Privacy Policy

Effective: March 6, 2026 · Last updated: March 6, 2026

1. Who we are

mwen.io (“mwen”, “we”, “us”, “our”) operates the website at mwen.io and the mwen browser extension (together, the “Service”).

For the purposes of the GDPR, mwen.io is the data controller for any personal data processed in connection with this website. For PIPEDA and Law 25, mwen.io is the organisation accountable for the personal information under its control. For the purposes of the Jamaica Data Protection Act 2020 and the Barbados Data Protection Act (Cap. 308D), mwen.io is the data controller responsible for personal data processed in connection with the Service.

Person responsible for the protection of personal information (Law 25 / PIPEDA): The person accountable for privacy compliance at mwen.io can be reached at privacy@mwen.io.

2. The short version

The mwen browser extension stores all identity credentials exclusively on your device, encrypted with AES-256-GCM. We do not collect, transmit, or retain your credentials. We have no user accounts and no analytics pipeline. The only personal data we may hold about you is your email address if you subscribe to our newsletter.

This policy explains in full what data we process, why, on what legal basis, and what rights you have. We are required by law to provide this information and we have written it in plain language.

3. What personal data we collect and why

We process personal data only in the following limited circumstances:

a) Newsletter subscriptions

  • Data collected: Email address only.
  • Purpose: To send product updates and announcements.
  • Legal basis (GDPR / Jamaica DPA / Barbados DPA): Consent (GDPR Art. 6(1)(a); Jamaica DPA 2020 s. 8(1)(a); Barbados DPA Cap. 308D s. 10(1)(a)). You may withdraw consent at any time by clicking the unsubscribe link in any email or by contacting us.
  • Whether provision is required: Voluntary. Providing your email address is not a statutory or contractual requirement. If you do not provide it, you will simply not receive our newsletter — there are no other consequences.
  • Retention: Until you unsubscribe, or within 30 days of a deletion request. We do not share your email address with third parties.

b) Website server logs

  • Data collected: IP address, request path, timestamp, HTTP status code. Standard web server logs generated by our hosting provider.
  • Purpose: Security monitoring and abuse prevention.
  • Legal basis (GDPR / Jamaica DPA / Barbados DPA): Legitimate interest (GDPR Art. 6(1)(f); Jamaica DPA 2020 s. 8(1)(f); Barbados DPA Cap. 308D s. 10(1)(f)) in protecting the security and integrity of the Service.
  • Whether provision is required: This data is generated automatically when you visit any website and is processed on the basis of our legitimate interest. You cannot opt out of server log generation while using the website, though the data is retained for only 30 days and is not linked to your identity.
  • Retention: Up to 30 days, then permanently deleted. These logs are not linked to any identity credential data.

c) Identity credentials stored in the extension

Credentials you add to your mwen vault are encrypted on your device using AES-256-GCM and a key derived from your vault password. They are stored in your browser's local storage only. They are never transmitted to mwen servers. mwen cannot access, view, or recover your credentials under any circumstances, including in response to legal requests, because we do not hold them. This data is outside the scope of this policy as it is not processed by us.

4. Cookies and tracking

This website does not use tracking cookies, advertising pixels, third-party analytics scripts, or device fingerprinting. We do not monitor your browsing behaviour on or off this website.

We do not sell, share, or disclose your personal information for cross-context behavioural advertising purposes. There is no “sale” of personal information as defined under the CCPA/CPRA.

5. How we share your data

We do not sell, rent, or trade your personal information. We share data only in the following circumstances:

  • Hosting infrastructure: Our website is served via third-party cloud infrastructure providers. Server log data passes through their systems. These providers act as data processors under agreements that require them to protect your data.
  • Newsletter delivery: If you subscribe to our newsletter, your email address is processed by our email service provider acting as a data processor.
  • Legal obligations: We may disclose data if required by law, court order, or governmental authority. We will notify you where legally permitted to do so.

6. International data transfers

Our hosting infrastructure and email service provider may process data in countries outside the European Economic Area (EEA), outside Canada, and outside Quebec. Where this occurs:

  • For transfers from the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other appropriate safeguards under GDPR Chapter V.
  • For transfers outside Canada, we ensure that the recipient provides comparable protection to that required under PIPEDA. Please note that personal information transferred to a foreign country may be accessible to courts, law enforcement, and national security authorities of that country under its laws.
  • For transfers outside Quebec, we conduct a privacy impact assessment (PIA) as required by Law 25 and ensure a written agreement is in place providing adequate protection before any transfer occurs.
  • For transfers of personal data outside Jamaica, we ensure appropriate safeguards are in place as required by the Jamaica Data Protection Act 2020 (ss. 45–50), including that the recipient country or organisation provides a level of protection essentially equivalent to that afforded under the DPA 2020.
  • For transfers of personal data outside Barbados, we ensure appropriate safeguards are in place as required by the Barbados Data Protection Act (Cap. 308D, ss. 42–47), including that the recipient provides an adequate level of protection or that appropriate contractual safeguards are in place.

You may request details of the safeguards in place for international transfers by contacting us at privacy@mwen.io.

7. Data retention

We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by law:

  • Newsletter email addresses: Retained until you unsubscribe or submit a deletion request, whichever comes first. Deleted within 30 days of that event.
  • Server logs: Retained for up to 30 days, then permanently deleted.

When retention periods expire, data is securely deleted or anonymised. We do not retain personal data “just in case.”

8. Automated decision-making and profiling

We do not make any decisions about you based solely on automated processing. We do not profile you. No decision with legal or similarly significant effect is made about you through automated means.

9. Your rights

Depending on where you live, you have the following rights over your personal data. The laws and instruments under which each right applies are noted in brackets. In practice, because we hold very little data about most users, many of these rights will be satisfied simply by confirming we hold nothing beyond server logs.

Right: What it means

  • Access: Request a copy of the personal data we hold about you and information about how we use it. [GDPR · PIPEDA · CCPA · Law 25 · Jamaica DPA s. 28 · Barbados DPA s. 26 · Malabo Convention Art. 16]
  • Rectification / Correction: Ask us to correct inaccurate or incomplete personal data. [GDPR · PIPEDA · CCPA · Law 25 · Jamaica DPA s. 30 · Barbados DPA s. 27 · Malabo Convention Art. 17]
  • Erasure / Deletion: Ask us to delete your personal data, subject to legal retention obligations. [GDPR · CCPA · Law 25 · Jamaica DPA s. 31 · Barbados DPA s. 28 · Malabo Convention Art. 17]
  • Restriction of processing: Ask us to pause processing of your data in certain circumstances, such as while a correction request is resolved. [GDPR · Jamaica DPA s. 32 · Barbados DPA s. 29]
  • Portability: Receive your personal data in a structured, commonly used, machine-readable format and transfer it to another controller. [GDPR · Law 25 · Jamaica DPA s. 33 · Barbados DPA s. 30]
  • Object: Object to processing based on legitimate interests. We will stop unless we have compelling grounds that override your interests. You have an absolute right to object to direct marketing at any time. [GDPR · Jamaica DPA s. 34 · Barbados DPA s. 31 · Malabo Convention Art. 18]
  • Withdraw consent: Where processing is based on your consent (e.g. newsletter), you may withdraw it at any time without affecting the lawfulness of prior processing. [GDPR · PIPEDA · Law 25 · Jamaica DPA · Barbados DPA]
  • Automated decision-making: We do not make decisions about you based solely on automated processing (see Section 8). This right is listed here for completeness. [GDPR Art. 22 · Jamaica DPA s. 35 · Barbados DPA s. 32 · Malabo Convention Art. 18(2)]
  • Opt out of sale / sharing: We do not sell or share personal information for cross-context advertising. No action is required, but you may confirm this by contacting us. [CCPA/CPRA]
  • Limit sensitive data use: We do not collect sensitive personal information as defined under CPRA. [CCPA/CPRA]
  • De-indexation / Cessation of dissemination: Request that personal information about you published online be de-indexed or that its dissemination cease, where applicable. [Law 25]
  • Non-discrimination: We will not discriminate against you for exercising any of these rights. [CCPA/CPRA]
  • Lodge a complaint: You have the right to lodge a complaint with your local data protection authority. See Section 11 for relevant authorities. [GDPR · PIPEDA · Law 25 · Jamaica DPA (OIC) · Barbados DPA (Data Protection Commissioner) · Malabo Convention (national DPA of relevant ratifying state)]

The CARICOM Model Privacy Bill and the OECS Data Protection Framework are model instruments that have influenced domestic legislation in the Caribbean. They are not directly binding on mwen.io, but the rights they contemplate are substantively covered by the Jamaica DPA 2020, Barbados DPA, and GDPR entries above. If you are in a CARICOM or OECS member state that has enacted its own data protection legislation, you may have additional rights under that law; the relevant national authority is your first point of contact.

To exercise any of these rights, contact us at privacy@mwen.io. We will respond within 30 days (or within the timeframe required by applicable law). We do not charge a fee for reasonable requests. For CCPA requests, you may also designate an authorised agent to submit a request on your behalf.

10. Security and breach notification

We apply technical and organisational measures appropriate to the risk to protect the personal data we hold. This includes encrypted connections (TLS), access controls on any data stores, and minimal data collection by design.

In the event of a personal data breach that presents a real risk of significant harm to you, we will notify you directly in accordance with our obligations under GDPR (Art. 34), PIPEDA (s. 10.1), and Law 25 (s. 3.5), without undue delay. We maintain an internal register of confidentiality incidents as required by Law 25 (s. 3.8).

Where the Jamaica Data Protection Act 2020 applies, we will also notify the Office of the Information Commissioner (OIC) within 72 hours of becoming aware of a breach, and notify affected individuals directly where the breach is likely to result in high risk to their rights and freedoms (Jamaica DPA 2020 ss. 36–37).

Where the Barbados Data Protection Act (Cap. 308D) applies, we will notify the Data Protection Commissioner of Barbados within 72 hours of becoming aware of a breach, and notify affected individuals directly where required (Cap. 308D ss. 37–38).

11. Supervisory authorities and complaints

You have the right to lodge a complaint with your local supervisory authority if you believe we have not handled your personal data in accordance with applicable law. Relevant authorities include:

  • EU / EEA: Your national data protection authority. A list is available at edpb.europa.eu.
  • Canada: Office of the Privacy Commissioner of Canada (OPC) — priv.gc.ca.
  • Quebec: Commission d'accès à l'information du Québec (CAI) — cai.gouv.qc.ca.
  • California: California Privacy Protection Agency (CPPA) — cppa.ca.gov.
  • Jamaica: Office of the Information Commissioner (OIC) — oic.gov.jm. The OIC supervises compliance with the Jamaica Data Protection Act 2020.
  • Barbados: Data Protection Commissioner of Barbados — dataprotection.gov.bb. The Commissioner supervises compliance with the Barbados Data Protection Act (Cap. 308D).
  • African Union / Malabo Convention: The African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention) entered into force in June 2023 and is binding on its 16 ratifying member states. However, it operates through domestic implementing legislation in each state. If you are in a ratifying state that has enacted implementing law, your complaint should be directed to that state's national data protection authority. No pan-African supervisory body exists for individual complaints at this time.
  • CARICOM / OECS member states: The CARICOM Model Privacy Bill and OECS Data Protection Framework are model instruments, not binding law. Rights arise from the domestic legislation of each member state. If you are in a CARICOM or OECS country that has enacted data protection law, your complaint should be directed to the relevant national authority.

We would always prefer the opportunity to address your concerns directly first — please contact us at privacy@mwen.io before filing a formal complaint.

12. Open source verification

The full source code of the mwen extension, protocol library, and SDK is publicly available on GitHub under the Apache 2.0 licence. The privacy claims in this policy about how the extension operates can be verified by reviewing the code directly.

13. Changes to this policy

We will update this policy when our practices change or when required by law. Material changes will be notified to newsletter subscribers by email. The effective date at the top of this page will always reflect the most recent revision. We will not apply material changes retroactively without providing prior notice.

14. Contact

For any privacy-related queries, requests to exercise your rights, or complaints, contact our privacy team:

mwen.io — Privacy

Email: privacy@mwen.io