Plain-English summary
This box is informational. The Policy below is the binding part.
- Who: iMeshh Ltd (UK) is the data controller for iMeshh Pro.
- What: We collect the data you give us (name, email, billing info, files you upload) and a small amount of data we generate (logs, analytics, security records).
- Why: To run the Service, take payment, send you product email, prevent abuse and improve the Service.
- Who we share with: A small set of carefully chosen sub-processors (Stripe, Supabase, Cloudflare, Resend, Upstash, PostHog, Vercel, Anthropic) — listed in Section 6 with locations and safeguards.
- AI: We process User Content through AI Features only when you choose to use them, and we do not allow our AI providers to train on your data.
- Where: Personal data is processed in the UK, the EU and the United States. We use approved transfer mechanisms when data leaves the UK or EEA.
- How long: As long as your account is active, plus retention periods set out in Section 9.
- Your rights: You can ask for a copy, ask us to correct or delete your data, object to processing, take your data elsewhere, and complain to a regulator. See Section 10.
1. Who we are and how to contact us
This Privacy Policy explains how iMeshh Ltd ("iMeshh", "we", "us") collects, uses and protects personal data when you use iMeshh Pro at pro.imeshh.com, the client portal at portal.imeshh.com, the iMeshh Pro desktop add-on, and the public Gallery (together, the "Service").
iMeshh Ltd is registered in England and Wales (company number 11378052), with its registered office at 15 Good Intent, Edlesborough, Dunstable, England, LU6 2RD, United Kingdom.
iMeshh is the data controller for personal data we process about you as a Studio Owner, Studio Member, Client or Public Visitor, except where this Policy expressly states otherwise (in particular Section 12, where Studios act as controller and iMeshh as processor for personal data Studios upload about their own clients and contacts).
For data-protection enquiries:
- Email: office@imeshh.com
- Post: Data Protection, iMeshh Ltd, 15 Good Intent, Edlesborough, Dunstable, England, LU6 2RD, United Kingdom
We are not required to appoint a statutory Data Protection Officer under the UK GDPR. The point of contact for data-protection matters is the above email address.
2. Who this Policy applies to
This Policy applies to:
- Studio Owners and Studio Members who sign up for an account.
- Clients invited into a Studio via the Client Portal.
- Public Visitors who view the public Gallery, public studio profile pages, public panorama tours or other public surfaces of the Service.
- Recipients of Share Links who view content shared by a Studio without signing into an account.
- Users of the desktop add-on who install and run iMeshh Pro on a local computer.
Where you are located and the parts of the Service you use determine which laws apply to our processing of your personal data. We have written this Policy to comply with the UK GDPR, the UK Data Protection Act 2018, the EU GDPR (where you are located in the EEA), the California Consumer Privacy Act as amended by the CPRA ("CCPA/CPRA", where you are a California resident), and to provide a baseline of equivalent rights to users in other jurisdictions.
3. Personal data we collect
3.1 From Studio Owners and Studio Members
- Account: name, email address, password (stored only as a hash by our auth provider), role within the Studio.
- Profile: display name, avatar, biography, social links, timezone, locale, preferred download format.
- Billing: company name, billing email, billing address, VAT or tax registration number, payment card details (collected directly by Stripe — we receive only a token plus the last four digits of the card and its expiry), Stripe customer and subscription identifiers, legacy WooCommerce customer and subscription identifiers (where applicable).
- Session and security: IP address, user-agent string (browser and operating system), session identifiers, last sign-in time, concurrent device count, security events (failed logins, password resets).
- Usage: pages visited, modules used, features used, file uploads and downloads, AI generation requests, search queries (where you have not opted out of analytics — see Section 5).
- Notifications and preferences: in-app and email notification preferences, marketing-email opt-ins.
- Communications with us: the content of support tickets, replies to ticket emails (delivered via our inbound-email handler), bug reports, and any feedback you send.
3.2 From Clients invited into the Client Portal
- Name, email address.
- Role and permissions within each Project shared with the Client.
- Magic-link sign-in metadata (when invited, when accepted, when last signed in).
- Comments, approvals and rejections recorded on Project deliverables.
- Limited usage metadata (which deliverables viewed, when downloaded).
3.3 From Public Visitors and Share Link recipients
- IP address (used transiently for security and abuse prevention and not retained in our primary database; see Section 5 on analytics).
- Pages visited, device and browser metadata.
- View counts on individual showcases or panoramas (de-duplicated per anonymous viewer per day using a hashed prefix — we do not retain the full IP).
3.4 From users of the desktop add-on
The desktop add-on processes most data locally on your computer and contacts our servers only for authentication, asset downloads, update checks and (optionally) anonymous error logging. See the Desktop EULA for full detail. Personal data transmitted to iMeshh from the desktop add-on is limited to:
- Authentication tokens issued by our auth provider.
- Update-check requests (containing your installed version and OS/architecture).
- File-download requests using presigned URLs.
The desktop add-on does not transmit the contents of your Blender projects or local files to iMeshh.
3.5 User Content
User Content — the 3D files, images, video, panoramas, project metadata, deliverables, comments and other content you upload to the Service — may incidentally contain personal data (for example, the names of people in a brief, or the contact details of a third party in a project document).
We process User Content only as needed to provide the Service to you (see Section 12). For User Content uploaded by a Studio that contains personal data of third parties, the Studio is the data controller and iMeshh is the data processor; the terms of that processing are set out in the DPA.
3.6 Special-category data
We do not request and do not knowingly collect special-category personal data (such as data revealing racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, health data, or data concerning a person's sex life or sexual orientation). If you knowingly upload such data as User Content (for example, in a project brief or client record), you must have a lawful basis for doing so; see the DPA.
3.7 Children's data
The Service is not directed at and may not be used by anyone under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected personal data from a child, contact us at office@imeshh.com and we will delete it.
4. Why we process personal data and our legal bases
| Purpose | Legal basis (UK GDPR / EU GDPR Article 6) |
|---|---|
| Provide and operate the Service to you (account creation, plan management, project hosting, asset delivery, client portal, public Gallery). | Contract (Art. 6(1)(b)). |
| Take payment and manage your Subscription. | Contract; legal obligation for VAT and other tax records (Art. 6(1)(b) and (c)). |
| Send transactional emails (sign-in, billing, invitations, notifications you have opted into, security alerts). | Contract; legitimate interests. |
| Send marketing emails about iMeshh products and features to existing customers about similar products. | Legitimate interests (UK PECR soft opt-in) — you can opt out at any time, including in every marketing email. |
| Send marketing emails to people who are not existing customers. | Consent (Art. 6(1)(a)) — you can withdraw at any time. |
| Keep the Service secure, prevent fraud and abuse, enforce the AUP, investigate incidents. | Legitimate interests; legal obligation. |
| Improve and develop the Service (product analytics, performance monitoring, debugging). | Legitimate interests; consent for non-essential cookies (Section 5). |
| Process User Content through AI Features that you actively use. | Contract (you have requested the processing). |
| Comply with legal, regulatory, court or law-enforcement obligations. | Legal obligation. |
| Establish, exercise or defend legal claims. | Legitimate interests. |
| Process personal data on behalf of a Studio about that Studio's own clients (Client Portal users, contacts in a Studio's CRM and so on). | Acting as processor — see Section 12 and the DPA. The Studio is the controller and must have its own lawful basis. |
Where we rely on legitimate interests, our balancing tests consider the rights and freedoms of you, our reasonable expectations as a SaaS operator, and the minimisation steps we take. You can ask for a copy of the relevant balancing test by emailing us.
5. Cookies, similar technologies and analytics
The Service uses cookies and similar technologies, including browser local storage and session storage. The full list (with name, purpose, duration and whether first- or third-party) is in our Cookie Policy at pro.imeshh.com/cookies.
In summary:
- Strictly necessary cookies and local storage — for sign-in, session management, security and basic Service function. These are exempt from consent under PECR / ePrivacy.
- Analytics cookies and identifiers — we use PostHog to understand how Studios use the Service so we can prioritise improvements. PostHog sets cookies and local-storage items on your device and identifies you using a pseudonymous user identifier. We do not share your email address with PostHog for analytics.
- Payment-processor cookies — set by Stripe on payment pages for fraud prevention. Governed by Stripe's own notices.
We will only set non-essential cookies and similar technologies with your consent. You can change your cookie choices at any time through the in-product cookie settings.
We do not currently use cross-site advertising cookies. If we begin to do so, we will update this Policy and ask for your consent.
6. Sharing personal data — our sub-processors
We share personal data with the third-party providers listed below ("sub-processors") to operate the Service. Each sub-processor is bound by a data-processing agreement that meets the requirements of Article 28 UK GDPR and (where applicable) Article 28 EU GDPR.
| Sub-processor | Purpose | Location of processing | Transfer mechanism (when data leaves UK/EEA) |
|---|---|---|---|
| Stripe Payments Europe, Limited (or other Stripe entity contracted with you) | Payment processing, subscription billing, tax calculation | Ireland (primary); United States (sub-processing) | UK-US Data Bridge (Stripe is DPF-certified including UK Extension); EU SCCs |
| Supabase, Inc. | Authentication, primary database (PostgreSQL) | United States (US East region) | EU SCCs with UK Addendum |
| Cloudflare, Inc. | API hosting (Workers), file storage (R2), background queues, DNS, CDN | R2 object storage is located in the European Union (Western Europe region); Workers run at Cloudflare's global edge close to the requesting user; control-plane operations are processed in the United States | UK-US Data Bridge (Cloudflare is DPF-certified including UK Extension); EU SCCs |
| Vercel, Inc. | Frontend hosting for pro.imeshh.com and portal.imeshh.com | United States (primary); we deploy to the Frankfurt region for EEA-relevant traffic where supported | UK-US Data Bridge (Vercel is DPF-certified including UK Extension); EU SCCs |
| Plus Five Five, Inc. (d/b/a Resend) | Transactional and notification email delivery; inbound email for support replies | United States | UK-US Data Bridge (Resend is DPF-certified per its DPA); EU SCCs |
| Upstash, Inc. | Redis cache for rate limiting and short-lived state | EEA region of Upstash (Frankfurt) where available | UK-US Data Bridge (Upstash is DPF-certified including UK Extension) |
| PostHog, Inc. | Product analytics | United States (us.i.posthog.com) | UK-US Data Bridge (PostHog is DPF-certified per their DPA); EU SCCs with UK Addendum |
| Anthropic, PBC | AI vision tagging for Marketplace Assets (no User Content) | United States | SCCs with UK Addendum; Anthropic's API terms confirm customer data is not used to train Anthropic's models |
| RunPod, Inc. | Image-generation compute for the AI Studio module (only where you actively use the feature) | United States | SCCs with UK Addendum; per-job processing; generation outputs not retained by RunPod after delivery |
| Backblaze, Inc. | Off-site, encrypted disaster-recovery backups of the database and uploaded files (retained up to 12 months, then permanently deleted) | European Union (Amsterdam, EU Central region) | EU SCCs with UK Addendum (US-headquartered provider; backup data stored in the EU) |
We may also share personal data with:
- Our professional advisers (lawyers, accountants, auditors) where reasonably necessary for the operation of our business, under duties of confidentiality.
- Law-enforcement, courts, regulators and other authorities where required by law, court order or as we reasonably consider necessary to protect the rights, safety or property of iMeshh, our users or any third party.
- Acquirers, successors or buyers of our business or assets, in connection with any merger, acquisition, restructuring or sale.
We do not sell personal data, and we do not share personal data for cross-context behavioural advertising, within the meaning of the CCPA/CPRA.
We will give you at least 30 days' notice before adding a new sub-processor or replacing an existing one. Studios may object to a new sub-processor in writing; if we cannot reasonably accommodate the objection, you may terminate the Subscription as described in the DPA.
The current authoritative list of sub-processors, with last-updated date, is maintained at pro.imeshh.com/dpa.
7. International transfers
We are based in the UK; most of our sub-processors are based in or operate from the United States. When personal data is transferred from the UK or EEA to a country that has not been recognised as providing an adequate level of protection, we put in place one of the following safeguards:
- the UK International Data Transfer Addendum to the EU Standard Contractual Clauses ("UK Addendum") or the standalone UK International Data Transfer Agreement ("IDTA"), as appropriate;
- the EU Standard Contractual Clauses as adopted by the European Commission in 2021;
- reliance on the UK Extension to the EU-US Data Privacy Framework ("UK-US Data Bridge") and/or the EU-US Data Privacy Framework where the receiving organisation is certified;
- any other lawful transfer mechanism recognised by the UK Information Commissioner's Office or the European Commission from time to time.
The current adequacy status, as at the date of this Policy, recognises the EEA, Switzerland, Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, the United Kingdom (for transfers from the EEA, valid until December 2031), Uruguay and the United States (only for organisations participating in the Data Privacy Framework).
We carry out transfer impact assessments for our material US-based sub-processors. A summary is available on request.
8. How we keep personal data secure
We apply technical and organisational measures appropriate to the risks of our processing. These include:
- Encryption in transit (HTTPS/TLS) for all traffic between you, the Service and our sub-processors.
- Encryption at rest at the database and object-storage layer (as provided by Supabase and Cloudflare R2).
- Multi-tenant isolation enforced both at the application layer (every API request is scoped to the Studio you select) and at the database layer (row-level security policies in PostgreSQL).
- Role-based access control with least-privilege roles within each Studio.
- Multi-factor authentication available for Studio Owners; mandatory multi-factor authentication for iMeshh administrative access.
- HMAC signature verification on every inbound webhook (Stripe, Resend, RunPod, WooCommerce).
- HTTPS-only cookies, HTTP Strict-Transport-Security headers and a tightly scoped Content Security Policy.
- Rate limiting on authentication, uploads, exports and the public API.
- Soft deletes with cryptographic verification of the soft-deleted flag in every query.
- Logging and monitoring of administrative actions in an immutable audit log.
- Documented incident-response procedures with a 72-hour clock for notifying regulators of qualifying breaches.
Despite these measures, no system is perfectly secure. Where we are the controller of the affected personal data (for example your account, login, billing or usage data), and we become aware of a personal data breach, we will notify the relevant supervisory authority and (where the breach is likely to result in a high risk to your rights) you, without undue delay and in line with our obligations under Article 33 and Article 34 UK GDPR. Where the affected data is personal data that a Studio controls and we only process on its behalf (see Section 12), we instead notify that Studio without undue delay, so that it — as the controller — can make any notifications required to the supervisory authority and to affected individuals; Section 10 of the DPA governs that process.
The full list of technical and organisational measures is in Annex II to the DPA.
9. How long we keep personal data
| Category | Retention period |
|---|---|
| Account profile (Studio Owners and Studio Members) | For the life of the account, plus 30 days after closure (read-only grace period), then deleted from the live database. |
| Client (portal) account | Until the Studio that invited the Client revokes access, or 12 months of Client inactivity, whichever is sooner. Magic-link tokens expire automatically. |
| User Content (uploaded files, project metadata, deliverables) | For the life of the Subscription. After Subscription end: the Studio is downgraded to the Free plan; content within Free plan limits remains available, and content exceeding Free plan limits is retained read-only for at least 90 days (with email warnings before any deletion) and may then be permanently deleted. Soft-deleted within the Service: recoverable for 7 days (Free), 30 days (Pro), 60 days (Studio Pro) or 90 days (Enterprise). |
| Public Gallery showcases | Until unpublished by the Studio. Cached copies on third-party services (e.g. search engines) may persist beyond our control. |
| Billing records (invoices, Stripe customer/subscription IDs, payment metadata) | At least 6 years from the end of the relevant tax year (UK statutory minimum). |
| Activity log of in-Studio actions | 12 months (24 months on Enterprise). |
| Security and authentication logs (sign-ins, failed sign-ins, rate-limit events) | Up to 12 months. |
| Cloudflare Workers operational logs (request/response metadata) | 24 hours, as set by Cloudflare. |
| Webhook event records | 90 days. |
| Inbound and outbound email (transactional) | Up to 30 days at our email provider, plus 12 months in our support-ticket system where the email is part of a support thread. |
| Marketing email contact list (consented) | Until you opt out, plus 30 days for record-keeping. |
| Cookie consent records | Up to 24 months from the date of consent. |
| Backups of the database and uploaded files | Two layers: (a) a rolling 7-day backup window at our database provider; and (b) independent, encrypted, access-controlled disaster-recovery backups of the database and uploaded files, held off-site with a specialist backup provider and retained for up to 12 months, after which they are automatically and permanently deleted. Disaster-recovery backups exist solely to recover from a major data-loss event, are kept "beyond use", are not used for any other purpose, and are not restored to live systems except to recover from such an event. |
When you delete content or close your account, we remove it from our live systems within the periods set out above. Residual copies may persist in our encrypted, off-site disaster-recovery backups for up to 12 months, after which they are permanently deleted. During that period the backup data is kept solely for disaster recovery and is "beyond use": it is not accessed or used for any other purpose. If we restore from a backup following a data-loss event, we re-apply any deletion or erasure requests received in the interim, so that data you asked us to delete is not reinstated.
Where personal data is no longer needed for the original purpose, we either delete it or irreversibly anonymise it.
10. Your rights
You have the rights set out below in relation to your personal data. To exercise any right, email office@imeshh.com and tell us which right you want to exercise and which account or content it relates to. We may need to verify your identity before acting on a request.
10.1 UK and EEA users (UK GDPR / EU GDPR)
- Be informed about how we process your personal data — this Policy and the DPA provide that information.
- Access the personal data we hold about you and receive a copy.
- Rectify inaccurate or incomplete personal data we hold about you.
- Erasure ("right to be forgotten") of personal data we no longer have a lawful basis to keep.
- Restrict our processing of your personal data in certain circumstances.
- Object to our processing of your personal data on the basis of legitimate interests, including objecting to direct marketing at any time.
- Data portability — receive personal data you have provided to us in a structured, commonly used and machine-readable format. The data-export feature in Settings → Preferences provides much of this; for the remainder, email us.
- Withdraw consent at any time where we rely on consent (for example, marketing emails or non-essential cookies). Withdrawal does not affect the lawfulness of processing before the withdrawal.
- Lodge a complaint with a data-protection supervisory authority:
- In the UK: the Information Commissioner's Office (ICO),
ico.org.uk, 0303 123 1113. - In the EEA: the supervisory authority for the EEA Member State where you live, work or where the alleged infringement occurred. We will let you know which authority is competent if you ask.
- In the UK: the Information Commissioner's Office (ICO),
We will respond to requests within one month (extendable by a further two months for complex requests, where we will tell you within the first month).
10.2 California residents (CCPA / CPRA)
If you are a California resident, you have these additional rights under the CCPA as amended by the CPRA:
- Right to know what categories of personal information we have collected about you, the categories of sources, the business or commercial purpose for collection, the categories of third parties with whom we share, and the specific pieces of personal information.
- Right to delete personal information we have collected about you, subject to statutory exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of "sale" and "sharing" of personal information — we do not sell or share personal information for cross-context behavioural advertising as defined by the CPRA, so there is no sale or sharing to opt out of.
- Right to limit use of sensitive personal information — we do not use sensitive personal information for purposes that would trigger this right.
- Right to non-discrimination for exercising your CCPA rights.
To exercise a CCPA right, email office@imeshh.com with subject line "CCPA request". You may also designate an authorised agent to make a request on your behalf, subject to verification.
10.3 Other jurisdictions
If you are outside the UK, EEA and California, you may have similar rights under your local data-protection law (for example, the Australian Privacy Act 1988, Canada's PIPEDA, Brazil's LGPD or other equivalents). We extend the UK GDPR-level rights in Section 10.1 to you as a baseline so that, regardless of where you are based, you can ask for access, correction, deletion, restriction, portability or objection.
11. AI Features and automated processing
11.1 What we use AI for
The Service includes optional AI Features described in Section 18 of the Terms. These include AI image generation and enhancement in the AI Studio module, and automatic vision-tagging of Marketplace Assets we publish.
11.2 Personal data and AI
The AI Studio module processes the source images and prompts you submit. To the extent those inputs contain personal data, that personal data is sent to our AI infrastructure provider (RunPod) for the duration of generating an output, and the output (which may also contain personal data) is stored in your Studio and counts as User Content from then on.
The vision-tagging feature processes Marketplace Asset thumbnails and product names only. It does not process User Content.
11.3 No training on your data
We do not use User Content (including AI Studio inputs and outputs) to train any machine-learning model, whether ours or a third party's. Anthropic's API terms commit Anthropic not to use customer API data to train Anthropic models. RunPod processes generation jobs per-request and does not retain images after delivery.
11.4 No automated decisions producing legal effects
We do not use AI Features to make decisions about you that produce legal effects concerning you or that similarly significantly affect you, within the meaning of Article 22 UK GDPR. AI Features generate creative outputs at your request; they do not approve or deny services, prices, hiring decisions or similar.
11.5 Output accuracy and bias
AI outputs may be inaccurate, biased, offensive or otherwise unsuitable for a particular purpose. We make no warranty about AI outputs (Section 21 of the Terms). You are responsible for reviewing AI output before using it.
12. Studios as data controllers for Client and contact data
When a Studio uses the Service to manage its own clients, projects and contacts, the Studio is the data controller for the personal data of those clients and contacts (their names, emails, project comments, addresses and so on), and iMeshh is the data processor.
The relationship between iMeshh and the Studio in respect of that processing is governed by the DPA at pro.imeshh.com/dpa, which forms part of the Terms and applies automatically when you sign up for a paid Subscription. The DPA covers the categories of data subjects, the categories of personal data, the nature and purpose of processing, our security measures, our sub-processors, our assistance with data-subject requests, breach notification, return and deletion of data on termination, and audit rights.
If you are a Client invited into a Studio, your personal data is controlled by the Studio that invited you (with iMeshh acting as processor). Your first point of contact for data-protection enquiries should be that Studio. We will assist the Studio in responding to your requests as required by the DPA.
13. Marketing communications
- To existing customers: we may send marketing emails about iMeshh products and features similar to those you have used, on the basis of the PECR soft opt-in for existing customers. Every marketing email has a one-click unsubscribe link. You can also turn off marketing emails in Settings → Preferences.
- To people who are not existing customers: we will only send marketing emails where you have given us consent (for example, by signing up to a newsletter). You can withdraw consent at any time.
- Transactional emails: we will continue to send essential transactional emails (sign-in, billing, security, share-link notifications) regardless of marketing preferences, because they are necessary to perform the contract or comply with the law.
14. Public surfaces and what is visible to others
Some content on the Service is intentionally public:
- Public Gallery showcases are visible to anyone, including search engines.
- Public studio profile pages are visible to anyone with the URL.
- Public panorama tours are visible to anyone with the URL.
- Share Links are visible to anyone with the URL (and password, if set) until they expire or are revoked.
We do not place a "noindex" tag on these surfaces by default, so search engines may index them. Before publishing User Content to a public surface, consider what it contains and whether you have the rights and consents needed to make it public.
15. How we handle requests from law enforcement
We disclose personal data to law-enforcement, courts or regulators only when:
- we are required to do so by valid law, subpoena, court order or warrant binding on iMeshh; or
- we reasonably consider disclosure necessary to protect the rights, safety or property of iMeshh, our users or any third party.
We notify the affected user where we are legally permitted to do so.
16. Changes to this Policy
We may update this Policy from time to time. The version date at the top of this page changes when we update. If we make material changes we will notify Studio Owners by email at least 30 days before the change takes effect. Non-material changes (typos, clarifications, an updated sub-processor list after the notice period in Section 6) take effect when the version is updated.
17. Contact
For any data-protection question, request or complaint:
iMeshh Ltd — Data Protection 15 Good Intent, Edlesborough, Dunstable, England, LU6 2RD, United Kingdom office@imeshh.com
You also have the right to complain to a data-protection supervisory authority — see Section 10.1.