Privacy

Privacy notice

Last updated 2026-04

This notice explains what personal information PersonaMesh, Inc. collects, why we collect it, what we do with it, and the rights you have. It applies to personamesh.ai, the Studio, the docs, the API, and the SDKs. Customer-controlled deployments (on-premise, edge) operate entirely under the customer's privacy posture; this notice does not apply there.

What we collect

  • Account information — email, name, role, organization. Provided by you when signing up or by your IdP via OIDC / SAML.
  • Usage and operational data — request logs (path, status, latency, request id), per-tenant usage events (tokens, tool calls, autonomy ticks). Used to run the service and to bill metered plans.
  • Workspace content — personas, memories, conversations, knowledge documents. We process this on your behalf as a data processor; we do not use it to train foundation models.
  • Diagnostic information — browser type, OS, IP address, error stack traces. Used to debug.

Why we collect it

  • To provide the service and authenticate access.
  • To meter and bill usage on paid plans.
  • To diagnose, secure, and improve the service.
  • To comply with legal obligations.

Sharing & sub-processors

We share content with the model + embedding providers you have configured (e.g. Anthropic, Voyage, OpenAI) so we can answer your requests. We list every sub-processor on the sub-processors page and notify customers of changes 30 days in advance.

Retention

Workspace content is retained for the duration of the workspace plus 30 days for backup recovery, then permanently deleted. You can delete content at any time via the API or Studio. Audit events are retained for 1 year online, 7 years cold (where applicable), consistent with industry compliance norms.

Your rights

Subject to local law (GDPR, UK GDPR, CCPA / CPRA, etc.), you have the right to access, correct, delete, restrict processing of, and port your personal data, and to object to processing or withdraw consent. Email privacy@personamesh.ai and we'll respond within 30 days (typically much sooner).

International transfers

We host customer data in the region the customer chose (us-east, us-west, eu-west, or ap-southeast). Cross-border transfers, when required, use Standard Contractual Clauses (or equivalent) and the UK Addendum where applicable.

Children

PersonaMesh is not directed at children under 16 and we do not knowingly collect their personal information.

Changes to this notice

We'll update this page when our practices change and bump the "last updated" date. Material changes are also announced via email to workspace owners.

Contact

Privacy questions: privacy@personamesh.ai. For an EU representative or DPO arrangement, see the data processing addendum.