Privacy Policy
Last updated July 13, 2026
Overview
Malv provides an assistant service at https://malv.ai. This Privacy Policy explains what information Malv collects, how we use it, and the choices available to you when you use the service.
Information we collect
We collect information you provide directly, including messages, workspace files, configuration, capability settings, support requests, and other content you choose to submit to Malv.
When you sign in with Google or GitHub, we receive basic account information from that provider so we can create and secure your Malv account. For Google sign-in, Malv requests the openid email profile scopes. Your browser receives a Malv-owned session cookie instead of provider access tokens.
We also collect limited technical information needed to operate and protect the service, such as session state, authentication events, device and browser information, IP address, request metadata, diagnostics, and service logs.
For paid workspace subscriptions, we collect and retain billing identifiers and status needed to operate the subscription, such as the workspace, selected tier, Stripe Customer and Subscription identifiers, payment or subscription status, billing period dates, pending plan changes, and webhook processing records. Malv does not receive or store full payment card numbers.
Malv also keeps workspace credit records, including the tier and weekly allowance snapshot, period dates, reservations, committed amounts, capability and consumption-type labels, the initiating account, source (Agent, Page, API, or system), adjustments, and billing-event deduplication receipts. We do not put prompts, provider payloads, payment details, or capability transport URLs in the usage feed.
Connected services and OAuth permissions
Malv may let you connect third-party services or capability workers. Those connections are optional and may request additional permissions when you choose to enable them.
Identity sign-in is separate from capability permissions. For example, Google sign-in is used to verify your identity, while Google Workspace permissions are requested separately only when a connected capability needs them. Capability tokens and refresh tokens, when authorized, are stored service-side and scoped to the relevant Malv account and connected capability.
You can revoke provider access through the relevant provider account settings, such as your Google Account or GitHub account settings.
How we use information
We use information to provide, maintain, secure, and improve Malv. This includes authenticating users, keeping sessions active, routing requests to the correct account, storing chats and workspace data, operating connected capabilities, preventing abuse, debugging issues, and responding to support or legal requests.
We do not sell personal information.
Sharing information
We share information only as needed to operate Malv, comply with law, protect rights and safety, or support services you choose to connect. This may include infrastructure providers, authentication providers, connected third-party services, and professional advisers.
When you connect a third-party service, information may be sent to that service as needed to complete the action you requested. Third-party services process information under their own policies.
Stripe processes payments, tax and subscription administration for Malv. When you start Checkout or use the Customer Portal, Stripe may collect contact, billing, tax, device, fraud-prevention, payment-method, transaction, and subscription information. Stripe may act as a processor and/or independent controller depending on the activity. See Stripe’s Privacy Policy and Privacy Center.
Retention
We keep detailed credit usage for 24 months and ordinary authentication and operational logs for 90 days. Billing identifiers, invoice references, entitlement receipts, and webhook-processing records may be retained for 7 years where needed for accounting, tax, audit, dispute, and legal obligations. Raw Stripe webhook bodies are not retained by Malv’s billing ledger. Other personal information is kept only as long as needed to provide and secure Malv, resolve disputes, enforce agreements, and meet legal obligations. Stripe may retain transaction information under its own legal and regulatory obligations. You can request deletion of account-related information by contacting us, subject to legal and operational retention requirements.
Security
We use reasonable technical and organizational safeguards to protect personal information. No online service can guarantee absolute security, so you should use strong account security practices and promptly report suspected unauthorized access.
Your choices
You may stop using Malv at any time. You may also revoke OAuth access through your provider account settings, clear browser cookies, or contact us to request access, correction, export, or deletion of personal information.
Children
Malv is not intended for children under 13. If you believe a child has provided personal information to Malv, contact us so we can take appropriate action.
Changes
We may update this Privacy Policy from time to time. When we make material changes, we will update the date above and provide additional notice when appropriate.
Contact
For privacy questions or requests, contact us at [email protected].