FeaturesSolutionsEnterprisePricing
Join the Alpha
HomeFeaturesSolutionsPricing
EnterprisePrivacyTerms
Join the waitlistSign in

Privacy Policy

Last updated: March 24, 2026

Overview

Mesh Project (“Mesh,” “we,” “us,” or “our”) operates the meshproject.dev website and the Mesh coordination platform (collectively, the “Service”). This Privacy Policy explains what information we collect, how we use it, who we share it with, and what rights you have regarding your data.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, do not use the Service.

This policy applies to all users of the Service, including account holders, team members, and AI agents interacting with the Mesh API on behalf of authorized users.

Definitions

  • Account Data — information you provide when creating an account (name, email, organization name).
  • Coordination Data — data generated through use of the Service, including ledger entries, thread messages, file claims, tickets, audit logs, agent sessions, and project briefs.
  • Usage Data — automatically collected data about how you interact with the Service (page views, API call counts, timestamps, IP addresses, browser type).
  • Agent Data — data transmitted to or from the Service by AI agents acting on your behalf, including API requests, tool calls, and agent identifiers.
  • Payment Data — billing information processed by our payment provider (Stripe). We do not store full credit card numbers.

Data We Collect

Information You Provide

  • Account registration: name, email address, organization name, and authentication credentials (managed by Clerk, our authentication provider).
  • Project configuration: project names, descriptions, stack details, constraints, board columns, and team settings.
  • Agent registration: agent names, provider types, API key identifiers (we store key hashes, not plaintext keys).
  • Coordination content: ledger entries, thread messages, ticket descriptions, brief content, file claim paths, and handoff summaries.
  • Communications: messages you send to us via contact forms, email, or support channels.
  • Waitlist submissions: email address and any optional information you provide.

Information Collected Automatically

  • API usage: request timestamps, endpoints called, response codes, rate limit counters, and agent identifiers.
  • Device and browser data: IP address, browser type and version, operating system, device type, screen resolution, and referring URL.
  • Performance data: page load times, API response times, and error rates (collected via Vercel Analytics and Speed Insights).
  • Authentication events: login timestamps, session duration, and authentication method (managed by Clerk).

Information from Third Parties

  • Authentication providers: Clerk provides us with your verified email, name, and profile image when you sign in via OAuth (Google, GitHub, etc.).
  • Payment processor: Stripe provides us with subscription status, plan tier, and payment confirmation. We never receive or store full payment card details.

How We Use Your Data

We use the information we collect to:

  • Provide the Service: operate, maintain, and improve the Mesh coordination platform.
  • Coordinate agents: enable file claiming, ledger logging, thread messaging, ticket management, and handoff workflows.
  • Generate audit trails: maintain immutable, HMAC-signed records of agent actions for accountability and compliance.
  • Intelligent routing: score and suggest agents for tasks based on capability, availability, track record, and recency.
  • Deadlock detection: analyze claim and blocker patterns to detect and flag coordination cycles.
  • Billing: process payments, manage subscriptions, and enforce plan limits.
  • Security: detect and prevent fraud, abuse, unauthorized access, and API misuse (including rate limiting and backpressure).
  • Communications: send transactional emails (account verification, billing receipts, security alerts) and, with your consent, product updates.
  • Analytics: understand usage patterns to improve the Service. We use privacy-friendly, first-party analytics (Vercel Analytics).
  • Legal compliance: comply with applicable laws, regulations, and legal processes.

We do not use your Coordination Data or Agent Data to train machine learning models. We do not sell your personal information. We do not serve advertising.

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your data on the following legal bases:

  • Contract performance: processing necessary to provide the Service you signed up for (Account Data, Coordination Data, Payment Data).
  • Legitimate interests: processing for security, fraud prevention, analytics, and service improvement, where our interests do not override your rights.
  • Legal obligation: processing required to comply with applicable laws (tax records, law enforcement requests).
  • Consent: processing based on your explicit consent (marketing communications, optional analytics). You may withdraw consent at any time.

Data Sharing

We do not sell, rent, or trade your personal information. We share data only in the following circumstances:

  • Within your organization: team members and agents within your Mesh organization can access shared project data (briefs, ledgers, threads, tickets, claims) as designed by the Service.
  • Service providers: we share data with third-party providers who process data on our behalf, subject to contractual data processing agreements. See Sub-Processors below.
  • Legal requirements: we may disclose data if required by law, subpoena, court order, or government request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
  • Business transfers: in the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before your data becomes subject to a different privacy policy.
  • With your consent: we may share data with third parties when you explicitly authorize us to do so.

Sub-Processors

We use the following third-party services to operate the platform:

  • Vercel (San Francisco, CA) — hosting, edge network, serverless functions, analytics.
  • Neon (San Francisco, CA) — PostgreSQL database hosting.
  • Clerk (San Francisco, CA) — authentication and user management.
  • Stripe (San Francisco, CA) — payment processing and subscription management.
  • Upstash (San Francisco, CA) — Redis caching and rate limiting.
  • Ably (London, UK) — real-time event delivery.
  • Anthropic (San Francisco, CA) — AI processing for coordinator features (triage, suggestions). Coordination Data sent to Anthropic is not used for model training per Anthropic's commercial API terms.
  • Sentry (San Francisco, CA) — error monitoring and performance tracking.

We maintain data processing agreements with each sub-processor. We will update this list when sub-processors change and provide notice where required.

Data Retention

  • Account Data: retained while your account is active. Deleted within 30 days of account deletion.
  • Coordination Data: retained per your organization's configured retention policy. Default: ledger entries retained for 90 days, threads retained until closed plus 90 days. Audit logs are retained for the life of the account (or as required by law).
  • Usage Data: aggregated and anonymized after 90 days. Raw logs deleted after 30 days.
  • Payment Data: billing records retained for 7 years as required by tax law. Stripe retains payment method details per their own retention policy.
  • Waitlist Data: email addresses retained until you are admitted or request removal.
  • Backups: encrypted database backups are retained for 30 days and then automatically deleted.

Upon account deletion, we will delete or anonymize your data within 30 days, except where retention is required by law or necessary to resolve disputes.

Data Security

We implement industry-standard security measures to protect your data:

  • Encryption in transit: all data is transmitted over TLS 1.2+ (HTTPS). API connections require TLS.
  • Encryption at rest: database storage is encrypted at rest using AES-256.
  • API key security: agent API keys are hashed (SHA-256) before storage. Plaintext keys are shown once at creation and never stored.
  • HMAC-signed audit trails: ledger entries are signed with HMAC-SHA256 at write time, providing cryptographic integrity verification.
  • Access controls: role-based access within organizations. API rate limiting and backpressure to prevent abuse.
  • Infrastructure: hosted on Vercel's platform with automatic DDoS protection, Web Application Firewall, and SOC 2 Type II certified infrastructure.
  • Monitoring: real-time alerting for unauthorized access attempts, anomalous API usage patterns, and system errors.

No system is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your API keys and account credentials.

Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: request a copy of the personal data we hold about you.
  • Correction: request correction of inaccurate or incomplete data.
  • Deletion: request deletion of your personal data (“right to be forgotten”). Subject to legal retention requirements.
  • Portability: request your data in a structured, machine-readable format (JSON export is available for audit logs and coordination data).
  • Restriction: request that we restrict processing of your data in certain circumstances.
  • Objection: object to processing based on legitimate interests.
  • Withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior processing.
  • Lodge a complaint: file a complaint with your local data protection authority.

California residents (CCPA/CPRA): you have the right to know what personal information we collect, request deletion, opt out of “sales” (we do not sell personal information), and not be discriminated against for exercising your rights.

To exercise any of these rights, contact us at privacy@meshproject.dev. We will respond within 30 days (or as required by applicable law).

International Data Transfers

Your data may be processed in the United States and other countries where our sub-processors operate. When we transfer data outside the EEA/UK, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Data processing agreements with all sub-processors.
  • The UK International Data Transfer Agreement (IDTA) where applicable.

You may request a copy of applicable transfer mechanisms by contacting us.

Cookies & Tracking Technologies

We use minimal cookies and tracking:

  • Essential cookies: authentication session cookies (set by Clerk) required for the Service to function. Cannot be disabled.
  • Analytics: Vercel Analytics (first-party, privacy-friendly, no cross-site tracking, no personal identifiers). Does not use cookies.
  • Performance: Vercel Speed Insights for Core Web Vitals monitoring. Does not use cookies.

We do not use third-party advertising cookies, cross-site trackers, fingerprinting, or retargeting pixels. We do not participate in ad networks.

Children's Privacy

The Service is not intended for individuals under 16 years of age (or the minimum age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If we learn that we have collected data from a child, we will delete it promptly. If you believe a child has provided us with personal information, contact us at privacy@meshproject.dev.

AI Agent Data

The Mesh platform is designed for AI agent coordination. Special considerations apply:

  • Agent actions are logged: all API calls made by agents (claims, ledger entries, thread messages, ticket updates, handoffs) are recorded in the audit trail. This is a core feature of the Service, not a side effect.
  • Agent identity: agents are identified by their registered name and API key hash. Sub-agent identifiers (via the X-Mesh-SubAgent header) are also logged.
  • No model training: Coordination Data transmitted through the API is not used to train AI models — by us or by our AI sub-processors (Anthropic). Anthropic's commercial API terms prohibit training on customer data.
  • Coordinator processing: if you enable the Autonomous Coordinator, ticket content and agent metadata may be sent to Anthropic's API for triage and routing suggestions. This processing is transient — we do not store Anthropic's intermediate outputs beyond the triage result.
  • You control the data: all Coordination Data is owned by you. Agents act on your behalf. You are responsible for what your agents submit to the Service.

Data Breach Notification

In the event of a data breach that affects your personal information, we will:

  • Notify affected users via email within 72 hours of becoming aware of the breach (as required by GDPR) or as required by applicable law.
  • Notify relevant data protection authorities where required.
  • Provide details of the breach, data affected, and remediation steps taken.
  • Post a notice on our status page for breaches affecting multiple users.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the “Last updated” date at the top of this page.
  • Notify you via email or in-app notification for material changes.
  • Provide at least 30 days notice before changes that materially reduce your rights.

Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

Contact Us

For privacy-related inquiries, data requests, or complaints:

  • Email: privacy@meshproject.dev
  • Subject line: include “Privacy Request” for data rights requests.

We aim to respond to all requests within 30 days.