Privacy Policy

Last updated: June 01, 2026

1. Scope

This Privacy Policy explains how Mimetic Inc ("Mimetic", "we", "us", or "our") collects, uses, shares, and protects information when you visit our websites, request a site audit, view an audit report, connect third-party accounts, install our GitHub App, use our Rerun session replay and code-improvement tools, or otherwise interact with our services.

Some features are optional and apply only if you choose to use them, such as Google Analytics, Google Search Console, the GitHub App, Slack notifications, session replay, PR previews, and payments.

2. Information We Collect

  • Contact and account information: business email, name, company, website URL, report access status, consent preferences, unsubscribe tokens, and messages you send us.
  • Site audit inputs: submitted domains, URLs, audit type, form data, and report unlock or booking details.
  • Public website and market data: publicly accessible page content, screenshots, DOM and page metadata, Lighthouse and browser-check results, SEO data, structured data, tracking tags, technology stack signals, public social/profile links, ad/creative observations, and other publicly available business information relevant to a report.
  • Report and workflow data: generated findings, rankings, recommendations, screenshots, code-context manifests, issue backlog items, fix requests, branch names, PR links, preview links, build/check status, acceptance/rejection status, and bounded diffs, prompts, and agent outputs.
  • Usage and device information: IP address, user agent, browser, device, approximate location, timestamps, pages viewed, referrers, UTM parameters, clicks, scroll activity, local identifiers, and error/debug information.
  • Third-party integration data: data from Google Analytics/Search Console, GitHub, Slack, Calendly, payment providers, or other services you connect or authorize.

3. How We Use Information

  • Generate, store, unlock, and deliver site audit reports.
  • Prioritize issues, create backlog items, and suggest improvements based on audits, session evidence, and code context.
  • Run authorized code-improvement workflows, including creating branches, opening pull requests, running checks, deploying review previews, and notifying reviewers.
  • Operate authentication, admin access, report access, rate limiting, security, fraud prevention, abuse prevention, and debugging.
  • Send transactional emails, report links, workflow notifications, booking confirmations, and optional marketing communications.
  • Improve our products, models, prompts, evaluations, ranking logic, and automation quality, including by analyzing de-identified, aggregated, or access-controlled workflow outcomes.
  • Comply with law, enforce our terms, and protect our rights and users.

4. Site Audits and Reports

When you submit a website, Mimetic may crawl and analyze publicly accessible pages and public business information. Reports may include screenshots, page text excerpts, detected tracking tools, technical checks, SEO findings, conversion findings, recommendations, and estimated business impact.

Reports may be stored in our application database and object storage, including Google Cloud Storage. Some reports are email-gated or manually unlocked after a booked call. We may record which report you accessed, the email used to access it, and whether findings were marked completed, dismissed, or sent to a fix workflow.

Do not submit websites or URLs you are not authorized to analyze if the resulting report may contain confidential business information.

5. Session Replay and Rerun

Where session replay is enabled, we use our Rerun SDK and collector to understand product usage and diagnose issues. Rerun may collect page URLs, viewport size, browser and device metadata, clicks, scrolls, navigation, timing information, rage-click signals, console or error information if enabled, and a masked representation of page structure.

Rerun is configured to mask text and inputs by default. For our current Mimetic site instrumentation, network body capture, canvas recording, font collection, console capture, error capture, resource capture, and web-vitals capture are disabled. The Rerun SDK and server also support bot filtering and server-side redaction of common PII and sensitive keys.

Replay data may be summarized into redacted narratives and issue rankings. Raw replay data is treated as sensitive operational data and is access-controlled. Hosted collectors use read/admin keys or GitHub OIDC for authorized access.

6. GitHub App, Code Agent, and PR Previews

If you install the Rerun Code Agent GitHub App, we collect GitHub account, organization, installation, selected repository, permission, branch, commit, pull request, issue, check, and webhook metadata needed to operate the integration.

The GitHub App uses short-lived installation tokens at job time. We do not ask you to provide a personal access token. Depending on the permissions you approve, the app may read repository contents, create branches, push commits, open or update pull requests, read/write issues or PR comments, and trigger preview workflows.

When you ask Mimetic to fix a finding, we may send the selected issue, audit evidence, bounded code context, build/test instructions, and relevant replay summaries to our workflow system and AI coding tools. The workflow may store branch names, PR URLs, preview URLs, check results, bounded unified diffs, agent prompts, and agent outputs so you can review what happened and so we can improve our automation.

PR previews may be deployed to Google Cloud Run and may include review links comparing production and preview pages. Preview URLs are intended for review and may be accessible to anyone with the link unless additional access controls are configured.

7. AI and Automation Providers

Mimetic uses third-party AI providers to generate reports, summarize evidence, rank issues, produce content, and analyze technical context. Current text and code providers include Google Vertex AI (Gemini), Anthropic Claude, and OpenAI; image and video generation uses Replicate. Additional providers may be added or replaced as the Service evolves.

The data sent to each AI provider depends on the task and may include public website content, screenshots, audit findings, selected issue details, and bounded code context. We take reasonable steps to avoid sending secrets, payment data, private personal data, or unneeded sensitive content.

Google user data (data received from Google Analytics or Search Console under scopes you authorize) is transmitted only to the AI providers Mimetic uses to generate audit insights, summaries, and recommendations — currently Google Vertex AI (Gemini), Anthropic, and OpenAI. These providers are bound by their standard enterprise API terms, which prohibit the provider from using the data to train its general-purpose models or for the provider's own purposes, and limit retention to what is necessary to perform the requested processing and to meet the provider's safety, abuse-prevention, and legal obligations. Google user data is not transmitted to Replicate or to any other AI provider.

Some providers may offer prompt caching or similar performance features. We configure provider calls to support product functionality, cost control, and quality, and we rely on provider contractual and platform controls where available.

8. Google Analytics and Search Console (Optional)

If you connect Google Analytics or Search Console, we access only the scopes you authorize (currently analytics.readonly and webmasters.readonly, plus your Google account email). This may include available properties, traffic metrics, engagement metrics, traffic sources, device and geography data, page performance, conversion data, and Search Console queries and landing pages.

We use this data to generate analytics insights, detect tracking gaps, benchmark performance, and produce recommendations specific to your property. Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data to serve advertising, do not sell it, and do not transfer it to other applications except (a) to service providers acting on our behalf (currently Google Cloud Platform for hosting, and the AI providers Google Vertex AI / Gemini, Anthropic, and OpenAI for generating insights and recommendations), bound by their standard enterprise API terms that prohibit using the data to train general-purpose models and limit retention to what is necessary to perform the requested processing and to meet the provider's safety, abuse-prevention, and legal obligations; (b) to comply with applicable law; (c) for security and abuse prevention; or (d) in a merger, acquisition, or sale of assets with appropriate notice. We do not allow humans to read your Google user data except with your affirmative consent for specific transactions, for security purposes, to comply with law, or where the data is aggregated and used for internal operations.

Mimetic may publicly display aggregated, non-identifiable statistics derived from connected Google integrations (for example, total annual visitors or revenue tracked across all connected customer properties) to describe the scale of our customer base. Such aggregate statistics do not identify any individual user, property, account, or organization.

You can disconnect Google access from within the Service or revoke it from your Google Account permissions page at any time. When disconnected, we stop accessing new data and promptly delete the stored OAuth access and refresh tokens. Derived analytics snapshots are retained as needed to provide and improve the Service; you may request earlier deletion by contacting us.

9. Communications, Slack, and Bookings

  • Email: We send transactional emails such as report links and service updates. Marketing emails are optional and include unsubscribe options.
  • Calendly or booking tools: If you book a call, we may receive booking metadata such as name, email, company, domain, time, and responses you provide.
  • Slack: If a Slack integration is configured, we may send selected replay summaries, issue rankings, PR links, preview links, workflow status, and project names to configured Slack channels. We do not intentionally send raw replay event batches or secrets to Slack.

10. Payments

When payments are enabled, payment processors such as Stripe or x402-compatible payment providers may process billing details, transaction metadata, wallet or payment identifiers, fraud signals, and payment status. We do not store full payment card numbers.

11. Cookies, Analytics, and Similar Technologies

We use cookies, local storage, pixels, tags, and similar technologies for authentication, report access, preferences, analytics, attribution, performance measurement, product improvement, and abuse prevention.

Providers may include Google Analytics/Google Tag Manager, RB2B or similar B2B attribution tools, Calendly, email tools, and our own Rerun session replay. We do not currently use Microsoft Clarity on the Mimetic application.

12. Sharing and Service Providers

We do not sell personal information for money. We may share information with:

  • Infrastructure providers such as Google Cloud Platform, Cloud Run, Cloud Storage, database providers, CDN/DNS providers, and logging/monitoring tools.
  • AI and automation providers used to generate, summarize, rank, or implement recommendations.
  • GitHub, Slack, Google, Calendly, email, payment, analytics, and communication providers when you use or authorize those integrations.
  • Professional advisors, security providers, and support vendors.
  • Authorities or third parties when required by law, to prevent abuse, to enforce agreements, or to protect rights, safety, and security.
  • Successors in connection with a merger, acquisition, financing, reorganization, or sale of assets.

13. Data Security

We use technical and organizational safeguards such as access controls, environment-separated secrets, short-lived GitHub installation tokens, masked replay capture, redaction, rate limiting, signed webhooks, OIDC where available, and encrypted transport. No system is perfectly secure, and you should avoid submitting secrets or highly sensitive data unless the feature specifically requires it.

14. Data Retention

We retain information for as long as needed to provide the service, maintain audit and workflow history, improve quality, comply with law, resolve disputes, and enforce agreements.

  • Local Rerun replay storage defaults to a 30-day retention window unless configured differently; hosted object storage may use bucket lifecycle policies.
  • Google Analytics and Search Console OAuth tokens are deleted promptly when you disconnect the integration. Derived analytics snapshots are retained as needed to provide and improve the Service; you may request earlier deletion by contacting us.
  • Reports, audit artifacts, code-change attempts, diffs, PR metadata, and outcome labels may be retained while your account, project, or report remains active, or longer where needed for security, compliance, or product improvement.

15. Your Choices and Rights

Depending on where you live, you may have rights to access, correct, delete, export, restrict, or object to certain processing of your personal information. You may also opt out of marketing emails, disconnect integrations, revoke third-party authorization, uninstall the GitHub App, or request deletion of report or replay data.

To exercise privacy rights, contact contact@trymimetic.com. We may need to verify your identity or authority before acting on a request.

16. International Processing

Mimetic is based in the United States, and our service providers may process information in the United States and other locations. By using the service, you understand that information may be processed outside your jurisdiction, subject to applicable safeguards.

17. Children's Privacy

Our services are intended for businesses and are not directed to children under 13. We do not knowingly collect personal information from children.

18. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date above shows when the policy was last revised. If changes are material, we may provide additional notice through the service or by email.

19. Contact Us

If you have questions about this Privacy Policy or our privacy practices, contact us:
