Privacy Policy
Last Updated: May 12, 2026
Effective Date: May 12, 2026
1. Introduction
This Privacy Policy describes how MPEP AI ("MPEP AI," "we," "us," "our") collects, uses, discloses, and protects personal information in connection with the mpepai.com website and the patent research, analysis, and matter-workspace features made available through it (collectively, the "Services"). MPEP AI is an independently owned and operated platform created and maintained solely by Kasra Taghavi ("Owner") in his individual capacity and through Monki AI LLC, a Texas limited liability company of which Kasra Taghavi is the sole member.
This Privacy Policy is incorporated into and subject to the Terms of Use. Capitalized terms not defined here have the meanings given in the Terms of Use §2. If you are a legal professional considering whether and how to use the Services with matter-related materials, you should also read the Privilege Policy.
By using the Services, you acknowledge that you have read this Privacy Policy. Where applicable law requires consent for specific processing activities (for example, certain processing in the European Economic Area, the United Kingdom, or for the placement of non-essential cookies), we will obtain that consent through a separate, granular mechanism described in this Policy.
This Policy is designed to address the following data-protection frameworks:
- The EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the UK General Data Protection Regulation, as supplemented by the UK Data Protection Act 2018 ("UK GDPR")
- The California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA")
- The Virginia Consumer Data Protection Act ("VCDPA")
- The Colorado Privacy Act ("CPA")
- The Connecticut Data Privacy Act ("CTDPA")
- The Utah Consumer Privacy Act ("UCPA")
- The Texas Data Privacy and Security Act ("TDPSA")
- The Canadian Personal Information Protection and Electronic Documents Act ("PIPEDA")
- The California Online Privacy Protection Act ("CalOPPA")
- The Children's Online Privacy Protection Act ("COPPA")
Where any of these frameworks grants you a right or imposes a controller obligation not expressly addressed in this Policy, we will honor that right or obligation to the extent applicable law requires.
2. Who We Are; Roles Under Data-Protection Law
For purposes of GDPR, UK GDPR, and U.S. state privacy laws that distinguish controllers from processors (or "businesses" from "service providers"), MPEP AI acts as the controller (and, under CCPA/CPRA, as the business) with respect to personal information we collect from individual users of the Services for our own operational purposes — for example, account identifiers received from our identity provider, usage telemetry, support communications, and conversation history.
When you use features that allow you to upload your own documents, build matter workspaces, or otherwise submit User Content for processing on your behalf, MPEP AI acts as a processor (or "service provider") with respect to personal information contained in that User Content; you remain the controller of that material and are responsible for ensuring that you have a lawful basis to submit it.
We have not appointed a Data Protection Officer because we are not currently required to do so under GDPR Article 37. If you have a question about our processing that requires an authoritative answer from a representative, contact us through the contact form described in Section 19.
3. Definitions
For purposes of this Policy, the terms "personal data," "personal information," "processing," "data subject," "consumer," "sale," "share," "sensitive personal information," and "sub-processor" have the meanings given to them under the applicable data-protection framework. Where those frameworks differ, the meaning most protective of the individual applies.
4. Information We Collect
4.1 Account and identity information
When you sign in to the Services, we receive a stable user identifier, your email address, and basic profile information from our third-party identity provider. If you authenticate using a federated identity (for example, a corporate single-sign-on or a consumer identity provider), we receive only the limited profile attributes that you have authorized the identity provider to share.
If you use the public-preview pages for MPEP search at /try/mpep or for CAFC decision search at /try/cafc without signing in, we do not receive an account identifier or email address for you. We do still receive the request-level telemetry described in Section 4.5 (IP address, user-agent string, approximate region inferred from the IP address, application performance and error information, and feature-usage events), which is used for security, anti-abuse, and aggregate analytics. We do not link public-preview activity to any account because there is no account to link it to.
4.2 Beta status; payment information
The Services are currently offered in a Beta Period at no cost, as described in Terms of Use §5. Because no fees are charged during the Beta Period, we do not currently collect payment-card numbers, bank-account information, or other payment instruments from users. If MPEP AI introduces paid plans in the future, billing and payment information will be collected and processed by a third-party payment processor that we will identify in a then-current version of this Policy before any charge is incurred.
4.3 User Content
"User Content" includes everything you submit through the Services, including:
- Free-text questions, prompts, and chat messages
- Uploaded files (patent documents, office actions, notes, exhibits, or other materials you choose to attach)
- Matter-workspace records you create to organize your work
- Highlighted excerpts, annotations, and tags
- Saved queries, saved searches, and saved analyses
You are responsible for the lawfulness of User Content you submit. The categories of material you should not submit, and the affirmations you make when you do submit matter-related material, are described in Terms of Use §8 and the Privilege Policy.
4.4 Conversation and research history
The Services maintain a per-user record of your interactions with the AI assistant — including prompts, responses, the tools the assistant invoked, and the documents it consulted — so that you can return to prior conversations, continue research threads, and audit how an answer was produced. You may delete individual conversations, and we honor deletion requests as described in Section 11.
4.5 Telemetry and technical information
When you access the Services, we automatically collect:
- IP address, user-agent string, and approximate region inferred from the IP address (used for security, fraud prevention, and aggregate analytics)
- Application performance, error, and diagnostic information
- Feature-usage events (which pages you visited, which features you engaged, which results you opened)
- Audit records associated with each tool invocation made by the AI assistant on your behalf, capturing tool name, the parameters supplied, the size and latency of the response, and any error code, so that you and we can later understand what the assistant did during a given session
4.6 Communications
If you contact us through the contact form on mpepai.com, we collect the information you provide in that submission so we can respond.
4.7 Information we do not collect
We do not collect biometric identifiers (such as fingerprints, voice prints, or facial geometry). We do not collect precise geolocation data. We do not purchase personal information from third-party data brokers, and we do not enrich your profile with data acquired from advertising networks.
5. How We Use Information
We use the information described in Section 4 to:
- Provide, operate, secure, and maintain the Services
- Authenticate you and manage your account
- Process your prompts, run searches, retrieve relevant documents, and generate AI responses
- Maintain your conversation history, saved queries, matters, vault files, notes, notifications, and other user-organized records
- Communicate with you about the Services, including transactional messages, security notices, and responses to support inquiries
- Detect, investigate, and prevent fraud, abuse, security incidents, and violations of the Terms of Use or Acceptable Use Policy
- Comply with legal obligations and respond to lawful requests
- Conduct internal analytics, debugging, and quality assurance using aggregated and de-identified data
- Improve the Services, including refining retrieval quality and evaluating model performance against held-out test sets
We do not use User Content or conversation history to train general-purpose AI foundation models, and our agreements with the AI providers we engage are configured so that those providers do not retain customer prompts and responses for their own model training. See Section 7 for details.
6. Legal Bases for Processing (GDPR / UK GDPR)
If you are located in the EEA or the United Kingdom, we process your personal data on the following legal bases under GDPR Article 6:
- Performance of a contract (Art. 6(1)(b)) for processing necessary to deliver the Services you have requested — for example, authenticating you, running your prompts, and storing your saved work.
- Legitimate interests (Art. 6(1)(f)) for security, fraud prevention, diagnostic and aggregate analytics, and internal quality improvement, balanced against your interests and fundamental rights and freedoms. You may object to processing on this basis as described in Section 11.
- Compliance with a legal obligation (Art. 6(1)(c)) for processing necessary to satisfy applicable law.
- Consent (Art. 6(1)(a)) for processing that is not necessary to deliver the Services and that we cannot justify on another basis — for example, optional analytics cookies or other elective features that are presented to you separately. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
We rely on Articles 12–22 of GDPR to define the scope of your rights and our obligations to facilitate them, on Article 28 to govern our relationships with sub-processors, on Article 32 for our security obligations, and on Articles 44–49 for any international transfer of personal data outside the EEA or the United Kingdom.
We do not engage in solely automated decision-making that produces legal or similarly significant effects concerning you within the meaning of GDPR Article 22.
7. How We Share Information; Categories of Recipients
We engage third-party service providers to host the Services, process AI requests, deliver search and retrieval functionality, send transactional messages, and provide other operational capabilities. Each provider is bound by a written agreement that limits its processing to instructions issued by MPEP AI, that requires appropriate confidentiality and security commitments, and that, where applicable, is supported by Standard Contractual Clauses or another lawful transfer mechanism. To avoid disclosing information that could be useful to an attacker, this Policy describes the categories of recipients with which we share personal information rather than the specific commercial vendors that fulfill each category at any given time.
7.1 Categories of recipients
We share personal information with the following categories of service providers:
- Generative AI providers. As described in Terms of Use §13, the Services use Anthropic Claude, Google Gemini, and Google Cloud to generate AI responses and to run agentic task workspaces. When you create an agentic task, your task instructions, task titles, attached matter content, and account identifiers are transmitted to Anthropic PBC for the duration of the task session. The in-app Support assistant likewise uses Anthropic Claude to answer your questions about using the Services; the text of your Support questions and the assistant's answers are transmitted to Anthropic PBC and are routed through an enterprise configuration that disables retention of customer prompts and responses for foundation-model training. We may also use other AI providers under enterprise routing to support specific workflows. For matter content, vault content, and other privileged user inputs, requests are routed exclusively through enterprise routes that are configured to disable retention of customer prompts and responses for foundation-model training.
- Identity and authentication provider. A third-party identity provider performs sign-in, sign-up, and session management.
- Cloud hosting, edge delivery, and infrastructure providers. One or more cloud providers host the application, deliver content at the network edge, and provide the underlying compute on which the Services run.
- Cloud storage providers. One or more cloud storage providers store uploaded files, generated artifacts, and backup copies of data.
- Database providers. Managed database providers host the primary application database and any auxiliary data stores.
- Search and retrieval infrastructure providers. Managed search-and-retrieval providers operate the indexes that enable the Services to surface relevant content in response to a query. These providers generally receive numerical representations or search indexes rather than the raw text of your prompts.
- Background-job and durable-execution providers. A workflow provider handles long-running and scheduled background work.
- Isolated compute providers. An isolated-compute provider may perform auxiliary processing tasks on your behalf as part of fulfilling a request.
- Document-understanding providers. A document-extraction service may parse uploaded documents to extract text and structure.
- Transactional email provider. An email-delivery provider sends transactional messages (for example, security notices and responses to support requests).
- External research providers (opt-in only). When you have enabled external tools for a session, query text may be transmitted to one or more public web-search, patent-corpus search, and scholarly-search providers in order to fulfill your research request. When external tools are disabled, the AI assistant cannot transmit data to these providers. You may disable external tools at any time.
- Authoritative public-records sources. As described in Terms of Use §13, the Services may query United States Patent and Trademark Office (USPTO) systems and Court of Appeals for the Federal Circuit (CAFC) records to retrieve public patent and prosecution data.
- Payment processor (future). Because no fees are charged during the Beta Period, no payment processor receives data today. If a paid plan is introduced, a third-party payment processor will collect and process payment information; that information will be governed by the then-current version of this Policy.
The specific commercial vendors that fulfill each of these categories may change over time as we add, replace, or remove providers. If you require the current list of named vendors for a regulated or contractual purpose (for example, a vendor-risk assessment or a controller-to-processor due-diligence review), submit a request through the contact form described in Section 19.
7.2 What AI providers receive
When you send a prompt to the AI assistant, the prompt — together with any relevant document excerpts the assistant has retrieved to answer it — is transmitted to the AI provider that handles the request. When you create an agentic task, the task instruction and title, any matter files you attach, follow-up messages you send within the task, and a stable account identifier are transmitted to the AI provider that hosts the task workspace. The workspace is archived when the task is closed; content transmitted to the AI provider is thereafter retained by that provider in accordance with its enterprise data-retention practices until deleted. For matter content, vault content, and other privileged user inputs, the request is routed exclusively through an enterprise route configured to disable retention of customer data for foundation-model training. Non-privileged development paths may use a separate route for engineering and evaluation workloads, but matter content and vault content are never routed through that separate path.
7.3 What search-and-retrieval providers receive
Search-and-retrieval providers generally receive numerical representations or search indexes rather than the raw text of your prompts. Where a provider necessarily requires query text or candidate result text to fulfill its function, only that minimal text is transmitted.
7.4 Other disclosures
Beyond the categories of recipients listed above, we may disclose personal information:
- To comply with applicable law, regulation, legal process, or enforceable governmental request
- To protect the rights, property, or safety of MPEP AI, its users, or the public
- In connection with a merger, acquisition, financing, or sale of assets, in which case we will require the recipient to honor commitments materially consistent with this Policy
- With your direction or consent
7.5 What we do not do
We do not sell personal information for money. We do not "share" personal information for cross-context behavioral advertising as those terms are defined under CCPA/CPRA. We do not display third-party advertising on the Services. We do not enable advertising-network pixels, retargeting tags, or social-media tracking pixels.
8. Cookies and Similar Technologies
We use a minimal set of cookies and similar technologies. Strictly necessary cookies (authentication session, cross-site request forgery protection, and load-balancing) are used by default and cannot be disabled without breaking the Services. We do not deploy third-party advertising or cross-site tracking cookies. Where any optional analytics or functional cookies are introduced, we will obtain prior consent through a consent banner in jurisdictions that require it (including the EEA, the United Kingdom, and applicable U.S. states).
For more detail on the cookies in use, see our Cookie Policy.
9. Do Not Track; Global Privacy Control
We honor the Global Privacy Control ("GPC") signal where required by U.S. state privacy law. Because we do not sell personal information and do not share personal information for cross-context behavioral advertising, GPC does not change a default for those purposes; we treat it instead as a confirmation that you have not opted in to any such activity in the future. We do not respond to legacy browser "Do Not Track" headers in any other way; this Section satisfies the disclosure-of-DNT-response requirement under CalOPPA.
10. International Data Transfers
The Services are operated from the United States, and our sub-processors are located primarily in the United States, with edge points of presence and replication in other regions. If you are accessing the Services from the EEA, the United Kingdom, or another jurisdiction that restricts cross-border transfers, your personal data will be transferred to, and processed in, countries that may not provide the same level of protection as your country of residence.
For transfers from the EEA, we rely on the European Commission's Standard Contractual Clauses (Module Two: Controller to Processor and Module Three: Processor to Processor as applicable). For transfers from the United Kingdom, we rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses. Where an adequacy decision applies to a given destination (for example, transfers to a country covered by a European Commission adequacy decision), we may rely on that decision instead.
11. Your Rights
Subject to verification and to the limits and exceptions allowed by the applicable framework, you may exercise the rights listed below.
11.1 Rights under GDPR and UK GDPR (Articles 12–22)
You have the right to:
- Confirm whether we process personal data about you, and obtain a copy of that data (right of access; Art. 15)
- Have inaccurate personal data corrected (right to rectification; Art. 16)
- Have personal data deleted in defined circumstances (right to erasure; Art. 17)
- Restrict our processing in defined circumstances (right to restriction; Art. 18)
- Receive personal data you provided to us in a structured, commonly used, machine-readable format and to transmit it to another controller (right to portability; Art. 20)
- Object to processing carried out on the basis of legitimate interests (right to object; Art. 21)
- Withdraw consent at any time where processing is based on consent (Art. 7(3))
- Lodge a complaint with the supervisory authority in your country of residence
11.2 Rights under CCPA/CPRA (California)
California residents have the right to:
- Know the categories and specific pieces of personal information we have collected
- Know the categories of sources, the purposes for collection, and the categories of third parties to whom we disclose personal information
- Delete personal information we collected from you, subject to legal exceptions
- Correct inaccurate personal information
- Opt out of the sale or sharing of personal information (we do not sell or share, as those terms are defined)
- Limit the use and disclosure of sensitive personal information (see Section 12)
- Receive non-discriminatory treatment for exercising your rights
Categories collected (CCPA/CPRA enumeration). We collect identifiers; internet or other electronic network activity information; geolocation inferred from IP address (at country/region granularity, not precise); commercial information limited to the existence of any account or subscription relationship; and inferences drawn from the foregoing to operate and improve the Services. We disclose these categories for business purposes to the sub-processors listed in Section 7.
11.3 Rights under VCDPA, CPA, CTDPA, UCPA, and TDPSA
Residents of Virginia, Colorado, Connecticut, Utah, and Texas have rights to access, correct (where applicable under the relevant statute), delete, and obtain a portable copy of personal data, as well as the right to opt out of targeted advertising, sale of personal data, and certain forms of profiling. As noted above, we do not engage in targeted advertising, sale, or solely automated profiling that produces legal or similarly significant effects, so the opt-out is honored by default.
For the Texas Data Privacy and Security Act, MPEP AI is operated by a Texas-based individual and Texas LLC; Texas residents are entitled to the rights TDPSA confers, including the right to confirm processing, access, correct, delete, port, and opt out of targeted advertising, sale, and profiling.
11.4 Rights under PIPEDA (Canada)
Canadian residents have the right to access personal information we hold about them, to challenge the accuracy and completeness of that information and have it amended, and to withdraw consent, subject to legal and contractual limitations.
11.5 How to exercise your rights
To exercise any of the rights above, submit a request through the contact form on mpepai.com and identify the right you wish to exercise. We may need to verify your identity before completing the request, particularly for access, portability, and deletion requests. We will respond within the timeframe required by the applicable framework (generally one month under GDPR/UK GDPR, with one extension where permitted; forty-five days under CCPA/CPRA, with one extension; and the periods specified by other state and national laws).
If you are an authorized agent acting on behalf of a consumer, we will additionally require written authorization from the consumer.
11.6 No discrimination
We will not discriminate against you for exercising any privacy right. We will not deny you the Services, charge you a different price, or provide a different level of service because you exercised a right under applicable law.
12. Sensitive Personal Information
Under CPRA, "sensitive personal information" includes precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, the contents of mail/email/text messages where MPEP AI is not the intended recipient, genetic data, biometric data processed to identify a consumer, health information, and information about sex life or sexual orientation.
We do not intentionally collect sensitive personal information for any purpose other than as strictly necessary to provide the Services as defined under CPRA § 1798.121(d) and its implementing regulations. We do not use sensitive personal information to infer characteristics about you. Because we do not use sensitive personal information for purposes that trigger the right to limit, the right to limit is honored by default.
Do not submit sensitive personal information through User Content. If sensitive information appears in a document you upload, you remain responsible for ensuring you have a lawful basis to disclose it.
13. Children's Privacy
The Services are not directed to children. We do not knowingly collect personal information from children under 13 (or, in the EEA, under the age set by the relevant member state under GDPR Article 8, which is 16 unless the member state has lowered it). If you believe we have inadvertently collected personal information from a child under the applicable age, contact us through the contact form on mpepai.com and we will take steps to delete the information promptly. This Policy is intended to satisfy the COPPA disclosure requirements that apply when an operator does not target children under 13.
14. Data Retention
We retain personal information only as long as necessary for the purposes for which it was collected, to comply with our legal obligations, to resolve disputes, and to enforce our agreements.
- Account records are retained for the duration of your account and for a limited period after deletion to allow us to honor recovery requests and to satisfy legal obligations.
- Conversation history, saved queries, saved searches, matter records, vault files, notes, notifications, and similar user-organized records are retained until you delete them or until you delete your account. Soft-deleted records (records placed in a trash state) are retained briefly to allow recovery and are then permanently removed.
- Telemetry, error, and audit records are retained only as long as needed for security, debugging, and compliance.
After the applicable retention period, personal information is deleted or irreversibly de-identified.
15. Security
We apply technical and organizational measures designed to protect personal information against unauthorized access, alteration, disclosure, and destruction. These include encryption in transit using industry-standard transport-layer security, encryption at rest using the default mechanisms provided by our cloud and storage providers, role-based access controls, per-user data segregation enforced through access controls applied at multiple layers, principle-of-least-privilege for administrative access, and audit logging of significant actions taken by the AI assistant on your behalf. No system of electronic transmission or storage is perfectly secure, however, and we cannot guarantee absolute security.
If we become aware of a personal-data breach that affects you and that meets the notification thresholds of applicable law, we will notify you and the relevant supervisory authority within the timeframes those laws require.
16. Automated Decision-Making
MPEP AI uses AI systems to generate research output, draft text, and surface relevant documents. These are decision-support outputs intended to inform your own professional judgment. We do not use automated decision-making to make decisions that produce legal or similarly significant effects concerning you within the meaning of GDPR Article 22. Output is not legal advice and should not be relied on as a substitute for the judgment of a licensed patent attorney or registered patent agent; see Terms of Use §6 and the Privilege Policy.
17. Beta Status
The Services are currently offered at no cost during a Beta Period as described in Terms of Use §5. MPEP AI reserves the right to introduce fees at any time and without notice. The collection of payment information will be governed by an updated version of this Policy at that time.
18. Changes to This Policy
We may update this Policy from time to time. Material changes will be reflected by updating the "Last Updated" date at the top of this Policy and, where the change is significant, by posting a notice through the Services. Your continued use of the Services after the effective date of an updated Policy constitutes acceptance of the updated Policy to the extent permitted by applicable law. Where applicable law requires us to obtain renewed consent for a material change, we will do so before relying on the new basis.
19. Contact
Questions about this Privacy Policy, requests to exercise your rights, or complaints about our handling of personal information should be submitted through the contact form on mpepai.com. We do not provide a support email address, postal address, or telephone number.
If you reside in the EEA or the United Kingdom and have a complaint we have not resolved to your satisfaction, you also have the right to lodge a complaint with your national data-protection authority.