Privacy Policy

1. About This Policy, Scope & Acceptance

This Data Protection & Privacy Policy (the "Policy") explains how MeshPilot ("MeshPilot", "we", "us", "our") collects, uses, discloses, transfers, retains, and protects personal data when you access or use the MeshPilot website, web application, generation API, Model Context Protocol ("MCP") server, agent tooling, and related services (together, the "Service"). The Service is an AI agent that turns text prompts and reference images into game-ready and printable 3D models and compatible model sets.

This Policy forms part of, and is incorporated by reference into, the MeshPilot Terms of Service. Capitalised terms not defined here have the meaning given in the Terms of Service. If there is a conflict between this Policy and the Terms of Service on a matter of personal-data processing, this Policy controls.

We design our processing to comply with Indonesia's Personal Data Protection Law (Law No. 27 of 2022, the "PDP Law") and its implementing regulations; and, because our users are global, also with the EU General Data Protection Regulation (Regulation (EU) 2016/679) and the UK GDPR (together, "GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and applicable children's-privacy rules including the U.S. Children's Online Privacy Protection Act ("COPPA"). Where a law applicable to you grants stronger rights than this Policy describes, that law controls.

By accessing or using the Service, you acknowledge that you have read and understood this Policy. Where the law requires consent for a specific processing activity, we rely on consent only where it has been validly obtained, and you may withdraw it as described in Section 14.

Honesty note on current build status. The Service is in active development. The account system (registration, login, stored profile, saved models/folders, billing, connected wallet) is not yet live; clauses describing it are marked [Accounts] and apply only once that feature launches and only to data it actually collects. Today, payments to third-party AI/compute providers are funded by a MeshPilot-operated server-side wallet, not by a wallet you connect; we therefore do not currently collect user wallet addresses (see Sections 4 and 9). We describe planned capabilities transparently so this Policy is forward-compatible, but we do not represent that a planned control is operational before it is built.

2. Who Is Responsible (Controller Identity) & How to Contact Us

Controller / responsible party. The data controller (under GDPR), the data controller / pengendali data pribadi (under the PDP Law), and the "business" (under CCPA/CPRA) responsible for personal data processed through the Service is Shandon Sean McAloney, who operates MeshPilot as an individual from Indonesia, at Jl. Nakula No.99X, Legian, Kec. Kuta, Kabupaten Badung, Bali 80361 (the "Operator").

Transparency about the contracting/controlling party. MeshPilot is, at the date of this Policy, an early-stage project operated by an individual rather than a registered company; a separate operating legal entity has not yet been formed. The Operator named above is the controller and contracting counterparty responsible for the obligations described in this Policy. If a legal entity is later formed to operate the Service, this Section will be updated and that entity will assume the Operator role. As MeshPilot remains an early-stage product, please avoid submitting sensitive personal data through the Service.

Privacy contact / DPO function. We have designated a privacy contact point that performs the data-protection-officer ("DPO") function for the purposes of Article 37 GDPR and the relevant provisions of the PDP Law. You may contact this function for any privacy matter.

• Privacy, data protection, and data-subject/consumer-rights requests: privacy@meshpilot.cc
• General legal and Terms-of-Service matters: legal@meshpilot.cc
• Copyright, intellectual property, and DMCA/takedown notices: copyright@meshpilot.cc

There is currently no separate customer-support email address; product support is handled in-app. All privacy requests must nonetheless be sent to privacy@meshpilot.cc so they are logged and actioned within the timelines in Section 14.

EU/UK and other representatives. We are established in Indonesia. Because we may intentionally make the Service available to users in the EEA and the UK, GDPR Article 27 (and its UK equivalent) can require us to appoint an EU representative and a separate UK representative. We will either (a) appoint such representatives and publish their details in this Section before we knowingly serve EEA/UK users at scale, or (b) restrict access from the EEA/UK. Routing EEA/UK requests to privacy@meshpilot.cc is an interim measure only and is not a substitute for an appointed representative where one is legally required.

Supervisory authorities and complaints. EEA/UK users have the right to lodge a complaint with their local supervisory authority (for example, their national Data Protection Authority or the UK Information Commissioner's Office). Indonesian users may exercise their rights and complaints under the PDP Law and through the supervisory authority/agency established or designated under it. We ask that you contact us first at privacy@meshpilot.cc so we can try to resolve your concern.

3. Our Role: Controller vs. Processor

With respect to personal data we collect to operate the Service, create and administer accounts, bill you, secure the platform, and comply with law, MeshPilot acts as a controller.

With respect to the content you submit (prompts, reference images, conversations) and the assets generated for you, you direct the processing and remain responsible for the lawfulness of that content; we process it to deliver the outputs you request. Where you use the Service in a business capacity and submit personal data of third parties within your content, you act as the controller of that third-party personal data and MeshPilot acts as your processor for it. In that case, the data-processing terms in our Terms of Service (or a separate Data Processing Addendum, available on request at privacy@meshpilot.cc) govern, and you warrant that you have a lawful basis and any required notices or consents to submit such data.

4. Personal Data We Collect

We collect the categories of personal data described below. Items that apply only once the account system launches are marked [Accounts]. We collect only what we need for the purposes in Section 5.

Content data (data you submit):

• Prompts and chat content — the text, instructions, and conversation history you type or send to the agent, including saved conversations and projects.
• Reference images — images you upload or paste. We process them (for example, background removal, resizing, multi-view rendering) and transmit them to third-party AI providers to generate models. Reference images may contain a person's likeness; please do not upload other people's images without a lawful basis and any required consent.
• Generated assets — the 3D models (for example, GLB/OBJ files), textures, thumbnails, model sets, and the folders/collections the Service creates and stores for you so you can view, organise, and download them.

Account and profile data [Accounts]:

• Name and/or display name, email address, and account credentials. We store passwords only as salted hashes; we never store passwords in plaintext, and we never see or store your wallet's private keys or seed phrase.
• Account settings, preferences, saved models, folders, and project metadata.
• Billing data: billing identifiers, plan/credit balance, purchase and credit-usage history, and invoices. Full card numbers are processed by our payment processor; we do not store full card numbers. (Credit-card credits are planned and coming soon.)

Payment and blockchain data:

• Today: the Service funds third-party AI/compute charges from a MeshPilot-operated server-side wallet. We therefore do not currently collect a wallet address from you. The server-side wallet's keys are a security-sensitive secret we protect (Section 12).
• [Accounts] / once user-wallet payments launch: the wallet address(es) and on-chain transaction identifiers (transaction hashes) associated with cryptocurrency micropayments you make via the x402 protocol using USDC stablecoin on the Base blockchain, plus amounts, timestamps, and payment metadata needed to reconcile usage and detect fraud.
• Notice: blockchain transactions are public, permanent, and irreversible (see Section 9).

Usage, device, and log data (collected automatically):

• IP address, approximate location derived from IP, browser and device type, operating system, language, referring/exit pages, pages and features viewed, requests made, timestamps, session and job identifiers, and diagnostic/error/log data.
• API-usage metadata when you use the generation API or MCP server (request volumes, model parameters, success/error states).

Cookies and browser local storage:

• Strictly-necessary browser storage (localStorage) used to make the Service work — for example, cached generated model texture atlases and your recent conversation references stored on your device. See Section 10.

Communications:

• Information you provide when you contact us (for example, the content of your message, your email address, and any attachments), and the content of any intellectual-property or rights complaints handled under our IP/takedown policy.

Age-assurance data. When the account system launches, we expect to collect a self-declared date of birth (or an affirmative age-range declaration) at registration to operate the age gate and, where applicable, the parental-consent flow described in Section 16. We do not collect more identity data than necessary for age assurance.

Special-category / sensitive data. We do not intentionally collect special-category data under Article 9 GDPR or "specific personal data" under the PDP Law (for example, health, biometric, genetic, religious or political data, financial-account secrets, or data concerning children). Please do not upload prompts or images containing such data, or other people's personal data, unless you have a lawful basis and any required consent. You are responsible for the content you submit.

5. Why We Use Personal Data (Purposes)

We use personal data for the following purposes:

• To provide, operate, and maintain the Service and to generate the models, textures, and sets you request.
• To store and make available your conversations, generated assets, folders, and (once launched) your account, profile, and saved items.
• [Accounts] To create and administer accounts, authenticate logins, operate the age gate and parental-consent flow, and secure your account.
• To process payments and credits, reconcile crypto and card transactions, issue invoices, and prevent payment fraud and abuse.
• To run, monitor, debug, secure, and improve the reliability and quality of the Service (including queue/job processing and error diagnostics).
• To detect, prevent, and respond to fraud, abuse, security incidents, prohibited content, and violations of our Terms.
• To comply with legal obligations, respond to lawful requests, and establish, exercise, or defend legal claims.
• To communicate with you about your requests, security or service notices, and material changes to the Service or this Policy.

We do not use your prompts, reference images, conversations, or generated assets to train, fine-tune, or improve MeshPilot's own AI models (see Section 7). We do not sell your personal data and do not use it for cross-context behavioural advertising.

6. Legal Bases for Processing

GDPR (EU/UK). Where the GDPR applies, we rely on the following Article 6(1) legal bases:

• Providing the Service, generating models, storing your assets, and (once launched) operating accounts — Article 6(1)(b), performance of a contract or steps taken at your request.
• Processing payments, credits, and invoicing — Article 6(1)(b), contract; and Article 6(1)(c), legal obligation (tax/accounting).
• Securing, debugging, preventing fraud and abuse, and improving reliability — Article 6(1)(f), legitimate interests in keeping the Service secure, functional, and reliable, balanced against your rights.
• Operating age assurance and protecting children — Article 6(1)(c) legal obligation and Article 6(1)(f) legitimate interests; where consent is the appropriate basis (including parental consent under Article 8), Article 6(1)(a).
• Non-essential cookies/analytics, if and when we introduce them — Article 6(1)(a), consent.
• Complying with law and responding to lawful requests — Article 6(1)(c), legal obligation.
• Establishing, exercising, or defending legal claims — Article 6(1)(f), legitimate interests.

Where we rely on legitimate interests, we have balanced those interests against your rights and freedoms; you may object as described in Section 14, and you may request our balancing assessment at privacy@meshpilot.cc. Where we rely on consent, you may withdraw it at any time without affecting processing already carried out.

Indonesia PDP Law (Law No. 27 of 2022). Under Article 20(2) of the PDP Law, we process personal data on one or more of the following bases:

• (a) the consent of the data subject for one or more specified purposes;
• (b) performance of a contract with the data subject, or steps taken at the data subject's request before entering a contract;
• (c) compliance with a legal obligation of the controller;
• (d) protection of the vital interests of the data subject;
• (e) performance of a duty in the public interest or in the exercise of lawful authority, where applicable; and
• (f) the legitimate interests of the controller, having regard to the purposes and the rights of the data subject.

CCPA/CPRA (California). We collect and use the categories of personal information described in Section 4 for the business and commercial purposes in Section 5. We do not "sell" personal information and do not "share" it for cross-context behavioural advertising as those terms are defined under the CCPA/CPRA, and we do not knowingly sell or share the personal information of consumers under 16 years of age. We grant California rights described in Section 14 to all such consumers as a matter of policy; note that the CCPA/CPRA applies as a legal obligation only where its statutory thresholds are met.

7. How AI Processes Your Inputs, and Our No-Training Commitment

The Service depends on third-party AI providers to function. To generate outputs, your prompts and reference images are transmitted to: (a) a large-language-model provider that runs the agent's reasoning and planning; (b) image-generation models that create or edit reference and texture views; and (c) GPU/compute providers and a hosted generation service that run 3D shape and texture generation. These providers return text, images, and 3D assets to us, which we store and deliver to you. The current providers are listed in Section 8.

No training on your inputs by MeshPilot. MeshPilot does not use your prompts, reference images, conversations, or generated assets to train, fine-tune, or improve any MeshPilot AI model, and we do not authorise any third-party provider to use them to train that provider's general-purpose models where we are able to control that setting. Your content is used only to produce the outputs you request and to operate the Service as described in this Policy. We may create and use aggregated, anonymised, or de-identified data (data that does not identify you and is not reasonably linkable to you) to operate and improve the Service; such data is no longer personal data. This commitment is stated identically in our Terms of Service and IP terms, and those documents do not grant MeshPilot any right to train models on your identifiable content.

Third-party provider practices and an honest limitation. Each AI/compute provider processes data under its own terms, and several of ours are reached through an OpenAI-compatible payment/inference gateway, which means the underlying model operators may be downstream of that gateway. We select and configure providers and modes that do not train on, and that minimise retention of, customer inputs where that option is offered and we can verify it. However, some providers we use — for example, certain gateway-routed image/LLM models and decentralised or hosted GPU/compute services — may not offer an enforceable no-training or no-retention guarantee, may not sign a data-processing agreement, or may apply their own defaults we cannot fully control. Where that is the case for a given provider, we either minimise the personal data sent to it, replace it, or disclose the limitation rather than imply uniform contractual coverage. Because of this, do not submit confidential information or content you are not authorised to share. We maintain an internal register of each provider's actual data-use and retention posture and keep it current.

No solely-automated decisions with legal or significant effect (today). The Service generates creative assets at your direction. We do not currently make decisions that produce legal or similarly significant effects about you based solely on automated processing within the meaning of Article 22 GDPR or Article 10 of the PDP Law. Automated systems are used for content generation, queueing, spam/abuse filtering, and basic fraud prevention; these do not by themselves determine your legal rights and are subject to human review on request. If we later deploy automated processes that can block your payments, freeze funds, or suspend or terminate an account (including automated sanctions screening or strike-based enforcement), we will, before doing so, provide the safeguards those laws require for such decisions, including the right to obtain human intervention, to express your view, and to contest the decision, and we will update this Section accordingly.

8. Disclosures & Sub-Processors

We do not sell your personal data. We disclose personal data only as necessary to operate the Service, to comply with law, or at your direction, to the categories of recipients ("sub-processors") below. Where a recipient processes personal data on our behalf, we seek to engage it under contractual confidentiality and data-protection obligations consistent with GDPR Article 28, the PDP Law processor provisions, and the CCPA/CPRA service-provider requirements. Where a particular recipient will not enter such terms (which can be the case for gateway-routed model operators and decentralised/hosted compute), we disclose that limitation and minimise the personal data sent to it; see Sections 7 and 13.

Current categories of recipients and representative providers (kept in sync with our internal register):

• Hosting / application platform — runs the application and APIs and processes content, log, and (once launched) account/payment metadata. Provider: Railway.
• Database / file storage — stores conversations, generated assets (3D model files via GridFS), folders, jobs, and (once launched) account/billing records. Provider: MongoDB / MongoDB Atlas.
• Payment + LLM/image inference gateway — an OpenAI-compatible gateway used to pay for and route model calls. Provider: BlockRun (x402 gateway). Models routed through this gateway include the large-language-model used by the agent and the image-generation models below; the underlying model operators are downstream of the gateway, which may limit our direct contractual relationship with them.
• Large-language-model provider (agent brain) — receives prompts and reference images to plan and drive generation. The current LLM is an Anthropic Claude-class model accessed via the gateway, or an equivalent OpenAI-compatible model.
• Image-generation providers — generate or edit reference and texture images from your prompt/images. Current image models include OpenAI gpt-image-class models and Google "nano-banana"-class image models, accessed via the gateway.
• 3D shape/texture generation service — a hosted generation service (currently a Hugging Face Space accessed programmatically) and/or GPU/compute providers (for example, decentralised or cloud GPU such as Akash-style providers) that run 3D model inference (for example, Hunyuan3D-class models). These providers receive your prompt-derived inputs and reference images; some may not sign a data-processing agreement, which we disclose here.
• Blockchain & payment infrastructure — settles crypto micropayments and records wallet address and transaction hash on a public ledger. Components: the x402 protocol; USDC on the Base blockchain; and (planned) a card payment processor for credit purchases.
• Professional advisers / legal & safety — disclosure where required by law, to enforce our Terms, or to protect rights, safety, and property; for example, counsel and competent authorities upon lawful request.

We maintain an internal record of our current sub-processors and their data-use and retention posture. You may request the current list, and (once accounts launch) a means to be notified of new sub-processors, at privacy@meshpilot.cc.

Legal and safety disclosures. We may disclose personal data if we believe in good faith it is necessary to comply with a legal obligation or lawful request, enforce our Terms, detect or prevent fraud or security or technical issues, or protect the rights, property, or safety of MeshPilot, our users, or the public.

Business transfers. If we are involved in a merger, acquisition, financing, or sale of assets (including the formation of, or transfer to, the operating entity), personal data may be transferred as part of that transaction, subject to this Policy and applicable law; we will notify you of any change in control affecting your personal data.

9. Payments, Crypto & Blockchain Privacy Notice

Paid features use cryptocurrency micropayments via the x402 protocol, settled in USDC on the Base blockchain; credit-card credits are planned. Image-generation cost is passed through to you at cost; our margin is on 3D generation and texturing.

How payment data flows today. At present the Service pays third-party providers from a MeshPilot-operated server-side wallet, so a typical user does not connect a wallet and we do not collect your wallet address. When the [Accounts] / user-wallet payment feature launches, payments will move from a wallet you control, and we will then collect the wallet address and transaction hash needed to reconcile your usage.

Public blockchain warning. Blockchain transactions are public, permanent, and irreversible. A wallet address and transaction identifiers, once recorded, sit on a public ledger that we do not control, cannot edit or delete, and that third parties may link to your other on-chain activity or to your identity. The right to erasure (Section 14) cannot be applied to data already recorded on a public blockchain. Only transact with a wallet, amount, and identity you are comfortable making public. We do not custody your funds beyond what completing a transaction requires, and we never request or store your wallet's private keys or seed phrase.

Data minimisation and no on-chain personal data. We do not write your name, email, or other off-chain identity data onto any blockchain. We commit to not creating a stored mapping between a wallet address and your real-world identity unless it is strictly necessary (for example, for fraud prevention, tax, or legal compliance); where such a mapping is necessary, we document the necessity, minimise it, and protect it as personal data off-chain. The erasure limitation in this Section applies only to data that is inherently recorded on the public ledger; it does not excuse us from deleting, on a valid request, any off-chain record (including any off-chain wallet-to-account linkage) that we control.

10. Cookies & Browser Local Storage

We currently use only strictly-necessary browser storage to make the Service function. We do not currently use advertising, profiling, analytics, or cross-site tracking cookies, so no consent banner is presently required. If we introduce analytics or any non-essential cookie, we will first implement a compliant consent mechanism with prior opt-in (where required, for example under the ePrivacy rules/GDPR and the PDP Law), record your consent state, and update this Section before any such cookie is set. We will not add analytics silently.

Current cookies / local-storage items (each entry describes name or key, purpose, type, and storage/duration):

• mp_atlas:<modelUrl> (atlas cache) — caches a finished model texture atlas on your device to avoid re-running paid texture generation on reload. Type: strictly necessary / functional. Storage: browser localStorage; persists on your device until cache eviction or you clear it.
• Recent-conversations cache — stores your recent conversation references locally for quick reload. Type: strictly necessary / functional. Storage: browser localStorage; persists until you clear it.
• Session / auth token [Accounts] — keeps you signed in and secures your session once accounts launch. We intend to use an httpOnly, Secure, SameSite session cookie (preferred over a localStorage token, to reduce cross-site-scripting exposure). Type: strictly necessary / security. Storage: cookie or, where unavoidable, localStorage; session or short-lived expiry, to be specified at account launch.
• Consent state (only if and when non-essential cookies are added) — remembers your cookie choices. Type: strictly necessary. Storage: localStorage/cookie; up to 12 months.

You can clear browser storage at any time through your browser settings; doing so may remove cached models and, once accounts launch, sign you out. We will update the list above as the account system and any future analytics are introduced.

11. Data Retention & Deletion

Retention principle. We retain personal data only for as long as necessary for the purposes in Section 5, or as required by applicable law, after which we delete or irreversibly anonymise it. We are implementing a scheduled retention/purge process and the per-user data isolation needed to honour deletion reliably; until that tooling and the account system are live, deletion is performed manually on request (see the honesty note in Section 13).

Indicative retention periods (to be finalised against confirmed Indonesian tax/bookkeeping law, which commonly requires commercial records to be kept for up to ten (10) years, and against our real purge cadence):

• Prompts, conversations, generated assets, and folders (no account) — retained while needed to provide the Service; deleted when you delete the conversation (which also frees its stored model files) or otherwise on periodic purge. Target: deletion within thirty (30) days of a verified deletion request.
• Account and profile data [Accounts] — retained for the life of your account; deleted within thirty (30) days of verified account closure, subject to the legal-retention exceptions below.
• Billing and transaction records — retained for the period required by applicable tax/accounting law (typically up to ten (10) years under Indonesian and other tax rules), then deleted or anonymised.
• Server logs / IP / diagnostic data — typically thirty (30) to ninety (90) days, longer only where needed for an active security investigation.
• Age-assurance and parental-consent records [Accounts] — retained as long as needed to evidence compliance with children's-privacy law, then deleted.
• On-chain payment data (wallet address, transaction hash) — cannot be deleted; permanently recorded on the public blockchain (Section 9). Off-chain copies we control are deleted per the rules above.
• Browser localStorage (atlas/conversation cache) — stored on your device; you control deletion via your browser.

Deletion. You may request deletion of your personal data at any time (Section 14). When you delete a conversation, the Service also frees the associated stored model files. We may retain limited data where necessary to comply with law, resolve disputes, prevent fraud or abuse, or enforce our agreements; retained data is restricted to those purposes. Anonymised and aggregated data that can no longer identify you may be retained indefinitely.

12. Security Measures

We implement technical and organisational measures proportionate to the risk, consistent with Article 32 GDPR and the security provisions of the PDP Law, including:

• Encryption of data in transit (TLS/HTTPS) and reliance on encrypted, access-controlled managed database and storage services.
• Access controls, least-privilege practices, and secrets management. Credentials and keys are kept in protected environment configuration and are never committed to source control. The server-side payment wallet's key is treated as a crown-jewel secret, because its compromise could drain funds; it is access-restricted and covered by our incident-response plan.
• Network and platform security provided by reputable managed hosting and database providers.
• Logging, monitoring, and error diagnostics to detect and respond to incidents.
• Serial job processing and input validation to reduce abuse.
• Vendor due diligence and, where available, contractual data-protection terms with sub-processors.

Access-control hardening at account launch. We are aware that, in the pre-account build, conversation data is not yet isolated per authenticated user. Before the account system launches and before we invite paid, multi-user public traffic, we will require authentication, attach an owner/user identifier to conversations and stored models, scope every read and delete operation to the authenticated owner, reject cross-user access, and make conversation identifiers unguessable or authorised by session. We treat any unauthorised cross-user access as a security incident subject to Section 15. We describe this openly rather than overstate current isolation.

No method of transmission or storage is 100% secure, and we cannot guarantee absolute security. You are responsible for safeguarding your own account credentials, wallet keys, and seed phrases. Notify us immediately at privacy@meshpilot.cc if you suspect any compromise. As the Service matures (and at account launch) we will add further controls, such as salted-and-hashed credentials, rate limiting, and breach monitoring, and reflect them here.

13. International Data Transfers

We operate from Indonesia, and our sub-processors (hosting, database, AI/inference gateway, image and 3D generation, GPU/compute, blockchain) operate globally, including in the United States, the European Union, and other jurisdictions. Using the Service therefore necessarily involves cross-border transfers of personal data, including transfers of reference images that may contain a person's likeness.

GDPR transfers. For transfers of EEA/UK personal data to countries without an adequacy decision, we rely on appropriate safeguards under Chapter V GDPR — principally the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable), supplemented by additional technical and organisational measures where needed — for those providers that will enter such terms. A copy of the relevant transfer mechanism is available on request at privacy@meshpilot.cc.

PDP Law transfers. When transferring personal data outside Indonesia, we comply with the PDP Law's cross-border transfer requirements by ensuring the receiving country/recipient provides a level of protection at least equivalent to the PDP Law; or, failing that, by putting in place adequate and binding safeguards; or, where neither is available, by obtaining the data subject's valid, specific, and informed consent.

Honest disclosure of transfer-mechanism gaps. Some recipients in our stack — including gateway-routed model operators where we lack a direct contractual relationship, decentralised or hosted GPU/compute, and the hosted 3D-generation service — may not execute Standard Contractual Clauses, the UK Addendum, or a data-processing agreement. We do not represent that such a mechanism is in place where it is not. For any such recipient we will either (a) replace it, (b) rely on a documented alternative lawful transfer mechanism, or (c) where consent is the only available basis, present a specific, informed, and separable transfer consent with clear notice — and we will not rely on bundled "using the Service implies consent to all transfers" language as a valid cross-border-transfer basis. We keep our internal register aligned with which mechanism actually applies to each recipient.

By using the Service and submitting content, you understand that your data will be processed in the jurisdictions described above. Blockchain data is, by design, replicated globally across public nodes (Section 9).

14. Your Rights & How to Exercise Them (DSR Procedure)

Your rights. Subject to applicable law and verification of your identity, you may have the following rights:

• Access / be informed — confirmation of whether we process your data and a copy of it (GDPR Art. 15; PDP Law; CCPA right to know).
• Rectification — correction of inaccurate or incomplete data (GDPR Art. 16; PDP Law; CCPA right to correct).
• Erasure / deletion — deletion of your data, subject to legal exceptions and the blockchain limitation in Section 9 (GDPR Art. 17; PDP Law; CCPA right to delete).
• Restriction of processing (GDPR Art. 18; PDP Law).
• Objection — to processing based on legitimate interests, and to any direct marketing (GDPR Art. 21; PDP Law).
• Data portability — receive your data in a structured, commonly used, machine-readable format and have it transmitted where technically feasible (GDPR Art. 20; PDP Law; CCPA portability).
• Withdraw consent at any time, without affecting processing already carried out (GDPR Art. 7(3); PDP Law).
• Right to halt or delay processing in certain circumstances (PDP Law).
• Not be subject to solely-automated decisions with legal or significant effect (GDPR Art. 22; PDP Law Art. 10) — see Section 7.
• Non-discrimination for exercising your rights, and the right to lodge a complaint with a supervisory authority (Section 2).
• CCPA/CPRA — rights to know, delete, correct, opt out of "sale"/"sharing" (we do neither), and limit use of sensitive personal information; you may use an authorised agent.

How to make a request. Send your request to privacy@meshpilot.cc, stating the right you wish to exercise and enough detail (for example, the conversation reference, account email, or — once user-wallet payments launch — the wallet address or transaction hash involved) for us to locate your data.

Honesty note on current capability. Until the account system and per-user data isolation are live, we cannot always reliably attribute pre-account conversation data to a specific individual, which can limit our ability to fulfil access and erasure requests on a strict per-person basis. We will make reasonable, good-faith efforts to locate and act on your data with the details you provide, and we are building the data-mapping and lookup tooling needed to honour these rights fully. We will not claim a verified per-subject capability we do not yet have.

Identity verification. To protect you, we will take reasonable steps to verify your identity (or an authorised agent's authority) before acting, and may request limited information to match against our records. Where we cannot verify your identity, we may be unable to fulfil the request.

Response timelines. We will respond as required by the law applicable to you:

• GDPR — without undue delay and within one (1) month of receipt, extendable by up to two further months for complex or numerous requests (with notice).
• PDP Law — without undue delay and within the timelines set by the PDP Law and its implementing regulations for the relevant right; where a specific statutory period applies to a given request type, we will meet it.
• CCPA/CPRA — we acknowledge within ten (10) business days and respond within forty-five (45) calendar days, extendable by a further forty-five (45) days with notice.

Fees. Requests are generally free. We may charge a reasonable fee or refuse where a request is manifestly unfounded, excessive, or repetitive, as permitted by law, and will explain any such decision.

Limits. We may decline or limit a request to the extent an exception applies (for example, legal-retention obligations, the rights of others, or an ongoing fraud/security investigation). On-chain data cannot be erased or rectified (Section 9). We will explain any refusal and your options, including complaining to a supervisory authority.

15. Personal-Data-Breach Notification

We maintain a written incident-response plan and procedures to detect, investigate, contain, and remediate personal-data breaches, with a named person responsible for executing the notification clocks below. As part of standing this up, we are putting in place centralised logging and alerting and — together with the per-user isolation described in Section 12 — the ability to identify which data subjects are affected by an incident.

PDP Law. Where the PDP Law applies, in the event of a failure to protect personal data we will notify the affected data subject(s) and the supervisory authority in writing within the time and in the manner required by the PDP Law and its implementing regulations (which require prompt notification, in writing, within seventy-two (72) hours of becoming aware), including the personal data exposed, when and how the failure occurred, and the handling and recovery measures taken. Where required, we will also inform the public or law enforcement.

GDPR. Where the GDPR applies, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach (Article 33), unless it is unlikely to result in a risk to individuals' rights and freedoms, and we will notify affected individuals without undue delay where the breach is likely to result in a high risk to them (Article 34).

Reaching you. Because pre-account users may not have provided a contact address, where we cannot notify you directly we will provide any legally required notice through a prominent in-app notice and/or by publishing it, in addition to notifying the relevant authority.

Other laws. We will provide any additional breach notifications required under the CCPA/CPRA and other applicable laws within the timelines those laws prescribe.

16. Children's Privacy

Minimum age and the gate we are building. The Service is not directed to children below the minimum age required in their jurisdiction (for example, 13 under COPPA, up to 16 in parts of the EEA under Article 8 GDPR, and the age of consent specified under Indonesian law). We do not knowingly collect personal data from children below the applicable digital age of consent without verifiable parental or guardian consent. We are committed to making this true in practice, not only on paper: before the account system launches and before we invite live public traffic, we will implement a neutral age gate that captures a self-declared date of birth (or age-range declaration), blocks users below the applicable minimum age, and, for permitted minors, runs a parental/guardian-consent flow with a logged consent record. For children under 13 (or the local equivalent), we will obtain verifiable parental consent before collecting personal data, as COPPA and comparable rules require.

Honest status. Until that age gate and consent flow are live, the Service is offered on a pre-launch basis, we ask that it be used only by persons who meet the applicable minimum age, and we do not represent that we have a fully operational verifiable-parental-consent mechanism. Where we cannot yet honour a particular children's-privacy control, we say so rather than overstate it.

Minors who may use the Service. If you are below the digital age of consent in your jurisdiction, you may use the Service only with the involvement and consent of a parent or legal guardian, who accepts the Terms and this Policy on your behalf, is captured as a consenting party through our parental-consent flow when it is live, and remains responsible for your use and any payments. Paid features for self-declared minors are intended to be gated behind guardian authorisation.

No training on children's content. We do not knowingly use the content of users we know to be children to train or improve models, and any personal data of children is handled under the heightened protections in this Policy and applicable children's-privacy law.

Reporting. If you believe a child has provided personal data without appropriate consent, contact privacy@meshpilot.cc and we will verify and delete it as required by COPPA, the PDP Law, GDPR, and other applicable law.

Operator note. MeshPilot is founded by an individual who is currently a minor. This is precisely why the responsible controller and contracting party will be an adult/guardian or a formed entity before live processing (Section 2), and why the parental-consent relationship for any minor user is held by a parent or guardian rather than by the founder. This does not create any agency, partnership, or special relationship and does not change the allocation of responsibility in our Terms.

17. Account-Data Handling [Accounts]

This Section describes how we will handle data once the account system (registration, login, stored profile, saved models/folders, billing, and connected wallet) launches. It applies only to data that feature actually collects.

• Your account will store your name/display name, email, salted-hashed credentials, settings and preferences, saved models, folders, and project metadata, and billing data (plan/credit balance, purchase and credit-usage history, invoices, and tokenised card metadata held by our processor — never full card numbers).
• Where you connect a wallet for payments, your account may store your wallet address(es) and transaction hashes to reconcile usage. Consistent with Section 9, we will avoid storing a wallet-to-real-identity mapping unless strictly necessary, and we will document and minimise it where it is.
• Transactions and credit usage initiated through your authenticated account or connected wallet are deemed authorised by you, except to the extent caused by our proven fault or an unauthorised event you could not reasonably have prevented and promptly reported to us.
• Account closure and deletion: you will be able to close your account and request deletion through in-app controls or by contacting privacy@meshpilot.cc. We will delete account data within the period in Section 11, subject to legal-retention exceptions, and you should export any outputs you wish to keep before closing your account because we are not obligated to retain them afterward.
• Automated enforcement safeguards: if account-level actions (suspension, payment blocking, fund freezing, or strike-based termination) become automated, we will provide the Article 22 / PDP Article 10 safeguards described in Section 7 before relying on them.

18. Third-Party Links, Devices & Content

The Service may link to or interoperate with third-party websites, software, 3D printers, slicers, game engines, and wallets. We are not responsible for the privacy practices or content of those third parties; their own policies govern your use of them. We encourage you to review the privacy notices of any third party before providing it with personal data.

19. Changes to This Policy

We may update this Policy from time to time. We will revise the "Last updated" date and, for material changes, provide more prominent notice (for example, an in-app notice, or — once accounts launch — an email or in-product message). Where applicable law requires fresh consent or advance notice for a material change, we will obtain or provide it. Your continued use of the Service after changes take effect constitutes acceptance, except where applicable law requires otherwise.

20. Contact

• Privacy, data protection, and data-subject/consumer rights (PDP Law, GDPR, CCPA/CPRA), and any request by a parent or guardian concerning a minor: privacy@meshpilot.cc
• General legal and Terms-of-Service matters: legal@meshpilot.cc
• Copyright, intellectual property, and DMCA/takedown notices: copyright@meshpilot.cc

Postal contact: Shandon Sean McAloney (Operator, MeshPilot), Jl. Nakula No.99X, Legian, Kec. Kuta, Kabupaten Badung, Bali 80361, Indonesia. There is no dedicated customer-support email address; product support is provided in-app. Governing law for data matters under the Terms is Indonesia, without prejudice to the mandatory rights that the GDPR, the CCPA/CPRA, and other applicable laws grant you. This Policy is intended to be comprehensive, protective, and fair; any appointed EU/UK representatives and the final retention periods will be confirmed as the Service matures.