Privacy Policy
Effective date: 17 March 2026 · Last updated: 17 March 2026
1. Introduction
Bartlomiej Baran Ventures Limited ("Mitigon", "we", "our", or "us") is a company registered in Dublin, Ireland. We operate the Mitigon platform at www.mitigon.com (the "Service"), a web-based tool for visual Failure Mode and Effects Analysis (FMEA).
This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you visit our website or use our Service. It applies to all users, including visitors, free-tier users, and paying customers. By using the Service, you acknowledge that you have read and understood this policy.
2. Data Controller
The data controller responsible for your personal data is Bartlomiej Baran Ventures Limited, Dublin, Ireland. You can reach our data protection contact at [email protected].
3. Information We Collect
We collect the following categories of personal data:
3.1 Information You Provide
- Account information: name, email address, company name, and job title when you create an account or request a demo.
- Billing information: payment card details and billing address are collected and processed by our payment processor (Stripe). We do not store full card numbers on our servers.
- Communications: any information you provide when you contact our support team, respond to surveys, or communicate with us via email.
- User-generated content: FMEA worksheets, risk analyses, diagrams, and other content you create within the Service.
3.2 Information Collected Automatically
- Usage data: pages visited, features used, and interactions within the Service.
- Device and browser data: browser type, operating system, screen resolution, and language preferences.
- Log data: IP address, access times, and referring URLs.
3.3 Analytics
We use Plausible Analytics, a privacy-first, cookie-free analytics tool. Plausible does not collect personal data, does not use cookies, and is fully compliant with GDPR, CCPA, and PECR. All analytics data is aggregated and cannot be used to identify individual users.
4. How We Use Your Information
We process your personal data for the following purposes:
- Service delivery: to create and manage your account, provide access to the platform, and deliver the features you use.
- Communication: to respond to your enquiries, send service-related notices (e.g. security alerts, billing updates), and provide customer support.
- Improvement: to analyse usage patterns, diagnose technical issues, and improve the Service.
- Security: to detect, prevent, and address fraud, abuse, or security incidents.
- Legal compliance: to comply with applicable laws, regulations, or legal processes.
We do not use your personal data for automated decision-making or profiling. We do not sell your personal data to third parties.
5. Legal Basis for Processing (GDPR)
Under the General Data Protection Regulation, we rely on the following legal bases:
- Contract performance: processing necessary to provide the Service you have signed up for (Article 6(1)(b)).
- Legitimate interests: processing necessary for our legitimate interests, such as improving the Service, ensuring security, and communicating with you, provided these interests are not overridden by your rights (Article 6(1)(f)).
- Legal obligation: processing necessary to comply with applicable laws (Article 6(1)(c)).
- Consent: where you have given explicit consent, such as for marketing communications. You may withdraw consent at any time (Article 6(1)(a)).
6. Data Sharing and Third Parties
We share personal data only in the following circumstances:
- Service providers: we use trusted third-party providers to operate the Service, including cloud hosting (infrastructure providers based in the EU), payment processing (Stripe), and email delivery. These providers process data on our behalf under data processing agreements.
- Legal requirements: we may disclose data if required to do so by law, regulation, or valid legal process.
- Business transfers: in the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you of any such change.
We do not share your data with advertisers or data brokers. We do not serve third-party advertisements.
7. International Data Transfers
Your data is primarily stored and processed within the European Economic Area (EEA). Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission, or transfers to countries with an adequacy decision.
8. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. After account deletion, we remove your personal data within 30 days, except where retention is required for legal, tax, or audit purposes. Log data is retained for up to 90 days. Aggregated, anonymised data that cannot identify you may be retained indefinitely.
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
- Access controls restricting personal data access to authorised personnel only.
- Regular security assessments and vulnerability testing.
- Audit logging of data access and system changes.
No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
10. Your Rights
Under GDPR and applicable data protection laws, you have the following rights regarding your personal data:
- Access: request a copy of the personal data we hold about you.
- Rectification: request correction of inaccurate or incomplete data.
- Erasure: request deletion of your personal data ("right to be forgotten").
- Restriction: request that we restrict processing of your data in certain circumstances.
- Data portability: request your data in a structured, commonly used, machine-readable format.
- Objection: object to processing based on legitimate interests or for direct marketing purposes.
- Withdraw consent: where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Irish Data Protection Commission (www.dataprotection.ie) or your local supervisory authority.
11. Cookies
Our website does not use tracking cookies. We use Plausible Analytics, which is entirely cookie-free. We may use strictly necessary cookies for essential functionality such as authentication sessions. These cookies are required for the Service to function and cannot be disabled.
12. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us at [email protected] and we will promptly delete it.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes, we may also notify you via email. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
14. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us:
Bartlomiej Baran Ventures Limited
Dublin, Ireland
Email: [email protected]