meshflow
Log in Get Started

Legal

Privacy Policy

Last updated: January 2025

1. Who we are

Meshflow is a product of Alpaca Software Ltd, registered in England and Wales. We operate the Meshflow trading automation platform at meshflow.co. References to "we", "us", or "our" in this policy refer to Alpaca Software Ltd.

Contact: [email protected]

2. What data we collect

  • Account data — your name and email address when you register.
  • Exchange API keys — encrypted immediately on entry using hardware-backed key management. The plaintext is never stored and is not accessible to Meshflow staff.
  • Trade activity — orders placed, cancelled, and filled by your agents, used to display your dashboard and order history.
  • Usage data — basic logs (IP address, browser type, pages visited) for security and service reliability.

3. How we use your data

  • To provide and maintain the Meshflow platform.
  • To authenticate your account and process subscription payments.
  • To display your trading activity and agent performance in your dashboard.
  • To send transactional emails (account creation, billing, important service notices).
  • To investigate security incidents and prevent abuse.

We do not use your data for advertising and do not sell it to third parties.

4. Data sharing

We do not sell or rent your personal data. We share data only with:

  • Cloud infrastructure providers — to host and operate the service. These providers are bound by data processing agreements.
  • Payment processor — for billing purposes only. We do not store card details.
  • Law enforcement — only when required by applicable law.

5. API key security

Your exchange API keys are encrypted using hardware-backed key management before storage. The plaintext never touches our database. Meshflow only requests read and trade permissions — withdrawal permissions are neither requested nor accepted. Even in a worst-case infrastructure breach, your keys cannot be used to withdraw funds.

6. Data retention

We retain your account data for as long as your account is active. If you close your account, we will delete your personal data within 30 days, except where we are required by law to retain it longer.

7. Your rights (GDPR)

If you are in the UK or EEA, you have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your data ("right to be forgotten").
  • Request a machine-readable export of your data.
  • Object to or restrict certain processing activities.

To exercise any of these rights, email [email protected].

8. Cookies

We use only essential cookies required for authentication and session management. We do not use advertising or tracking cookies.

9. Changes to this policy

We may update this policy from time to time. We will notify registered users of material changes by email. Continued use of the service after changes take effect constitutes acceptance of the updated policy.

10. Contact

For privacy-related questions or requests, contact us at [email protected].