Privacy Policy
Version: 0.1 (DRAFT — pending lawyer review)
Effective from: TBD (post lawyer review)
Last updated: 2026-05-02
Operator (Controller for visitor data; Processor for Customer Data): Stefan Stešević trading as meandai, registered in Montenegro.
Contact: privacy@meandai.com
Data Protection Officer: Stefan Stešević (interim — until headcount triggers a formal DPO appointment under GDPR Article 37).
This Privacy Policy describes how meandai collects, uses, shares, and protects Personal Data when you visit meandai.com, sign up for the Platform, or use the Services. It complies with the EU General Data Protection Regulation 2016/679 ("GDPR"), the EU AI Act 2024/1689, and where applicable the United Kingdom GDPR and the Montenegrin Data Protection Act.
For the avoidance of doubt:
- meandai is a controller for the limited Personal Data we collect about visitors to our website, signup-flow leads, and the natural-person contacts of our Customers (e.g., the email address of a Customer's billing contact).
- meandai is a processor for any Personal Data that a Customer submits to the Platform via its tenant. The Customer is the controller of that data. The terms of the processing relationship are set out in the Data Processing Agreement (DPA), which is incorporated by reference into the Terms of Service.
1. Personal Data we collect
1.1 As controller — visitor and Customer-contact data
| Data category | Source | Purpose | Lawful basis |
|---|---|---|---|
| Email address, name | Signup form, Calendly bookings, sales correspondence | Account creation, billing, support, contractual communications | GDPR Art. 6(1)(b) — performance of contract |
| Company name, role | Signup form, sales conversations | Tenant provisioning, account management | GDPR Art. 6(1)(b) |
| IP address, browser user-agent, referrer | Web server logs (Cloudflare, Railway) | Security, abuse prevention, fraud detection | GDPR Art. 6(1)(f) — legitimate interest in platform security |
| Cookie data — strictly necessary | Cloudflare Turnstile, session cookie | Authenticate session, anti-bot | GDPR Art. 6(1)(f); ePrivacy Directive — strictly necessary cookie exemption |
| Cookie data — analytics (PostHog) | Browser, after consent | Aggregate usage analytics | GDPR Art. 6(1)(a) — consent |
| Marketing email address | Forms where the data subject explicitly opted in | Newsletter, product updates | GDPR Art. 6(1)(a) — consent |
| Support correspondence | Help-desk emails, in-app messages | Service support, audit | GDPR Art. 6(1)(b) and (f) |
| Recorded sales call audio + transcript | Recorded with explicit notice + consent at start of call | Sales coaching, deal-context retention | GDPR Art. 6(1)(a) — consent; Art. 9 not engaged |
We do not collect any "special category" data of GDPR Article 9 about visitors or Customer contacts (no health, ethnicity, religion, political opinion, sex life, sexual orientation, biometric, or trade-union data).
1.2 As processor — Customer Data
When the Customer connects an external account (Gmail, Google Drive, Calendar, Slack, Airtable, WhatsApp Business, etc.) and operates AI agents within its tenant, the Platform processes whatever Personal Data is contained in or about those external accounts, on the Customer's instructions.
We do not enumerate the categories of Personal Data we process as processor. The Customer (controller) is responsible for documenting that processing in its own records of processing activities under GDPR Article 30(1).
We do not train any AI model, classifier, or embedding on Customer Data, and we do not share Customer Data with any AI model provider for any purpose other than the Customer's per-request inference call. We require this commitment in writing from each AI model subprocessor (see §6).
2. How we use Personal Data we control
- Provide, maintain, and improve the Platform.
- Bill the Customer and process payments.
- Provide customer support.
- Detect, investigate, and prevent abuse, fraud, or violation of the AUP.
- Comply with legal and regulatory obligations.
- Send service notices that are necessary for the operation of the Customer's account.
- With consent: send product updates, newsletters, and marketing.
- With consent: improve the user experience using PostHog product analytics.
We do not sell Personal Data to any third party. We do not engage in advertising-targeting profiling.
3. Automated decision-making and AI agent transparency
The Platform is an AI system within the meaning of the EU AI Act.
3.1 In Concierge mode (default for new tenants), no AI agent makes any decision affecting a third party — every outbound action requires Authorised User approval.
3.2 In Standard and Full Autonomy modes, AI agents may execute actions automatically within the AUP rate limits. The Customer retains final responsibility for outputs and must inform the affected data subjects about the role of AI in those interactions where required by Article 50 of the EU AI Act.
3.3 No AI agent on the Platform makes a decision producing legal or similarly significant effects on a natural person within the meaning of GDPR Article 22 without an effective human review step. The Customer is contractually prohibited (AUP §2.6(x)) from configuring an Agent to do so.
3.4 Data subjects may request information about the AI logic involved in any output addressed to them by emailing privacy@meandai.com and identifying the relevant communication.
4. How we share Personal Data
We share Personal Data:
- With Subprocessors (§6) strictly to operate the Platform.
- With professional advisers (lawyers, accountants, auditors, insurers) bound by confidentiality.
- With competent authorities if required by law, court order, or to defend legal claims.
- With a successor entity in connection with a merger, acquisition, or sale of substantially all assets — in which case we will give the Customer at least 30 days' notice and an opportunity to terminate.
We do not share Personal Data with marketing partners, ad networks, or data brokers.
5. International transfers
The Platform's primary infrastructure is hosted in the EU (Railway EU region, Neon EU region, Cloudflare R2 EU region, Logfire EU region, AWS KMS in eu-central-1 Frankfurt).
Some Subprocessors host or have access to Personal Data outside the EU/EEA, including:
| Subprocessor | Region | Transfer mechanism |
|---|---|---|
| Anthropic (AI inference) | United States | EU Standard Contractual Clauses 2021/914 + supplementary measures, Data Privacy Framework adequacy where applicable |
| OpenAI (AI inference) | United States | EU Standard Contractual Clauses + DPF |
| FAL.ai (image generation, if used) | United States | EU Standard Contractual Clauses |
Where we rely on Standard Contractual Clauses, we have completed the transfer impact assessment required by the Schrems II ruling.
6. Subprocessors
The current list of subprocessors is published below and updated at https://meandai.com/subprocessors (when live). We notify Customers at least 30 days before any new subprocessor takes effect, allowing them to object.
| Subprocessor | Service | Region | Personal Data category |
|---|---|---|---|
| Railway Corp. | Application hosting | EU | Customer Data + operational logs |
| Neon, Inc. | Postgres database | EU | Customer Data + account data |
| Cloudflare, Inc. | Edge / CDN, Turnstile, R2 backups | EU edge / R2 EU region | Visitor IP, account data, encrypted backups |
| Anthropic, PBC | LLM inference (Claude family) | United States | Prompt content (per Customer instruction) |
| OpenAI, L.L.C. | LLM inference (GPT family — fallback) | United States | Prompt content (per Customer instruction) |
| Inngest, Inc. | Background job orchestration | United States | Job metadata (no payload) |
| Logfire (Pydantic Services Ltd.) | Observability / structured logs | EU | Log payloads (PII redaction applied) |
| PostHog, Inc. | Product analytics | EU (cloud-eu) | Authorised User events |
| Resend, Inc. | Transactional email | EU | Recipient email, subject, body |
| Clerk, Inc. | Customer authentication | EU | Authorised User email, name |
| Stripe / Paddle (TBD) | Payments | EU | Billing email, invoice metadata |
| Amazon Web Services, Inc. | KMS key management (eu-central-1) | EU | Encrypted DEKs only — never plaintext |
| Doppler, Inc. | Secret management (CI / dev) | United States | Service credentials only — no Customer Data |
| Coalition, Inc. | Cyber + Tech E&O insurance | United States | Incident report metadata only, on claim |
We require each Subprocessor to provide written security commitments at least equivalent to ours, including encryption in transit and at rest, breach notification, and audit rights.
7. Retention
| Data category | Retention period |
|---|---|
| Account data (controller) | Duration of the contract + 7 years for tax / accounting |
| Authentication logs | 90 days |
| Application logs (Logfire) | 30 days for full payload, 1 year for aggregates |
| Encrypted Postgres backups (R2) | 30 daily + 12 monthly snapshots |
| Customer Data | As instructed by the Customer; default at termination is deletion within 90 days, see DPA §10 |
| Sales call recordings | 24 months unless deletion requested earlier |
| Marketing email list | Until consent withdrawn, then 30 days |
8. Your rights
Under the GDPR, you have the rights to access, rectify, erase, restrict processing of, port, and object to processing of your Personal Data, and to lodge a complaint with a supervisory authority (the Montenegrin Data Protection Agency, or the supervisory authority of your habitual residence in the EU).
To exercise rights about Personal Data we control, email privacy@meandai.com. We respond within 30 days and may extend by a further 60 days for complex requests, with notice.
For Personal Data that the Customer (controller) has submitted to the Platform, please contact the Customer directly. We will assist the Customer in fulfilling its obligations under the DPA but cannot fulfil data-subject requests addressed to us in our role as processor without the Customer's instruction.
9. Security
We apply technical and organisational measures appropriate to the risk, including:
- TLS 1.3 in transit between all services.
- AWS KMS envelope encryption with per-tenant DEK at rest for OAuth tokens and connected-account credentials.
- Postgres row-level security with per-tenant policies enforced as FORCE RLS.
- Capability-token system for sensitive tool calls — every email send / CRM write / external API call requires a fresh, KMS-signed, 60-second-TTL token.
- Custom prompt-injection filter (Anthropic Haiku-based) on all untrusted ingress (incoming email, document upload, MCP responses).
- Daily encrypted Postgres backups stored in Cloudflare R2 (EU).
- Continuous deep-health probes and an out-of-band kill switch.
- Single Sign-On (Clerk), role-based access control, and MFA enforcement on all administrative accounts.
- Quarterly secret rotation (Doppler).
- Annual third-party penetration test (planned post-launch).
A summary of measures, suitable for Customer due diligence, is available on request.
10. Personal Data Breach notification
We notify Customers of any Personal Data Breach affecting their tenant without undue delay and in any event within 48 hours of becoming aware. We notify supervisory authorities where required by law and on the timeline required by GDPR Article 33.
11. Children
The Platform is not directed to children under 16. We do not knowingly collect Personal Data from children. If you believe we have collected data from a child, contact privacy@meandai.com and we will delete it.
12. Cookies
We use only strictly necessary cookies by default. Analytics cookies (PostHog) are loaded only after explicit consent via the cookie banner. The cookie banner offers per-category granular consent and a one-click "reject all" option compliant with EDPB Guidelines 03/2022.
13. Changes
We update this Privacy Policy from time to time. Material changes are notified to active Customers at least 30 days in advance via email and via the in-app changelog. The "Last updated" date at the top of this document records the most recent revision.
14. Contact
- General privacy questions: privacy@meandai.com
- Security reports: security@meandai.com
- Data subject access requests: privacy@meandai.com with subject "DSAR"
- Supervisory authority (Montenegro): https://azlp.me