Meshulash — Privacy Policy

This Privacy Policy explains how Meshulash handles personal data in connection with our Site and Services (browser extension, IDE plug-ins, automations, APIs, and dashboard). We are a B2B provider focused on enabling employees to use AI tools safely under their organization’s policies.

Chrome Web Store compliance

This Policy is written to meet the Chrome Web Store (CWS) Program Policies including Limited Use, accurate privacy practices disclosures, and prominent disclosure/consent where required (e.g., browsing activity beyond the core user-facing feature).

1) What Personal Data We Collect and Why

1.1 Categories We Process

Account & Billing (controller context): name, work email, organization/role, authentication identifiers (e.g., SSO), plan/billing contacts.

Configuration & Enforcement Events (enterprise context): policy rules/changes, timestamps, device/browser metadata, crash/error diagnostics, hashed or tokenized identifiers, and minimal URL or app context necessary to provide the feature and admin visibility.

Content for Enforcement (enterprise context): minimal text/fields/snippets needed to detect or prevent risky disclosures at the point of interaction (e.g., prompts, web form fields, IDE spans). Processing is on-device by default; if admins enable centralized logs/advanced detection, limited data may be transmitted to Meshulash for those features.

Website/Telemetry: essential cookies; optional analytics with consent where required.

Support: messages, attachments, diagnostics you provide.

1.2 Purposes

Provide, maintain, and secure the Services; enforce policies; detect/prevent risky disclosures; enable admin logs/analytics; support; and improve features and safety (using aggregated/de-identified data where possible).

2) How We Process; Where Processing Happens

On-device by default. Enforcement is designed to occur on the endpoint (browser/IDE). If admins enable centralized logs or advanced detection, a minimal subset may be transmitted to Meshulash for those features, under retention controls described below.

Transfers. Data may be processed in Israel, the EEA, the United States, and other locations where we or our providers operate, with appropriate safeguards for international transfers (e.g., SCCs) where required.

3) Chrome Web Store “Limited Use” & Privacy-Practices Commitments

• We limit the use of personal data to the practices disclosed in this Policy and on our Web Store Privacy practices tab.
• If the extension accesses web browsing activity, we collect and use only what’s required for a user-facing feature described prominently on the Web Store page and in the extension UI; otherwise, we present prominent disclosure and obtain informed consent before installation/use.
• We do not sell personal data and do not use it for advertising; sharing is limited to service providers and your organization’s admins as described below.
• We provide accurate, up-to-date permission justifications and keep host permissions as narrow as feasible.

4) Legal Bases (EEA/UK/Israel)

Contract performance; legitimate interests (operating and securing the Services); legal obligations; and consent where required (e.g., non-essential cookies).

5) Sharing

We do not sell personal data. We share with: (a) service providers under written terms; (b) your organization’s administrators (who may view logs and configure retention/policies); (c) authorities when legally required; and (d) parties in a corporate transaction under appropriate safeguards. We keep an updated list of sub-processors and add new ones with advance posting; you may object on reasonable data-protection grounds.

6) Retention; Deletion/Return

We retain personal data no longer than necessary for stated purposes or as required by law. Organization admins can configure retention of many Service logs. Upon termination or valid request, we delete or return Customer data within a reasonable period and can certify completion.

7) Security; Incidents; Audit Support

We implement appropriate technical and organizational measures (e.g., encryption in transit, access controls, monitoring, vulnerability management) and restrict staff access under confidentiality obligations. We will promptly notify admins of security incidents directly impacting Customer data and take reasonable steps to mitigate and prevent recurrence; we also support reasonable audits as applicable.

8) International Transfers

See Section 2 (Transfers). Appropriate safeguards (e.g., SCCs) are used where required.

9) Your Rights

Subject to law and your role (end-user vs. admin), you may have rights to access, correct, delete, or restrict processing. Most requests should be made through your organization’s admin; you can also contactprivacy@meshulash.ai. We will verify identity before acting on requests.

10) Children

The Site/Services are not directed to children under 18. Do not provide information if you are under 18.

11) Cookies & Similar Technologies

We use essential cookies and may use optional analytics (with consent where required). You can control cookies via browser settings.

12) Changes

We may update this Policy and will post a new “Last updated” date. For material changes, we will provide notice in-product or by email where feasible.

Chrome Web Store privacy practices

• Purpose: Endpoint guardrails for safe AI use; admin visibility (logs/analytics).
• Data collected (if enabled by admins): account identifiers (work email/SSO), minimal event logs, minimal text snippets necessary to provide the feature, device/browser metadata, crash diagnostics.
• Processing location: on-device by default; optional cloud features may send minimal data for centralized logs/analytics.
• Use of data: provide/secure/improve features; admin visibility; support and reliability. No ads. No sale.
• Sharing: service providers under contract; your org’s admins; legal/compliance where required.
• Retention & control: org-configured retention; deletion/return on termination or valid request.
• Security: encryption in transit; access controls; monitoring.
• Permissions: request only what’s necessary; justify each permission/host access in one sentence on the Privacy practices tab.