Mica Privacy Policy

Effective Date: June 1, 2026
Last Updated: June 1, 2026

This Privacy Policy explains how GraniteAI, LLC ("GraniteAI", "we", "us", or "our") collects, uses, shares, and protects personal information in connection with Mica (the "Service") — the autonomous social media platform marketed at mica.graniteai.co and delivered at social.graniteai.co.

This policy is written for U.S.-based readers and is designed to comply with the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA"), the FTC Act, and equivalent U.S. state privacy laws (including Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, and Texas TDPSA) to the extent they apply. If you are outside the U.S., do not use the Service.

By using the Service, you confirm you have read this policy.


1. Who We Are and Whose Information This Covers

GraniteAI is the business that determines the purposes and means of processing the personal information described here. We sell to small businesses ("Customers") under the Mica brand. Information covered by this policy comes from three groups of people:

| Group | Who they are | What we typically have about them |
| --- | --- | --- |
| Account users | Owners and (eventually) team members of a Customer who sign in to the Mica dashboard | Name, email, password hash, login activity, billing details, tenant configuration choices |
| Subjects in uploaded photos | People who appear in or can be identified from photos a Customer uploads (employees, customers, passers-by, voice donors) | Image, voice, sometimes GPS location and capture time from EXIF |
| End viewers | The general public who see content the Service publishes on Facebook, Instagram, or other connected platforms | We do not collect information about viewers directly; whatever the platform exposes (likes, comments, follows) stays on the platform |

This policy applies whether you arrive at our website, sign up for a trial, become a paying Customer, or appear in content a Customer uploads.


2. What We Collect and Why

We do not sell personal information for money. We do not run cross-context behavioral advertising. The categories below are written using CCPA/CPRA's vocabulary so you can map them to the rights described in Section 6.

2.1 Information you give us directly

| Category (CCPA) | Specific examples | Why we collect it |
| --- | --- | --- |
| Identifiers | Name, email, password (hashed), tenant slug | Create your account; let you sign in; bill you |
| Commercial information | Subscription plan, plan history, payment status | Operate the trial-to-paid lifecycle and apply access gates |
| Customer record information | Business name, business description, service area, ICP, brand voice rules, banned phrases, Instagram handle, Publer workspace ID | Configure how Mica writes about your business |
| Geolocation (precise) | GPS latitude/longitude embedded in EXIF of photos you upload | Inform the planner that groups photos by burst and location; stripped before publishing |
| Visual information | Photos and videos you upload | Used by the AI vision pass to classify subject, scene, quality, and privacy concerns; used as input to carousels and reels |
| Audio information | Voice samples for the optional voice-cloning feature (Chatterbox engine) | Generate spoken voiceovers for your reels |
| Inferences | AI-generated descriptions of your photos, perceptual hashes, "buyer segment" inferences from your positioning | Drive editorial-coverage rotation and content quality gates |

2.2 Information we collect automatically when you use the dashboard

| Category | Examples | Why |
| --- | --- | --- |
| Internet activity | Pages visited, clicks, requests, timestamps, user-agent | Operate and secure the dashboard |
| Device & log data | IP address (truncated where feasible), browser type, error logs | Debug, prevent fraud, comply with security obligations |
| Cookies / similar | Session cookies set by Clerk for sign-in; functional cookies for the dashboard | Authentication and session continuity (see Section 9) |

2.3 Information generated by the Service about your tenant

  • Generated content (captions, slides, voiceovers, video renders) — produced by AI from your inputs.
  • Telemetry — model used, input/output token counts, cached token counts, pass duration, and pass success/failure. We use this to operate the Service and track costs.
  • Editorial history — a 20-entry rolling log of topics, intents, and "signature phrases" used in recent posts, so the AI doesn't repeat itself.
  • Judge / claim-guard logs — pass/fail records and per-axis scores for our quality gates.

2.4 What we deliberately do NOT collect

  • We do not collect government IDs, Social Security numbers, financial account numbers, biometric identifiers (other than the voice samples you optionally provide), precise geolocation about you as a user (we only see EXIF from photos you upload), health information, or information about your sexual orientation, religion, race, or political views.
  • We do not run third-party advertising trackers on the dashboard.
  • We do not buy personal information from data brokers.

If you upload photos that incidentally contain sensitive information (e.g., a screenshot of your business bank account, a photo of an employee's medical chart, a customer's driver's license), our automated preflight flags many such cases and quarantines the photo. But the safest practice is not to upload them in the first place.


3. Sources of Personal Information

We get personal information from:

  1. You, directly — what you type, upload, and configure.
  2. Our identity provider, Clerk, when you sign in — name, email, and authentication metadata.
  3. Our billing provider, Stripe (via Clerk Billing) — payment status and the last four digits of your payment card (we never see the full card).
  4. Our AI subprocessor, OpenAI — model outputs (which we treat as Generated Content); OpenAI does not give us personal information about other people.
  5. Connected social platforms (Facebook, Instagram, etc.) through Publer — limited account metadata needed to publish (e.g., the account ID, account name, posting status).

4. How We Use Personal Information

We use the information described above to:

  • Operate and provide the Service, including running the daily content-generation cron, publishing your content through Publer, and giving you a working dashboard.
  • Bill you and manage subscriptions and trials.
  • Improve the Service — fix bugs, tune prompts, measure cache-hit rate, track which configurations produce better content. We do this using aggregated telemetry and limited samples, not by training foundation models on your content (see Section 5.2).
  • Communicate with you — operational emails (billing receipts, trial-ending notices), security notices, and (only with your opt-in or where allowed by law) product update emails.
  • Detect and prevent abuse, fraud, and violations of our Terms, including content the claim-guard flags as risky.
  • Comply with law and respond to lawful requests from authorities.
  • Enforce our agreements and defend ourselves in legal disputes.

We do not use personal information for automated decision-making that produces legal or similarly significant effects on individuals.


5. AI Processing — Specific Disclosures

Because Mica is, at its core, an AI-driven service, we give you the specifics.

5.1 Who runs the models

Our content-generation, vision, judge, and claim-guard passes are run via OpenAI's API. Our optional voice features use the open-source Kokoro model and, for voice-cloning, the Chatterbox model from Resemble AI. Both voice models run on our own infrastructure — voice samples and voiceover text are not sent to Resemble AI or to a model-hosting service to produce audio. Word-level caption timings come from the open-source faster-whisper model, also running on our infrastructure.

5.2 No training on your content

We send your Customer Inputs to OpenAI's API with the standard API setting that excludes the data from being used to train OpenAI's models. We do not separately license a copy of your data to any AI vendor for model training. If we ever change this, we will update this policy and the Terms, give you notice, and let you opt out.

5.3 What the AI sees

  • The vision pass sees photos you upload and writes a structured classification (subject, scene type, quality, privacy flags such as "screen with data" or "competitor branding", tags).
  • The carousel and reel writers see your brand config, ICP, positioning, intents, pillars, prior topics, and a structured photo summary — and produce slide copy or a voiceover script.
  • The judge and claim-guard see the writer's output and score it against rules we define.

5.4 Caching and the layered-context architecture

To reduce cost, we order prompts so that the static prefix (tenant configuration, daily snapshot) can be cached by the API provider. Cached prompts are still your data; caching is operational, not a separate use.

5.5 No persona attribution to real people

The Service may write in a "voice influenced by" a style direction you choose, but it does not generate content attributed as the words of a real, named third-party person.


6. Your Rights and How to Exercise Them

If you are a California resident, you have specific rights under CCPA/CPRA. Residents of Virginia, Colorado, Connecticut, Utah, and Texas have very similar rights under their state laws. We extend these rights to every U.S. resident because it is simpler and the right thing to do.

6.1 Your rights

  • Right to know what personal information we have about you, where we got it, why we have it, who we shared it with, and to receive a copy.
  • Right to delete the personal information we have about you, subject to exceptions in law (for example, we must keep payment records for tax purposes).
  • Right to correct inaccurate personal information.
  • Right to opt out of sale or sharing. We do not sell personal information for money and do not share it for cross-context behavioral advertising. You can still send us this signal; the answer will be "we already aren't."
  • Right to limit use of sensitive personal information. The only sensitive personal information we knowingly collect is the optional voice sample for voice cloning; you can ask us to stop using it and delete it.
  • Right to non-discrimination for exercising these rights — we will not deny service, charge a different price, or degrade quality because you asked.
  • Right to an authorized agent to submit a request on your behalf.

6.2 How to submit a request

Email privacy@graniteai.co with the subject "Privacy Request" and tell us which right you want to exercise. We will:

  • Acknowledge within 10 business days.
  • Verify your identity using information you already have with us (account email plus, where needed, additional non-burdensome verification).
  • Respond substantively within 45 calendar days of receipt. If we need more time, we will tell you and may take up to 45 additional days.

For account users, you can also delete most of your data directly from the dashboard by deleting your tenant.

6.3 If you are a subject in an uploaded photo

If you are not a Customer of ours but you believe a photo of you (or other personal information about you) is in our system because someone else uploaded it, write to privacy@graniteai.co. We will work with the relevant Customer to remove it, subject to legitimate operational needs and law.

6.4 If you disagree with our response

You can contact us to ask us to reconsider, and you can lodge a complaint with your state's Attorney General or, if you are in California, the California Privacy Protection Agency.


7. How We Share Personal Information

We share personal information only with the following categories of recipients, and only for the purposes identified:

| Recipient | What they get | Why |
| --- | --- | --- |
| Clerk Corporation | Account identifiers, sign-in metadata, subscription status | Authentication, session management, billing checkout |
| Stripe, Inc. (via Clerk Billing) | Payment card details (collected by Stripe directly), billing email | Process subscription payments |
| Publer | Generated images/videos, captions, hashtags, target account IDs, scheduling metadata | Publish your content to Facebook, Instagram, and other connected platforms |
| OpenAI | Customer Inputs and intermediate prompts/completions for each pipeline pass | Run the AI passes that generate, judge, and revise content |
| Neon, Inc. | All structured data we store (tenants, posts, media metadata, telemetry) | Database hosting |
| Vercel, Inc. | The dashboard application and the binary blobs of uploaded/generated media | Web hosting and object storage |
| Connected social platforms (Meta for Facebook/Instagram, and others as you connect them) | Whatever the platform's API requires for publishing | Publish on your accounts |
| Professional advisers (lawyers, accountants, auditors) | The minimum needed for the engagement | Routine legal, tax, and compliance work |
| Authorities and other parties under law | The minimum required by a valid request | Comply with law; protect rights; respond to emergencies |
| Acquirers in a corporate transaction (merger, acquisition, asset sale) | Reasonable diligence and transition data | Sell or transfer the business; the successor will be bound by this policy or one at least as protective |

A current, more detailed subprocessor list — with links to each subprocessor's privacy/security page — is available at social.graniteai.co/subprocessors (or by writing to privacy@graniteai.co).

We do not share personal information with marketing or advertising networks.


8. How Long We Keep Information

| Type of information | Retention |
| --- | --- |
| Account profile (Clerk) | While your account is active; deleted within 30 days of account deletion, except where Clerk retains records for its own legitimate purposes |
| Billing records | 7 years after the last transaction (tax/accounting) |
| Tenant configuration (brand, ICP, positioning, etc.) | While your account is active; deleted within 30 days of tenant deletion |
| Uploaded photos and videos | While referenced by a post or kept by you in the media library; otherwise pruned by the 14-day blob-retention sweep; deleted within 30 days of tenant deletion |
| Photo EXIF (GPS, timestamps) | Same as the photo, but stripped from the published version |
| Generated posts and captions | While your tenant exists; deleted within 30 days of tenant deletion |
| AI pass telemetry | 24 months, then aggregated to monthly counts |
| Editorial history (20 most recent posts) | Rolling — older entries are trimmed automatically |
| Logs and security events | Up to 12 months |
| Backups | Rotated out within 90 days |
| Data subject to legal hold or litigation | Until the hold is lifted |

Published content on Facebook, Instagram, and other platforms is governed by those platforms' retention practices, not ours.


9. Cookies and Similar Technologies

We use cookies and similar technologies that are necessary to operate the Service:

  • Session cookies set by Clerk to keep you signed in.
  • CSRF tokens to protect form submissions.
  • Functional preferences (e.g., last-viewed tenant).

We do not use third-party advertising or behavioral-tracking cookies. We do not use a session replay tool that records dashboard interactions. If we add analytics in the future, we will update this policy first.

You can control cookies through your browser. Blocking session cookies will prevent sign-in.


10. Security

We use technical and organizational measures designed to protect personal information, including encryption in transit (HTTPS to and from the dashboard and to our subprocessors), encryption at rest (provided by Neon and Vercel Blob), least-privilege access controls, separation of secrets via environment variables, banned-phrase guards and claim-guards on AI output, and monitoring through our hosting providers.

No system is perfectly secure. If we become aware of a security incident affecting your personal information, we will notify you and any required authority in accordance with applicable U.S. state breach-notification laws.


11. International Users; U.S.-Only Service

The Service is intended for U.S. users and U.S. businesses. Our infrastructure is hosted in the United States. If you access the Service from outside the U.S., you understand and consent that your information will be processed in the U.S., where data-protection laws may differ from those of your country. We do not currently offer the Service to E.U./E.E.A., U.K., Swiss, or Canadian residents, and these Terms and this policy are not drafted to comply with GDPR, U.K. GDPR, FADP, PIPEDA, or other non-U.S. regimes.


12. Children

The Service is for businesses. It is not directed to children under 13, and we do not knowingly collect personal information from children. If you believe a child has provided us personal information, write to privacy@graniteai.co.

Customers are responsible for not uploading personal information about children (see Section 4.7 of the Terms).


13. Do Not Track and Global Privacy Control

The dashboard does not respond to browser "Do Not Track" signals because it does not engage in tracking that DNT was designed to limit. We do honor the Global Privacy Control (GPC) signal as an opt-out of sale/sharing where applicable — and, again, we do not sell or share personal information for cross-context behavioral advertising in the first place.


14. Changes to This Policy

We may update this policy from time to time. If we make a material change, we will notify you by email (to the address on file) and/or by an in-dashboard notice at least 15 days before the change takes effect, except where a shorter period is required by law. The "Last Updated" date at the top of the page reflects the most recent change.


15. Contact

To exercise your rights, ask a question about this policy, or report a concern:

  • Email: privacy@graniteai.co
  • General contact: guru@graniteai.co
  • Postal: GraniteAI, LLC, Attn: Privacy — Mica, 145 Lakeside Dr, Manchester, NH 03104

For California residents, GraniteAI is the business under CCPA/CPRA.


Appendix A — CCPA/CPRA Disclosures at a Glance (last 12 months)

| CCPA/CPRA item | Disclosure |
| --- | --- |
| Categories of personal information collected | Identifiers; commercial information; customer records; precise geolocation (only as embedded in uploaded photo EXIF); visual information; audio information (voice samples only); internet/network activity; inferences derived from the above |
| Sources | You; Clerk; Stripe (via Clerk Billing); OpenAI (returns model outputs only); connected social platforms via Publer |
| Business purposes | Service delivery; billing; security and fraud prevention; product improvement using aggregated/anonymized data; legal compliance |
| Categories of recipients | Subprocessors listed in Section 7; professional advisers; legal authorities under valid process |
| Sale of personal information | None. |
| Sharing for cross-context behavioral advertising | None. |
| Use of sensitive personal information | Limited to operating the voice-cloning feature you opt into, if any |
| Categories retained | See Section 8 retention table |