PRIVACY POLICY

Mesh Logic Pty Ltd ("we", "our" and "us") is committed to protecting your personal information. This Privacy Policy sets out our policies and practices regarding the collection, use and disclosure of personal information that you provide to us and which we collect from you. By accessing or otherwise using the MeshLogic AI Governance browser extension (the "Extension"), the website at www.meshlogic.ai (the "Website"), contacting us by email or telephone or acquiring our products or services provided from time to time (together, the "Service"), or engaging with us in any other way, you agree to the terms and conditions set out in this Privacy Policy and consent to the processing of your personal information in accordance with this Privacy Policy and any other arrangements that apply between us.

Please read this Privacy Policy carefully and contact us on the details below, if you have any queries.

By providing your personal information to us, you consent to us collecting, holding, using, and sharing your personal information as outlined in this Privacy Policy.

1. TYPES OF PERSONAL INFORMATION WE COLLECT AND HOLD

1.1 The types of personal information that we may collect includes:

1. personal details such as name, age, gender, date of birth, current employment status, your occupation and length of employment, level of education;
2. contact details such as billing and delivery address, business address, email address, telephone number and other contact details;
3. organizational information including your role, department, company size, industry sector, and AI governance maturity level;
4. Extension usage data including AI tools detected on websites you visit, governance risk indicators, feature usage patterns, and configuration settings;
5. profile data including username and password, purchases or orders made by you, your interests, preferences, feedback, and survey responses;
6. transaction data which may include details about payments to and from you and other details of products and services you have purchased from us;
7. records of our interactions with you;
8. if you are an employee or prospective employee, information about your qualifications, skills, and work experience;
9. if you are a supplier or prospective supplier, information about your business skills, services, products, and prices;
10. your computer and connection information, statistics on page views, traffic to and from and other standard web log information;
11. marketing and communication preferences;
12. any other personal information that may be required to facilitate your dealings with us;
13. any other personal information you may volunteer.

1.2

Wherever lawful and practical, you have the option of not identifying yourself (or using a pseudonym) when dealing with us.

2. HOW WE COLLECT PERSONAL INFORMATION

2.1 We collect your personal information in several different ways, including by way of:

1. when you voluntarily acquire our Services;
2. when you install and use the MeshLogic AI Governance browser extension;
3. personal contact with us at a face-to-face meeting or virtual conference;
4. correspondence, chats, social applications or services, mail, email, or telephone;
5. when you apply for a job, internship, or other work placement with us;
6. when you visit our Website;
7. when you participate in our pilot programs or beta testing;
8. when you invest in our business or enquire about a potential acquisition of our business.

2.2

Where possible, we will collect your Personal Information directly from you. However, where it is not reasonable or practicable to do so, we may collect information about you from third parties. For example, personal information may be collected from other sources, such as:

1. public sources, or
2. our service providers.

2.3

In such a case we will take reasonable steps to ensure that you are made aware of the information provided to us by the third party.

2.4

If we receive your personal information from third parties, we will protect it as set out in this Privacy Policy.

2.5

If you do not provide us with personal information when requested to do so, we may not be able to provide our Services to you, carry out your instructions, or otherwise achieve the purpose for which the information has been sought.

2.6

We may hold your personal information in hard copy files and/or electronic files.

2.7

We will destroy or de-identify information where we form the opinion that the information has been provided to us unlawfully or unfairly.

3. WHY WE COLLECT, HOLD, USE AND DISCLOSE YOUR PERSONAL INFORMATION

3.1 We will use and disclose your personal information only for the purpose (the "primary purpose") for which you provide it to us, which may include:

1. to provide you with any goods or services that you may request including enabling you to access and use the Services from time to time;
2. to enable the Extension to detect AI tool usage, assess governance risks, and provide real-time alerts;
3. to contact and communicate with you and otherwise provide customer support;
4. to maintain a database of customers, subscribers or similar;
5. for internal administration and operational purposes such as preventing fraud and abuse of our systems and to troubleshoot bugs;
6. to assist in providing better products and services to you by tailoring the Services to meet your needs;
7. to improve AI detection accuracy and develop new governance features;
8. to consider your employment or contractual engagement application;
9. to provide you with further information about us or other websites or products or services offered by us or which we consider may be of interest to you;
10. to carry out marketing, promotional and publicity activities (including direct marketing), market research and surveys;
11. to keep our Website and Extension relevant and of interest to users;
12. to show you advertising and information that is most relevant to you and your interests;
13. to allow us to run our business and perform administrative and operational tasks;
14. to comply with legal and regulatory requirements; and
15. for any other purpose which is stated to you at the time of collection or that you otherwise authorise.

3.2

When we collect Personal Information, we will, where appropriate and where possible, explain to you why we are collecting the information and how we plan to use it.

3.3 Sensitive information:

Sensitive Information is defined in the Privacy Act to include information or opinion about such things as an individual's racial or ethnic origin, political opinions, membership of a political association, religious or philosophical beliefs, membership of a trade union or other professional body, criminal record, or health information.

We do not intentionally collect sensitive information through our Extension or Services. If sensitive information is inadvertently collected, it will be used by us only:

• For the primary purpose for which it was obtained
• For a secondary purpose that is directly related to the primary purpose
• With your consent; or where required or authorised by law.

4. COOKIES AND BROWSER EXTENSION DATA

4.1 Cookies and Tracking Technologies

While we do not use browsing information to identify you personally, we may use cookies, web beacons, and other tracking technologies to collect certain information about your use of the Website such as the pages you visit, the date and time of your visit, your IP address, and your interaction with the Website. A cookie is a small file containing a string of characters that is sent to your computer or mobile device when you visit a website. When you visit the website again, the cookie allows that site to recognise your browser. Cookies may store unique identifiers, user preferences and other information. You can reset your browser to refuse all cookies or to indicate when a cookie is being sent. However, some website features or services may not function properly without cookies.

4.2 Cookie Consent

When you first visit our Website, a cookie consent banner allows you to manage your cookie preferences, including the ability to accept or decline non-essential cookies such as analytics cookies. You may update your preferences at any time via the cookie settings accessible from the Website. We honour Global Privacy Control (GPC) signals where detected.

4.3 Browser Extension

The Extension analyses web page content locally in your browser to detect AI tools and governance risks. This analysis is performed in real-time and only relevant governance data is transmitted to our servers for processing and reporting purposes.

5. THIRD-PARTY AI AND MACHINE LEARNING SERVICES

5.1 Use of Third-Party AI Services

MeshLogic uses third-party artificial intelligence and machine learning services to deliver core platform features including content validation, meeting analysis, natural language processing, and intelligent recommendations. These services may process Your Content — including text you submit for analysis, meeting transcripts, chat messages, and documents — in order to generate insights and responses.

5.2 Data Protection with AI Sub-Processors

All third-party AI service providers engaged by MeshLogic are contractually bound to:

• Not use Your Content to train, improve, or fine-tune their general-purpose AI models
• Process Your Content solely for the purpose of delivering the MeshLogic Service
• Delete or return Your Content after processing, in accordance with their data processing agreements
• Maintain security controls consistent with applicable industry standards and regulatory frameworks, including but not limited to SOC 2, ISO 27001, ISO 42001, GDPR, and the Australian Privacy Act

5.3 Sub-Processor List

MeshLogic maintains a current list of sub-processors, including AI service providers and infrastructure partners, which is available upon request by contacting support@meshlogic.ai. We will notify customers of material changes to our sub-processor list with reasonable advance notice.

6. ENDPOINT MONITORING AGENTS

For enterprise customers, MeshLogic provides endpoint monitoring agents that can be deployed to corporate-managed devices running Windows, Linux, or macOS. These agents operate at the system level to provide security visibility.

6.1 Data Collected by Endpoint Agents

The endpoint agents may collect the following system telemetry:

• Process execution events (application name, process ID, parent process, timestamp)
• File access events (file path, access type such as open/write/delete)
• Network connection events (destination address, port, protocol)
• Code signing information (certificate details, signature validity)

6.2 Data NOT Collected by Endpoint Agents

6.3 Privacy Protections for Endpoint Data

All endpoint telemetry is subject to the following privacy protections before transmission:

• Differential Privacy: Laplace noise (ε=1.0) is applied to event timestamps to prevent timing-based identification
• Device Anonymization: Hardware identifiers are SHA256 hashed with customer-specific salt before transmission
• Username Anonymization: Usernames in file paths and process data are replaced with [USER] placeholders
• Sensitive Data Redaction: Passwords, API keys, and tokens detected in command-line arguments are automatically redacted
• Path Filtering: Administrators can configure paths to exclude from monitoring (e.g., personal directories)

6.4 Platform-Specific Implementation

• Windows: Uses kernel-level ETW (Event Tracing for Windows) for system event collection
• Linux: Uses eBPF (extended Berkeley Packet Filter) for kernel event monitoring
• macOS: Uses Apple's Endpoint Security Framework (ESF) for system event monitoring

6.5 Enterprise Deployment

Endpoint agents are deployed exclusively to enterprise-managed devices through:

• Mobile Device Management (MDM) systems for macOS
• Group Policy or SCCM for Windows
• Configuration management tools (Ansible, Puppet, Chef) or Kubernetes DaemonSets for Linux

Individual consumers cannot install endpoint agents. Deployment requires administrative access and is visible to device users through standard system tools.

6.6 Data Storage and Retention

Endpoint telemetry is:

• Transmitted over encrypted connections (TLS 1.3)
• Stored in encrypted AWS infrastructure (DynamoDB for real-time data, S3 for archival)
• Isolated by customer using partition keys to prevent cross-tenant access
• Retained according to customer-configured policies, typically 90 days for real-time data

6.7 Data Minimisation Tiers

MeshLogic supports configurable data minimisation tiers, allowing customer organisations to control the scope of endpoint telemetry collection in accordance with GDPR data minimisation principles:

• Tier 1 — Minimal: AI tool DNS detection and identity provider session tracking only. No file or process event metadata is collected or transmitted. Suitable for organisations requiring the smallest possible data footprint (e.g., EU default deployments).
• Tier 2 — Standard: Tier 1 data plus credential file access events, governed process activity (git, ssh, curl), and package manager operations. Balances security visibility with privacy. Recommended for most deployments.
• Tier 3 — Full: All file, process, and network telemetry with complete event metadata. Required for regulated industries needing comprehensive audit trails (e.g., SOC 2, HIPAA, PCI-DSS).

Customer organisations select their tier during deployment. Tier selection can be changed at any time through the management console or cloud policy configuration.

7. WHO DO WE SHARE YOUR PERSONAL INFORMATION WITH?

7.1 We may disclose your personal information to:

1. third party contractors engaged to perform functions or provide services relating to the purposes for which we collect personal information. If this is the case, we will do our best to ensure that their privacy policy adheres to similar standards of privacy protection and will request they comply with this Privacy Policy;
2. third party service providers or affiliates within or outside of Australia and who work on behalf of or with us to provide some of our administrative and other services, such as processing payments (such as credit card payments). We require such service providers to agree not to use such information except as necessary to provide the services to us;
3. our employees, contractors and/or related entities on a 'need to know' basis to continue to provide our products and services to you and to otherwise administer our organisation;
4. professional advisers, dealers, and agents;
5. any party to whom our assets or business may be transferred or with whom we are merged;

7.2

We are committed to ensuring that any personal information we share is complete, accurate, up to date and relevant.

7.3

We may also disclose your personal information if we determine in good faith that disclosure is reasonably necessary to protect our rights and pursue available remedies, enforce our terms and conditions, investigate fraud, or protect our operations or users.

7.4

At your request, we will share your personal information with your representative or any person acting on your behalf (for example, financial advisers, lawyers, attorneys, accountants, executors, administrators, trustees or auditors).

8. COMMUNICATIONS AND MARKETING

8.1

We may from time to time use your personal information to communicate and market our products and services to you via newsletters, email invitations and updates about our products and/or services, upcoming workshops and events. These communications may be sent in various forms, including without limitation mail, SMS, fax and email, in accordance with applicable marketing laws, such as the Spam Act 2003 (Cth). If you indicate a preference for a method of communication, we will endeavour to use that method whenever practical to do so. You may opt out of direct marketing at any time by notifying us in writing or by using the opt-out facilities provided in the communication.

8.2

We do not provide your personal information to other organisations for the purposes of direct marketing.

8.3

We do not sell, rent, or trade your personal information to any third party for monetary or other valuable consideration. This applies to all categories of personal information we collect, without exception.

9. HOW WE STORE AND PROTECT YOUR PERSONAL INFORMATION

9.1 We are committed to ensuring the safety and security of your personal information. We will take reasonable technical and organisational precautions to protect your information from misuse, interference, loss, unauthorised access, modification, or disclosure. For example:

• we limit access to personal information to a "need-to-know" basis
• we keep all hard copies of personal information in secure premises, accessible by authorised personnel only;
• we store data securely on cloud servers or other types of networked or electronic storage, with providers who are subject to encryption and data protection policies;
• our devices are protected by password and are stored in secure premises;
• the devices we use to collect, hold, use and disclose personal information contain anti-virus software;
• all conversations involving the discussion of personal information take place in private, where they are unable to be overheard by unauthorised personnel;
• our Website contains pages encrypted with SSL/TLS (Secure Sockets Layer/Transport Layer Security) to ensure the safety of any data submitted through use of this Website;
• our email data is encrypted;
• the Extension uses encryption for data transmission between your browser and our servers.

9.2

Despite our best efforts to securely store your information, due to the nature of email and the internet, we cannot guarantee the privacy or confidentiality of your personal information.

9.3

If you communicate with us via electronic means such as email, Zoom, Skype, contact forms or social media platforms, we do not have full control over the transmission or storage of any personal information disclosed. By participating in such forms of communication you understand and accept that there is an inherent risk of disclosure or loss of your personal information for which we cannot be held responsible.

9.4 Data Retention

We will destroy or de-identify your personal information when it is no longer needed for the purpose for which it was obtained, except where we have a legal obligation to retain such information. We will never permanently store complete credit card details.

Specific retention periods include:

• Real-time telemetry data: Automatically deleted after 90 days via time-to-live policies
• Audit trail and compliance records: Retained for the duration required by applicable regulatory frameworks (typically 7 years)
• Account and profile information: Retained for the duration of your subscription, plus 30 days for data export following termination
• AI processing data: Content submitted to third-party AI services is processed transiently and not retained by those services after processing is complete

Where automated deletion is not technically feasible for certain data categories, we apply manual review cycles on a quarterly basis to identify and remove data that is no longer required.

9.5

When you provide us with personal information, that information may be collected, stored, and processed on servers located outside of Australia. As electronic or networked storage can be accessed from various countries via an internet connection it is not always practicable to know in which country your information may be accessed or held.

9.6 Data Processing Agreement

Where required by applicable data protection laws (including GDPR), or upon customer request, MeshLogic will enter into a Data Processing Agreement (DPA) that sets out the specific terms governing our processing of personal data on your behalf. To request a DPA, contact support@meshlogic.ai.

10. LINKS TO OTHER SITES

10.1

We may provide links on our Website to third party websites, for your information and convenience. Please note we do not have any control over such websites and are therefore not responsible for the protection and privacy of any personal information which you provide whilst visiting those websites. We note those websites are not governed by this policy. We encourage you to be safe and make sure you read their privacy policy before giving them your personal information.

11. HOW YOU CAN ACCESS AND CORRECT YOUR PERSONAL INFORMATION

11.1

We will take reasonable steps to ensure that any personal information we collect is up-to-date, complete, relevant and not misleading, and any personal information that we use or disclose is up-to-date, complete, relevant, and not misleading.

11.2 You may contact us using the details set out below to seek any of the following:

1. Access: You can ask to be provided with full information about your personal information that we hold.
2. Change or correct information: You can also ask us to change or correct any information we hold about you.
3. Delete your personal information: You can ask us to delete or destroy your personal information. Please note that certain conditions may apply to the exercise of this right. Please note that if we agree to delete your information, due to backups and records of deletions, it may be impossible to completely delete your information, however we will functionally delete the information and not sell, transfer, or use your personal information moving forward.

11.3

We will respond to any request to access information within a reasonable time.

11.4

We will not charge any fee for your access request but may charge an administrative fee for providing a copy of your Personal Information.

11.5

To protect your Personal Information, we may require identification from you before releasing the requested information.

12. MANAGING EXTENSION PERMISSIONS

You can manage the Extension's permissions through your browser settings:

• Chrome: Settings → Extensions → MeshLogic AI Governance → Details
• You can disable the Extension at any time
• You can limit the Extension to specific websites
• You can revoke specific permissions granted to the Extension

13. YOUR PRIVACY RIGHTS

13.1 California Privacy Rights

Where we process the personal information of California residents, we are committed to complying with the California Consumer Privacy Act (CCPA). California residents may have the right to:

• Know what personal information is collected about you
• Know whether your personal information is sold or disclosed
• Say no to the sale of personal information
• Access your personal information
• Request deletion of your personal information
• Not be discriminated against for exercising your privacy rights

13.2 European Privacy Rights

Where we process the personal data of individuals located in the European Economic Area (EEA), we are committed to complying with the General Data Protection Regulation (GDPR). EEA residents may have the following rights:

• The right to be informed about data collection and use
• The right of access to your personal data
• The right to rectification of inaccurate data
• The right to erasure ("right to be forgotten")
• The right to restrict processing
• The right to data portability
• The right to object to processing
• Rights related to automated decision-making

13.3 Legal Basis for Processing (GDPR)

Where GDPR applies, we rely on the following legal bases for processing personal data:

• Contractual necessity (Article 6(1)(b)): Processing necessary to deliver the Service you have subscribed to, including account management, platform access, and support
• Legitimate interest (Article 6(1)(f)): Processing for platform security, fraud prevention, service improvement, and anonymised analytics, where our interests do not override your fundamental rights
• Consent (Article 6(1)(a)): Processing for marketing communications and non-essential cookies, which you may withdraw at any time by contacting us at support@meshlogic.ai or updating your preferences in your account settings
• Legal obligation (Article 6(1)(c)): Processing required to comply with applicable laws, regulations, or legal proceedings

13.4 Automated Decision-Making

The MeshLogic Service uses artificial intelligence to generate risk scores, compliance assessments, and governance recommendations. These AI-assisted outputs are designed to inform and support human decision-making — they do not, on their own, produce decisions with legal or similarly significant effects on individuals.

All AI-generated assessments are subject to human review through a tiered escalation process. Customers retain full control over how AI-generated insights are actioned within their organisation, and may override, adjust, or disregard any automated output. Where you believe an AI-assisted assessment has materially affected you, you may contact us to request a human review of the relevant output.

14. CHILDREN'S PRIVACY

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us.

15. DATA BREACH NOTIFICATION

15.1

In the event of a data breach that is likely to result in serious harm to any individuals whose personal information is involved, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable, and in any event within 72 hours of becoming aware of the breach, in accordance with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth).

15.2

Enterprise customers will receive direct notification from their designated account contact, including details of the nature of the breach, the types of information involved, and the steps we are taking to contain and remediate the incident.

16. COMPLAINTS ABOUT A PRIVACY BREACH

16.1

We take complaints and concerns regarding privacy seriously. You should express any privacy concerns you may have in writing. We will then attempt to resolve it within 30 days.

16.2

If you are not satisfied with our response, you may also contact the Office of the Australian Information Commissioner (OAIC). Generally, the OAIC will require you to give them time to respond before they will investigate. For further information visit www.oaic.gov.au or call the OAIC on 1300 363 992.

If you are located in the European Economic Area or the United Kingdom, you also have the right to lodge a complaint with your local data protection supervisory authority (for example, the Information Commissioner's Office in the United Kingdom or the relevant authority in your EU member state).

17. INTERNATIONAL DATA TRANSFERS

Where you are located outside of Australia, the information we collect may be processed in and transferred between your location and Australia. Australia may not have equivalent data protection laws to those in force in your location.

17.1 Transfer Safeguards

Where personal data is transferred from a jurisdiction that restricts international data transfers (such as the EEA or the United Kingdom), we implement appropriate safeguards including:

• Standard Contractual Clauses (SCCs) approved by the European Commission, where required
• Data processing agreements with all sub-processors that include equivalent protections
• Technical measures including encryption in transit and at rest, and access controls

17.2 Data Sovereignty

MeshLogic's primary infrastructure is hosted in Australia (AWS ap-southeast-2, Sydney). Where customers have specific data residency requirements — such as data that must remain within the European Economic Area, the United Kingdom, or another jurisdiction — MeshLogic will undertake reasonable efforts to establish sovereign processing capabilities in the relevant region to meet those requirements. Data residency arrangements can be discussed as part of an Enterprise Agreement.

18. CHANGES TO OUR PRIVACY POLICY

Any changes to this Privacy Policy will be posted onto the Website. Unless stated otherwise, changes will be effective immediately upon being placed onto the Website. Your continued use of the Website or Extension means you agree to be bound by the amended Privacy Policy.