Privacy Policy for Businesses

At Mimir, we respect your privacy and are committed to protecting your personal data. This policy outlines how we collect, use, and protect your information when you use our services.

Mimir Privacy Policy

Last updated: 26 April 2026

Mimir is an AI-enabled helpdesk system for businesses. Our service allows business customers to connect a support inbox, receive and manage customer inquiries, generate AI-assisted draft replies, and send responses through the connected email account.

This Privacy Policy explains how Mimir handles personal data, including data accessed through Google APIs when a customer connects a Gmail or Google Workspace inbox to Mimir.

1. Who this policy applies to

This policy applies to:

  • Businesses that use Mimir as customers.

  • Authorized users of those businesses, such as support agents and administrators.

  • End customers who contact a business through a support inbox connected to Mimir.

Where Mimir processes personal data on behalf of a business customer, Mimir generally acts as a processor or service provider. The customer remains responsible for its own privacy notices, lawful basis, and instructions to Mimir. Additional terms may be governed by a signed customer agreement, Data Processing Agreement, or other written contract.

2. Data we collect and process

Mimir processes data needed to provide the helpdesk service, including:

  • Business account information, such as company name, user names, email addresses, roles, and settings.

  • Helpdesk content, such as customer inquiries, email messages, replies, internal notes, labels, status, assignments, and conversation history.

  • Connected inbox data from Gmail or Google Workspace when authorized by the customer.

  • Usage and technical data, such as login activity, audit logs, feature usage, device/browser information, error logs, and security events.

  • Billing and contract information, where applicable.

3. Google Gmail data we access

When a customer connects a Gmail or Google Workspace inbox to Mimir, Mimir requests access to the Gmail API scope:

https://www.googleapis.com/auth/gmail.modify

Mimir connects to Gmail and Google Workspace inboxes through Google OAuth. Mimir uses Nylas, an email API provider, exclusively to operate the email connection, synchronize messages, and deliver mailbox event webhooks to Mimir.

Google describes this scope as allowing an application to read, compose, and send email from the connected Gmail account. The scope does not allow immediate, permanent deletion of threads and messages bypassing Trash.

Mimir uses this scope to read support emails, synchronize message and thread state, apply or read labels and read/unread state where needed for the helpdesk workflow, and send replies through the connected Gmail account. Mimir does not create Gmail drafts, archive Gmail messages, move Gmail messages to Trash, or permanently delete Gmail messages. Deleting a conversation in Mimir does not delete the corresponding conversation from Gmail or move it to Trash.

Mimir uses this access only for the connected support inbox chosen by the customer. Mimir does not use Google OAuth to access unrelated personal Gmail accounts unless the account owner or authorized business user connects that mailbox to Mimir.

Mimir requests gmail.modify because narrower Gmail scopes do not support the complete helpdesk workflow:

  • gmail.send would allow Mimir to send replies, but would not allow Mimir to read incoming support emails.

  • gmail.readonly would allow Mimir to read support emails, but would not allow Mimir to send replies or update mailbox state.

  • gmail.compose would not allow Mimir to read full inbound support conversations and keep message or thread state synchronized.

  • gmail.metadata would not provide the message bodies and attachments needed to display support inquiries and generate AI-assisted draft replies.

  • https://mail.google.com/ is broader than Mimir needs because Mimir does not require immediate, permanent deletion of Gmail messages bypassing Trash.

Depending on how the customer uses Mimir, Gmail data accessed by Mimir may include:

  • Email message headers, such as sender, recipient, subject, timestamps, and message IDs.

  • Email message bodies.

  • Email threads and conversation history.

  • Attachments included in support inquiries or replies.

  • Gmail labels, read/unread state, thread state, and similar mailbox metadata.

  • Messages sent through Gmail from Mimir.

  • OAuth tokens needed to maintain the authorized Gmail connection.

4. Why we access Gmail data

Mimir accesses Gmail data only to provide and improve the customer-facing helpdesk features visible in Mimir, including:

  • Importing and displaying support emails inside Mimir.

  • Keeping the connected Gmail inbox and Mimir helpdesk synchronized.

  • Organizing, labeling, assigning, and tracking support conversations.

  • Generating AI-assisted draft replies to customer inquiries.

  • Allowing authorized users to review, edit, approve, and send replies.

  • Sending approved replies through the connected Gmail account.

Mimir does not request Gmail access for advertising, data brokerage, credit scoring, or unrelated analytics.

5. AI use of Gmail data

Mimir may use the contents of support conversations to generate draft replies, summarize inquiries, suggest classifications, or otherwise assist authorized support users.

AI-generated output is provided to the customer as part of the Mimir helpdesk workflow. Customers and their authorized users remain responsible for reviewing AI-generated responses before sending them, unless the customer has explicitly enabled an automation feature under its agreement with Mimir.

Mimir only uses AI providers that are subject to data protection terms intended to support GDPR compliance. These providers are contractually restricted from using customer data submitted through Mimir to train or improve their general-purpose models. Provider-specific details, subprocessors, transfer mechanisms, and other AI data processing terms are documented in the applicable customer agreement and Data Processing Agreement.

Mimir does not transfer, sell, or use Gmail data or other Google Workspace data to create, train, or improve AI or machine learning models beyond the specific customer-facing Mimir feature for the customer using the service. Gmail data is used only to provide or improve Mimir's customer-facing helpdesk features for that customer.

6. Google API Limited Use disclosure

Mimir's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

In particular:

  • Mimir uses Google user data only to provide or improve user-facing helpdesk features that are visible in Mimir.

  • Mimir does not sell Google user data.

  • Mimir does not use Google user data for advertising, retargeting, personalized advertising, or interest-based advertising.

  • Mimir does not use Google user data to determine creditworthiness or for lending purposes.

  • Mimir does not transfer Google user data to data brokers, advertising platforms, or information resellers.

  • Mimir does not transfer, sell, or use Google user data to create, train, or improve AI or machine learning models beyond the specific customer-facing Mimir feature for the customer using the service.

  • Mimir does not allow humans to read Google user data except where Mimir has obtained and documented the customer's explicit consent to read specific data, where access is necessary for security or abuse investigation, where access is necessary to comply with applicable law, or where the data has been aggregated and anonymized for permitted internal operations.

7. When humans may access support inbox data

Mimir personnel do not routinely read customer email content.

Mimir personnel may access specific customer data only where necessary and permitted, such as:

  • Where Mimir has obtained and documented the customer's explicit consent to read specific data for support or troubleshooting.

  • To investigate security incidents, abuse, service errors, or reliability issues.

  • To comply with applicable law or legal process.

  • Where data has been aggregated and anonymized for permitted internal operations.

Access is limited to personnel with a business need and is subject to confidentiality and access controls.

8. How we disclose data

Mimir does not sell personal data or Google user data.

Mimir discloses customer data only as needed to provide, secure, and support the Mimir service, including:

  • The customer and authorized users within the customer's Mimir workspace.

  • Subprocessors and service providers that process data on Mimir's behalf, such as hosting, database, infrastructure, logging, monitoring, security, AI service providers, and Nylas, which Mimir uses exclusively for email connection, synchronization, and mailbox event webhooks.

  • Where required to comply with applicable law, legal process, or enforceable governmental request.

  • Where necessary to investigate, prevent, or respond to security incidents, abuse, or service integrity issues.

Subprocessors are bound by contractual data protection obligations and may process customer data only according to Mimir's instructions and for the purposes of providing services to Mimir. Where applicable, subprocessor details are documented in the applicable customer agreement, Data Processing Agreement, or subprocessor list.

Mimir does not disclose Google user data to advertising platforms, data brokers, information resellers, or other third parties for advertising, retargeting, personalized advertising, interest-based advertising, profiling, creditworthiness, lending, or unrelated commercial purposes.

9. Data retention

Mimir retains customer data for as long as necessary to provide the service, comply with legal obligations, resolve disputes, enforce agreements, and maintain security.

For connected Gmail data, Mimir stores imported support conversations in Mimir's database in the European Union for the duration of the business relationship with the customer. Mimir stores this data so customers can search historical support conversations, preserve helpdesk history, and provide relevant conversation context when handling customer inquiries.

When a customer disconnects a Gmail account, terminates Mimir, or requests deletion, Mimir will delete or return customer data according to the applicable customer agreement, Data Processing Agreement, and deletion procedures.

Unless a different period is agreed in the applicable customer agreement or Data Processing Agreement:

  • Active production data is deleted within 30 days after a verified deletion request, account termination, or Gmail disconnect where the customer requests deletion.

  • OAuth tokens are deleted or invalidated promptly when the Gmail connection is removed, and in any case within 24 hours.

  • Backup copies are deleted through Mimir's normal backup expiry process, typically within 30 to 90 days.

  • Security and audit logs are retained for a limited period appropriate to security, abuse prevention, troubleshooting, and legal compliance. Mimir seeks to avoid storing email message bodies in logs where possible.

Mimir may retain limited data for longer where required by applicable law, legal process, security investigation, dispute resolution, or enforcement of customer agreements.

10. Data deletion and customer controls

Customers can request deletion of their Mimir workspace data by contacting it@trymimir.com.

Customers can disconnect Gmail access from Mimir by:

After access is revoked, Mimir will no longer be able to synchronize, read, modify, or send messages through that Gmail account.

Customers may also delete individual conversations in Mimir. Deleting a conversation in Mimir does not delete the corresponding conversation from the connected Gmail mailbox.

11. Security

Mimir uses technical and organizational safeguards designed to protect customer data, including:

  • Encryption in transit using HTTPS/TLS.

  • Encryption at rest for stored customer data.

  • Encrypted storage of OAuth tokens and credentials.

  • Access controls and least-privilege permissions.

  • Logging and monitoring for security-relevant activity.

  • Separation of customer workspaces.

  • Internal confidentiality obligations for personnel with access to systems.

12. International data transfers

Mimir may process data in countries other than where the customer or end user is located. Where required, international transfers are governed by appropriate contractual and legal safeguards, such as Standard Contractual Clauses or equivalent mechanisms.

13. Children

Mimir is a business helpdesk product and is not directed to children. Customers should not use Mimir to knowingly collect personal data from children unless they have the legal authority and required notices to do so.

14. Changes to this policy

We may update this Privacy Policy from time to time. If we materially change how we access, use, store, or share Google user data, we will update this policy and, where required, notify affected customers or request renewed consent before using Google user data for a new purpose.

15. Contact

For privacy questions, data requests, or security concerns, contact:

CognitionHub AS
Møllergata 6
0179 Oslo
Norway
it@trymimir.com