Privacy Policy
Version 1.0
Date: 01.04.2026
Privacy notice in accordance with Article 13 GDPR
Name and address of the data controller
The responsible body within the meaning of the General Data Protection Regulation (GDPR) and other data protection regulations is:
meshcloud GmbH
Schaumainkai 91
60596 Frankfurt am Main
Germany
Phone: +49 69 3487 3587
Email: impressum@meshcloud.io
Registration number: HRB 116189
Name and address of the data protection officer
The data protection officer of the data controller is:
Resilience Operations Center GmbH
Neumeyerstr. 48
90411 Nürnberg
Germany
Phone: +49 911 477 528 0
Email: datenschutz@meshcloud.io
General information on data processing
Personal Data we collect
We collect the following categories of personal data in connection with meshStack:
Identity & Account Data
- Full name
- Work email address
Usage & Behavioral Data
- Feature interactions and navigation paths within meshStack
- Session duration and frequency of use
- Actions performed within the platform (e.g. creating, editing, deleting records)
- Error logs and performance data
- In-app support and feedback submissions
Technical Data
- IP address
- Browser type and version
- Device type and operating system
- Time zone and language settings
- Cookie identifiers and session tokens
We do not collect sensitive personal data (special categories under Art. 9 GDPR) and we do not knowingly collect personal data from individuals under the age of 18.
Legal basis for processing personal data
In accordance with Article 13 GDPR, we will inform you of the legal basis for our data processing. If the legal basis is not specified in the privacy notice, the following applies:
| Purpose | Data Type | Legal Basis |
|---|---|---|
| Providing and operating meshStack | Account data | Art. 6(1)(b) – Performance of a contract |
| User authentication and access control | Account data, technical data | Art. 6(1)(b) – Performance of a contract |
| Product analytics and improvement | Usage & behavioral data | Art. 6(1)(f) – Legitimate interests |
| Customer support and communication | Account data | Art. 6(1)(b) – Performance of a contract |
| Compliance with legal obligations | All relevant data | Art. 6(1)(c) – Legal obligation |
| Sending service-related updates | Account data (email) | Art. 6(1)(b) – Performance of a contract |
Data deletion and storage period
We adhere to the principles of data minimisation in accordance with Article 5(1)(c) GDPR and storage limitation according to Article 5(1)(e) GDPR. We only store your personal data for as long as is necessary to achieve the purposes stated here, or as stipulated by the retention periods provided for by law. After the respective purpose no longer applies or after these retention periods have expired, the corresponding data will be deleted as quickly as possible.
External links and integrated cloud services
Our platform contains links to external websites and services, specifically to the consoles and portals of Cloud Service Providers (e.g., AWS, Microsoft Azure, Google Cloud) that are integrated into your meshStack environment.
Please be aware that as soon as you click on these links, you leave the meshStack platform. Data processing on those external sites is the responsibility of the respective provider and is subject to their own privacy policies. If you are redirected to a cloud provider console, the processing of your data there is usually governed by the enterprise agreement (and associated DPA) between your employer and that provider.
By clicking these links, technical data (such as your IP address and the referral URL) may be transmitted to the destination. Please note that clicking links to providers based outside the European Economic Area (EEA) may result in a transfer of data to third countries. Only when you click on an external link will your personal data be transferred to the destination of the link. The operator of the other website will then receive your IP address, the time at which you clicked on the link, the website you were on when you clicked on the link, and other information that you can find in the respective provider’s privacy notice.
Rights of data subjects
As a data subject within the meaning of the GDPR, you have the option to assert various rights. The data subject rights arising from the GDPR are the right to information (Article 15), the right to rectification (Article 16), the right to deletion (Article 17), the right to restriction of processing (Article 18), the right to object (Article 21), the right to lodge a complaint with a supervisory authority and the right to data portability (Article 20).
Right of revocation
Some data processing can only take place with your express consent. You have the option to revoke your consent at any time. However, the lawfulness of the data processing up to the point of revocation is not affected by this.
Right of objection
If the processing is based on Article 6(1)(e) or (f) GDPR, you as the data subject can object to the processing of your personal data at any time for reasons arising from your particular situation. You are also entitled to this right in the case of profiling based on these provisions within the meaning of Article 4(4) GDPR. Unless we can prove a legitimate interest for the processing which overrides your interests, rights and freedoms, or the processing serves the assertion, exercise or defence of legal claims, we will refrain from processing your data after the objection has been made.
If the processing of personal data serves the purpose of direct marketing, you also have the right to object at any time. The same applies to profiling associated with direct marketing. Here, too, we will no longer process personal data as soon as you raise an objection.
Right to lodge a complaint with a supervisory authority
If you believe that the processing of your personal data violates the GDPR, you have the right, without prejudice to any other administrative or judicial remedy, to lodge a complaint with a supervisory authority, in particular in the member state of your place of residence, your place of work or the location of the alleged violation.
Right to data portability
If your data is processed automatically based on consent or fulfilment of a contract, you have the right to receive this data in a structured, common and machine-readable format. You also have the right to request that the data be transferred and made available to another data controller, insofar as this is technically feasible.
Right of access, rectification and erasure
You have the right to obtain information about the processing of your personal data with regard to the purpose, categories and recipients of the data processing, as well as the duration of storage. If you have any questions on this topic or on other topics regarding personal data, you can of course contact us using the contact options provided in the legal notice.
Right to restriction of processing
You may assert your right to the restriction of processing of your personal data at any time. To do this, you must meet one of the following requirements:
- You contest the accuracy of the personal data. While the accuracy of the data is being verified, you have the right to demand that its processing is restricted.
- If processing is unlawful, you can request the restriction of the use of the data as an alternative to deletion.
- If we no longer need your personal data for the purposes of processing, but you need the data to assert, exercise or defend legal claims, you can request the restriction of processing as an alternative to deletion.
- If you object to the processing in accordance with Article 21(1) GDPR, we will weigh up your interests against ours. Until this weighing up is completed, you have the right to request the restriction of processing.
The effect of restricting processing is that, apart from storage, the personal data may only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of substantial public interest of the Union or a member state.
Provision of services
Technical Provision and Logging (Server Log Files)
To ensure the secure and stable operation of the meshStack platform, our systems automatically collect and store technical information in so-called server log files. When you access the meshPanel or interact with our API, your browser or client automatically transmits the following data:
- IP Address of the requesting device.
- Technical Details: Browser type/version, operating system, and host name of the accessing computer.
- Request Details: Name of the retrieved file/resource, User ID, date and time of the server request, volume of data transferred, action performed, and the affected resource.
- Status Codes: Information on whether the request was successful (e.g., HTTP 200) or failed (e.g., HTTP 404).
Purposes of Processing
- Security & Stability: These logs are essential for detecting and preventing cyberattacks (e.g., DDoS attacks) and for troubleshooting technical errors.
- Auditability: In accordance with our security standards, these logs help maintain an audit trail of system access. To ensure the traceability of infrastructure changes and to meet security requirements, meshStack records a history of actions within the platform (e.g., creating projects, modifying permissions, or deleting resources).
- Performance: To ensure the technically error-free presentation and optimization of the platform.
Legal Basis
The processing of this data is based on Art. 6(1)(f) GDPR. Our legitimate interest lies in the security, stability, and functional integrity of the meshStack platform. If you are accessing the platform as part of a trial or to initiate a contract, Art. 6(1)(b) GDPR serves as an additional legal basis.
Hosting
The platform is hosted by specialized infrastructure providers (Sub-processors). We have concluded a Data Processing Agreement (DPA/AVV) with these providers in accordance with Art. 28 GDPR to ensure that your data is processed strictly according to our instructions and the highest security standards. A list of our hosting locations is available in our Security FAQ.
Technical storage (cookies and local storage)
The meshStack platform utilizes cookies, local storage, and session storage to provide a functional and secure user experience. These are technical tools stored in your browser that enable the core features of the platform. Inside the meshStack platform (panel.meshcloud.io), we use only strictly necessary cookies and local storage items. These are used for authentication (keeping you logged in), security (CSRF protection), and remembering your UI preferences. We do not use marketing or third-party advertising cookies within the authenticated product platform.
| Name / Technology | Type | Purpose / Function | Provider | Duration |
|---|---|---|---|---|
| SSO / Keycloak Authentication | Cookie | Technically necessary for authentication and session management within the Single Sign-On (SSO) framework. | Internal Service (meshcloud Keycloak instance) | Session (until browser is closed) |
| OAuth Security Parameters | Local Storage | Temporary storage of a random value ("Nonce") to secure the OAuth authentication process and prevent replay attacks. | Internal Service (Platform Auth Service) | Temporary (until login completion) |
Strictly Necessary Storage
These items are essential for the operation of meshStack and cannot be switched off in our systems. They are typically only set in response to actions made by you, such as:
- Authentication: Maintaining your login session so you don't have to re-authenticate on every page.
- Security: Protecting against Cross-Site Request Forgery (CSRF) and other security threats.
- User Preferences: Remembering your UI settings, such as language selection, dark/light mode, or expanded/collapsed sidebar states.
Storage Duration
- Session Storage: These items are temporary and are automatically deleted as soon as you close your browser tab or log out.
- Local Storage / Persistent Cookies: These remain on your device for a specified period or until you manually clear your browser cache. They allow us to remember your preferences across different sessions.
- Retention times for DB entries and log files can be found here
Data Residency and Storage Location
- All personal data and platform metadata processed by meshStack are stored on servers located within the European Union (EU) / European Economic Area (EEA). Any transfer of data to sub-processors in third countries is conducted exclusively on the basis of adequacy decisions by the European Commission or through the use of Standard Contractual Clauses (SCCs) to ensure a level of protection equivalent to the GDPR.
Legal Basis
The use of strictly necessary cookies and local storage is based on Art. 6(1)(f) GDPR. As the operator of an Internal Developer Platform, we have a legitimate interest in ensuring the platform is technically error-free, secure, and user-friendly.
No Third-Party Tracking
We do not use any third-party marketing, advertising, or behavioral tracking cookies within the meshStack product. Any storage used is strictly dedicated to providing the services you or your employer have requested.
Use of external services and sub-processors
To provide the meshStack platform reliably and securely, we work with selected service providers (Sub-processors). A current and detailed list of these providers, including their roles and data processing locations, is maintained in our technical documentation: List of Sub-processors & Security FAQ
Privacy by Design: Analytics and Tracking
We prioritize the data sovereignty of our customers. Therefore, meshStack is configured with the following privacy-first principles:
- Self-Hosted Analytics: We do not use third-party tracking or marketing analytics services (such as Google Analytics) within the product. All usage analytics are processed on our own self-hosted infrastructure to ensure no behavioral data is shared with external third parties.
- No Third-Party Data Sharing: Your personal data and infrastructure metadata are never sold, traded, or shared with third-party providers for their own purposes.
- Technical Necessity: External services are only utilized where technically necessary for the operation of the platform (e.g., managed hosting or encrypted backup services) as defined in our Sub-processor list.
Customer Support and Feedback
If you contact our support team (e.g., via email or an integrated support portal), we process your contact details and the content of your inquiry to provide technical assistance. This processing is based on Art. 6(1)(b) GDPR (fulfilment of our contractual obligations to your employer). We use specialized service providers for ticket management; a list of these providers can be found in our Sub-processor list.
Third party tools
Where data is transferred to providers in the USA or other third countries, we ensure a level of data protection equivalent to the GDPR through the use of Standard Contractual Clauses (SCCs) and, where applicable, the EU-U.S. Data Privacy Framework.
No automated decision-making
In accordance with Article 22 of the GDPR, we hereby inform you that we do not use fully automated decision-making processes—including profiling—that produce legal effects concerning you or similarly significantly affect you.
As an Internal Developer Platform (IDP), meshStack provides the tools and data for human administrators and developers to manage their cloud infrastructure. All significant actions within the platform, such as the granting of access rights, the creation of projects, or the deletion of resources, are initiated by human users or based on pre-defined technical configurations set by your organization.
Closing statement
We reserve the right to update this Privacy Notice from time to time to ensure it remains compliant with current legal requirements or to reflect changes in our services (e.g., the introduction of new platform features or infrastructure updates).
The version currently published within the platform at the time of your visit shall apply. For existing customers, significant changes to data processing activities will be communicated through the usual channels (e.g., via the platform administrator or technical release notes) in accordance with our contractual agreements.