Privacy Policy

Last updated: February 23, 2026

MeshKit ("MeshKit", "we", "us", or "our") is committed to protecting the privacy and personal data of all users. This Privacy Policy explains what personal data we collect, the lawful basis on which we process it, how we use and store it, how long we retain it, and your rights as a data subject.

MeshKit is operated from the Federal Republic of Nigeria. This Privacy Policy is written to comply with the Nigeria Data Protection Act 2023 (NDPA), enforced by the Nigeria Data Protection Commission (NDPC), and the NDPC General Application and Implementation Directive (GAID) 2025. Where users are located in the EU, UK, or other jurisdictions with applicable data protection laws, we acknowledge and extend relevant rights as described in Section 8.

1. Who We Are and How to Contact Us

MeshKit is the data controller responsible for the personal data collected through the meshkit.design platform.

For requests relating to your personal data, please contact hello@meshkit.design. We will respond within 30 days. We may need to verify your identity before processing your request.

2. Data We Collect

2.1 Account Data (via Google OAuth)

When you sign in with your Google account, MeshKit receives the following data directly from Google:

  • Email address
  • Google display name
  • Google profile photo (where available)

We do not receive your Google password or any payment information from Google.

2.2 Account and Subscription Data

We store the following data in our Supabase database linked to your user account:

  • User ID (internal identifier generated by Supabase)
  • Email address
  • Subscription tier (Free or Pro)
  • Export count for the current calendar period
  • Account creation timestamp
  • Subscription period reset timestamp

2.3 Brand Style Data (Pro Users Only)

If you are a Pro subscriber, we additionally store:

  • Accent colour (hex value)
  • Surface roughness value (float between 0 and 1)
  • Last updated timestamp

2.4 Export and Usage Data

We track the number of PNG exports you perform per calendar month to enforce tier-based export limits. We do not store the visual content of your exports. No export images are retained on MeshKit's servers after delivery.

2.5 Payment Data

Payment processing is handled entirely by Polar, our third-party billing provider. MeshKit does not store your payment card details, billing address, bank account information, or any financial credentials. Polar communicates subscription status changes to MeshKit via a secure webhook, and we update your account tier accordingly. Please refer to Polar's privacy policy at polar.sh/legal/privacy for details on how they handle your payment data.

2.6 Icon Request Data

If you submit an icon request via the Request Icon button, you are redirected to a Notion form. The contents of the form are handled according to Notion's privacy policy. No data from this interaction is received or stored on MeshKit's servers.

2.7 Technical and Log Data

We may collect standard technical data including IP address, browser type and version, device type, pages visited within MeshKit, and activity timestamps. This data is used for security monitoring, debugging, and performance optimisation. It is not used to build advertising profiles or sold to third parties.

3. Lawful Basis for Processing

Under the Nigeria Data Protection Act 2023, we rely on the following lawful bases for processing your personal data:

  • Contractual necessity (Section 25(b) NDPA): processing required to perform our agreement with you, including account creation, tier enforcement, export processing, and service delivery.
  • Legitimate interests (Section 25(f) NDPA): security monitoring, fraud prevention, platform analytics, and product improvement, where these interests do not override your fundamental rights and freedoms.
  • Consent (Section 25(a) NDPA): where you have actively opted in to specific communications or data uses. You may withdraw consent at any time without affecting the lawfulness of prior processing. Withdrawal of consent does not affect our ability to process data under other lawful bases.
  • Legal obligation (Section 25(c) NDPA): where processing is required to comply with applicable Nigerian law or lawful regulatory requirements.

4. How We Use Your Data

We use the data we collect strictly for the following purposes:

  • Account creation and authentication: to create your account, identify you on return visits, and maintain a secure session.
  • Subscription and tier management: to determine which features you can access, enforce export limits, and apply resolution restrictions.
  • Service delivery: to render 3D icons, process PNG exports, serve signed asset URLs, and operate the Copy Embed feature.
  • Billing: to communicate subscription lifecycle events with Polar and update your account tier in response to upgrade, renewal, and cancellation webhooks.
  • Brand Style persistence (Pro only): to store and auto-apply your saved accent colour and surface roughness across sessions.
  • Platform communications: to notify you of new icon releases, product updates, and material changes to these policies via in-app notification or email.
  • Security: to detect and prevent unauthorised access, tier circumvention attempts, and abuse of export functionality.
  • Analytics and product improvement: to understand how MeshKit is used and improve the platform. We do not sell usage data to third parties or use it for advertising purposes.

5. Data Storage, Security, and Retention

5.1 Storage Infrastructure

Your personal data is stored in Supabase, a managed PostgreSQL database service hosted on AWS infrastructure. Row-level security (RLS) policies are applied at the database level to ensure users can only access their own data. No data is stored on local servers operated by MeshKit directly.

5.2 Asset Storage and Signed URLs

3D icon GLB assets are stored in a private Supabase Storage bucket that is never publicly accessible. Assets are served exclusively via short-lived, server-generated signed URLs that expire after your session ends. Direct bucket access is blocked at the infrastructure level.

5.3 Security Measures

  • All data in transit is encrypted via HTTPS/TLS.
  • Authentication uses Google OAuth. MeshKit stores no passwords.
  • Database access is governed by row-level security policies.
  • Subscription tier enforcement is server-side only. Client-reported state is never trusted.
  • Export limits and resolution restrictions are validated server-side before any render is initiated.

5.4 Data Breach Notification

In the event of a personal data breach that is likely to result in risk to your rights and freedoms, MeshKit will notify the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of the breach, as required under the NDPA 2023. Where the breach is likely to result in high risk to your rights, we will also notify you directly without undue delay.

5.5 Data Retention

We retain your account data for as long as your account is active. In accordance with Article 49 of the GAID 2025, personal data that is no longer required for its original purpose will not be retained beyond six calendar months after that purpose is fulfilled, except where a longer retention period is required by Nigerian law. If you request account deletion, we will delete or irreversibly anonymise your personal data within 30 days, subject to any mandatory legal retention obligations.

6. Third-Party Services

MeshKit integrates with the following third-party services. Each operates under its own privacy policy, and we have assessed each for adequate data protection standards.

  • Google (Authentication): used for OAuth login. Google receives your authentication request and returns your email address and profile data to MeshKit. Google's Privacy Policy: policies.google.com/privacy
  • Supabase (Database and Storage): stores your account data, subscription status, Brand Style, and icon GLB assets. Supabase Privacy Policy: supabase.com/privacy
  • Polar (Payments): handles subscription billing, tax compliance, and invoicing. Polar receives your payment details and sends subscription lifecycle webhook events to MeshKit. Polar's Privacy Policy: polar.sh/legal/privacy

We do not sell, share, rent, or trade your personal data to any third party for marketing, advertising, or profiling purposes. Any sharing of personal data with the above processors is limited to what is strictly necessary for service delivery.

7. Cross-Border Data Transfers

MeshKit is a Nigerian-operated platform. Your personal data may be processed outside Nigeria by our infrastructure providers (Supabase on AWS, Polar). Such cross-border transfers are governed as follows:

  • Transfers to infrastructure providers: we rely on Standard Contractual Clauses (SCCs) or equivalent contractual safeguards to ensure that personal data transferred outside Nigeria receives a level of protection substantially equivalent to that required under the NDPA 2023, as permitted under Section 43 of the NDPA.
  • EU/EEA users: transfers of data from the EU/EEA to our infrastructure are covered by Standard Contractual Clauses approved by the European Commission (SCCs) embedded in our data processing agreements with Supabase and Polar.
  • UK users: transfers from the UK are covered by International Data Transfer Agreements (IDTAs) or addenda to EU SCCs, consistent with UK GDPR requirements.
  • No adequacy decision has yet been issued by the NDPC listing specific approved recipient countries. We therefore rely on contractual safeguards as the primary transfer mechanism for all cross-border transfers.

8. Your Rights as a Data Subject

8.1 Rights Under the NDPA 2023 (All Users)

Under the Nigeria Data Protection Act 2023, you have the following rights in relation to your personal data:

  • Right of access: request a copy of the personal data we hold about you and information about how it is processed.
  • Right to rectification: request correction of inaccurate or incomplete data.
  • Right to erasure: request deletion of your personal data when it is no longer necessary for the purpose it was collected, or when you withdraw consent, subject to any legal retention obligations.
  • Right to restriction: request that we limit processing of your data in certain circumstances (e.g., while accuracy is disputed).
  • Right to data portability: request your personal data in a structured, commonly used, machine-readable format that you can transfer to another service.
  • Right to object: object to processing based on legitimate interests, particularly in relation to direct marketing.
  • Right to withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior lawful processing.

To exercise any of these rights, contact hello@meshkit.design. We will respond within 30 days and may need to verify your identity before acting on your request.

8.2 Additional Rights for EU and UK Users

If you are located in the EU or UK, you also have the right to lodge a complaint with your local supervisory authority if you believe your data has been processed in violation of applicable law:

  • EU users: contact your national Data Protection Authority (DPA) — the full list is available at edpb.europa.eu
  • UK users: contact the Information Commissioner's Office (ICO) at ico.org.uk or by telephone: 0303 123 1113

You may exercise these rights directly with us before escalating to a supervisory authority, but you are not required to do so.

8.3 California Users (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, and disclose about you.
  • Request deletion of your personal information, subject to exceptions.
  • Opt out of the sale of personal information. MeshKit does not sell personal information.
  • Non-discrimination: you will not receive different levels of service for exercising your privacy rights.

To exercise CCPA/CPRA rights, contact hello@meshkit.design with the subject line: CCPA Privacy Request.

9. Cookies and Tracking

MeshKit uses session cookies to maintain your authenticated state after Google OAuth login. These are strictly necessary cookies and do not require your consent under applicable law.

We do not use third-party advertising cookies, tracking pixels, or behavioural profiling tools. We may use first-party analytics to understand aggregate product usage patterns (such as which icon categories are most browsed or total export volumes). This data is aggregated and not linked to individual user identity in analytics reports.

Under Article 19 of the NDPC GAID 2025, opt-in consent is required before deploying non-essential cookies or tracking tools. MeshKit currently operates without non-essential cookies. If this changes, we will implement an appropriate consent mechanism before deployment.

10. Children's Privacy

MeshKit is not directed at children under the age of 13. We do not knowingly collect personal data from anyone under 13. Users between 13 and 17 may only use MeshKit with verified parental or guardian consent in accordance with Section 8 of the NDPA 2023 and the Child Rights Act 2003.

If you believe we have inadvertently collected data from a child under 13, please contact us immediately at hello@meshkit.design and we will delete the data within 72 hours of confirmation.

11. Changes to This Policy

We may update this Privacy Policy from time to time as our data processing practices change or as required by law. Material changes will be communicated via in-app notification or email at least 14 days before they take effect. The effective date at the top of this policy will be updated with each revision. Continued use of MeshKit after the effective date of an update constitutes acceptance of the revised policy.

12. Regulatory Authority

The primary supervisory authority for data protection in Nigeria is:

Nigerian users who believe their data protection rights under the NDPA 2023 have been violated may lodge a complaint with the NDPC. EU, UK, and other international users may additionally contact their local supervisory authority as described in Section 8.

13. Contact

If you have questions or concerns about this Privacy Policy, please contact us:

Email: hello@meshkit.design