MeshX Software Ltd is the controller of personal data collected through meshx.uk and the MeshX platform (including Create, Shop Manager, and Print Network modules).
This policy describes how we collect, use, store, and share personal data when you visit meshx.uk or use our services, and your rights under UK GDPR and EU GDPR where applicable.
3. Data we may collect
Account & profile: name, email address, company name, authentication identifiers.
Service usage: designs, catalogue data, listings metadata, order details, application logs, and support communications.
Marketplace connections: where you connect Etsy, eBay, TikTok Shop, or similar platforms, we process OAuth tokens, shop identifiers, shop names, and order data strictly as needed to provide the features you enable. We do not collect your marketplace passwords.
Technical data: IP address, device/browser type, session identifiers, and cookies (see Cookie policy).
Billing: payment processing is handled by Stripe. We receive limited billing metadata (e.g. last four digits of card, payment status) but do not store full card numbers.
4. Lawful bases
We process personal data on the following lawful bases under UK GDPR:
Performance of a contract (Article 6(1)(b)) — to provide the MeshX platform and services you subscribe to, process orders, and manage your account.
Legitimate interests (Article 6(1)(f)) — for security (fraud prevention, abuse detection, session management), product improvement, and system monitoring, where balanced against your rights.
Consent (Article 6(1)(a)) — where required, for example certain cookies or optional marketing communications. You may withdraw consent at any time.
Legal obligation (Article 6(1)(c)) — where we are required to process data by law (e.g. tax records, regulatory requests).
5. How we use data
Provide, secure, and improve the MeshX platform and services.
Authenticate users and enforce access controls.
Process orders, payments, and marketplace integrations on your behalf.
Communicate service, billing, and security notices.
Comply with law and respond to lawful requests.
6. Subprocessors & international transfers
We use the following trusted infrastructure and service providers to deliver our services:
Provider
Purpose
Data location
Supabase (via AWS)
Database, authentication
eu-west-3 (Paris, France)
Cloudflare
CDN, DDoS protection, R2 object storage
Western Europe (WEUR)
Stripe
Payment processing, Connect payouts
UK / EU
Marketplace APIs (Etsy, eBay, TikTok Shop)
Order retrieval, listing management (user-authorised)
As per each platform
Where data is processed outside the UK or EEA, appropriate safeguards are in place (e.g. UK International Data Transfer Agreement, EU Standard Contractual Clauses, or adequacy decisions).
7. Retention
Account data (name, email, profile): retained while your account is active, plus 30 days after account deletion to allow for reactivation requests.
Order and billing records: retained for 7 years after the transaction, as required by UK tax and accounting obligations.
Application and security logs: retained for 90 days, then automatically purged.
Marketplace tokens: deleted immediately when you disconnect a marketplace integration, or when your account is closed.
Design files and media: deleted within 30 days of account closure, unless separately retained by the user via their own downloads.
8. Your rights
Under UK GDPR, you have the right to:
Access the personal data we hold about you.
Rectify inaccurate or incomplete data.
Erase your data (subject to legal retention requirements).
Restrict processing in certain circumstances.
Object to processing based on legitimate interests.
Port your data to another provider in a machine-readable format.
Withdraw consent at any time where processing is consent-based.
To exercise any of these rights, contact privacy@meshx.uk. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.
9. Children
Our services are not directed at children under 16. We do not knowingly collect personal data from anyone under this age.
10. Changes
We will update this policy when our practices change. The “Last updated” date below will be revised. Where changes are material, we will notify you via email or an in-app notice.