/ privacy

What we see, what we don't, and what we do with what we have.

Effective 2026-05-13. Written in plain English instead of policy boilerplate, because that is the only honest way to explain what's actually happening.

The short version

  • We cannot read your mesh traffic. It's WireGuard, end-to-end encrypted between your devices. Even if we tried, the keys aren't ours.
  • We collect what's needed to run your account: email, password hash, the names + public keys + overlay IPs of the machines you add, and basic billing if you pay.
  • Web analytics is self-hosted Plausible. No cookies, no fingerprinting, no third-party trackers. Adblockers may block it anyway and that's fine with us.
  • We don't sell your data. We don't have ad partners. There's no "data partner" list because there are no data partners.
  • If you delete your account, your data is gone within 30 days — including the encrypted hub keys we hold on your behalf.

What we collect, why, and how long we keep it

Account information

When you sign up: your email address, a bcrypt-hashed password (we never store the plaintext), an optional display name, and the organization name you typed on the signup form. If you use "Continue with Google", we receive your Google account ID, email, and display name from Google's OpenID Connect — nothing else.

Retention: for the life of your account, plus 30 days after deletion so accidental deletes are recoverable.

Mesh metadata (not traffic)

For each machine you add to your mesh, we store: the name you gave it, its public WireGuard key, its assigned overlay IP, and aggregate handshake counters (last seen time, bytes transferred — for the dashboard's status indicators). We never store the private keys of your devices; those are shown to you once at device creation and then forgotten by us.

We also generate and store a per-tenant hub private key (encrypted at rest with AES-256-GCM) that your peers use to establish tunnels to the controller. The encryption key for this field is held in the controller's environment and is never logged.

Retention: while the machine is in your mesh; deleted within minutes when you remove it.

What we never see

Your mesh traffic is WireGuard, encrypted peer-to-peer. The controller acts as a hub for tunnel establishment, but the data inside the tunnels is end-to-end encrypted with keys we do not hold. We technically forward packets between your peers' namespace and can therefore see packet sizes and IP-header metadata in the kernel; the payload content is encrypted and unreadable to us.

Billing

If you upgrade to a paid plan, we store your billing email, the plan, the machine count we're invoicing for, and invoice history. Card details are handled by Stripe — they never reach our servers.

Retention: 7 years after the last invoice, to meet tax obligations.

Technical logs

The controller writes operational logs: HTTP request method/path/status, source IP, timestamp, and error messages. These rotate every 7 days. Application errors that include user-identifying context (email addresses, etc.) are scrubbed before they're written.

Retention: 7 days for HTTP logs; 30 days for error logs.

Web analytics

We use self-hosted Plausible Analytics on meshwg.com. Plausible doesn't use cookies, doesn't fingerprint browsers, and doesn't collect personal data. The only thing recorded for a visit is the page path, anonymized referrer, anonymized country (from IP — IP itself discarded), browser family, and operating system. Aggregate, never individual.

Cookies

We use the minimum cookies needed to make the dashboard work. None for tracking.

  • jwt — your authentication token. HTTP-only, Secure, SameSite=Lax. 24-hour expiry.
  • csrf_ — anti-CSRF token. HTTP-only, Secure, SameSite=Strict. 1-hour expiry.
  • g_oauth_state — short-lived state value during Google sign-in (10 minutes max).

Third parties we route data through

  • Cloudflare — DNS, CDN, and DDoS protection for meshwg.com. They see request metadata.
  • Google — only if you use the "Continue with Google" sign-in flow. Google receives the fact that you signed in to MeshWG; we receive your Google profile.
  • Stripe — payment processing for paid plans. Card details flow directly from your browser to Stripe.

We don't share data with anyone else.

Where your data lives

Account database and controller logs are stored in a single PostgreSQL instance on the same VM as the controller. We don't ship data to third-party databases. The controller VM's physical location is documented separately and available on request — write to hello@meshwg.com.

Your rights

Regardless of where you live, you can:

  • Get a copy of every piece of data we have about you.
  • Correct anything that's wrong.
  • Delete your account and all associated data.
  • Object to processing for any reason.

For any of these, email hello@meshwg.com. We aim to respond within 7 days and complete the request within 30.

Security incidents

If we discover a breach affecting your data, we'll email you within 72 hours of confirmation, with the specifics: what was accessed, what we've done, and what you should do. We won't sit on bad news.

To report a security issue, see our security.txt or email security@meshwg.com.

Changes to this policy

If we change anything material, we'll email the address on file and post a notice on this page for at least 30 days before it takes effect. Cosmetic changes (typos, broken links) we'll just fix; the effective date at the top will move only when substance changes.