Privacy Policy
Overview
Meandr Inc., a Delaware corporation (“Meandr,” “us,” or “we”), provides infrastructure software that enables organizations to securely manage interactions between AI agents and software tools, including external services and internal systems. This Privacy Policy explains what information we collect, why we collect it, how we use it, and the choices available to you.
This Privacy Policy applies to our website at www.meandr.com, our application dashboard at app.meandr.com, our gateway endpoints at *.meandr.io, and any related subdomains (collectively, the “Site”). It also applies to the Service offered by Meandr through the Site (the “Service”).
By using or accessing the Site, you accept the practices described in this Privacy Policy, our Terms of Use, and all other policies or notices posted by us on the Site.
Data We Collect
Where possible you may have the option of interacting with us anonymously (for example, when browsing the Site as a casual visitor). We will usually make it clear whenever this is an option.
Personal data we may collect includes:
- Account data: name, email, organization or company information, role, and other information you provide when you create an account or fill out a form on the Site;
- Billing data: information you provide when subscribing to a plan. Payment card data is handled directly by our third-party payment processor and is not stored by Meandr;
- Communications: comments, support tickets, or other information you provide when you contact us;
- Usage and technical data automatically collected from your computer or device, such as device identifier, IP address, browser type, internet service provider, referring/exit pages, operating system, date/time stamp, and clickstream data;
- Location information derived from your device or network, where permitted by law;
- Interaction information when you interact with our content on the Site or on third-party sites or platforms.
Customer Data
Customer Data consists of the information and configuration submitted by customers through the Service, including:
- Project configuration (servers, tools, agents, policies);
- Connection details for upstream services;
- Credentials provided by the customer for the Service to access upstream services on the customer’s behalf (stored encrypted at rest);
- Operational metadata of tool calls processed through the Service (described below).
What we log per tool call:
- Timestamp
- Latency
- Status code
- Byte counts (in / out, client and upstream)
- Policy decision
What we do NOT log:
- Prompt contents (the request payload body of a tool call)
- Tool outputs (the response payload body)
- Credentials, secrets, or other sensitive content present in the payload
Exception — payload retention for offline approvals: a customer-configured policy may require owner approval before a tool call is executed. The handling of the original request body depends on the approval mode:
- Interactive approval — the approver decides while the gateway instance handling the request keeps the client connection open. In this case, the request body is held only in the memory of the gateway instance handling the request and is never persisted.
- Offline approval — the agent’s session is closed and the approver authorizes the action later via the Meandr dashboard. In this case, the request body is temporarily stored encrypted at rest using industry-standard encryption, in addition to being transmitted only over encrypted connections (TLS 1.2 or higher). The payload is discarded once the approval is resolved (approved, rejected, or expired).
Offline approval mode is the only circumstance under which Meandr persistently stores tool call payload content. Customers explicitly enable offline approval mode during policy configuration and are informed that enabling this feature results in temporary encrypted storage of tool call payloads.
Except as required to operate the Service, Meandr does not access Customer Data.
No AI training. Unless explicitly agreed with a customer, Meandr does not use Customer Data or tool call payloads to train machine learning or artificial intelligence models, whether ours or those of third parties.
Customers remain responsible for the legality of the data they submit through the Service and for ensuring they have all rights necessary to submit such data to and process such data through the Service.
How We Use Data
We use the data we collect to:
- Provide, maintain and improve the Site and the Service;
- Operate the gateway functionality, including routing tool calls, enforcing customer policies and rate limits, managing customer-provided credentials, and producing operational metadata;
- Diagnose and fix technical issues;
- Detect, investigate, and prevent activity that may violate our policies or applicable law;
- Analyze trends and usage patterns to improve the Service;
- Bill for use of the Service in accordance with the applicable subscription plan;
- Deliver customer support and respond to inquiries;
- Communicate with you, including newsletters, product updates, security advisories, and offers (see “Your Rights” below for opt-out options);
- As otherwise described to you at the time of collection or as authorized or required by applicable law.
Legal Bases for Processing
We process personal data on the legal bases described in applicable law, including:
- Performance of a contract — to provide the Service you have subscribed to;
- Compliance with legal obligations — including tax, fraud prevention, and lawful information requests;
- Our legitimate interests — including security, abuse detection, service improvement, and protection of our rights and the rights of our users;
- Your consent, where required by applicable law.
Sharing
Meandr does not sell, trade, share, or transfer your personal data to third parties except in the following limited circumstances:
- We may share personal data with third-party service providers who help us operate the Site and the Service (including hosting, payment processing, customer support, and analytics). These providers are authorized to use personal data only as necessary to provide services to us, and are bound by appropriate confidentiality and data protection obligations. Enterprise customers may request a list of our current sub-processors as part of their Data Processing Agreement;
- We may share personal data with our affiliates, who may use it consistent with this Privacy Policy;
- We may share personal data when we have a good-faith belief that disclosure is reasonably necessary to: (a) comply with applicable law, regulation, legal process, or enforceable governmental request; (b) enforce our Terms of Use or investigate violations; or (c) protect against imminent harm to the rights, property, or safety of Meandr, its users, or the public;
- We may share personal data to detect, prevent, or address fraud, security, or technical issues;
- As described in “Changes of Control” below, we may share personal data if we become involved in a merger, acquisition, bankruptcy, or sale of some or all of our assets; and
- We may share personal data with a third party if we have your consent to do so.
We may also share aggregated or non-personally identifiable information with third parties for other purposes.
Upstream services. When a customer configures the Service to connect to a third-party MCP server (an “upstream service”), the Service relays the customer’s tool call requests to that upstream service on the customer’s behalf using the credentials the customer provides. The upstream service operates independently of Meandr; its handling of any data sent through it is governed by its own terms and privacy policy. Meandr is not responsible for the practices of upstream services.
International Transfers
Personal data may be transferred outside the country where you reside. Where personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to countries that have not received an adequacy decision from the relevant authority, we rely on appropriate safeguards, including the Standard Contractual Clauses where applicable.
Security
We take reasonable measures to protect personal data and Customer Data:
- Encryption in transit using TLS 1.2 or higher for all connections to the Site, the dashboard, the gateway endpoints, and our APIs;
- Encryption at rest for credentials, audit metadata, and any tool call payload content temporarily stored for customer-enabled offline approvals;
- Access controls limiting employee access to personal data and Customer Data to those who need it to perform their roles;
- Continuous monitoring and periodic security reviews.
No method of transmission over the Internet or method of electronic storage is one hundred percent secure. We cannot guarantee absolute security.
We ask that you not send us, and you not disclose, any sensitive personal data (such as information related to racial or ethnic origin, religion or other beliefs, health, criminal background, or trade union membership) on or through the Site or otherwise. If, contrary to this request, you do provide any sensitive information, in doing so you consent to us collecting and handling that information in accordance with this Privacy Policy.
Retention
We retain personal data and Customer Data for the period necessary to support the Site and the Service, comply with our legal obligations, resolve disputes, or otherwise fulfill the purposes outlined in this Privacy Policy.
Operational data (audit metadata, configuration history, metrics) is retained per the retention windows applicable to your subscription plan. Specific retention windows are referenced in your subscription agreement or in our plan documentation.
Even after you cancel your account, copies of some information may remain in backup or archive systems for a period, and may be retained for fraud detection, to comply with applicable law, or to comply with our internal security policies.
Customer-provided credentials for upstream services are retained for the lifetime of the corresponding configuration plus a brief grace period after deletion, after which they are purged from active systems (subject to backup retention).
Your Rights
Depending on where you live, you may have additional rights under applicable privacy laws, including the European Union’s General Data Protection Regulation (“GDPR”), the California Consumer Privacy Act and California Privacy Rights Act (“CCPA/CPRA”), and similar state laws in the United States.
These rights may include:
- Access — to request a copy of the personal data we hold about you;
- Rectification — to request correction of inaccurate or incomplete data;
- Erasure — to request deletion of your personal data, subject to certain legal exceptions;
- Portability — to receive your personal data in a structured, commonly used, machine-readable format;
- Objection — to object to certain processing, including direct marketing;
- Opt-Out of Sale or Sharing — to opt out of any “sale” or “sharing” of personal data as defined under applicable law (we do not sell personal data in the conventional sense);
- Non-discrimination — we will not deny you services, charge different prices, or provide a different level of service because you exercised any of these rights.
To exercise any of these rights, contact us at privacy@meandr.com. We may need to verify your identity. We will respond within thirty (30) days, or such longer period as permitted by applicable law.
Account holders can access and update most of their personal data directly through the dashboard.
Cookies and Tracking Technologies
The Site uses cookies and similar technologies (pixel tags, web beacons, HTML5 local storage) for purposes including authentication, preferences, analytics, and security. You can remove or block cookies using your browser settings, but parts of the Site may cease to function properly if you do so.
If you no longer wish to receive our newsletter or promotional communications, you may opt out by following the instructions in such communications or in the dashboard. You may not have the option to opt out of certain service-related communications (such as billing notifications, security advisories, or material policy changes).
Children Under Age 13
The Site is not intended for use by anyone under the age of 13, nor does Meandr knowingly collect or solicit personal data from anyone under the age of 13. If we confirm that we have collected personal data from someone under 13 without verification of parental consent, we will delete that data promptly. If you are a parent or legal guardian of a child under 13 and believe that we might have any information from or about such child, please contact us at the email or mailing address provided at the end of this Privacy Policy.
Changes of Control
If we sell all or part of our business, or make a sale or transfer of assets, or are otherwise involved in a merger or business transfer, or in the event of bankruptcy, dissolution, liquidation, or similar proceeding, we may transfer personal data and Customer Data to one or more third parties as part of that transaction.
Third Party Sites
The Site may contain links to other third party websites. This Privacy Policy applies only to information collected by Meandr. We are not responsible for the privacy practices of other websites and encourage you to familiarize yourself with their policies.
Changes to This Policy
We reserve the right to change our Privacy Policy and our Terms of Use at any time. Non-material changes will take effect immediately, and material changes will take effect within thirty (30) days of their posting on the Site (unless we specify a different notice period). If we make material changes, we will notify you here, by email, or through notice on our home page.
Contact
If you have questions or suggestions about this Privacy Policy, or to make any request described above, contact us at privacy@meandr.com.