Evermuse

    Privacy Policy

    Usermuse, Inc., a Delaware public benefit corporation, doing business as Evermuse ("Evermuse," "we," "us," or "our")

    Last updated: January 25th, 2026

    1. Introduction

    This Privacy Policy explains how Evermuse collects, uses, discloses, and protects information when you visit our websites (including evermuse.com and app.evermuse.com), use the Evermuse platform and related services, connect Evermuse to other tools (including through the Evermuse MCP server), or otherwise interact with us (collectively, the "Service").

    This Policy applies to everyone who interacts with Evermuse, including website visitors, prospective customers, account holders, authorized users of a customer's workspace, and people who reach Evermuse through an AI assistant or other connected application.

    This Policy works alongside two related documents:

    • Our Terms of Service, which govern your use of the Service.
    • Our Data Processing Addendum (DPA), which governs our processing of personal data contained in Customer Data on a customer's behalf. Where the DPA applies, it controls over this Policy with respect to that processing.

    2. Our role: when we are a controller and when we are a processor

    Evermuse plays two different roles depending on the data involved.

    We act as a controller for personal data for which we determine the purposes and means of processing — for example, account registration details, billing information, website and product usage data, marketing communications, and support interactions. This Policy describes that processing.

    We act as a processor (a "service provider" under U.S. state laws) for the content that a customer submits to or generates within the Service — including interviews, sales and meeting recordings and transcripts, uploaded documents, notes, feedback, quotes, and similar materials ("Customer Data"). For Customer Data, the customer is the controller and decides how that data is used; we process it only on the customer's documented instructions under our DPA. If you are an individual whose personal data appears in Customer Data (for example, a participant in a recorded call) and you wish to exercise your rights, please contact the relevant customer (the controller); we will assist them as described in the DPA and Section 13 below.

    3. Information we collect

    3.1 Information you provide to us

    • Account and profile information: name, email address, password or single sign-on identifiers, organization/workspace, role, and similar details when you create an account or are invited to one.
    • Billing information: billing contact details and transaction records. Payment card details are handled by our payment processor; we do not store full card numbers.
    • Communications and support: information you provide when you contact us, request a demo, respond to a survey, or submit a support request.
    • Content you submit as a user: information you choose to provide when using the Service outside of Customer Data (for example, configuration, tags, and preferences).

    3.2 Customer Data (processed on a customer's behalf)

    When you or your organization use the Service, the Service ingests, transcribes, stores, and analyzes Customer Data such as call and meeting recordings, transcripts, chat and support messages, documents, audio and voice data, associated metadata (such as timestamps and participant lists), and outputs generated from that data. We process Customer Data as a processor under the DPA. Customers are responsible for the personal data they submit and for providing any notices and obtaining any consents required from the individuals involved (including meeting and call participants).

    3.3 Information we collect automatically

    When you use the Service, we and our analytics providers may collect usage and device information such as IP address, browser and device type, pages and features viewed, actions taken, referring URLs, and timestamps, including through cookies and similar technologies (see Section 7).

    3.4 Information from third parties

    • Authentication and integrations: when you sign in with a third-party identity provider or connect a third-party tool (for example, via OAuth), we receive information needed to establish and maintain that connection.
    • Service providers and partners: we may receive limited business-contact or enrichment information from partners and data providers for sales, marketing, and security purposes.

    4. How we use information

    We use information that we control to:

    • provide, operate, maintain, and secure the Service;
    • create and administer accounts and authenticate users;
    • process payments and manage billing;
    • respond to inquiries and provide customer support;
    • analyze and improve the Service, including evaluating the performance, accuracy, and quality of features;
    • communicate with you about the Service, including service-related and, where permitted, marketing messages;
    • detect, investigate, and prevent fraud, abuse, and security incidents; and
    • comply with legal obligations and enforce our agreements.

    We process Customer Data only to provide and support the Service and as otherwise instructed by the customer under the DPA.

    5. Legal bases for processing (EEA/UK/Switzerland)

    Where data protection law requires a legal basis, we rely on: performance of a contract (to provide the Service and accounts); our legitimate interests (to operate, secure, analyze, and improve the Service and for direct B2B marketing), balanced against your rights; your consent (where required, for example certain cookies and marketing); and compliance with legal obligations. For Customer Data, the customer is responsible for establishing the legal basis for the processing it instructs.

    6. Artificial intelligence and machine learning

    The Service uses AI and large-language-model (LLM) providers as subprocessors to transcribe, analyze, cluster, and generate outputs from Customer Data.

    • We do not train our own models on Customer Personal Data.
    • We maintain contractual agreements with the AI and LLM providers we engage that prohibit them from using Customer Personal Data to train their models and that require that no Customer Personal Data is retained by those providers after the relevant processing is complete.

    Our current AI/LLM subprocessors are listed, and kept up to date, at evermuse.com/data-subprocessors.

    7. Cookies and similar technologies

    We and our providers use cookies and similar technologies to operate the site, remember preferences, measure usage, and improve the Service. You can control cookies through your browser settings and, where offered, our cookie controls. Some cookies are necessary for the Service to function.

    8. How we disclose information

    We disclose information in the following circumstances:

    • Service providers and subprocessors: vendors that provide hosting, infrastructure, analytics, communications, payment processing, AI/LLM processing, and support, under contractual data-protection obligations. A current list of subprocessors is maintained at evermuse.com/data-subprocessors.
    • At your direction: when you connect or instruct the Service to share data with third-party tools (for example, delivering Customer Data and outputs to integrations you enable).
    • Legal and safety: to comply with law, respond to lawful requests, protect rights, safety, and property, and enforce our terms.
    • Business transfers: in connection with a merger, acquisition, financing, or sale of assets, subject to this Policy.
    • With your consent: for any other purpose disclosed at the time of collection.

    We do not sell personal information, and we do not "share" it for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act (CCPA) and similar U.S. state laws. As a service provider, we do not retain, use, or disclose Customer Data for any purpose other than performing the Service.

    9. Integrations, connectors, and the Evermuse MCP

    The Service can connect to AI assistants and other applications, including through the Evermuse MCP server (an OAuth 2.1, HTTP-based Model Context Protocol endpoint) and other integrations.

    • Access runs under your own permissions. When you connect Evermuse to an AI client (such as Claude, ChatGPT, or Cursor) or another tool, you authenticate via OAuth and grant access under your own account permissions. The connected client can access only the data your account is permitted to access, and you can revoke access at any time from your account settings or the third-party tool.
    • What the connection can do. Connected clients can read your customer evidence (such as search results, quotes, transcripts, roadmap, and shaping notes) and, where you use write-enabled tools, add sources or take actions you direct in tools you have separately connected.
    • Zero data retention by AI clients. The Evermuse MCP is designed so that AI clients do not retain Evermuse data beyond what is necessary to complete your request in the session.
    • Third-party clients have their own terms. Data you choose to send to or pull into a third-party AI client is also subject to that provider's terms and privacy policy.

    10. International data transfers

    We are based in the United States and use service providers in various locations. Where we transfer personal data internationally, we use appropriate safeguards, including the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and equivalent mechanisms for Switzerland and other jurisdictions, as further described in our DPA.

    11. Data retention

    We retain personal data for as long as needed to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements, after which we delete or de-identify it.

    For Customer Data, and consistent with the DPA: upon termination or expiration of a customer's agreement, we make Customer Data available for export for thirty (30) days, then delete it from active systems within sixty (60) days and from backups in the ordinary course of our backup and retention cycle. Where deletion is technically infeasible (for example, within backups), we isolate, protect, and de-identify the data where appropriate until deletion is possible.

    12. Security

    We maintain administrative, technical, and organizational measures designed to protect personal data, including encryption in transit and at rest, role-based and least-privilege access controls, logging and monitoring, and a vulnerability and penetration-testing program. We maintain a SOC 2 Type II program (audited by Sensiba) with continuous control monitoring (via Drata). For more detail, see our Data Protection Policy. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

    13. Your rights and choices

    Depending on where you live, you may have rights to access, correct, delete, port, or restrict the processing of your personal data, to object to certain processing, and to withdraw consent. Subject to applicable law:

    • To exercise rights regarding data we control (such as your account or marketing data), contact us at privacy@evermuse.com (see Section 17). We will verify your request and respond within the time required by law. You will not be discriminated against for exercising your rights.
    • To exercise rights regarding Customer Data (data processed on a customer's behalf), please contact the relevant customer (the controller). If you direct such a request to us, we will, unless legally required to act, refer you to the customer and assist them as described in the DPA.
    • Marketing: you can opt out of marketing emails at any time using the unsubscribe link or by contacting us. We may still send service-related messages.
    • California residents: you have the right to know, delete, and correct personal information, and to opt out of sale/sharing (we do not sell or share). See Section 8 and contact us to exercise these rights; you may use an authorized agent.
    • EEA/UK/Switzerland: you may lodge a complaint with your local supervisory authority. The controller for data we control is Usermuse, Inc. d/b/a Evermuse.

    14. Children's privacy

    The Service is intended for business use and is not directed to children. You must be at least 18 years old to use the Service. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will take appropriate steps to delete it.

    15. Third-party links and services

    The Service may link to or interoperate with third-party websites and services that we do not control. Their privacy practices are governed by their own policies, and we encourage you to review them.

    16. Changes to this Policy

    We may update this Policy from time to time. We will post the updated version with a new "Last updated" date and, where required, provide additional notice. Your continued use of the Service after an update means you accept the revised Policy.

    17. How to contact us

    Usermuse, Inc., a Delaware public benefit corporation, d/b/a Evermuse
    Privacy contact: privacy@evermuse.com · Legal: legal@evermuse.com
    Mailing address: 224 W 35th St, Ste 500 #300, New York, NY 10001, US


    Appendix A — Categories of personal information (U.S. state-law notice)

    For the preceding 12 months, the categories of personal information we may have collected, the sources, the business purposes, and the categories of recipients are described in Sections 3, 4, and 8. In summary, we may collect: identifiers (e.g., name, email, IP address); commercial/billing information; internet and device activity; professional or employment-related information; audio/voice and the contents of communications (primarily within Customer Data, as a service provider); and inferences drawn to provide and improve the Service. We do not sell or share personal information.

    Appendix B — Quick reference for reviewers/integrations

    • Data the Evermuse MCP can return to a connected AI client: customer evidence the authenticated user is permitted to access — search results, needs, pain points, feedback, verbatim quotes, meeting/transcript content, competitor capabilities, research questions, roadmap, and shaping notes — plus confirmations of write actions the user directs (e.g., adding a source).
    • Authentication: OAuth 2.1; access is scoped to the user's own permissions and revocable at any time.
    • Retention by AI clients: none beyond what is necessary to complete the in-session request.
    • AI subprocessors: contractually prohibited from training on or retaining Customer Personal Data; listed at evermuse.com/data-subprocessors.

    © 2026 Usermuse, Inc. All rights reserved.