1. About this policy
This Privacy Policy describes how [YOUR LEGAL ENTITY NAME]
("we", "us", "our", or "MeshWG") collects, uses, stores, processes,
discloses, and protects the personal data of users ("you", "your")
who access the MeshWG service through the websites meshwg.com and
vpn.meshwg.com (collectively, the "Service").
By accessing or using the Service, you confirm that you have read,
understood, and agreed to be bound by this Privacy Policy. If you
do not agree, please do not use the Service.
2. Personal data we collect
2.1 Information you provide
- Account data: email address, password (stored only as a one-way cryptographic hash; never in plaintext), display name, and organisation name.
- Authentication identifiers (Google sign-in only): your Google account ID, verified email, and display name, received from Google OpenID Connect.
- Mesh metadata: for each device you add — the name you assign, its public WireGuard key, its assigned overlay IP address, and aggregate handshake counters (last-seen time, byte counters) used for the dashboard status indicators.
- Billing data: billing email, the plan you subscribe to, and machine count for invoicing. Payment card details are processed entirely by Razorpay; we never receive or store full card numbers.
- Communications: any emails or support messages you send to us.
2.2 Information collected automatically
- Technical logs: HTTP method, path, response status, source IP, user agent, timestamp.
- Authentication cookies: see Section 6.
- Aggregate analytics: page paths, anonymised country (derived from IP and then discarded), browser family, operating system. Collected via a self-hosted, privacy-respecting analytics platform with no cookies, no PII, and no cross-site tracking.
2.3 What we do not see
Traffic flowing through your mesh is end-to-end encrypted using
standard WireGuard. The private keys required to decrypt that
traffic reside only on your devices and are never transmitted to
or stored by us.
3. Purpose and lawful basis of processing
Under Section 7 of the DPDP Act, we process your personal data
only for lawful purposes for which you have given consent or
which are otherwise permitted by law. Specifically:
- To provide and operate the Service (account access, mesh establishment, dashboard).
- To process billing and issue tax-compliant invoices.
- To send transactional email (verification, password reset, billing notices).
- To respond to your support requests.
- To prevent fraud and ensure security of the Service.
- To comply with applicable laws and respond to lawful requests from authorities.
4. Sharing and disclosure
We do not sell, rent, or trade personal data. We share personal
data only with the following categories of recipients, only to
the extent necessary for the purposes listed in Section 3:
- Payment processor — Razorpay Software Private Limited (an Indian company): card, UPI, and net-banking processing. Card details flow directly from your browser to Razorpay; we receive only a payment token and transaction status.
- Email delivery — Mailsetu Communications (an Indian SMTP provider): transactional emails (sign-in links, billing receipts, security notices) are dispatched through Mailsetu's infrastructure.
- Google LLC (United States): only if you choose "Continue with Google" — receives the fact that you signed into MeshWG; we receive your Google profile basics.
- Cloudflare, Inc. (United States): provides DNS, CDN, and DDoS protection for our websites. Sees request metadata only; cannot decrypt mesh traffic.
- Law enforcement and regulatory authorities when required by Indian law or court order, after verifying the legal basis of the request.
5. Cross-border data transfer
Some of our service providers (Google, Cloudflare) are located
outside India. Where personal data is transferred to such
providers, we ensure the transfer complies with Section 16 of
the DPDP Act and we apply contractual safeguards to protect
such data. The territories to which transfers may be made
are documented and updated as the Central Government may
notify under the DPDP Act.
6. Cookies
The Service uses only strictly necessary cookies:
- An authentication cookie that keeps you signed in. HTTP-only, Secure, SameSite=Lax, with a 24-hour lifespan.
- An anti-CSRF cookie protecting state-changing requests. HTTP-only, Secure, SameSite=Strict, with a 1-hour lifespan.
- A short-lived Google sign-in cookie (only set if you start a Google sign-in; 10-minute maximum lifespan).
We do not use advertising, tracking, or analytics cookies on any
page. Our analytics platform is cookieless by design.
7. Data retention
- Account data: for the life of your account; deleted within 30 days of account closure.
- Mesh metadata: while the corresponding device exists in your mesh; deleted within minutes of device removal.
- Billing data: retained for 8 financial years to comply with applicable Indian tax and accounting laws (Companies Act, 2013; Income-tax Act, 1961).
- HTTP request logs: 7 days.
- Application error logs: 30 days.
8. Security
We implement reasonable security practices and procedures as
contemplated under the Information Technology (Reasonable
Security Practices and Procedures and Sensitive Personal Data
or Information) Rules, 2011, including:
- Passwords stored only as one-way hashes using an industry-standard slow-hash function.
- Server-side WireGuard keys held on your behalf are encrypted at rest with strong symmetric encryption; the service refuses to start without the unlock secret.
- Each customer organisation is strictly isolated from every other organisation on the service.
- Sessions can be terminated immediately on logout or revocation.
- CSRF protection is enforced on every state-changing request.
- Server software is updated within seven days of any vendor security advisory that applies to it.
- Routine encrypted backups, retained for 30 days.
9. Your rights as a Data Principal
As a Data Principal under the DPDP Act, you have the following rights:
- Right to access — request a summary of personal data we hold about you and the processing activities we carry out.
- Right to correction and erasure — request correction of inaccurate data, or deletion of personal data that is no longer necessary for the purpose for which it was collected.
- Right to withdraw consent — at any time, with effect from the time of withdrawal (not retroactively).
- Right to grievance redressal — file a complaint with our Grievance Officer (Section 11) about the processing of your data; we will respond within 30 days.
- Right to nominate — nominate another individual to exercise these rights in the event of your death or incapacity.
To exercise any of these rights, write to us at amit@meshwg.com or
hello@meshwg.com. We may verify your identity before acting on the
request.
10. Children
The Service is not directed at, and we do not knowingly collect
personal data from, children below the age of 18 years (in
accordance with Section 9 of the DPDP Act). If we become aware
that we have collected personal data from a child, we will
delete such data promptly.
11. Grievance Officer
In accordance with Rule 5(9) of the Information Technology
(Reasonable Security Practices and Procedures and Sensitive
Personal Data or Information) Rules, 2011, and Section 10 of
the DPDP Act, 2023, the contact details of our Grievance
Officer are:
We aim to acknowledge grievances within 48 hours and to resolve them within 30 days of receipt.
12. Security incident notification
In the event of a personal data breach affecting your data, we
will notify you and the Data Protection Board of India in
accordance with Section 8(6) of the DPDP Act and applicable
CERT-In directions. Notification will include the nature of
the breach, the data affected, mitigation steps taken, and the
recommended actions you should take.
13. Changes to this policy
We may update this Privacy Policy from time to time. Material
changes will be communicated to the email address associated
with your account at least 30 days before they take effect, and
a notice will be displayed prominently on this page. The
"Effective" date at the top of this page reflects the most
recent update.
14. Contact
For privacy questions or grievances:
General privacy: hello@meshwg.com
Grievance Officer (Amit): amit@meshwg.com
Security issues: security@meshwg.com