This Privacy Policy explains how Basically AB ("RuleMesh", "we", "us", or "our") collects, uses, shares, and protects your personal data when you use the RuleMesh platform, website, APIs, MCP server, and related services (collectively, the "Service").
We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable Swedish data protection law. This policy fulfils our transparency obligations under Articles 13 and 14 of the GDPR.
1. Data Controller
The data controller for personal data processed through the Service is:
2. Data Protection Contact
For any questions about this Privacy Policy, your personal data, or to exercise your data protection rights, contact our data protection team:
Data Protection Enquiries
Email: privacy@rulemesh.com
You can also submit a data protection request via our Support page using the "Data Protection" category.
3. What Personal Data We Collect
We collect the following categories of personal data:
Account information
Email address, name, organisation name, and password (hashed). Collected when you create an account.
Usage data
Pages visited, features used, compliance bundles accessed, and Jira integration activity. Collected automatically when you use the Service.
Payment information
Payment details are processed by Stripe. We do not store credit card numbers. We receive your Stripe customer ID and subscription status.
Analytics data
If you consent, we collect anonymised usage analytics via PostHog (EU-hosted). You can decline analytics at any time via the consent banner or in your account settings.
Support communications
When you contact support, we collect the content of your messages, email address, and ticket metadata.
4. Purposes and Legal Basis
We process your personal data for the following purposes under these legal bases:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing and maintaining the Service | Art. 6(1)(b) — contractual necessity |
| Account management and authentication | Art. 6(1)(b) — contractual necessity |
| Processing payments via Stripe | Art. 6(1)(b) — contractual necessity |
| Product analytics and improvement | Art. 6(1)(a) — your consent |
| Sending transactional emails | Art. 6(1)(b) — contractual necessity |
| Responding to support requests | Art. 6(1)(b) — contractual necessity |
| Preventing fraud and ensuring security | Art. 6(1)(f) — legitimate interest |
5. Sub-Processors and Data Sharing
We do not sell your personal data. We share data with the following service providers who process data on our behalf:
| Provider | Purpose | Location |
|---|---|---|
| AWS (Amazon) | Infrastructure, database (DynamoDB) | EU (Frankfurt) |
| Cloudflare | CDN, DDoS protection, DNS, edge security | Global (EU data stays in EU) |
| Stripe | Payment processing | EU/US (Stripe EU entity) |
| PostHog | Product analytics (consent-based) | EU (Frankfurt) |
| Resend | Transactional email delivery | US (EU DPA in place) |
| Atlassian | Jira integration (user-initiated) | Global (user's Jira instance) |
6. International Data Transfers
Our primary infrastructure is hosted within the EU (AWS Frankfurt, PostHog EU). Where personal data is transferred outside the EU/EEA (e.g., to Resend for email delivery or to Stripe for payment processing), we rely on the appropriate safeguards required by Chapter V of the GDPR:
- EU-US Data Privacy Framework, where the recipient is certified under it
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements (DPAs) with all sub-processors
7. Data Retention
We retain personal data only as long as necessary for the purposes described in this policy:
| Data Category | Retention Period |
|---|---|
| Account data | Until account deletion + 30 days |
| Usage analytics | 12 months (anonymised after) |
| Payment records | 7 years (Swedish accounting law) |
| Support tickets | 24 months after resolution |
| Server logs | 90 days |
When you delete your account, we remove your personal data within 30 days. Some data may be retained longer where required by law (e.g., financial records under Swedish accounting regulations).
8. Your Rights Under GDPR
As a data subject, you have the following rights under the GDPR:
Right of access (Art. 15)
Request a copy of the personal data we hold about you.
Right to rectification (Art. 16)
Correct inaccurate personal data. You can update your profile directly in Settings.
Right to erasure (Art. 17)
Request deletion of your personal data. You can delete your account in Settings > Profile.
Right to restrict processing (Art. 18)
Request that we limit how we use your data.
Right to data portability (Art. 20)
Download your data in a structured, machine-readable format (JSON).
Right to object (Art. 21)
Object to processing based on legitimate interest.
Right to withdraw consent (Art. 7)
Withdraw analytics consent at any time via the consent banner or in your account settings. Withdrawal does not affect the lawfulness of processing carried out before you withdrew.
9. How to Exercise Your Rights
You can exercise your rights in the following ways:
- Self-service: Edit your profile, manage notifications, and delete your account in Settings.
- Data export: Download your personal data from Settings > Data & Privacy (coming soon).
- Contact us: Email privacy@rulemesh.com or submit a request via our Support page using the "Data Protection" category.
- Supervisory authority: You have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) at imy.se.
We will respond to your request within one month of receiving it (Art. 12(3) GDPR). We may need to verify your identity before acting on the request, so that personal data is not disclosed or deleted at the instruction of someone other than the account holder.
10. Cookies and Analytics
RuleMesh uses minimal tracking:
Essential storage (no consent needed)
Authentication tokens (JWT) stored in localStorage for session management. These are strictly necessary for the Service to function.
Analytics (consent required)
PostHog analytics (EU-hosted in Frankfurt) is only activated after you give consent via the banner on your first visit. You can change your preference at any time. When you decline, no analytics data is collected.
We do not use advertising cookies, social media trackers, or third-party marketing pixels. We do not sell or share analytics data with third parties.
11. Security Measures
We implement appropriate technical and organisational measures to protect your personal data:
- All data in transit is encrypted with HTTPS (TLS 1.2 or higher)
- Passwords are hashed with bcrypt and never stored in plaintext
- JWT authentication with token expiry and refresh-token rotation
- Cloudflare edge security (WAF, DDoS protection)
- EU-hosted infrastructure (AWS Frankfurt)
- Account lockout after repeated failed login attempts
12. Data Breach Notification
In the event of a personal data breach, we will:
- Notify the Swedish Authority for Privacy Protection (IMY) within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to your rights and freedoms (Art. 33 GDPR)
- Notify affected data subjects without undue delay, in plain language, where the breach is likely to result in a high risk to their rights and freedoms (Art. 34 GDPR)
- Describe the nature of the breach, its likely consequences, and the measures taken or proposed to address it
- Provide contact details for our data protection team
13. Children
The Service is not directed at children under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact privacy@rulemesh.com and we will delete the data promptly.
14. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or for legal, operational, or regulatory reasons. We will notify registered users of material changes via email at least 14 days before they take effect. The "Effective" date at the top of this page indicates when the policy was last revised.