GDPR Compliance

If you are located in the European Economic Area (EEA) or the United Kingdom, the General Data Protection Regulation (GDPR) grants you specific rights over your personal data. PartnerMesh is committed to upholding these rights.

Your GDPR rights include:

• Right to be informed — to know how we collect and use your personal data
• Right of access — to obtain a copy of the personal data we hold about you
• Right to rectification — to correct inaccurate or incomplete personal data
• Right to erasure — to request deletion of your personal data in certain circumstances
• Right to restrict processing — to limit how we use your data in certain circumstances
• Right to data portability — to receive your data in a structured, machine-readable format
• Right to object — to object to processing based on legitimate interests or for direct marketing

To exercise any of these rights, contact our Data Protection Officer at dpo@partnermesh.ai. We will respond within 30 days as required by GDPR.

PartnerMesh, Inc. acts as the Data Controller for personal data collected through our platform and website. As Data Controller, we determine the purposes and means of processing your personal data.

Where we process personal data on behalf of our customers (e.g., end-user data within a customer's PartnerMesh workspace), we act as a Data Processor. In these cases, our customers are the Data Controllers and our processing is governed by a Data Processing Agreement (DPA).

If you are a customer and require a Data Processing Agreement to comply with GDPR, please contact legal@partnermesh.ai. We will provide a signed DPA within 5 business days.

We process personal data only when we have a valid lawful basis under GDPR Article 6. The lawful bases we rely on include:

Contractual necessity: We process account information and service usage data to fulfill our contractual obligations to customers, including providing access to the platform and technical support.

Legitimate interests: We process certain data for fraud prevention, security monitoring, and platform improvement, where our interests are not overridden by your rights.

Legal obligation: We may process data to comply with applicable legal requirements, including tax laws and regulatory reporting obligations.

Consent: For optional processing activities such as marketing communications and analytics cookies, we rely on your explicit consent, which you may withdraw at any time.

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law.

Active accounts: We retain account data for the duration of your subscription plus a 30-day grace period to allow account recovery.

After account deletion: Personal data is permanently deleted within 30 days of account termination, except where retention is required for legal or regulatory reasons.

Billing records: Transaction records are retained for 7 years as required by tax and financial regulations.

Security logs: Access and security logs are retained for 12 months to support incident investigation.

PartnerMesh is headquartered in the United States. If you are located in the EEA or UK, your personal data will be transferred to and processed in the United States.

We ensure that such transfers comply with GDPR requirements through the following mechanisms:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data Processing Agreements incorporating appropriate transfer safeguards
• Transfer Impact Assessments for high-risk data transfers

We transfer data only to sub-processors who provide sufficient guarantees of GDPR-compliant data protection. A current list of our sub-processors is available upon request.

You have the right to request a copy of all personal data we hold about you. We will provide this in a structured, commonly used, machine-readable format (typically JSON or CSV).

Your data export will include account profile information, activity logs, integration metadata, and any other personal data associated with your account.

To submit an access request, email dpo@partnermesh.ai with the subject line "GDPR Access Request" from your registered email address. We will verify your identity and provide the requested data within 30 days. There is no charge for the first request in a 12-month period.

You have the right to request erasure of your personal data ("right to be forgotten") in the following circumstances: the data is no longer necessary for the purpose it was collected; you withdraw consent; you object to processing; or the data was processed unlawfully.

To request deletion, email dpo@partnermesh.ai with the subject line "GDPR Deletion Request". We will process your request within 30 days and confirm once deletion is complete.

Please note that we may be unable to delete certain data where retention is required by law (e.g., financial records) or where legitimate interests override your erasure right. We will explain any such limitations in our response.

Deletion of your account will cascade to remove all associated data from our live systems. Backups are purged on their standard rotation schedule, within 90 days.

Our Data Protection Officer oversees our GDPR compliance program and is your primary contact for data protection matters:

Email: dpo@partnermesh.ai

Response time: Within 72 hours for urgent matters, 30 days for formal requests

Supervisory authority: If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.