Legal

Privacy Policy

Effective date: March 25, 2026 · Last updated: March 25, 2026

Meshio (“we,” “us,” or “our”) operates the Meshio platform, a social media management and analytics tool designed to help content creators grow their audience. This Privacy Policy explains how we collect, use, disclose, retain, and safeguard your personal information when you use our Service.

This Privacy Policy applies to all users of the Meshio platform, including our website, application, and APIs. By accessing or using Meshio, you acknowledge that you have read and understood this Privacy Policy. Where we rely on consent as the legal basis for processing, we will obtain your consent at the relevant time. If you do not agree with this policy, please do not access or use the platform.

This Privacy Policy should be read together with our Terms of Use.

01 Information We Collect

1.1 Account Information

When you create an account, we collect your email address, display name, and profile picture. If you sign up through a third-party authentication provider (e.g., Google, GitHub), we receive the profile information you authorize that provider to share with us. We do not receive or store your third-party account passwords.

1.2 Connected Platform Data

When you connect a social media account (such as X/Twitter, LinkedIn, or Threads), we collect and store:

  • OAuth access tokens and refresh tokens, which are encrypted at rest using AES-256-GCM encryption with keys stored separately from the encrypted data
  • Your platform username, display name, and profile information
  • Post performance metrics including impressions, likes, replies, reposts, clicks, and profile visits

We request only the minimum permissions (scopes) necessary to publish content and retrieve analytics on your behalf. You can review exactly which permissions are granted on each platform’s connected application settings page.

1.3 Content You Create

We store the content you compose within Meshio, including post text, uploaded images, scheduling preferences, labels, and publishing history. Images are stored securely in access-controlled storage and deleted from our storage after successful publication to your connected platforms.

1.4 AI-Processed Data

Meshio uses artificial intelligence to provide content classification, performance insights, content improvement suggestions, and experiment recommendations. To deliver these features:

  • Your post content and aggregated performance data are processed by third-party AI providers (currently OpenAI)
  • We send only the minimum data necessary for each AI operation
  • We do not send your authentication credentials, email address, or personal identifiers to AI providers
  • We have configured our AI provider accounts to opt out of using your data for model training

1.5 Usage Data

We automatically collect information about how you interact with our platform, including pages visited, features used, button clicks, and timestamps. This data is collected to improve the service, diagnose technical issues, and understand feature adoption. We do not use third-party behavioral analytics or advertising trackers.

1.6 Technical Data

When you access the Service, we automatically collect technical information such as your IP address, browser type and version, device type, operating system, referring URL, and timezone. This information is used for security purposes, abuse prevention, and to ensure the Service functions correctly.

02 Lawful Basis for Processing

We process your personal data on the following legal grounds under applicable data protection law (including GDPR where applicable):

Processing Activity | Lawful Basis
Account creation and authentication | Contract performance
Publishing content to connected platforms | Contract performance
Collecting and displaying performance metrics | Contract performance
AI-powered content analysis and suggestions | Legitimate interest (service improvement)
Usage analytics and service improvement | Legitimate interest (product development)
Security monitoring and abuse prevention | Legitimate interest (security)
Service-related emails and notifications | Contract performance / Legitimate interest
Marketing communications (if any) | Consent

Where we rely on legitimate interest, we have conducted balancing tests to ensure our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting us.

03 How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Meshio platform
  • Publish content to your connected social media accounts at your direction
  • Collect and display performance metrics for your published content
  • Generate AI-powered insights, content suggestions, and growth experiments
  • Classify your content by intent, type, and topic to improve analytics accuracy
  • Refresh expired authentication tokens to maintain your platform connections
  • Send you transactional and service-related notifications (e.g., publishing confirmations, connection status updates)
  • Detect, investigate, and prevent fraudulent, unauthorized, or illegal activity
  • Diagnose and resolve technical issues and improve service reliability

We do not sell your personal data to third parties. We do not use your data for targeted advertising. We do not build advertising profiles based on your activity.

04 Data Storage and Security

Your data is stored using Supabase, which provides enterprise-grade PostgreSQL databases with row-level security (RLS) policies ensuring users can only access their own data. All data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 encryption.

Platform authentication tokens receive an additional layer of application-level encryption using AES-256-GCM before database storage. Encryption keys are managed separately from the encrypted data and rotated periodically.

Uploaded media files are stored in a dedicated, access-controlled storage bucket with signed URLs for time-limited access. Files that are not associated with any post are automatically cleaned up within 24 hours.

Our security measures include:

  • Row-level security policies enforced at the database level
  • OAuth 2.0 with PKCE for all third-party platform connections
  • Application-level encryption for sensitive credentials
  • Regular security reviews and dependency updates
  • Access controls limiting employee access to production data on a need-to-know basis

While we implement commercially reasonable security measures following industry standards, no method of electronic storage or transmission over the Internet is 100% secure. We cannot guarantee absolute security and encourage you to use strong, unique passwords and enable two-factor authentication where available.

05 Third-Party Services and Data Sharing

Meshio integrates with the following categories of third-party services. We share only the minimum data necessary for each integration to function:

5.1 Social Media Platforms

We connect to social media platforms (currently X/Twitter, LinkedIn, and Threads) using their official APIs and OAuth 2.0 with PKCE for secure authorization. When you publish content or retrieve analytics, data is transmitted directly between our servers and the platform APIs. These platforms have their own privacy policies governing how they handle your data.

5.2 AI Providers

We use OpenAI to power our content classification, insights generation, content improvement, and experiment suggestion features. Data shared with OpenAI includes post content and aggregated performance metrics only — never authentication tokens, email addresses, or personal identifiers. We have opted out of having your data used for model training in our provider agreements.

5.3 Infrastructure Providers

Our platform is hosted on Vercel (application hosting and edge network) and uses Supabase for database and authentication services. Background job processing is handled by Inngest. Each provider is bound by their respective data processing agreements and maintains SOC 2 or equivalent compliance certifications.

5.4 When We May Disclose Data

Beyond the integrations above, we may disclose your personal data only in the following circumstances:

  • Legal obligation: When required by law, regulation, legal process, or enforceable governmental request
  • Safety and rights: To protect the rights, property, or safety of Meshio, our users, or the public
  • Business transfer: In connection with a merger, acquisition, reorganization, or sale of assets, in which case we will notify you and this Privacy Policy will continue to apply to your data
  • With your consent: When you explicitly direct us to share data with a third party

06 Data Retention

We retain your data only as long as necessary for the purposes described in this policy:

Data Type | Retention Period
Account information | Active account lifetime
User-created content and posts | Active account lifetime
Post performance metrics | Collected over 30 days post-publication; retained for account lifetime
AI-generated insights and classifications | Account lifetime (can be dismissed by user)
Uploaded media (images) | Deleted after publication; orphaned files within 24 hours
OAuth tokens | Until disconnection or account deletion
Usage and technical data | 90 days (rolling)

When you delete your account, we will delete or irreversibly anonymize all personally identifiable information within 30 days, except where longer retention is required by applicable law (e.g., tax or accounting obligations) or to resolve disputes. Backups containing your data are purged within 90 days of account deletion.

07 Your Privacy Rights

Depending on your jurisdiction, you may have some or all of the following rights regarding your personal data:

All Users

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your personal data (subject to legal retention requirements)
  • Data export: Export your data in a structured, machine-readable format (JSON)
  • Withdraw consent: Withdraw consent for optional data processing at any time

Additional Rights for EU/EEA/UK Residents (GDPR)

  • Restriction: Request restriction of processing in certain circumstances
  • Portability: Receive your personal data in a portable format and transmit it to another controller
  • Object: Object to processing based on legitimate interests, including profiling
  • Automated decision-making: Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects
  • Supervisory authority: Lodge a complaint with your local data protection authority

Additional Rights for California Residents (CCPA/CPRA)

  • Right to know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the third parties with whom we share it
  • Right to delete: Request deletion of your personal information
  • Non-discrimination: We will not discriminate against you for exercising your privacy rights
  • No sale of data: We do not sell or share your personal information for cross-context behavioral advertising as defined by the CCPA/CPRA

You can exercise your data export and account deletion rights directly from the Settings page within the platform. For all other requests, please contact us at privacy@meshio.so. We will respond to verified requests within 30 days (or 45 days with notice if additional time is needed).

08 Cookies and Tracking Technologies

Meshio uses only strictly necessary cookies to maintain your authentication session and ensure the Service functions correctly. We do not use:

  • Advertising or targeting cookies
  • Third-party tracking pixels or beacons
  • Behavioral analytics tools (e.g., Google Analytics, Hotjar)
  • Cross-site tracking mechanisms
  • Fingerprinting technologies

Cookie | Purpose | Duration | Type
sb-*-auth-token | Authentication session | Session / 7 days | Strictly necessary

Because we use only strictly necessary cookies, no cookie consent banner is required under the ePrivacy Directive. Session data is stored securely and is not shared with any third party.

09 Children’s Privacy

Meshio is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have inadvertently collected data from a child under 16, we will take immediate steps to delete that information. If you believe we may have collected information from a child, please contact us at privacy@meshio.so.

10 International Data Transfers

Your information may be transferred to and processed in countries other than your own. Our infrastructure providers (Vercel, Supabase) primarily operate data centers in the United States and European Union.

For transfers of personal data from the EU/EEA/UK to countries that have not received an adequacy decision, we rely on appropriate safeguards including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our data processing agreements with sub-processors
  • The EU-U.S. Data Privacy Framework, where our sub-processors are certified participants
  • Supplementary technical measures including encryption in transit and at rest

You may request a copy of the safeguards we rely on by contacting us at the address below.

11 Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by GDPR
  • Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms
  • Document the breach, its effects, and the remedial actions taken in our internal breach register

We maintain incident response procedures and conduct regular security assessments to minimize the risk and impact of potential breaches.

12 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We will notify you of material changes through at least one of the following methods:

  • Posting a prominent notice within the Service
  • Sending an email to the address associated with your account
  • Updating the effective date at the top of this page

Material changes will take effect no sooner than 30 days after notice is given. Where required by law, we will obtain your consent before processing your data in a materially different manner than was described at the time it was collected. Your continued use of Meshio after the updated policy takes effect constitutes acceptance of the changes, to the extent permitted by applicable law.

13 Contact Us

If you have questions, concerns, or complaints about this Privacy Policy or our data practices, or if you wish to exercise any of your privacy rights, please contact us:

Meshio — Privacy

Privacy inquiries: privacy@meshio.so

Data protection requests: dpo@meshio.so

Security incidents: security@meshio.so

If you are located in the EU/EEA/UK and are unsatisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.