Privacy Policy
Effective: 11 April 2026
This Privacy Policy describes how Ontology Labs (Pty) Ltd ("Ontology Labs", "we", "us") collects, uses, and protects information when you use mxto.ai and the mx2ai tools ("Service").
We are committed to protecting your privacy and complying with applicable data protection legislation, including the Protection of Personal Information Act (POPIA) of South Africa and the General Data Protection Regulation (GDPR) of the European Union.
1. Information We Collect
| Data Type | What We Collect | Purpose |
|---|---|---|
| Contact information | Email address (when you request early access) | Communication about the Service |
| Usage telemetry | Tool invocations, query types, session duration (anonymised) | Service improvement, capacity planning |
| Error diagnostics | Error messages, stack traces (no model data) | Bug fixes, reliability |
2. Information We Do NOT Collect
We do not collect, store, or have access to your Mendix™ credentials, Personal Access Tokens, application models, source code, or business data.
Specifically, mxto.ai does not:
- Store or proxy your Mendix™ Personal Access Token (PAT).
- Retain copies of your Mendix™ application models after your session ends.
- Access the Mendix™ platform using our own credentials on your behalf.
- Transmit your application model data to third parties.
- Use your application data for training AI models.
3. How Application Models Are Processed
When you connect a Mendix™ application to the Service:
- Connection: You authenticate directly with the Mendix™ platform using your own credentials. The Mendix™ Model SDK runs in your local environment.
- Analysis: Application model data is processed in memory on your local machine via MCP tools. Semantic analysis, complexity metrics, and other computations occur locally.
- Ephemeral processing: No application model data is persisted to disk or transmitted to Ontology Labs servers unless you explicitly choose to export analysis results.
- Session end: When your Claude Code session ends, all in-memory application data is discarded.
4. Cookies and Tracking
The mxto.ai website uses:
- No tracking cookies. We do not use Google Analytics, Facebook Pixel, or similar tracking services.
- No third-party advertising. We do not serve ads or share data with advertisers.
- Essential cookies only: If we introduce user accounts in future, we may use session cookies strictly for authentication. We will update this policy before doing so.
5. Data Retention
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Contact information | Until you request removal or 24 months of inactivity | Manual deletion on request |
| Usage telemetry | 12 months (anonymised, aggregated) | Automatic expiry |
| Error diagnostics | 90 days | Automatic expiry |
| Application model data | Session only (ephemeral) | Discarded on session end |
6. Your Rights
Under POPIA (South Africa)
You have the right to:
- Request access to your personal information we hold.
- Request correction or deletion of your personal information.
- Object to the processing of your personal information.
- Lodge a complaint with the Information Regulator.
Under GDPR (European Union)
If you are located in the EU/EEA, you additionally have the right to:
- Data portability — receive your data in a structured, machine-readable format.
- Restriction of processing.
- Withdraw consent at any time (where processing is based on consent).
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, contact us at [email protected].
7. Data Security
We implement appropriate technical and organisational measures to protect the information we process, including:
- Encryption in transit (TLS 1.3) for all web communications.
- No centralised storage of application model data.
- Access controls and audit logging for internal systems.
- Regular review of security practices.
8. International Transfers
The Service is operated from South Africa. If you access the Service from outside South Africa, your contact information may be transferred to and processed in South Africa. We ensure that any such transfers comply with applicable data protection laws.
9. Children
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or through the Service. The "Effective" date at the top of this page indicates when the policy was last revised.
11. Contact
For privacy-related questions or to exercise your data rights:
- Email: [email protected]
- General: [email protected]
- Company: Ontology Labs (Pty) Ltd, South Africa