PRIVACY POLICY

What we hold, and what we never touch.

Effective date: June 15, 2026

This policy explains what KO Studios LLC ("we") collects when you use MeshBoard — the meshboard.ai sites, the app at app.meshboard.ai, and the relay at api.meshboard.ai — and what we do with it.

The short version

  • We hold: your email address, the devices you've enrolled, push tokens, and encrypted control messages we can't read.
  • We never hold: your source code, files, live streams, job history, or receipts. Those stay on your hardware.
  • Cloud AI providers see your data only when you opt in, only the slice the job needs, under that provider's terms — and you get a receipt.
  • We don't sell your data, don't show ads, and don't train AI models on your content.

What we collect

Account

Your email address (used for magic-link sign-in) and sign-in timestamps.

Mesh and relay metadata

The device names/identifiers you enroll, push notification tokens for your phone, and timing/delivery metadata needed to route messages between your devices. The contents of away-from-home control messages (approvals, asks, decisions) are end-to-end encrypted between your phone and your mesh — the relay delivers them but cannot read them.

What never reaches us

Your source code, repositories, files, local model prompts and outputs, live streams of agents working, and your job history and receipts all stay on your machines. They are not uploaded to our servers.

Cloud model slices (opt-in only)

If you connect a cloud AI provider and opt a job in, the slice of data that job needs is sent directly from your devices to that provider — it does not pass through our relay. The job is labeled before it runs and receipted after. Receipts are stored on your machines, not our servers.

Web basics

Like every website, our servers (Cloudflare) log requests: IP address, browser user-agent, pages requested, timestamps. We use first-party cookies/local storage only to keep you signed in. We use Cloudflare's privacy-first, cookieless web analytics for aggregate traffic counts — it sets no cookies and does not track you across sites or over time. We run no advertising or cross-site tracking cookies.

Email you send us

If you email support or legal, we keep the thread.

How we use it

To operate MeshBoard: signing you in, waking your devices, delivering notifications and control messages, preventing abuse of the relay, fixing problems, and sending transactional email (magic links, important account or policy notices). If we ever send product news, it will be opt-out-able.

Who we share it with

  • Infrastructure: Cloudflare, Inc. hosts our sites, app, and relay.
  • Email delivery: Resend, Inc. delivers our magic-link and account emails (your email address and the message content pass through them).
  • AI providers you configure: when you opt a job in, the job's data slice goes to the provider you chose (e.g. your Anthropic or OpenAI account). That transfer is governed by your agreement with them; your receipt names the provider and what was sent.
  • If the law requires it: we comply with valid legal process, and where allowed we'll tell you before handing anything over.
  • If the business changes hands: account data may transfer in a merger or acquisition; this policy continues to apply until replaced with notice.

We do not sell personal information and have not in the past. We don't share it for cross-context behavioral advertising.

Retention

Account and relay metadata are kept while your account is active. If you delete your account, we delete or de-identify your account data within 30 days, except minimal records we need for security, abuse prevention, or legal compliance. Edge/server logs rotate on the order of 30 days. Data on your own machines is yours and untouched by any of this — deleting your account never deletes your local work.

Your choices

  • Delete your account: email legal@meshboard.ai from your account email (in-app deletion is coming). We'll confirm when relay-side data is gone.
  • Access/export: ask and we'll send you what we hold about you — it's short: your email, devices, and timestamps.
  • Local-only mode: MeshBoard's local-only setting is enforced, not cosmetic — a local-only job cannot use a cloud model.

We honor reasonable access and deletion requests from anyone, not just residents of states that mandate it. California residents: we don't "sell" or "share" personal information as the CCPA defines those terms. We don't collect health data. If you use MeshBoard from the EEA/UK, we process account data to perform our contract with you and for legitimate interests like security; contact us to exercise GDPR rights.

Security

The control channel is end-to-end encrypted; transport is TLS everywhere; and the cheapest data to protect is data we never collect, which is the design. No system is perfectly secure — report concerns to security@meshboard.ai.

Children

MeshBoard isn't for children under 13, and we don't knowingly collect their information. If you think a child has an account, tell us and we'll delete it.

Where data lives

We're a US company. Our infrastructure runs on Cloudflare's network (US and global edge). By using MeshBoard you understand your account data is processed in the United States.

Changes

We'll post updates here and, for material changes, give notice via the site or email before they take effect.

Contact
KO Studios LLC · Washington, USA
legal@meshboard.ai