Privacy Policy
Privacy Policy
Effective Date: April 2, 2026
Last Updated: April 3, 2026
Welcome to NeuroMesh, the Intelligent Integration and Automation Platform developed for internal enterprise use. NeuroMesh enables seamless data flows, system integrations, API management, and workflow automation across your organization's technology ecosystem.
1. Overview and Scope
This Privacy Policy describes how NeuroMesh collects, uses, stores, and protects personal data and organizational data processed through the platform. It applies to all users, administrators, and systems that interact with NeuroMesh in any capacity, including but not limited to system integrations, API endpoints, workflow automation pipelines, and the NeuroMesh management console.
NeuroMesh is an internal enterprise product. As such, this policy operates within the broader data governance and information security frameworks established by your organization. In the event of any conflict between this policy and applicable organizational data governance policies, the more protective standard shall apply.
This policy is informed by industry standard practices adopted by leading integration platforms, including provisions for data minimization, purpose limitation, lawful processing basis, and robust security controls.
2. Definitions
For the purposes of this Privacy Policy, the following definitions apply:
Personal Data: Any information relating to an identified or identifiable natural person, including but not limited to names, email addresses, employee identifiers, IP addresses, system login credentials, and behavioral usage data within the platform.
Organizational Data: Data owned or controlled by the organization and processed through NeuroMesh integration pipelines, including business records, transactional data, and application data from connected systems.
Integration Data: Data that flows through NeuroMesh connectors, pipelines, or automation workflows between two or more connected systems or endpoints.
Processing: Any operation performed on data, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, transmission, restriction, or deletion.
Controller: The entity (or designated data steward within the organization) that determines the purposes and means of processing personal data within NeuroMesh.
Processor: NeuroMesh, insofar as it processes personal data on behalf of and under the instructions of the Controller.
Data Subject: A natural person whose personal data is processed within or through NeuroMesh.
Platform Administrator: An authorized user with elevated privileges responsible for configuring and managing NeuroMesh environments, connectors, and access controls.
3. Data We Collect
3.1 Platform Usage Data
NeuroMesh collects data about how authorized users interact with the platform. This includes:
Login timestamps, session durations, and user activity logs
IP addresses and device identifiers used to access the management console
Configuration changes, workflow deployments, and connector activations performed by users
API call logs, including endpoint invoked, timestamp, response codes, and latency metrics
Error logs and diagnostic information generated by integration processes
3.2 Integration and Pipeline Data
When organizational systems are connected to NeuroMesh for data integration or automation purposes, NeuroMesh may process data transiting through its pipelines. This may include personal data of individuals where such data is part of the integrated systems (e.g., HR systems, CRM platforms, ERP solutions). NeuroMesh processes this data solely as a data processor, under the direction and control of the organization as data controller.
NeuroMesh does not retain integration data beyond the period necessary for the completion of the relevant workflow, unless explicit data retention policies have been configured by the Platform Administrator. All transient data in flight is encrypted and not persisted to long term storage by default.
3.3 System and Infrastructure Data
NeuroMesh collects operational and infrastructure metrics to ensure platform performance and reliability. This includes:
Runtime execution metrics for deployed integration processes
Resource utilization statistics (CPU, memory, network I/O)
Connector health status and availability metrics
Audit trail data for all administrative and configuration actions
3.4 Data Not Collected
NeuroMesh does not knowingly collect or process the following categories of data unless explicitly configured by the Platform Administrator for a specific, documented business purpose:
Financial account details, credit card numbers, or payment information
Health or medical records classified under applicable healthcare data protection laws
Biometric data or facial recognition data
Data pertaining to minors under the age of 18
4. Legal Basis for Processing
All processing of personal data within NeuroMesh is conducted on one or more of the following lawful bases, consistent with applicable data protection legislation including the General Data Protection Regulation (GDPR) and other relevant frameworks:
Contractual Necessity: Processing necessary to fulfill obligations under the employment relationship or organizational service agreement.
Legitimate Interests: Processing necessary for the legitimate operational and security interests of the organization, provided those interests are not overridden by the rights and freedoms of data subjects.
Legal Obligation: Processing required to comply with applicable laws, regulations, or governmental orders.
Consent: Where processing is based on consent, such consent shall be freely given, specific, informed, and unambiguous. Users may withdraw consent at any time without detriment.
5. How We Use Data
NeuroMesh uses collected data for the following purposes:
Providing, operating, and maintaining the platform and its integration capabilities
Authenticating and authorizing user access to the management console and connected systems
Monitoring platform performance, reliability, and availability
Detecting, investigating, and remediating security incidents, unauthorized access, or policy violations
Generating audit logs and compliance reports as required by organizational policy or applicable law
Improving platform features and integration capabilities based on aggregated, anonymized usage analytics
Communicating with users regarding system updates, maintenance windows, or security advisories
NeuroMesh does not use integration data or personal data processed through pipelines for product improvement, machine learning model training, or any purpose other than the execution of the configured integration workflow, without explicit organizational approval and documented data processing agreements.
In alignment with best in class integration platform standards, NeuroMesh will not transfer organizational or personal data to any third party AI tools or use such data for training of generalized or non personalized AI or machine learning models.
6. Data Storage and Retention
NeuroMesh stores data in accordance with the data residency and retention policies configured by the Platform Administrator.
Platform Administrators may configure extended or reduced retention periods in accordance with organizational data governance policies. Any reduction in retention must be validated against applicable legal and regulatory obligations before implementation.
Upon termination of a user's access to NeuroMesh, their personal data will be anonymized or deleted within 30 calendar days, except where retention is required by law or ongoing security investigation.
7. Data Security
NeuroMesh implements a comprehensive set of technical and organizational security measures to protect data against unauthorized access, disclosure, alteration, and destruction. These measures include:
7.1 Technical Controls
End to end encryption of all data
Encryption of data
Multi factor authentication (MFA) enforcement for all Platform Administrator accounts
Role based access control (RBAC) with principle of least privilege
Automated vulnerability scanning of platform components
Immutable audit logging for all administrative actions
Network segmentation and firewall controls for NeuroMesh runtime environments
7.2 Organizational Controls
Security awareness training required for all personnel with access to NeuroMesh
Formal incident response procedures with defined escalation paths
Regular security assessments and penetration testing
Vendor and third party connector security review processes
Access reviews conducted at a minimum on a quarterly basis
In the event of a confirmed data security incident involving personal data, the NeuroMesh security team will notify the designated Data Protection Officer and affected stakeholders within 72 hours of becoming aware of the breach.
8. Data Subject Rights
Where NeuroMesh processes personal data of employees or other identifiable individuals, the organization (as data controller) is responsible for facilitating the exercise of data subject rights. NeuroMesh provides technical capabilities to support these obligations, including:
Access: The ability to extract and export personal data associated with a specific individual upon verified request
Rectification: The ability to correct inaccurate personal data within platform logs and records
Erasure (Right to be Forgotten): The ability to delete or anonymize personal data, subject to applicable legal retention requirements
Restriction of Processing: The ability to flag specific data records to limit their use pending resolution of a dispute or legal hold
Data Portability: The ability to export personal data in a structured, machine readable format
Objection: The ability to record and enforce objections to specific categories of processing
Requests to exercise data subject rights should be directed to the organizational Data Protection Officer or to legal@neuromesh.internal. NeuroMesh will provide technical assistance to fulfill verified requests within the timeframes required by applicable law.
9. Cross Border Data Transfers
Where NeuroMesh integration workflows involve the transfer of personal data across national or regional borders, the organization must ensure that appropriate safeguards are in place prior to enabling such transfers. NeuroMesh supports the following transfer mechanisms:
Standard Contractual Clauses (SCCs) as approved by the European Commission
Binding Corporate Rules (BCRs) for intra group transfers
Adequacy decisions where recognized by the relevant supervisory authority
Explicit consent of the data subject where no other mechanism applies
Platform Administrators are responsible for configuring data residency constraints within NeuroMesh to reflect the organization's approved transfer mechanisms. NeuroMesh provides geo restriction controls at the connector and pipeline level to enforce data localization requirements.
10. Third Party Connectors and Integrations
NeuroMesh supports integration with a wide range of third party applications, APIs, and data sources through its connector framework. When organizational data is transmitted to or received from third party systems via NeuroMesh connectors, the following principles apply:
The organization retains full responsibility for ensuring that data sharing with third party systems is authorized and lawful
Third party systems must be assessed for security and data protection compliance before being connected to NeuroMesh
NeuroMesh connector credentials and API keys must be stored in the platform's encrypted secrets management vault and must not be stored in plaintext configuration files
All third party data flows must be documented in the organization's data processing register
NeuroMesh does not endorse, warrant, or assume liability for the data handling practices of third party systems to which it connects. The organization is solely responsible for the security and compliance of data shared with external parties.
11. Cookies and Tracking Technologies
The NeuroMesh management console uses session cookies solely for the purpose of maintaining authenticated user sessions. These cookies are:
Strictly necessary for the functioning of the management console
Session scoped and automatically deleted upon logout or browser close
Not used for tracking, advertising, or any purpose other than session management
NeuroMesh does not use persistent tracking cookies, third party analytics scripts, or behavioral tracking technologies within the platform console.
12. Changes to This Privacy Policy
NeuroMesh reserves the right to update this Privacy Policy to reflect changes in platform capabilities, applicable law, or organizational data governance requirements. Material changes will be communicated to all platform users via:
In platform notification displayed upon login
Email notification to registered administrator accounts
Version increment and publication in the NeuroMesh internal documentation repository
Continued use of the platform following notification of a material change constitutes acceptance of the updated policy. Users who do not accept the updated policy must discontinue use and notify their Platform Administrator.
13. Governing Law and Dispute Resolution
These Terms are governed by and construed in accordance with the laws of the jurisdiction in which the Organization is headquartered, without regard to conflict of law principles.
Any dispute arising from or in connection with these Terms that cannot be resolved informally between the parties shall be subject to the exclusive jurisdiction of the courts of the Organization's principal place of business, or, if mutually agreed, to binding arbitration conducted in accordance with the applicable arbitration rules of the jurisdiction.
Users agree to attempt to resolve any dispute informally by notifying the Platform Legal Team at legal@neuromesh.internal in the first instance and allowing 30 calendar days for informal resolution before initiating formal proceedings.
14. Amendments to Terms
The Organization reserves the right to amend these Terms at any time to reflect changes in Platform capabilities, organizational policy, or applicable law. Amendments will be communicated to Users as described in Section 12 of the Privacy Policy.
Continued use of the Platform following notification of amendments constitutes acceptance of the revised Terms. Users who do not accept amended Terms must immediately discontinue use of the Platform and notify their Platform Administrator.
15. General Provisions
Severability: If any provision of these Terms is found to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect, and the invalid provision shall be modified to the minimum extent necessary to make it enforceable.
Entire Agreement: This document, together with the NeuroMesh Service Level Agreement and any applicable data processing addenda, constitutes the entire agreement between Users and the Organization with respect to the Platform and supersedes all prior communications, representations, or agreements.
No Waiver: Failure by the Organization to enforce any provision of these Terms shall not constitute a waiver of the right to enforce that provision in the future.
Headings: Section headings are for convenience only and do not affect the interpretation of these Terms.
Force Majeure: Neither party shall be liable for delays or failures in performance resulting from causes beyond their reasonable control, including natural disasters, cyberattacks by external threat actors, government actions, or infrastructure failures outside the Organization's control.
Assignment: Users may not assign or transfer their rights or obligations under these Terms without prior written consent of the Platform Administrator. The Organization may assign these Terms in connection with a merger, acquisition, or organizational restructuring.
