← Institute home

Legal

Privacy Policy

Last updated: 10 May 2026

Medulla AI Security Research Institute (“Medulla Institute,” “we,” “us,” or “our”) is an independent nonprofit research organization based in Silicon Valley, California, United States. This Privacy Policy describes how we collect, use, disclose, and protect personal information in connection with the public website that links to this policy (the “Site”). It is intended to meet transparency expectations under U.S. federal and state law, including for visitors and residents of California.

Unless another agreement or notice states otherwise (for example, a joint research program, grant, or employment application), we are the organization responsible for personal information described here. This Policy does not apply to third-party websites, repositories, or services that are linked from the Site.

By using the Site, you acknowledge that you have read this Privacy Policy. If you do not agree, please discontinue use of the Site.

1. Children (COPPA)

The Site is not directed to children under 13. We do not knowingly collect personal information online from children under 13 in a manner covered by the U.S. Children's Online Privacy Protection Act (“COPPA”). If you believe we have received such information, contact us at research@medullainstitute.org and we will take appropriate steps to delete it.

2. Categories of information we may collect

Depending on how you interact with us, categories may include:

  • Identifiers and contact information you provide (for example, name, email address, affiliation, or similar).
  • Professional or employment-related information you choose to share (for example, organization name, title, or role) in research, disclosure, or partnership contexts.
  • Internet or other electronic network activity collected automatically or by our hosting and security providers (for example, IP address, browser and device characteristics, referring URL, pages viewed, and approximate location derived from IP).
  • User-generated content you submit for display on the Site, if we offer that in the future.

We do not use the Site to collect biometric information, government ID numbers, or health information except as you might voluntarily include in an email (in which case we ask that you share only what is necessary).

3. How we collect information

We obtain personal information when you provide it directly (for example, by emailing us or completing forms we may add), when it is generated through your use of the Site, or when service providers acting on our behalf process it under contract. If we deploy optional analytics or similar technologies that use cookies, we will update this Policy and provide choice mechanisms where required by applicable U.S. state law.

4. Why we use information (U.S. purposes)

We use personal information for purposes that include:

  • Responding to inquiries and coordinating research or security disclosure correspondence.
  • Operating, securing, and improving the Site; fraud and abuse prevention; and legal compliance.
  • Nonprofit governance, grants, audit, and recordkeeping.
  • Communicating about our mission and programs where consistent with your expectations and applicable law.
  • Any other purpose disclosed at collection or with your consent.

5. Security and retention

We use reasonable administrative, technical, and organizational safeguards designed to protect personal information. No online transmission or storage is completely secure.

We retain personal information for as long as reasonably necessary for the purposes above, including to satisfy legal, tax, accounting, or reporting obligations, and then delete or de-identify it where feasible.

Sale and sharing. We do not sell personal information for money. We also do not share personal information for cross-context behavioral advertising through the Site as described under California law. If our practices change, we will update this Policy and, where required, provide a clear “Do Not Sell or Share My Personal Information” pathway.

6. When we disclose information

We may disclose personal information:

  • To service providers and vendors who process data on our behalf under written terms (for example, hosting, email, or security).
  • To professional advisors (lawyers, accountants, insurers) where appropriate.
  • To comply with law, regulation, court order, or governmental request, or to protect rights, safety, and property.
  • In connection with a merger, acquisition, or change of control, with notice where required by law.
  • With your consent or at your direction.

Links to third parties (for example, GitHub) are governed by those parties' own policies. We are not responsible for their practices.

7. International visitors

Our operations and primary service providers are located in the United States. If you access the Site from outside the U.S., your information may be processed in the U.S. or other countries. Where European data protection law applies, we describe transfers and safeguards in requests we receive from EEA, UK, or Swiss residents; Standard Contractual Clauses or other approved mechanisms may be used where required.

8. California residents — CCPA / CPRA

If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”) may afford you specific rights regarding personal information, to the extent that law applies to our activities. Certain nonprofit and research contexts may limit applicability; regardless, we provide this notice for transparency.

Categories collected (illustrative). In the preceding 12 months, we may have collected the following categories of personal information for the operational purposes in this Policy: identifiers and contact details; professional information; and internet or similar network activity (such as device and usage data logged by infrastructure). We do not use the Site to collect sensitive personal information as defined under the CPRA (for example, precise geolocation, race, health, or government identifiers) except as inadvertently included in communications you send us.

Sources. Directly from you; automatically through the Site; and from service providers acting on our instructions.

Business purposes. Purposes described in Sections 4 and 6 (for example, providing the Site, security, support, and compliance).

Disclosures. We may disclose personal information to service providers and the other categories in Section 6 for operational reasons. We do not sell personal information and we do not share it for cross-context behavioral advertising through the Site as currently operated.

Rights. Subject to exceptions under law, California residents may have the right to: (i) know what personal information we collect, use, and disclose; (ii) request deletion; (iii) request correction of inaccurate information; (iv) opt out of sale (not applicable here) and of sharing for cross-context behavioral advertising (not applicable here as described above); (v) limit certain uses of sensitive personal information (generally not applicable to our Site); and (vi) not receive discriminatory treatment for exercising these rights.

How to submit a request. Email research@medullainstitute.org with “California Privacy Request” in the subject line and a description of your request. We will verify your request as required by law (for example, by matching information you provide with what we maintain). You may designate an authorized agent to submit a request on your behalf where permitted by the CCPA; we may require signed permission from you.

We will respond within the timeframes required by the CCPA (typically 45 days, with an extension if permitted and explained). If we decline a request, you may appeal by replying to our decision within the period stated in our response.

Shine the Light. California Civil Code § 1798.83 permits California residents to request certain information about disclosure of personal information to third parties for their direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes as described in that statute as we operate the Site today.

9. Other U.S. states

Residents of Colorado, Connecticut, Virginia, Utah, Texas, and other states with comprehensive privacy laws may have additional rights (for example, access, deletion, correction, opt-out of targeted advertising, or appeal). Where those laws apply to our processing, you may exercise rights by contacting research@medullainstitute.org. We will respond in accordance with applicable law.

Nevada. We do not sell covered information as defined under Nevada law as we operate the Site today. Nevada residents may still contact us with questions.

10. Your choices (all users)

You may opt out of non-essential email communications by using unsubscribe instructions we include or by writing to research@medullainstitute.org. Browser “Do Not Track” signals and global privacy controls are not uniformly standardized; we look to applicable law and industry practice as those standards evolve.

11. Changes

We may update this Privacy Policy. The “Last updated” date will change when a new version is posted. Material changes may be highlighted on the Site where appropriate.

12. Contact

Privacy questions and requests may be sent to research@medullainstitute.org.

For coordinated security disclosure, follow any dedicated instructions we publish; this Policy is a general website notice and does not replace program-specific rules.

Return to home