Privacy Policy

Last updated: May 2026

mizuiro is a people management platform built for organizations that want to take care of their teams. We take privacy seriously - this policy explains what information we collect, how we use it, and what rights you have over it. We've written it to be readable, not to obscure anything.

mizuiro is operated by neoncrayon, based in Ontario, Canada. Questions about this policy: privacy@mizuiro.app.

Our commitments - the short version

  • We will never sell your data. Not to anyone, not for any price.
  • We will never sell or share your email addresses with third parties for marketing, advertising, or any other commercial purpose.
  • We will never use your data to train AI models - not our own, and not anyone else's.
  • mizuiro is not intended for storing sensitive regulated records. Do not store legal records, health records, social insurance numbers, credit card numbers, or health insurance information in this platform.

1. Who this applies to

This policy applies to everyone who interacts with mizuiro:

  • Account holders (managers) - people who register a company account and administer the platform for their organization.
  • Team members (supervisors and employees) - people whose information is managed within a company's mizuiro account.
  • Visitors - people who browse mizuiro.app without creating an account.

Important: mizuiro is a business-to-business tool. When a company uses mizuiro to manage their employees, the company is the data controller for their employees' personal information. mizuiro acts as the data processor on the company's behalf. Employees with questions about how their employer uses their data should contact their employer directly.


2. Who can use mizuiro

mizuiro is intended for use by adults (18 years of age or older) on behalf of businesses and organizations. It is not a consumer product and is not designed or intended for use by minors. By creating an account, you confirm that you are at least 18 years old and are acting on behalf of a business or organization. If we become aware that an account has been created by or for a minor, we will terminate that account.


3. What information we collect

Account and identity information

When a manager registers a company account, we collect:

  • Name and email address
  • Company name
  • A password (stored as a one-way hash - we cannot read it)
  • A TOTP authenticator secret (encrypted at rest - mandatory two-factor authentication)

Employee records

Managers and supervisors enter information about their team members, which may include:

  • Name, email address, job title, and employment dates
  • Performance reviews and notes
  • Incident records and workplace events
  • Training records and conference attendance
  • Expense reports
  • Awards and recognition records
  • Leave and attendance information
  • Date of birth (optional; used for retirement planning features)

mizuiro is not designed or intended to store: social insurance numbers, government-issued ID numbers, credit card or banking details, health or medical records, health insurance information, or legal records of any kind. Please do not enter that type of information into the platform.

Usage and technical data

When you use mizuiro, we automatically collect:

  • IP address and approximate geographic location (country level)
  • Browser type and version
  • Login timestamps and session activity
  • Actions taken within the application (retained in an immutable audit log for security purposes)

We do not use third-party analytics, advertising trackers, or cookies beyond what is strictly necessary to keep you signed in.


4. How we use your information

We use the information we collect to:

  • Provide, operate, and improve the mizuiro platform
  • Authenticate you and keep your account secure (including two-factor authentication)
  • Send transactional emails - account setup, password resets, and invitations. No marketing email.
  • Enforce IP and geographic access restrictions configured by your organization
  • Maintain audit logs for security and compliance purposes
  • Respond to support requests
  • Comply with legal obligations

We will never sell your data, sell or share your email addresses with third parties for commercial purposes, or use your data to train AI models. These are not negotiable positions that change with business circumstances - they are commitments.


5. Who we share information with

We share data only with the third-party services necessary to operate the platform:

  • DigitalOcean - cloud infrastructure. Application servers and the managed database are hosted on DigitalOcean. Data may be stored in regions including Canada and the United States. mizuiro stores structured HR data only - it is not a file storage platform and does not host uploaded documents or attachments.
  • Mailgun - transactional email delivery. Email addresses are shared with Mailgun only to deliver account-related emails. We do not use Mailgun for marketing.
  • Stripe - payment processing. Billing information is handled directly by Stripe and is not stored on mizuiro servers.

We may also disclose information if required by law, court order, or to protect the rights and safety of our users or the public.


6. How we protect your data

  • Passwords are stored as one-way cryptographic hashes and cannot be recovered - only reset
  • Sensitive fields are encrypted at rest using AES-256. This includes account credentials (email addresses, TOTP authenticator secrets, and backup codes) as well as the content of sensitive HR records - task details and discussion, training notes, expense notes, kudos messages, conference attendance notes, and award records. These fields are decrypted only when accessed by an authenticated user with permission to view them.
  • All connections use HTTPS (TLS 1.2+)
  • Two-factor authentication is mandatory for all accounts
  • Session tokens are stored only as cryptographic digests - the raw token is never persisted
  • Per-company IP and geographic access controls are available
  • Immutable audit logs record all security-relevant actions

No system is perfectly secure. If you believe you've found a security vulnerability, please contact us at security@mizuiro.app before disclosing it publicly.


7. Cookies

mizuiro uses cookies only for essential functions - specifically, to keep you signed in between page loads. We do not use advertising cookies, tracking cookies, or any third-party analytics cookies. No cookie consent banner is required because we don't use cookies for anything beyond keeping the service working.

If you disable cookies in your browser, you will not be able to stay signed in to mizuiro.


8. Data retention

We retain your data for as long as your account is active. If you cancel your subscription or your trial ends without subscribing, your data goes through three stages:

  • 30-day grace period - read-only access so you can export your data or resubscribe.
  • Locked - no access, but your data is retained for one year. Resubscribing restores everything.
  • Purged - after one year, all HR data is permanently and irreversibly deleted.

If you actively delete your account (rather than letting the subscription lapse), your HR data is removed immediately. We cannot recover deleted data in either case.

Platform security audit logs (login events, access attempts, and administrative actions) associated with a deleted or purged company are retained for up to three years for security, fraud prevention, and legal compliance purposes, after which they are purged.

Important for account holders: Many jurisdictions - including Ontario, Canada under the Employment Standards Act - require employers to retain employment records for a minimum period (typically three years) regardless of whether they continue using a particular software platform. This is your obligation as the employer, not mizuiro's. If you have ongoing legal record-keeping requirements, please export your data before your account is purged. We cannot recover data after deletion.

For a full data removal request, contact privacy@mizuiro.app.


9. Your rights

Canadian users (PIPEDA)

Under the Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to access personal information we hold about you, request corrections to inaccurate information, withdraw consent to our use of your information (subject to legal and contractual restrictions), and file a complaint with the Office of the Privacy Commissioner of Canada.

European Economic Area users (GDPR)

If you are located in the European Economic Area, you have the following rights under the General Data Protection Regulation (GDPR):

  • Right of access - You may request a copy of the personal data we hold about you.
  • Right to rectification - You may request that we correct inaccurate or incomplete personal data.
  • Right to erasure ("right to be forgotten") - You may request that we delete your personal data, subject to our legal obligations.
  • Right to restriction of processing - You may request that we limit how we use your data in certain circumstances.
  • Right to data portability - You may request a copy of your data in a structured, machine-readable format.
  • Right to object - You may object to our processing of your personal data where we rely on legitimate interests as our legal basis.
  • Right to withdraw consent - Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email privacy@mizuiro.app. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority.

Note for employees: Because your employer controls the data entered about you in mizuiro, some requests (such as correcting your records) should be directed to your employer first.


10. Changes to this policy

We may update this policy as the product evolves. If we make material changes, we will notify account holders by email before the changes take effect. The date at the top of this page reflects when it was last updated.


Contact

Questions, requests, or concerns about this policy:
privacy@mizuiro.app

neoncrayon, Ontario, Canada