1. Data we process
We process only what the Platform requires to deliver its service: account identity, usage telemetry, and any content the customer uploads. We do not purchase personal data.
For customer-uploaded personal data, the customer is the data controller; we act as a data processor under a Data Processing Agreement available on request.
2. Lawful basis
Contract performance (GDPR Art. 6(1)(b)) and legitimate interest (GDPR Art. 6(1)(f)) for Platform operation. The lawful basis for customer-uploaded personal data is the customer's responsibility.
3. How we use data
- To operate the Platform for the customer that uploaded it
- To improve service quality through aggregated, anonymized analytics only
- We do NOT sell personal data. We do NOT train third-party AI models on customer data. We do NOT share data across customers.
4. Retention
Account data retained for the duration of the subscription plus 12 months for audit. Uploaded content retained per the customer's configuration. Deletion requests via privacy@ processed within 30 days.
5. Your rights (GDPR / CCPA / CPRA / Québec Law 25 / PIPEDA / LGPD / PDPA / DPDPA)
- Access · Rectification · Erasure · Portability · Objection · Withdraw consent · Lodge complaint with local DPA
6. International transfers
Data processed in Canada. EU/UK transfers use Standard Contractual Clauses. Québec-specific data processed under Law 25 requirements.
7. Security
Encryption at rest and in transit. Mesh-wide HMAC-signed API calls. Incident notification within 72 hours of detection where required by law.