M90

Privacy

Effective Date: March 17, 2026 | Version 1.0


M90 CORPORATION
PRIVACY POLICY
Effective Date: March 17, 2026  |  Version 1.0

M90 Corporation is committed to protecting your privacy. This Privacy Policy explains exactly what personal data we collect, why we collect it, how we use and protect it, and your rights to control it. Please read this document carefully.

QUICK SUMMARY
We know legal documents can be long. Here is a plain-English summary of the most important points. The full detail follows in the sections below — please read it entirely.

What We Collect
What We Do NOT Do
	•	Account registration data
	•	Usage and analytics data
	•	Payment information (via processor)
	•	Technical/device data
	•	Communications with us
	•	Sell your personal data — NEVER
	•	Share data with advertisers
	•	Store payment card details
	•	Serve you ads

1. WHO WE ARE AND HOW TO CONTACT US
1.1 Company Identity
M90 Corporation ("M90," "we," "us," or "our") is the data controller responsible for your personal data collected through our Services. We operate a content intelligence and viral analytics platform accessible at https://m90.ai/ and associated domains.
1.2 Contact Details
For all privacy-related questions, requests, or concerns — including exercising your legal rights, submitting a data subject access request, or filing a takedown notice — please contact us at:

Company
M90 Corporation
Privacy Contact / DPO
chat@m90.ai
DMCA / Copyright Agent
chat@m90.ai  (Subject: "DMCA Takedown Notice — M90")
Platform
https://m90.ai/

1.3 Scope of This Policy
This Privacy Policy applies to all personal data collected by M90 in connection with:
	•	The M90 platform and all associated web applications, APIs, and dashboards
	•	Your account registration and management
	•	Your Subscription and payment processing
	•	Customer support communications
	•	Marketing and promotional communications (where you have opted in)
	•	Any other interaction you have with M90
This Policy does not apply to Third-Party Platforms (such as TikTok, Instagram, YouTube, or Twitter/X) whose content may be analyzed through the Services. Those platforms have their own independent privacy policies.
1.4 Changes to This Policy
M90 may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by email to the address associated with your account and/or by displaying a prominent notice within the Services. The revised Policy will be effective on the date specified in the updated document. Your continued use of the Services following notice of any change constitutes acceptance of the updated Policy.

2. PERSONAL DATA WE COLLECT
2.1 Categories of Personal Data
We collect the following categories of personal data when you use the Services:

Category
Examples
How Collected
Identity & Account Data
Full name, email address, username, password (encrypted), profile information
Provided directly by you at registration
Contact Data
Email address, any other contact details you provide
Provided directly by you
Financial & Billing Data
Subscription plan, billing history, last 4 digits of card, card expiry, cardholder name (via payment processor — M90 never stores full card details)
Provided by you and payment processor
Usage & Activity Data
Features accessed, searches conducted, content viewed in your Private Dashboard, session duration, click patterns, feature usage frequency
Collected automatically as you use the Services
Technical & Device Data
IP address, browser type and version, operating system, device identifiers, time zone, referrer URLs, crash reports
Collected automatically via cookies and server logs
Communications Data
Emails, chat messages, or other correspondence you send to M90 support
Provided directly by you
Marketing Preferences
Your opt-in/opt-out choices for marketing communications, communication preferences
Provided by you or inferred from your interactions
Aggregated / Anonymized Data
Statistical usage data, de-identified analytics, platform performance metrics
Derived from usage data; cannot identify you individually

2.2 Data We Do NOT Collect
M90 does not collect or ask you to provide:
	•	Sensitive personal data such as racial or ethnic origin, political opinions, religious beliefs, genetic data, biometric data, health data, or data concerning sex life or sexual orientation
	•	Government-issued identification numbers (Social Security numbers, passport numbers, etc.)
	•	Full payment card numbers, CVV/CVC codes, or full bank account numbers
	•	Data from minors — our Services are strictly for users aged 18 and over
2.3 Data About Third Parties in Collected Content
When you use M90's data collection features to analyze publicly available content from Third-Party Platforms, that content may contain personal data relating to third parties (e.g., public social media profiles, usernames, post metadata). You are the independent data controller for any such third-party personal data. M90 acts solely as a technical conduit displaying that content privately to you. Please see Section 10 for your obligations regarding third-party data.

3. HOW WE COLLECT YOUR PERSONAL DATA
3.1 Direct Collection
We collect personal data that you actively provide to us, including when you:
	•	Create an M90 account or complete your profile
	•	Subscribe to a paid plan and provide billing information
	•	Contact our support team by email or chat
	•	Respond to surveys, feedback forms, or research requests
	•	Submit suggestions, feedback, or other communications to M90
3.2 Automated Collection
We automatically collect certain technical and usage data when you access or use the Services, including through:
	•	Server logs that record your IP address, browser type, device, and pages accessed
	•	Cookies and similar tracking technologies (see Section 8 for full details)
	•	Analytics tools that measure how features are used, session durations, and error events
	•	API call logs when you access the Services programmatically
3.3 Third-Party Sources
We may receive data about you from:
	•	Payment processors (e.g., Stripe) who provide billing confirmation and masked card details
	•	Analytics providers who help us understand platform usage trends
	•	Security and fraud detection partners who help us protect the platform
We do not purchase personal data from data brokers. We may receive limited data from advertising platforms (such as Meta) where you interact with our marketing campaigns.

4. WHY WE PROCESS YOUR PERSONAL DATA — PURPOSES AND LEGAL BASES
4.1 Overview
M90 processes personal data only when we have a valid legal basis to do so under applicable data protection law. The primary legal bases we rely on are: (a) Performance of a contract with you; (b) Compliance with a legal obligation; (c) Our legitimate interests; and (d) Your consent (where required).

Purpose
Data Used
Legal Basis
Account creation and management
Identity, Contact, Technical
Contract performance
Providing and operating the Services
Identity, Contact, Usage, Technical
Contract performance
Processing Subscriptions and payments
Identity, Contact, Financial
Contract performance; Legal obligation
Customer support and resolving issues
Identity, Contact, Communications
Contract performance; Legitimate interest
Security: detecting fraud, abuse, and unauthorized access
Technical, Usage, Identity
Legitimate interest; Legal obligation
Maintaining and improving the platform
Usage, Technical (aggregated)
Legitimate interest
Sending transactional emails (account alerts, billing, security notices)
Identity, Contact
Contract performance; Legal obligation
Sending marketing emails (opt-in only)
Identity, Contact, Marketing Preferences
Consent (opt-in)
Analytics and platform performance measurement
Aggregated/anonymized Usage, Technical
Legitimate interest
Complying with legal obligations and responding to lawful requests
All categories as required
Legal obligation
Enforcing our Terms of Service and protecting M90's rights
Identity, Usage, Technical
Legitimate interest; Legal obligation
Business transfers (mergers, acquisitions)
All categories as needed
Legitimate interest; Legal obligation

4.2 Legitimate Interests
Where we rely on legitimate interests as our legal basis, we have assessed that our interests do not override your fundamental rights and freedoms. Our legitimate interests include: operating and growing a secure, high-quality platform; preventing fraud and abuse; improving our Services; and maintaining our legal and contractual rights.
4.3 Consent
Where we rely on your consent (principally for marketing communications), you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal. You may opt out of marketing emails by clicking the unsubscribe link in any such email or by contacting us at chat@m90.ai.
4.4 What We Will NEVER Do With Your Data

M90 WILL NEVER: (1) Sell your personal data to any third party for any purpose. (2) Share your personal data with advertisers or data brokers. (3) Use your data for purposes beyond those described in this Policy without obtaining your prior consent.

5. HOW WE SHARE YOUR PERSONAL DATA
5.1 No Sale of Personal Data
M90 does not sell, rent, or trade your personal data to any third party under any circumstances. This applies regardless of whether you are a free trial user or a paying subscriber.
5.2 Service Providers and Sub-Processors
We share personal data with carefully selected third-party service providers who process data on our behalf solely to provide infrastructure and operational services to M90. These providers are contractually bound to process your data only on M90's instructions, to maintain appropriate security measures, and not to use your data for their own purposes.
Categories of service providers we engage include:
	•	Cloud hosting and infrastructure providers (to store and process platform data)
	•	Payment processors (to handle Subscription billing — they do not share full card details with M90)
	•	Customer support tools (to manage support tickets and communications)
	•	Analytics providers (to analyze platform usage in aggregated form)
	•	Email delivery services (to send transactional and marketing communications)
	•	Security and fraud detection services
5.3 Legal Disclosures
M90 may disclose your personal data to law enforcement agencies, courts, regulators, or other governmental authorities when we are legally required to do so, or when we reasonably believe that disclosure is necessary to:
	•	Comply with a binding legal obligation, regulation, or court order
	•	Enforce our Terms of Service or protect M90's legal rights
	•	Detect, prevent, or respond to fraud, security threats, or abuse of the Services
	•	Protect the rights, safety, or property of M90, our users, or the public
Where legally permissible, we will attempt to notify you before disclosing your personal data in response to legal process.
5.4 Business Transfers
In the event of a merger, acquisition, corporate restructuring, or sale of all or substantially all of M90's assets, your personal data may be transferred to the successor entity. We will notify you by email and/or prominent notice within the Services prior to any such transfer, and the successor entity will be bound to honor this Privacy Policy or notify you of any material changes.
5.5 With Your Consent
We may share your personal data with third parties beyond those described above where you have given us explicit, informed consent to do so. You may withdraw such consent at any time.

6. INTERNATIONAL DATA TRANSFERS
M90's Services may involve the storage or processing of your personal data in jurisdictions outside your country of residence, including the United States. Data protection laws vary across jurisdictions and may not provide the same level of protection as the laws of your home country.
Where we transfer personal data internationally, we take appropriate steps to ensure an adequate level of protection, which may include:
	•	Transferring data only to countries recognized by the relevant authority as providing adequate data protection
	•	Implementing Standard Contractual Clauses (SCCs) or equivalent mechanisms approved by applicable supervisory authorities
	•	Requiring all recipients to implement appropriate technical and organizational security measures
If you would like further information about the specific mechanisms used for international transfers of your personal data, please contact us at chat@m90.ai.

7. HOW LONG WE KEEP YOUR PERSONAL DATA
7.1 Retention Principles
M90 retains your personal data only for as long as is necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying legal, regulatory, accounting, or reporting requirements. We consider the following factors when determining appropriate retention periods:
	•	The nature and sensitivity of the personal data
	•	The potential risk of harm from unauthorized use or disclosure
	•	The purposes for which we process the data and whether we can achieve those purposes through other means
	•	The applicable legal, regulatory, accounting, or reporting requirements

7.2 Specific Retention Periods
Data Category
Retention Period
Rationale
Account and identity data
Duration of account + 5 years after closure
Legal limitation periods for contractual claims
Financial and billing records
7–10 years from transaction date
Tax, accounting, and regulatory obligations
Usage and activity logs
Up to 24 months, then aggregated/anonymized
Platform improvement; security auditing
Technical/device data (IP logs)
12 months from collection
Security monitoring; abuse prevention
Support communications
3 years from resolution of inquiry
Quality assurance; dispute resolution
Marketing consent records
Until consent withdrawn + 3 years
Evidence of consent; regulatory compliance
Fraud / security incident data
Up to 7 years
Legal defense; regulatory obligations
Aggregated/anonymized analytics
Indefinitely (cannot identify individuals)
Platform development and research

7.3 Deletion Process
When the applicable retention period expires or you request deletion of your data, M90 will securely delete or irreversibly anonymize your personal data. Due to the nature of backup systems and data replication, deletion from all backup media may take up to 90 days following deletion from active systems.
7.4 Account Deletion
When you request deletion of your M90 account, all personal data associated with your account will be deleted or anonymized within 30 days, except where M90 is required or permitted by law to retain such data for longer (e.g., financial records, active legal proceedings, or security investigation data).

8. COOKIES AND TRACKING TECHNOLOGIES
8.1 What Cookies We Use
M90 uses cookies and similar technologies (including local storage and session tokens) to operate and improve the Services. We use the following categories:

Cookie Type
Purpose
Can You Opt Out?
Strictly Necessary
Authentication, session management, security — the Services cannot function without these
No — required for operation
Functional / Preference
Remembering your settings, language preferences, and UI customizations
Yes — via browser settings
Analytics / Performance
Understanding how the platform is used; identifying errors and performance issues (anonymized/aggregated)
Yes — via browser settings or opt-out tools
Security
Fraud detection, bot prevention, and protection against unauthorized access
No — required for security

M90 may use third-party advertising pixels (such as the Meta/Facebook Pixel) and similar tracking technologies for the purpose of measuring the effectiveness of our own marketing campaigns and reaching users who have previously visited our platform. Where such pixels are active, they may set cookies on your device. We do not use these technologies to serve you behavioral ads within the Services themselves, and you may opt out via your browser settings or the relevant platform’s ad preference tools (e.g., Meta Ad Preferences).
8.2 Managing Cookies
You can control and manage cookies through your browser settings. Most browsers allow you to refuse cookies, delete existing cookies, or alert you when new cookies are set. Note that disabling certain cookies may affect the functionality of the Services. For more information, refer to your browser's help documentation.

9. HOW WE PROTECT YOUR PERSONAL DATA
9.1 Security Measures
M90 implements industry-standard technical and organizational security measures designed to protect your personal data against unauthorized access, accidental loss, destruction, or disclosure. Our security practices include:
	•	Encryption of data in transit using TLS/SSL protocols
	•	Encryption of sensitive data at rest
	•	Multi-factor authentication (MFA) for internal system access
	•	Strict role-based access controls limiting data access to authorized personnel on a need-to-know basis
	•	Regular security audits, vulnerability assessments, and penetration testing
	•	Automated monitoring and alerting for suspicious activity
	•	Regular secure backups with integrity verification
	•	Employee training on data protection and security practices
	•	Contractual data protection obligations imposed on all service providers
9.2 Data Breach Response
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, M90 will:
	•	Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by applicable law
	•	Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms
	•	Take immediate steps to contain, investigate, and remediate the breach
9.3 Your Security Responsibilities
While we work hard to protect your data, you also play an important role in account security. You are responsible for maintaining the confidentiality of your login credentials and for ensuring your account is not accessed by unauthorized persons. If you suspect unauthorized access to your account, contact us immediately at chat@m90.ai.

10. YOUR RESPONSIBILITIES FOR THIRD-PARTY DATA

IMPORTANT: When you use M90 to collect or analyze content from Third-Party Platforms, YOU are the independent data controller for any personal data contained in that content. M90 displays that content privately to you as a technical service only. Your obligations are set out below.

10.1 Independent Data Controller
When you use M90's data collection features to retrieve publicly available content from Third-Party Platforms, and that content contains personal data (e.g., names, usernames, profile images, or other identifiable information), YOU are the data controller for that personal data and M90 acts solely as a data processor / technical intermediary displaying it privately to you.
10.2 Your Obligations
As the independent data controller for any third-party personal data you access through the Services, you are solely responsible for:
	•	Identifying and complying with all applicable legal bases for your collection and processing of that personal data
	•	Ensuring that your collection, analysis, and use of that data complies with all applicable data protection laws including GDPR, CCPA, and equivalent legislation
	•	Providing any required privacy notices to data subjects whose personal data you collect
	•	Honoring any data subject rights requests relating to personal data you have collected
	•	Ensuring that you do not collect personal data you are not authorized to collect
	•	Ensuring that you only use M90's Services to collect publicly available data — not data protected by authentication, login walls, or other access controls
10.3 Private Use Only
All content displayed through your Private Dashboard is for your own private use only. You must not share, distribute, publish, or make available to any third party any personal data or other content collected through the Services. Refer to Section 8 of the Terms of Service for the full private-use restriction.

11. YOUR PRIVACY RIGHTS
11.1 Overview
Depending on your location and the applicable privacy laws, you have the following rights in respect of your personal data. M90 will honor these rights and respond to verified requests within the timeframes specified below.

Right
What It Means
Applies Under
Right of Access
Receive a copy of the personal data we hold about you and information about how we process it
GDPR, CCPA, and most privacy laws
Right to Rectification / Correction
Have inaccurate or incomplete personal data corrected
GDPR, CCPA, and most privacy laws
Right to Erasure ("Right to be Forgotten")
Request deletion of your personal data where there is no overriding legal basis for continued processing
GDPR, CCPA, and most privacy laws
Right to Restrict Processing
Ask us to pause processing of your data in certain circumstances (e.g., while contesting its accuracy)
GDPR and equivalent
Right to Data Portability
Receive your personal data in a structured, machine-readable format to transfer to another provider
GDPR and equivalent
Right to Object
Object to processing based on legitimate interests or direct marketing
GDPR and equivalent
Right to Opt Out of Sale / Sharing
Opt out of sale or sharing of personal data (M90 does not sell data, but you may make this request)
CCPA/CPRA (California)
Right to Non-Discrimination
Not be discriminated against for exercising your privacy rights
CCPA/CPRA (California)
Right to Withdraw Consent
Withdraw previously given consent at any time without affecting prior processing
GDPR, CCPA, and most privacy laws

11.2 How to Exercise Your Rights
To exercise any of your rights, please submit a written request to:
	•	Email: chat@m90.ai
	•	Subject line: "Privacy Rights Request — [describe your request]"
To protect your privacy, we will verify your identity before processing your request. We may ask you to provide information sufficient to confirm you are the account holder (e.g., your registered email address and account details). We do not charge a fee for processing legitimate requests, unless a request is manifestly unfounded or repetitive.
11.3 Response Timeframes
M90 will acknowledge your request within 5 business days and will provide a substantive response within 30 days of receipt of a verified request. If your request is particularly complex or we receive multiple requests from you simultaneously, we may extend this period by up to an additional 60 days, of which we will notify you.
11.4 Right to Lodge a Complaint
If you are located in the European Economic Area or the United Kingdom and believe that we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local supervisory authority. For users in the European Union, the relevant supervisory authority is the data protection authority in your Member State. For users in the United Kingdom, the relevant authority is the Information Commissioner's Office (ICO) at www.ico.org.uk.
For users in California and other U.S. states with applicable privacy laws, you may also contact your state's Attorney General if you believe your privacy rights have been violated. We encourage you to contact us first so we can work to resolve your concern directly.

12. U.S. STATE PRIVACY LAWS
12.1 California
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you specific privacy rights, including those described in Section 11. Key disclosures under California law:
	•	M90 does not "sell" your personal information as that term is defined by the CCPA
	•	M90 does not "share" your personal information for cross-context behavioral advertising
	•	The categories of personal information we collect are described in Section 2
	•	The purposes for which we use personal information are described in Section 4
	•	The categories of third parties with whom we share information are described in Section 5
	•	We do not use sensitive personal information for purposes beyond those permitted under the CPRA
California residents may submit privacy rights requests (access, deletion, correction, opt-out) by emailing chat@m90.ai with the subject line "California Privacy Rights Request." We will respond within 45 days as required by the CCPA.
12.2 Other U.S. States
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), and other states with comprehensive privacy legislation have similar rights to those described in Section 11 to the extent applicable under their respective state laws. Please contact us at chat@m90.ai to exercise your rights.

13. EUROPEAN ECONOMIC AREA AND UK USERS — GDPR / UK GDPR
13.1 Data Controller
For users located in the European Economic Area or the United Kingdom, M90 Corporation is the data controller within the meaning of Regulation (EU) 2016/679 (GDPR) and the UK GDPR respectively.
13.2 Legal Bases Summary
Our processing of your personal data is based on the following legal grounds under the GDPR:
	•	Article 6(1)(b) — Contract performance: processing necessary to provide the Services you have subscribed to
	•	Article 6(1)(c) — Legal obligation: processing required to comply with applicable laws
	•	Article 6(1)(f) — Legitimate interests: processing for our legitimate business interests where not overridden by your rights
	•	Article 6(1)(a) — Consent: processing based on your freely given, informed consent (e.g., marketing emails)
13.3 Data Subject Rights Under GDPR
EEA and UK residents have all rights described in Section 11, including the rights of access, rectification, erasure, restriction, portability, objection, and withdrawal of consent under Articles 15–22 of the GDPR.
13.4 Representative
If required by applicable law, M90 will appoint an EU/UK representative and update this Policy accordingly. In the meantime, EEA and UK residents may direct all privacy inquiries to chat@m90.ai.

14. CHILDREN'S PRIVACY
The Services are designed exclusively for adults aged 18 and over. M90 does not knowingly collect personal data from any person under the age of 18. If you are under 18, you must not use the Services or provide any personal data to M90.
If M90 becomes aware that it has inadvertently collected personal data from a person under 18, we will take immediate steps to delete such data and terminate the associated account. If you believe that M90 may have collected personal data from a minor, please contact us immediately at chat@m90.ai.

15. THIRD-PARTY PLATFORMS AND LINKS
15.1 Third-Party Platform Independence
The Services interact with Third-Party Platforms (such as TikTok, Instagram, YouTube, Facebook, and Twitter/X) at your request. M90 has no control over the privacy practices of these platforms and is not responsible for their privacy policies or data handling. We strongly encourage you to review the privacy policies of any Third-Party Platform whose content you access through the Services.
15.2 External Links
The M90 platform may contain links to external websites or services. These links are provided for convenience only and do not constitute M90's endorsement of those sites. M90 is not responsible for the privacy practices of any external site. We encourage you to read the privacy policy of any external site you visit.
15.3 No Affiliation
M90 has no partnership, affiliation, or commercial relationship with any Third-Party Platform. Access to content from Third-Party Platforms through the Services does not constitute any relationship between M90 and those platforms. You remain solely responsible for complying with the terms and policies of any Third-Party Platform.

16. AUTOMATED DECISION-MAKING AND PROFILING
M90 does not use your personal data for automated decision-making that produces legal or similarly significant effects on you. We may use algorithmic processes to personalize your experience within the platform (e.g., organizing your dashboard or surfacing relevant analytics), but these processes do not constitute legally significant automated decisions.
If M90 introduces any automated decision-making that could significantly affect you in the future, we will notify you in advance, provide an explanation of the logic involved, and offer you the right to human review.

17. QUESTIONS AND CONTACT
We are committed to working with you to resolve any privacy concerns you may have. If you have any questions about this Privacy Policy, how we process your personal data, or how to exercise your privacy rights, please contact us:

For
Contact
General Privacy Questions
chat@m90.ai  |  Subject: "Privacy Inquiry"
Data Subject Rights Requests
chat@m90.ai  |  Subject: "Privacy Rights Request"
DMCA / Copyright Takedowns
chat@m90.ai  |  Subject: "DMCA Takedown Notice — M90"
Security / Data Breach Reports
chat@m90.ai  |  Subject: "Security Report"


M90 CORPORATION — PRIVACY POLICY
Effective Date: March 17, 2026  |  Version 1.0
© 2026 M90 Corporation. All Rights Reserved.  |  chat@m90.ai