meshr / Privacy
Legal

Privacy Policy

Your privacy matters. Here's exactly how we handle your data.

Last updated: March 25, 2026

meshr.to ("meshr", "we", "us") is committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights regarding your information.

1. Data We Collect

Account Information

Email address, organization name, and authentication credentials (hashed, never stored in plaintext).

Device Information

Device name, hostname, operating system, assigned mesh IP address, and public key. We do not collect device serial numbers or hardware identifiers beyond what you provide.

Connection Metadata

Connection timestamps, heartbeat data, and session duration for health monitoring. We do not inspect or log the content of your encrypted tunnels.

Audit Events

Administrative actions (login, policy changes, device registration) are logged for security and compliance purposes.

2. Data We Do NOT Collect

  • Network traffic content — all tunnels are end-to-end encrypted
  • DNS queries from your devices
  • Browsing history or application usage data
  • Personal files, photos, or communications

3. How We Use Your Data

  • Service delivery: To operate your mesh network, manage devices, and enforce access policies.
  • Security: To detect unauthorized access, audit administrative actions, and protect your infrastructure.
  • Support: To help troubleshoot issues and improve our service.
  • Communication: To send service notifications, security alerts, and (with consent) product updates.

4. Data Storage & Security

All data is encrypted at rest and in transit. Passwords are hashed with bcrypt. SSH session recordings are encrypted with AES-256 and accessible only through HMAC-signed URLs with a 1-hour expiry. For on-premise deployments, all data stays on your infrastructure — nothing leaves your network.

5. Data Retention

Account data is retained while your account is active. Audit logs are retained for 90 days by default (configurable for enterprise customers). SSH session recordings follow your organization's retention policy. When you delete your account, all associated data is permanently removed within 30 days.

6. Third-Party Services

We do not sell, rent, or share your data with third parties for marketing purposes. We may use third-party services for email delivery (SMTP) and error monitoring, subject to their own privacy policies.

7. Your Rights

You have the right to:

  • Access and export your data
  • Correct inaccurate information
  • Delete your account and associated data
  • Object to processing for specific purposes
  • Receive your data in a portable format

To exercise any of these rights, contact us at [email protected].

8. Contact

For privacy-related questions or concerns, contact our data protection team at [email protected].