Introduction
Mycelium LTD (“Mycelium”, “we”, “us”, or “our”) respects your privacy and is committed to protecting your personal data. This privacy policy explains how we collect, use, and safeguard your information when you visit our website at www.mycelium.ai. It does not govern personal data processed inside our SaaS platform on behalf of customers; that processing is governed by the data processing agreement signed with each customer.
Data Controller
Mycelium LTD is the controller for personal data collected through this website.
- Legal entity. Mycelium LTD, registered in Israel, principal office at Tel Aviv, Israel.
- Privacy contact. For any privacy-related question or request, write to info@mycelium.ai.
- Data Protection Officer. Our website processing falls below the GDPR Article 37 thresholds, so we have not appointed a Data Protection Officer. All privacy-related requests should be addressed to the email above.
- EU representative. Mycelium LTD relies on the GDPR Article 27(2) exemption for occasional, low-risk processing through this marketing website and has not appointed an EU representative for website processing. Platform processing on behalf of customers is governed by the customer’s data processing agreement, which addresses representative arrangements where required by the customer’s data-flow scope.
Information We Collect
Information you provide directly. When you fill out our contact form, we collect your name, email address, phone number, and message content. This information is used solely to respond to your inquiry.
Automatically collected information. When you visit the website our servers record standard log information including IP address, browser type, referring page, and timestamp. We use Google Analytics (GA4) to collect anonymized usage data including pages visited, time on site, device type, and approximate geographic location. Google Analytics uses cookies to collect this information. Google Analytics 4 anonymizes IP addresses by default; Google Signals (cross-device tracking based on signed-in Google users) is disabled on this property.
Lawful Basis for Processing
Under GDPR Article 6 we rely on the following lawful bases for each processing activity. The relevant basis is shown alongside each activity below.
| Processing activity | Lawful basis |
|---|---|
| Responding to contact-form inquiries and platform-evaluation requests | Article 6(1)(b), steps prior to entering into a contract |
| Website analytics (Google Analytics 4) | Article 6(1)(a), consent given through the cookie banner |
| Server logs and security monitoring (IP, request metadata) | Article 6(1)(f), legitimate interest in protecting our infrastructure |
| Compliance with legal, regulatory, and tax obligations | Article 6(1)(c), legal obligation |
Where we rely on consent under Article 6(1)(a), you can withdraw that consent at any time through the Cookie preferences link in the site footer. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.
How We Use Your Information
We use the information we collect to respond to your inquiries and contact form submissions, improve our website and user experience, and analyze website traffic and usage patterns.
We do not sell, rent, or share your personal information with third parties for marketing purposes.
Cookies
Our website uses cookies and related local storage in two categories. Necessary items are required for the site to function and to remember your saved consent choice. Analytics items are optional and only set after you opt in. We do not use advertising cookies, cross-site tracking cookies, or social media cookies.
The Google Analytics cookies set after consent are _ga (2 years) and _ga_TQM08196ZQ (2 years). For the full cookie inventory, including the local-storage record we use to remember your consent choice, see the cookie policy.
You can change your analytics consent at any time through the Cookie preferences link in the site footer; clearing or rejecting analytics deletes the analytics cookies set during a prior opt-in. You can also block or delete cookies through your browser settings; the core functionality of our website continues to work either way.
Third-Party Services
We use the following third-party services to operate this website.
- Google Analytics 4 for website analytics. Provider Google LLC. Google’s Privacy Policy.
- Google Cloud Platform for contact-form processing through a Cloud Function and for the email delivery of submitted form payloads. Provider Google LLC. Google Cloud Privacy.
A current sub-processor list with categories, purposes, data locations, and transfer mechanisms is published on our security page.
International Transfers
Some of the services we use process data outside the country in which you reside. The following transfer mechanisms apply.
- Transfers to the United States. Google LLC (Google Analytics 4 and Google Cloud Function) processes data in the United States. Transfers from the EU and the UK rely on Google’s certification under the EU-US Data Privacy Framework and the UK Extension to that framework. Where the framework does not apply or is later invalidated, transfers rely on the Standard Contractual Clauses adopted by the European Commission (Implementing Decision (EU) 2021/914) and on the UK Addendum issued by the UK Information Commissioner.
- Transfers from Israel. Where personal data covered by Israeli Privacy Protection Law is transferred to the United States, we rely on the recipient’s written commitment to apply Israeli-equivalent privacy protections under the Privacy Protection Regulations (Transfer of Information to Databases Abroad), 5761-2001.
- Other jurisdictions. We do not transfer personal data collected through this website to jurisdictions other than the United States and Israel.
Data Storage and Security
Contact form submissions are processed through a Google Cloud Function and delivered through encrypted email. We do not store your form submissions in a database. Website analytics data is processed by Google Analytics under Google’s privacy terms.
We apply the technical and organizational measures required under GDPR Article 32 to protect personal data, including TLS 1.2 or higher in transit, encryption at rest on the underlying storage layer, OAuth2 and JWT authentication on platform APIs, audit logging of state-changing operations, multi-tenant data isolation, and regular testing of these measures. Our full security posture is published on the security page.
Mycelium LTD holds ISO/IEC 27001:2022 certification (Certificate #100326059706) covering the development and operation of our SaaS platform for transportation and shipment management. Marketing website operations follow the same information-security practices, though they are not themselves within the certified ISMS scope.
Security Incidents
If we become aware of a personal-data breach affecting your information we will notify the relevant supervisory authority within 72 hours where required under GDPR Article 33, and notify you directly without undue delay where the breach is likely to result in a high risk to your rights and freedoms under GDPR Article 34. Equivalent commitments apply under the corresponding provisions of Israeli Privacy Protection Law.
Your Rights
Where applicable law grants them, you have the following rights with respect to your personal data.
- Access to your personal data (GDPR Article 15).
- Correction of inaccurate or incomplete data (Article 16).
- Erasure of your personal data (Article 17).
- Restriction of processing (Article 18).
- Portability of data you provided to us, in a structured, commonly used, and machine-readable format (Article 20).
- Objection to processing carried out on the basis of legitimate interest (Article 21).
- Withdrawal of consent at any time, without affecting the lawfulness of prior processing (Article 7(3)).
- Lodging a complaint with a supervisory authority. In Israel this is the Privacy Protection Authority; in the EU and EEA this is the data protection authority of your country of residence; in the UK this is the Information Commissioner’s Office.
How to Exercise Your Rights
To exercise any right above, write to info@mycelium.ai describing your request. We respond within 30 days of receipt. Where the request is complex or we receive a high volume of requests we may extend that period by a further 60 days and will tell you within the first 30 days. The first request you make in any 12-month period is free; for repeat or manifestly unfounded requests we may charge a reasonable fee or decline to act, as permitted by GDPR Article 12. To verify your identity we may ask you to confirm details from a prior interaction with us.
Automated Decision-Making
We do not use your website-collected personal data to make decisions producing legal or similarly significant effects on you under GDPR Article 22. Mycelium’s optimization and dispatch platform makes operational routing decisions inside our customers’ transportation systems; those decisions are governed by the customer’s data processing agreement and are not derived from website visitor data.
Data Retention
We retain personal data only for as long as needed for the purpose for which it was collected, applying the schedule below.
| Data category | Retention period |
|---|---|
| Contact-form submissions and follow-up email | Up to 24 months after the last substantive correspondence, then deleted. If the inquiry becomes a customer engagement, retention shifts to the terms of the customer agreement, typically 7 years after termination for tax and audit purposes. |
| Google Analytics 4 user-level data | 14 months under the Google Analytics default setting; after that period, individual visitor data is automatically deleted by Google. |
| Server logs containing IP addresses and request metadata | 30 days, then deleted. |
| Cookie-consent record (local storage on your device) | Until you clear it or change your preferences. |
Children’s Privacy
Our website is not intended for children under 16. We do not knowingly collect personal information from children. If you believe a child has provided personal data through this website, write to info@mycelium.ai and we will delete it.
Israeli Residents
Mycelium LTD is the controller of website data under the Israeli Privacy Protection Law, 5741-1981, as amended. The website-data database falls below the registration threshold under section 8 of that law as amended by Amendment 13 (2024). Data subjects in Israel have access and correction rights equivalent to those described in Your Rights above and may lodge a complaint with the Privacy Protection Authority.
For Customers
Customers entering into a platform agreement with Mycelium sign a Data Processing Agreement covering GDPR Article 28 processor obligations, sub-processor flow-down, audit rights, and security commitments. Request the current DPA template through info@mycelium.ai or visit our security page for the broader trust posture.
Changes to This Policy
We may update this privacy policy from time to time. Changes will be posted on this page with an updated revision date. Material changes that affect how we process personal data will be highlighted on the page header for a reasonable period after they take effect.
Contact Us
Mycelium LTD, Tel Aviv, Israel. Email info@mycelium.ai.