Privacy Policy

Last updated: March 2026  ·  Effective: March 2026

Overview

MendMesh is a B2B security workflow tool. We process the minimum data necessary to provide the service, and we never sell your data to third parties.

This Privacy Policy explains how MendMesh ("we", "us", or "our") collects, uses, and protects information when you use our vulnerability workflow orchestration platform and this website (collectively, the "Service").

By using the Service, you agree to the collection and use of information in accordance with this policy. If you are using MendMesh on behalf of an organisation, you confirm that you have the authority to bind that organisation to this policy.

Data We Collect

Account and contact information

When you sign up or join the waitlist, we collect:

  • Name and work email address
  • Company name and job title
  • Password (stored as a cryptographic hash — we never store your plain-text password)

Vulnerability and integration data

To deliver the core service, we process data that you connect to MendMesh:

  • Vulnerability findings ingested from your connected security scanners (e.g. Snyk, GitHub Security Alerts, AWS Inspector, Trivy)
  • Repository names, service identifiers, and Kubernetes namespace names used for ownership mapping
  • API credentials and tokens for third-party integrations (encrypted at rest using AES-256)
  • Ticket data synced to or from Jira and GitHub Issues

Usage data

We automatically collect certain technical information when you use the Service:

  • IP address, browser type, and operating system
  • Pages visited, features used, and actions taken within the platform
  • Date and time of access
  • Error logs and performance metrics

Communications

If you contact us by email or through our website, we retain a record of that correspondence.

How We Use Data

We use the data we collect for the following purposes:

  • Providing, maintaining, and improving the MendMesh platform
  • Authenticating users and enforcing account security
  • Ingesting and normalising vulnerability findings on your behalf
  • Routing findings to the correct team according to your ownership rules
  • Creating and syncing tickets in your connected project management tools
  • Monitoring and enforcing SLA deadlines
  • Sending transactional emails (e.g. SLA breach notifications, account alerts)
  • Responding to support requests and enquiries
  • Detecting, investigating, and preventing fraud, abuse, or security incidents
  • Complying with legal obligations

We do not use your vulnerability data for any purpose other than providing and improving the Service to you.

Data Sharing

We do not sell, rent, or trade your personal data. We may share data with:

Sub-processors

We use a limited number of trusted third-party services to operate the platform (e.g. cloud infrastructure, error monitoring, email delivery). All sub-processors are contractually required to handle your data in accordance with applicable data protection law and our instructions only.

Your integration partners

When you connect an integration (e.g. Jira, GitHub), data necessary to fulfil that integration is sent to and received from that service. You control which integrations are connected.

Legal requirements

We may disclose information if we are legally required to do so (e.g. by a court order or regulatory authority), or where we believe disclosure is necessary to protect the safety of users or the public, or to enforce our Terms of Service.

Business transfers

If MendMesh is acquired by or merges with another company, your data may be transferred as part of that transaction. We will notify affected users before any such transfer and will require the acquiring entity to honour the terms of this policy.

Data Retention

We retain your data for as long as your account is active, or as long as necessary to provide the Service. You may request deletion of your account and associated data at any time by contacting us at privacy@mendmesh.io.

Some data may be retained for a limited period after account closure where required by law or for legitimate business purposes such as resolving disputes or enforcing agreements.

Vulnerability and integration data is processed in real time and is not retained beyond the period necessary to generate the relevant tickets and reports, unless you choose to store historical data within the platform.

Security

We take the security of your data seriously. Our measures include:

  • Encryption in transit using TLS 1.2 or higher
  • Encryption at rest using AES-256 for all stored data
  • Integration credentials stored in a dedicated secrets manager
  • Role-based access controls limiting internal access to customer data
  • Regular security assessments and dependency scanning (we use MendMesh internally for this)

No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee its absolute security. If you discover a security vulnerability, please report it to security@mendmesh.io.

Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Request correction of inaccurate or incomplete data
  • Erasure: Request deletion of your personal data ("right to be forgotten")
  • Restriction: Request that we restrict processing of your data
  • Portability: Request your data in a structured, machine-readable format
  • Objection: Object to processing of your data for certain purposes
  • Withdraw consent: Where processing is based on consent, withdraw that consent at any time

To exercise any of these rights, contact us at privacy@mendmesh.io. We will respond within 30 days. If you are based in the UK or EEA and believe your rights have not been respected, you have the right to lodge a complaint with the relevant supervisory authority (in the UK, the Information Commissioner's Office).

Cookies

This website uses a small number of cookies that are strictly necessary for the site to function (e.g. session management). We do not use advertising cookies or third-party tracking cookies.

You can control cookie settings through your browser. Disabling cookies may affect the functionality of the Service.

International Transfers

MendMesh operates primarily from the United Kingdom. If you are accessing the Service from outside the UK, your data may be transferred to and processed in countries with different data protection laws.

Where we transfer personal data outside the UK or EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the relevant authority.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by email (if you have an account) or by posting a prominent notice on this website. The "Last updated" date at the top of this page will always reflect when the policy was last changed.

Continued use of the Service after any changes constitutes your acceptance of the updated policy.

Contact Us

If you have any questions about this Privacy Policy or how we handle your data, please contact us:

  • Email: privacy@mendmesh.io
  • Website: mendmesh.io