Last updated: To be determined in accordance with the governance and publication process of the Universal Event Graph Council.
Public draft for governance review
Meshi provides software, APIs, and related services that support networking, event intelligence, profile enrichment, and other data-driven workflows. This Privacy Policy and Data Protection Statement explains how Meshi collects, uses, discloses, stores, safeguards, and otherwise processes personal data when Meshi operates its services directly or when services are provided on behalf of a client organization through a Meshi-powered deployment.
This policy applies to personal data processed by Meshi in connection with:
Additional contractual or deployment-specific terms may apply in enterprise environments, including data processing agreements, order forms, white-label terms, or client-specific notices. Where a client organization provides a separate notice for a Meshi-powered deployment, that notice may supplement this policy for the relevant environment.
Meshi's privacy role depends on how the service is deployed and who determines the purposes and means of the relevant processing.
The client organization typically acts as the controller or business. Meshi typically acts as a processor, service provider, or contractor for client-directed processing, except where Meshi independently processes data for limited internal purposes such as security, fraud prevention, billing, legal compliance, and core service administration.
Where you participate in a client-powered environment, privacy requests about roster data, event participation, or client-owned source records may need to be routed to the relevant client.
Meshi typically acts as the controller or business for processing that Meshi decides to perform for its own service delivery, account management, security, support, analytics, and improvement purposes.
If you engage directly with Meshi outside of a client-controlled deployment, Meshi will generally handle your request directly, subject to verification and applicable law.
Responsibility may be split. The client may control participant or business data in its environment, while Meshi may separately control limited operational data tied to the underlying platform.
In these cases, Meshi may direct you to the relevant client for some requests and handle other requests directly.
If you are unsure whether Meshi or a client organization controls a particular dataset, contact the organization that invited you into the deployment or use the privacy contact information made available through the relevant service, deployment, or documentation.
Meshi may process the following categories of personal data, depending on the service, deployment, and your interactions with the platform:
Examples: Name, display name, work email, personal email where provided, phone number, account identifiers, login metadata, organization affiliation, role title, profile photograph, usernames, or handles.
Sources: You, the relevant client, connected services, event registration systems, or other approved integrations.
Purpose: To create and manage accounts, resolve identities, support participation, communicate with users, and operate the service.
Examples: Employer, role, biography, work history, education, skills, interests, profile content, questionnaire responses, meeting goals, offers, needs, and preferences.
Sources: You, clients, imports, connected services, public sources where permitted, or approved enrichment providers.
Purpose: To power profile creation, networking workflows, event intelligence, personalization, recommendations, and related analytics.
Examples: Registration details, attendance status, session participation, check-ins, scans, meeting activity, room or cohort assignments, sponsor interactions, and follow-up actions.
Sources: Clients, event systems, event apps, integrations, or your own activity in the service.
Purpose: To operate event workflows, improve relevance, generate briefs or recommendations, and support organizer or sponsor use cases subject to permissions and policy.
Examples: Log data, IP address, approximate location, browser or device details, authentication events, error logs, API requests, feature usage, cookies or similar technologies, and security telemetry.
Sources: Your browser, device, applications, APIs, infrastructure services, and Meshi systems.
Purpose: To secure, troubleshoot, maintain, and improve the service, and to monitor performance and abuse.
Examples: Billing contact data, invoices, payment-related metadata, subscription details, and contractual records.
Sources: You, your organization, and payment or business systems used in connection with the service.
Purpose: To administer the commercial relationship, process payments through approved providers, and maintain financial records.
Examples: Support tickets, meeting notes, communications with Meshi, feedback, corrections, overrides, and survey responses.
Sources: You, your organization, and Meshi support or customer success channels.
Purpose: To provide support, improve quality, handle complaints or corrections, and communicate about the service.
Examples: Profile summaries, inferred interests or domains, relationship or relevance signals, match classifications, generated briefs, graph-derived insights, and other system outputs.
Sources: Meshi models, rules, or workflows operating on source data and other accepted evidence.
Purpose: To support networking, relevance, event intelligence, quality improvement, and other service functions. These outputs are not necessarily user-confirmed facts.
Meshi is designed to distinguish between different classes of information rather than treating all data as equivalent. Depending on the deployment, Meshi may process:
Where operationally feasible, Meshi may preserve metadata about origin, freshness, confidence, ownership, and sharing boundaries so that source records, enriched records, and inferred outputs can be distinguished from one another. This distinction matters because an inferred output or generated brief is not the same thing as a user-confirmed fact or a source-authoritative record.
Important distinction
Meshi's services may create summaries, recommendations, or relationship signals from available information. Those outputs can be useful, but they may reflect inference or synthesis rather than verified fact. Meshi therefore encourages correction, confirmation, and client review workflows where appropriate.
Meshi uses personal data only for purposes that are reasonably necessary and proportionate to the relevant service, deployment, contractual relationship, or legal obligation. Depending on the context, Meshi may use personal data to:
Where data protection law requires a lawful basis, Meshi generally relies on one or more of the following, depending on the purpose and deployment:
Service delivery and account administration
Basis: Performance of a contract; steps prior to entering a contract; legitimate interests
Applies to providing the service, account access, support, and core operational workflows.
Client-directed processing in enterprise deployments
Basis: Processing under client instructions; contract; legitimate interests of the client and Meshi where applicable
The client may determine the primary lawful basis for participant or business data in its own deployment.
Security, fraud prevention, logging, and abuse detection
Basis: Legitimate interests; legal obligation where applicable
Used to maintain platform integrity, auditability, and operational resilience.
Product quality improvement and debugging
Basis: Legitimate interests; consent where required by law
Meshi seeks to limit this processing to what is reasonably necessary and consistent with contractual commitments.
Marketing and promotional communications
Basis: Consent where required; legitimate interests where permitted
You can opt out of non-essential promotional communications at any time.
Compliance, recordkeeping, and legal response
Basis: Legal obligation; legitimate interests
Includes tax, accounting, audit, litigation hold, and legal process response obligations.
If Meshi processes personal data for materially new purposes that are incompatible with the purposes described here, Meshi will provide additional notice where required.
Meshi may use rules-based systems, statistical methods, machine learning models, large language models, graph-based systems, or other computational methods to generate summaries, relevance signals, introductions, ranking outputs, or other service features.
Depending on the deployment, these outputs may be used to help users or clients identify relevant people, sessions, sponsors, or other opportunities; generate profile or event briefs; support follow-up workflows; or improve the usefulness of the Services.
Meshi distinguishes, to the extent operationally feasible, between:
Unless separately disclosed, Meshi does not intend these systems to make decisions that produce legal or similarly significant effects about individuals. Instead, they are intended to support networking, relevance, event operations, and related business workflows. If a particular deployment uses materially different profiling or automated-decision logic, Meshi or the relevant client may provide a supplemental notice.
Where appropriate, Meshi may allow users or clients to correct information, confirm high-value profile elements, or override outputs. Meshi may also maintain provenance or version metadata about generated summaries or recommendations to support quality review and debugging.
Meshi does not disclose personal data more broadly than is reasonably necessary for the purposes described in this policy. Depending on the service and deployment, Meshi may disclose personal data to the following categories of recipients:
Meshi may publish subprocessor information through its website, contractual materials, client-facing documentation, or other appropriate channels. The format and level of detail of those disclosures may evolve over time and, where applicable, may be informed by guidance adopted by the Universal Event Graph Council.
Meshi does not use personal data beyond the scope of applicable agreements, disclosed purposes, and applicable law. Region-specific disclosures may be provided in supplemental notices or updated versions of this policy as Meshi's practices and applicable governance mature.
Meshi retains personal data only for as long as reasonably necessary for the purposes described in this policy, including to provide the Services, honor contractual commitments, maintain appropriate audit and security records, resolve disputes, enforce agreements, and comply with applicable law. Retention periods depend on the type of record, the deployment model, legal obligations, operational needs, and whether the relevant data is controlled by Meshi, by a client, or by both in different contexts.
Account and contract records
Retained for the life of the account or contract and for a reasonable period thereafter for audit, billing, tax, dispute, and legal compliance purposes.
Client-provided source data
Retained according to the relevant client relationship, deployment configuration, and contractual commitments, subject to backups and legal retention requirements.
Support, security, and audit logs
Retained for the period reasonably necessary to investigate incidents, maintain security, and support legal or operational recordkeeping.
Inferred, derived, or generated outputs
Retained for as long as needed to support the related service, deployment, or quality and audit functions, unless earlier deleted, suppressed, or superseded.
Backups and disaster recovery copies
May persist for a limited period after deletion until overwritten in the normal backup cycle.
Where feasible and required, Meshi may delete, de-identify, suppress, or restrict data after a valid request, but Meshi may retain limited information where necessary for legal compliance, security, fraud prevention, dispute resolution, audit obligations, or enforcement of rights.
Meshi uses administrative, technical, and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, or destruction. These measures may include encryption in transit and at rest, role-based and least-privilege access controls, tenant isolation controls, logging and monitoring, secure authentication patterns, and vendor due-diligence and contractual controls.
No system can guarantee absolute security. You should also protect your own credentials, use strong authentication practices, and notify Meshi promptly if you believe your account or a Meshi-powered deployment has been compromised.
Depending on your location and the relevant deployment model, you may have rights to request access to personal data, correction of inaccurate data, deletion, export or portability, restriction, objection to certain processing, withdrawal of consent where consent is the basis for processing, and appeal of a denied request where applicable law provides that right.
Meshi's ability to fulfill a request may depend on whether Meshi controls the relevant data or whether the data is controlled by a client organization. For example:
To submit a request, use the privacy contact method identified in the relevant service, deployment notice, website, contract materials, or other applicable documentation. Meshi may require information sufficient to verify identity and may request additional information where needed to confirm authority, prevent fraud, or locate the relevant records. Authorized agents may be required to provide proof of authorization where allowed by law.
Users may opt out of non-essential marketing communications by using the unsubscribe mechanism in the relevant communication or by contacting Meshi. Operational, security, or transaction-related messages may still be sent where necessary.
Meshi and its service providers may use cookies, local storage, pixels, SDKs, log files, and similar technologies to operate, secure, measure, and improve the Services. Where required by law, Meshi will provide additional notice or choice mechanisms for non-essential technologies.
Meshi may provide a separate Cookie Notice or regional privacy supplement through the relevant website, deployment, or client environment where appropriate. California, EEA/UK, and other region-specific rights or disclosures may also be provided through supplemental notices, contract terms, or deployment-specific disclosures where required.
Meshi may process personal data in the United States and other jurisdictions where Meshi, its affiliates, clients, integration partners, or service providers operate. Where data protection law requires transfer safeguards, Meshi will implement appropriate measures, which may include contractual protections, supplementary security controls, and other recognized transfer mechanisms.
Where Meshi transfers personal data across borders, it will rely on safeguards that Meshi determines are appropriate under applicable law, which may include contractual measures, organizational controls, or other recognized transfer mechanisms. The specific safeguards used in a given deployment may vary over time and may, where relevant, be informed by guidance adopted by the Universal Event Graph Council.
The Services are generally intended for business, professional, and event-related use and are not directed to children. Meshi does not knowingly collect personal data from children in violation of applicable law. If you believe a child has provided personal data unlawfully through the Services, contact Meshi so that appropriate steps can be taken.
Meshi may update this policy from time to time to reflect changes in law, the Services, security practices, operational processes, or business relationships. When required, Meshi will provide notice of material changes through the Services, by email, through the relevant client, or by other appropriate means.
For privacy, security, or data-rights questions, contact: