meshflow
Log in Request access

Legal

Privacy Policy

Last updated: May 2026

1. Who we are

Meshflow is a product of Alpaca Software Ltd, registered in England and Wales. We operate the Meshflow trading automation platform at meshflow.co. References to "we", "us", or "our" in this policy refer to Alpaca Software Ltd.

Contact: [email protected]

2. What data we collect

  • Account data — your name and email address when you register.
  • Exchange API keys — encrypted in the browser before submission using a dedicated key management service. The plaintext is never stored and is not accessible to Meshflow staff.
  • Trade activity — orders placed, cancelled, and filled by your agents, used to display your dashboard and order history.
  • Usage data — basic logs (IP address, browser type, pages visited) for security and service reliability.

3. How we use your data

  • To provide and maintain the Meshflow platform.
  • To authenticate your account and process subscription payments.
  • To display your trading activity and agent history in your dashboard.
  • To send transactional emails (account creation, billing, important service notices).
  • To investigate security incidents and prevent abuse.

We do not use your data for advertising and do not sell it to third parties.

The lawful basis for processing under UK GDPR Article 6 is: contractual necessity for providing the service and processing payments; legitimate interests for security monitoring, abuse prevention, and service reliability.

4. Data sharing

We do not sell or rent your personal data. We share data only with:

  • Cloud infrastructure providers — to host and operate the service. These providers are bound by data processing agreements.
  • Payment processor — for billing purposes only. We do not store card details.
  • Law enforcement — only when required by applicable law.

5. API key security

Your exchange API keys are encrypted in the browser before submission using a dedicated key management service. The plaintext never touches our database. Meshflow only requests read and trade permissions — withdrawal permissions are neither requested nor accepted. Even in a worst-case infrastructure breach, your keys cannot be used to withdraw funds.

6. Data retention

We retain your account data for as long as your account is active. If you close your account, we will delete your personal data within 30 days, except where we are required by law to retain it longer.

7. Your rights (GDPR)

If you are in the UK or EEA, you have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your data ("right to be forgotten").
  • Request a machine-readable export of your data.
  • Object to or restrict certain processing activities.

To exercise any of these rights, email [email protected].

8. Cookies

We use only essential browser storage (including session tokens) required for authentication and session management. We do not use advertising or tracking cookies.

9. Changes to this policy

We may update this policy from time to time. We will notify registered users of material changes by email. Continued use of the service after changes take effect constitutes acceptance of the updated policy.

10. Contact

For privacy-related questions or requests, contact us at [email protected].