in connection with our websites (including www.mumara.com, school.mumara.com, support.mumara.com, and any other site we operate that links to this Policy), our cloud and self-hosted products (collectively, the "Services"), and our marketing, sales, and support activities. Mumara has been operating since 2012 and serves more than 21,000 businesses worldwide; this Policy is written so that any of those customers — and their subscribers — can understand exactly what we do with personal data.

In this Policy, "Mumara", "we", "us", and "our" refer to the Mumara entity that provides the Services to you. "You" and "your" refer to (a) the individual or organization that registers a Mumara account (a "Member"), (b) a person who visits our marketing websites, or (c) an individual whose personal data is uploaded to Mumara by a Member (a "Contact" — for example, a subscriber on a Member's email list or a recipient of a Member's SMS campaign).

Where Mumara processes personal data of Members, our marketing-site visitors, and direct prospects, we act as a data controller. Where Mumara processes personal data that a Member has uploaded into our Services in order to send email or SMS to Contacts, we act as a data processor on the Member's behalf. The Member is the controller of Contact data and is responsible for the lawful basis to process it. This dual role is important and is explained in detail in Section 3.

1. Definitions

For clarity, the following terms have the meanings set out below throughout this Policy:

• Member — a natural person or organization that registers an account to use the Services (whether on a paid plan, free plan, or trial).
• Contact — a natural person whose personal data a Member adds, imports, or otherwise stores in the Services for the purpose of sending email, SMS, or other communications.
• Personal Information (used interchangeably with personal data) — any information relating to an identified or identifiable natural person, as that term is defined under the GDPR, CCPA/CPRA, and similar laws.
• Member Data — Personal Information about Members (account holders), such as name, email, billing details, sign-in credentials, profile data, and account-level usage data.
• Contact Data — Personal Information about Contacts that a Member uploads, imports, or generates while using the Services (subscriber lists, custom fields, engagement events, opt-in proof, suppression lists).
• Service Data — operational data we generate while running the Services (sending logs, bounce records, complaint records, IP and routing metadata, audit logs, product telemetry).
• Bridges — Mumara's term for the SMTP and API endpoints that route a Member's sending traffic through dedicated IP addresses, IP pools, or external sending nodes (such as Amazon SES, SendGrid, or Mailgun) configured by the Member.
• Mumara ONE — our cloud-hosted email service provider product.
• Mumara Campaigns — our self-hosted email platform, including the optional managed-hosting variant we call Mumara Machine.
• Mumara SMS and Mumara SMS+ — our SMS marketing products.
• Mumara AI — the AI-powered features inside our products (AI Email Builder, AI Content Tags, and similar functionality), available across the Mumara AI Fast, Mumara AI, and Mumara AI Advanced tiers.

2. Scope of this Policy

This Policy applies to:

• Personal Information we collect from visitors to our marketing websites and resource sites (mumara.com, school.mumara.com, support.mumara.com, and campaign / landing pages we run).
• Personal Information collected when you create or use a Mumara account (Mumara ONE, Mumara Campaigns, Mumara Machine, Mumara SMS, Mumara SMS+).
• Personal Information we receive from prospects, customers, partners, applicants, vendors, and members of the public who interact with our sales, support, or community channels.
• Personal Information processed on a Member's behalf as part of running the Services (sub-processor activity for that Member's Contacts).

This Policy does not govern:

• A Member's own privacy practices toward their Contacts. Members are responsible for their own privacy notices, consent collection, and data subject responses.
• Third-party websites we link to, or integrations a Member chooses to connect to their account. Each third party operates under its own privacy policy.
• Personal information processed by a Member's self-hosted Mumara Campaigns instance running on infrastructure that the Member controls — Mumara has no operational visibility into those installations unless the Member has subscribed to Mumara Machine or is sharing data with us under a separate arrangement.

3. Our roles: controller and processor

3.1 When Mumara is a controller

Mumara acts as a data controller when we determine the purpose and means of processing Personal Information. This includes:

• Member account data (registration, billing, support).
• Marketing-site visitor data.
• Sales and prospect interactions.
• Personal data of our employees, contractors, and applicants.
• Aggregated and de-identified data we generate to operate and improve the Services.

3.2 When Mumara is a processor

Mumara acts as a data processor for Contact Data — the subscriber lists, contact records, custom fields, and engagement events that a Member uploads or generates in our Services. The Member is the controller of that data; Mumara processes it under the Member's documented instructions to deliver the Services. Our processor obligations are set out in our Data Processing Agreement.

3.3 Why this matters

If you are a subscriber on a Member's list and you want to access, correct, or delete your data, you should normally contact the Member first — they are the controller and they hold the relationship with you. We can pass requests to the Member, but in most jurisdictions a processor cannot fulfil a controller's data subject obligations without instructions.

4. Personal information we collect

4.1 Information you provide directly

Account registration and profile

• Full name and business name.
• Email address (used as your sign-in identifier).
• Password (stored hashed and salted; we never store plaintext passwords).
• Country, timezone, and preferred language.
• Phone number, where you provide it for two-factor authentication or account verification.
• Company size, industry, and intended use, where you supply this in onboarding forms.

Billing and payment

• Billing contact name, billing email, and billing address.
• Tax identifiers (VAT, GST, EIN) where required for invoicing and tax compliance.
• Payment instrument identifier and last-four digits returned by our payment-processing partner. Mumara does not see or store full card numbers, CVVs, or banking credentials — these are tokenized by our PCI-DSS compliant payment-processing partner.
• Invoice history and subscription state.

Sender domains and authentication

• Sending domains, SPF / DKIM / DMARC records, return-path / bounce domain, and DNS state relating to sender authentication.
• Bridge configuration, including credentials for external sending nodes you connect (stored encrypted at rest).
• Sender identity information (postal address, "From" name, reply-to) used to comply with the identification requirements of CAN-SPAM, CASL, and similar laws.

Customer support and communications

• Messages you send via our contact form, email, support portal, or chat.
• Recordings or transcripts of voice/video calls where you have agreed to recording.
• Screenshots, log excerpts, and attachments you share to troubleshoot a case.

Member-uploaded Contact Data

Members upload, import, or sync data about their Contacts in order to use the Services. This Contact Data is controlled by the Member; the categories typically include:

• Email addresses, phone numbers, and other direct identifiers.
• Names, job titles, employer, and similar profile attributes.
• Custom fields the Member chooses to store (e.g. purchase history, lifecycle stage, tags, segments, preference center selections).
• Opt-in proof — date, time, source URL, IP address at sign-up, consent text shown.
• Suppression / unsubscribe records and bounce / complaint state.
• Engagement events generated by the Services (opens, clicks, replies, conversions).

Members must not upload special-category data (health, biometrics, racial or ethnic origin, political opinions, religious beliefs, trade-union membership, sexual orientation, criminal convictions) unless they have a lawful basis and have a written agreement with Mumara that specifically permits it. By default, the Services are not configured for special-category data.

4.2 Information collected automatically

Device and connection data

• IP address, approximate location (country / region) derived from IP, ASN.
• Browser type and version, operating system, device model.
• Pages visited, referring URL, time on page, and clickstream within our marketing site.
• Service usage telemetry (login times, feature interactions, error events).

Email and SMS engagement events

When a Member sends a campaign through the Services, we generate engagement records that may constitute Personal Information of Contacts:

• Open events (via tracking pixel — disclosable and disablable per campaign).
• Click events (via tracked links — disclosable and disablable per campaign).
• Bounce, complaint, and unsubscribe events.
• Delivery and disposition records returned by destination servers and Bridges.
• SMS delivery receipts where supported by the SMS provider.

Cookies and similar technologies

See Section 7 and our dedicated Cookie Policy for the exact list, including the categories that require your consent before they load.

4.3 Information from third parties

• Resellers and partners — when you sign up via a Mumara reseller, partner, or referral, that party may share your name, contact details, and usage information with us so we can provision your account.
• Single sign-on (SSO) and OAuth providers — if you choose to sign in via a third-party identity provider, we receive the profile information you authorize them to share (typically name and email).
• Anti-fraud and security providers — limited risk signals (e.g. IP reputation, device fingerprint hashes) used to detect abuse, fraudulent signups, and account takeover.
• Public sources — we may consult public business directories, our customers' websites, and similar sources to verify information you provide (for example, when you ask us to enable a high-risk industry on your account).
• Recipient feedback loops — we receive complaint and feedback-loop data from mailbox providers (Gmail, Microsoft, Yahoo, etc.) that allows us to identify Contacts who flagged a campaign as spam and protect deliverability.

5. How we use personal information

5.1 To deliver the Services

• Authenticate you, maintain sessions, and authorize actions in your account.
• Send campaigns you create, schedule, or trigger.
• Process Contacts according to your list, segment, and automation logic.
• Show you reports, analytics, and engagement data.
• Operate Bridges, sending IP pools, and IP warming on your behalf.
• Provide AI features when you invoke them (see Section 6).

5.2 To run our business

• Bill you, collect payments, and issue invoices, refunds, and credits.
• Provide customer support and respond to your requests.
• Send service messages — security alerts, billing notices, policy changes, downtime advisories, sub-processor change notifications.
• Detect, investigate, and prevent fraud, abuse, and security incidents.
• Comply with legal, tax, accounting, anti-money-laundering, and audit obligations.
• Enforce our Terms of Service and Acceptable Use Policy.
• Defend ourselves in legal claims and respond to lawful requests.

5.3 To improve and develop the Services

• Measure feature usage, error rates, performance, and reliability.
• Test product changes, run A/B experiments, and roll out new features.
• Build aggregated and de-identified insights (e.g. industry-wide deliverability benchmarks).
• Train internal heuristics for spam detection and abuse prevention.

We do not use Member campaign content or Contact Data to train external, public-facing AI models. See Section 6 for details.

5.4 To market our products

• Send Members and prospects information about new features, plans, events, and webinars where you have opted in or where allowed by applicable law as a soft opt-in.
• Personalize the marketing site and ads where you have given marketing consent.
• Run referral, partner, and reseller programs.

You can opt out of marketing emails at any time using the unsubscribe link in any marketing message or by emailing us via /contact/.

5.5 Lawful bases (for EEA / UK / Switzerland)

Where the GDPR or UK GDPR applies, we rely on the following lawful bases:

• Performance of a contract — to deliver the Services you have subscribed to and respond to your requests.
• Legitimate interests — to operate, secure, and improve the Services; to protect the deliverability of our shared infrastructure; to send limited direct marketing to existing customers; to defend against legal claims. We balance these interests against your rights and freedoms.
• Consent — for non-essential cookies, certain marketing communications, and anywhere else consent is the appropriate basis. You can withdraw consent at any time.
• Legal obligations — to comply with tax, accounting, anti-fraud, court orders, and other legal duties.

6. Mumara AI and personal information

Mumara AI features (AI Email Builder, AI Content Tags, and the wider feature set across the Mumara AI Fast, Mumara AI, and Mumara AI Advanced tiers) generate content from prompts you supply. We treat AI processing with extra care because of the sensitivity of the data flowing through it.

6.1 What gets processed

When you use a Mumara AI feature, the prompt content you generate (including any text you paste or merge tags you apply against a sample Contact) is processed solely for the purpose of generating the requested output. We do not proactively forward your full subscriber lists, behavioural data, or full campaign archives into Mumara AI.

6.2 No model training on your data

Mumara does not use your AI prompts or generated outputs to train any model that is exposed outside your account.

6.3 Output review

AI-generated content can be inaccurate, biased, or out of date. You are responsible for reviewing AI output before sending it to Contacts. Mumara is not responsible for the accuracy of AI-generated content you choose to send, and AI output does not constitute legal, financial, medical, or other professional advice.

6.4 AI credits and metering

AI usage is metered in credits. We retain call-level metadata (timestamp, feature, credit cost, and a request identifier) to bill, prevent abuse, and troubleshoot issues. We do not retain full prompt content beyond the time necessary to generate the output and to investigate any abuse complaint relating to that call.

7. Cookies and similar technologies

Our marketing sites use cookies, local storage, and similar tracking technologies. Cookies are grouped into four categories:

Category	Examples	Default
Necessary	Session, CSRF, language, consent state	Always on (cannot be disabled)
Functional	Live chat session (Gleap)	Off — opt-in
Analytics	Cloudflare Web Analytics (cookieless), Google Analytics 4	Off — opt-in
Marketing	Facebook Pixel	Off — opt-in

For performance and privacy, marketing and analytics scripts are offloaded to a web worker via Partytown so they cannot block page rendering. They only load after you opt into the relevant category. The full breakdown — including specific cookie names, lifetimes, and the third party that sets each one — is in our Cookie Policy.

You can change your choices at any time via the cookie preferences link in the footer.

8. How we share personal information

We share personal information only in the limited circumstances described below.

8.1 With our sub-processors

Mumara operates its own production infrastructure — owned servers and IPs across our own colocation and cloud — so the application that processes your campaigns and Contacts is not hosted on a third-party public cloud. We engage a small set of third-party sub-processors for specific operational functions only — edge security and content delivery for our marketing site, payment processing, customer support tooling, and (where you opt in) marketing-site analytics. The current list, including each one's purpose and region, is at /legal/sub-processors/. Each sub-processor is bound by a written contract that imposes data-protection obligations no less protective than those in this Policy and our DPA.

8.2 With our affiliates

We may share personal information with Mumara group affiliates that operate under common control, where they perform services on our behalf (engineering, support, sales, finance) under obligations consistent with this Policy.

8.3 With your direction

Members may direct Mumara to send Contact Data to integrations they enable — for example, external sending nodes, webhook endpoints, CRM integrations, DNS providers (when using our Auto DNS addon), and SMS gateways. These integrations are not Mumara sub-processors; the Member has a direct relationship with each provider and is responsible for that provider's terms.

8.4 For legal and safety reasons

We may share personal information when we reasonably believe it is necessary to:

• Comply with a law, regulation, court order, subpoena, or other legal process.
• Respond to lawful requests from public authorities (including national security or law-enforcement requirements).
• Enforce our Terms, this Policy, or other agreements.
• Protect the rights, property, or safety of Mumara, our Members, our Members' Contacts, or the public.
• Detect, prevent, or otherwise address fraud, abuse, security, or technical issues.

Where permitted, we will challenge requests we believe to be overbroad and we will notify the affected Member unless we are legally prohibited from doing so.

8.5 In a corporate transaction

If Mumara is involved in a merger, acquisition, financing, reorganization, sale of assets, or insolvency, personal information may be transferred to the successor or acquirer as part of that transaction, subject to standard confidentiality protections. We will notify you of any such change and any choices you may have.

8.6 With your consent

We share personal information for any other purpose only with your consent.

8.7 We do not sell or share for cross-context behavioural advertising

Mumara does not sell personal information for money, and we do not "share" personal information for cross-context behavioural advertising as those terms are defined under the CCPA / CPRA. We do not rent Member or Contact data to third parties.

9. Sub-processors

The current list of authorized sub-processors — including the purpose for which each one is engaged and the region in which it processes data — is maintained at /legal/sub-processors/. We notify Members of material changes (additions, removals, or substantive scope changes) at least 30 days in advance per our DPA. Members who object to a new sub-processor can terminate their subscription per the DPA's objection process.

10. International data transfers

Mumara operates globally. Personal information may be processed in the country where you live and in other countries where Mumara, our affiliates, or our sub-processors operate. We use the following safeguards for international transfers:

• Standard Contractual Clauses (SCCs) — for transfers from the EEA to third countries that have not received an adequacy decision. We incorporate the European Commission's 2021 SCCs into our DPA.
• UK International Data Transfer Addendum — for transfers from the UK, the Information Commissioner's Office IDTA / addendum to the SCCs.
• Swiss-specific provisions — for transfers from Switzerland, references to the Swiss Federal Data Protection Act and the Swiss Federal Data Protection and Information Commissioner.
• Supplementary measures — where required following the Schrems II ruling, including encryption in transit and at rest, access controls, and review of government access requests.

A copy of the SCCs we rely on is available on request via /contact/.

11. Data retention

11.1 Member account data

We retain Member account data for as long as your Mumara account is active. After your account is closed (by you or by us), we retain account data for a reasonable period to satisfy legal, accounting, and tax obligations and to defend against legal claims. Typical retention is up to 7 years for billing, tax, and audit records.

11.2 Contact Data uploaded by Members

Contact Data is retained for as long as the Member's account is active and the Member chooses to keep it. Members can delete Contacts, lists, and segments at any time via the product. On account termination, Member-uploaded Contact Data is deleted within the timeframes set out in our DPA, unless we are legally required to retain it.

11.3 Sending logs and engagement events

Sending logs and engagement events are retained per the log-retention configured on your plan. Aggregated counts (e.g. total opens, total clicks per campaign) may be retained longer for historical reporting; row-level engagement records that include Contact identifiers follow the plan retention.

11.4 Marketing-site visitor data

Cookie-based identifiers expire per the lifetimes documented in the Cookie Policy (typically up to 24 months for analytics, shorter for marketing pixels).

11.5 Support communications

We retain support tickets, chat transcripts, and call recordings for up to 5 years to operate our support knowledge base, train our team, and investigate recurring issues.

11.6 Legal holds

We may retain personal information beyond the periods above where required by law, court order, or to defend or pursue a legal claim.

12. Information security

We use a layered set of technical and organizational measures to protect personal information, including:

• Encryption in transit (TLS 1.2+) for all public-facing endpoints.
• Encryption at rest for production databases, backups, and stored credentials.
• Hashed and salted password storage; we never log plaintext passwords.
• Two-factor authentication available on all accounts.
• Role-based access control with least-privilege defaults across our internal tooling.
• Audit logging of administrative actions and access to sensitive systems.
• Vulnerability management, dependency scanning, and regular security review of code changes.
• Incident response plan covering detection, containment, eradication, recovery, and post-incident review.
• Vendor security review for new sub-processors before they handle Member or Contact data.

No system is perfectly secure. If you believe your account has been compromised, contact us immediately via /contact/ and we will investigate.

13. Your rights and choices

Depending on where you live, you have some or all of the rights below. Some rights only apply to Member Data (where Mumara is the controller). For Contact Data, you should contact the Member that holds the relationship with you; if the Member is unresponsive, we can help relay or escalate.

13.1 Access

You can ask for a copy of the personal information we hold about you and confirmation of how we use it.

13.2 Correction

You can ask us to correct inaccurate or incomplete personal information.

13.3 Deletion / erasure

You can ask us to delete personal information in certain circumstances, including where the data is no longer needed for the purpose collected.

13.4 Restriction

You can ask us to restrict processing of your personal information in certain circumstances (e.g. while we verify accuracy).

13.5 Objection

You can object to processing based on legitimate interests, including direct marketing.

13.6 Portability

You can ask for your personal information in a structured, commonly used, machine-readable format and to have it transmitted to another controller, where technically feasible.

13.7 Withdraw consent

Where we rely on consent, you can withdraw it at any time. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.

13.8 Opt out of marketing

You can unsubscribe from marketing emails at any time using the link in any marketing message, by adjusting your account preferences, or by contacting us.

13.9 Opt out of cookies and similar technologies

You can manage cookies via the cookie preferences link in our footer or via your browser controls.

13.10 Lodge a complaint

You can lodge a complaint with your local supervisory authority (e.g. an EU/UK Data Protection Authority, the California Attorney General, or your state regulator).

13.11 How to exercise these rights

Email /contact/ with the subject line "Privacy request" and indicate which right you want to exercise. We may need to verify your identity before fulfilling a request — for Members we typically verify via the registered email; for Contacts we may ask for additional information sufficient to confirm we hold data about you. We respond within the timeframes required by applicable law (typically within 30 days under the GDPR, with the possibility of a 60-day extension where the request is complex; within 45 days under the CCPA/CPRA, with a possible 45-day extension).

Authorized agents acting on a consumer's behalf must provide written authorization signed by the consumer and proof of registration with the relevant authority where required.

We will not discriminate against you for exercising any of these rights.

14. EEA, UK, and Swiss disclosures (GDPR)

14.1 Controller of record

For Member Data and marketing-site visitor data, Mumara is the controller. For Contact Data that a Member uploads, the Member is the controller and Mumara is the processor.

14.2 Lawful bases

See Section 5.5 for the lawful bases we rely on, by purpose.

14.3 Right to lodge a complaint

You have the right to lodge a complaint with the Data Protection Authority in the EU/EEA Member State where you live, work, or where the alleged infringement occurred. In the UK, contact the Information Commissioner's Office (ICO). In Switzerland, contact the Federal Data Protection and Information Commissioner (FDPIC).

14.4 EU/UK representative

Where required, Mumara maintains representatives under Article 27 GDPR and the UK GDPR. Contact details are available on request via /contact/ with subject line "Article 27 representative".

14.5 Data Protection Officer

Our Data Protection Officer can be reached via /contact/ with the subject line "DPO" or "GDPR".

15. California disclosures (CCPA / CPRA)

This section applies to California residents and supplements the rest of this Policy.

15.1 Categories of personal information collected

Category (CCPA §1798.140)	Examples	Collected?
A. Identifiers	Name, email, IP, account ID	Yes
B. Customer records	Billing address, phone, payment instrument identifier	Yes
C. Protected classification	Age, gender (only if you provide them)	Limited
D. Commercial information	Subscription history, plan	Yes
E. Biometric	—	No
F. Internet / network activity	Pages visited, click events, device data	Yes
G. Geolocation	Approximate location from IP	Yes (coarse)
H. Sensory data	Support call recordings (with notice)	Limited
I. Professional / employment	Job title, company size (if provided)	Yes
J. Education	—	No
K. Inferences	Lifecycle stage, segment	Limited
L. Sensitive personal information	Account credentials	Yes (only as required to operate the Services)

15.2 Purposes

See Section 5. We use these categories for the business and commercial purposes listed there.

15.3 Sources

See Section 4.

15.4 Recipients

See Section 8 and our sub-processors list.

15.5 Sale or sharing

Mumara does not sell personal information for monetary value. Mumara does not "share" personal information for cross-context behavioural advertising. We have not done so in the preceding 12 months.

15.6 Sensitive personal information

We do not use or disclose sensitive personal information for purposes other than those permitted by §1798.121 (i.e. as necessary to provide the Services, prevent fraud, ensure security, etc.). California residents have the right to limit our use of sensitive personal information.

15.7 Your California rights

• Right to know — categories and specific pieces collected, sources, purposes, recipients.
• Right to delete personal information collected from you.
• Right to correct inaccurate personal information.
• Right to opt out of sale or sharing (we do not sell or share, but the right exists).
• Right to limit use of sensitive personal information.
• Right to non-discrimination for exercising any of the above.

To exercise any right, follow the procedure in Section 13.11.

15.8 Authorized agents

California consumers may use an authorized agent. The agent must provide written authorization signed by the consumer and proof of registration. We may contact you to verify the request.

15.9 Shine the Light

California's "Shine the Light" law (Cal. Civ. Code §1798.83) does not apply to Mumara because we do not share personal information with third parties for their direct marketing purposes.

16. Other US state disclosures

Residents of Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Texas, Oregon, Montana, and other US states with comprehensive privacy laws have rights similar to those described in Section 13 and Section 15, including the right to access, correct, delete, opt out of targeted advertising and sale, and appeal a denied request. To exercise these rights, follow the procedure in Section 13.11. If we deny your request, you can appeal by replying to our denial within 60 days; we will respond to the appeal within the timeframes set by your state's law.

17. Brazil disclosures (LGPD)

Brazilian data subjects have rights under the Lei Geral de Proteção de Dados (LGPD), including confirmation of processing, access, correction, anonymization or deletion of unnecessary or excessive data, portability, deletion of data processed on consent, information about sharing, information about consequences of refusing consent, and revocation of consent. Our basis for processing is determined per Article 7 LGPD (consent, legal obligation, contract, legitimate interest, etc.). To exercise these rights, follow the procedure in Section 13.11.

18. Children's privacy

The Services are not directed to children under 16, and we do not knowingly collect personal information from children under 16. If you believe we have collected personal information from a child under 16, contact us via /contact/ and we will delete it. Where a Member operates a service that collects information from minors, the Member is responsible for compliance with COPPA, the GDPR's child-consent rules (Article 8), and other applicable children's privacy laws.

19. Third-party links and services

Our marketing sites may link to third-party sites, blogs, partner pages, or social-media platforms. Our Services may also offer integrations to third-party services that you choose to enable. We do not control these third parties; their privacy practices are governed by their own privacy policies. We encourage you to review them before using a third-party site or integration.

20. Automated decision-making

Mumara uses automated systems for spam-detection, fraud-prevention, abuse scoring, and deliverability protection. These systems may automatically throttle, queue, or pause sending when patterns suggest abuse or compromise. They are designed to protect deliverability for all Members. A human reviewer is involved in any decision that has a significant or legal effect (such as account suspension or termination). You can ask for human review of an automated decision via /contact/.

21. Changes to this Policy

We may update this Policy as our Services evolve and as the law changes. The "Last updated" date at the top of this page reflects the latest revision. For material changes, we will give you reasonable notice — typically by email to the registered Member email and via an in-app notice — before they take effect. Continued use of the Services after the effective date constitutes acceptance of the updated Policy.

22. Contact us

To contact Mumara about this Policy, your privacy, or to exercise your rights:

• Web — /contact/
• Support portal — support.mumara.com
• Postal mail — request our current postal address via the contact form

For DPO and GDPR-specific requests, mark the subject line "DPO" or "GDPR". For California privacy requests, mark "CCPA". For Article 27 representative information (EU/UK), mark "Article 27 representative". We aim to acknowledge privacy emails within 5 business days and fully respond within the timeframes required by applicable law.