Privacy policy.

AgreeMesh.ai is a multi-LLM decision-intelligence platform. We send your question in parallel to multiple frontier language-model providers and synthesize their independent answers into a single consolidated recommendation with agreements, disagreements, confidence, and a recommended next action.

• Account info — email, name, hashed password (bcrypt), org membership, 2FA factors (TOTP secret, hashed SMS codes via Twilio).
• Org info — org name, members, role assignments, allowed providers, privacy-mode setting.
• Query content — the prompt text you submit, the LLMs you select, the answers each returns, the synthesized verdict, and per-model latency and token counts. Stored in the queries + model_calls collections.
• Usage metering — input/output tokens per provider, raw provider cost, our markup, final credits debited.
• Payment metadata — Stripe customer ID, last-4 of card, subscription state, invoice URLs. We never see your full card number or CVV.
• Audit logs — every admin action (block/unblock, plan edit, role change, refresh-token revocation, password reset) with actor, target, timestamp, IP, and user-agent.
• Security telemetry — IP address and user-agent on every request, failed-login attempts, rate-limit triggers, webhook signature failures.

• Service delivery — forwarding your prompts to the LLM providers you selected and returning the synthesized answer.
• Billing — calculating credit consumption, generating invoices via Stripe.
• Moderation — every prompt is screened by an automated classifier (Claude). High-severity flags are auto-blocked at request time; three strikes in 30 days auto-suspends the account. False-positive rates are reviewed manually.
• Audit and compliance — to respond to lawful requests, investigate abuse, and demonstrate control over a regulated workload.
• Product analytics — aggregated and de-identified usage patterns (e.g., "what % of queries use Council mode vs Fast"). Never resold.
• Security incident response — to detect, contain, and remediate account compromise or platform abuse.

Your data flows to the following sub-processors. Each receives only the slice of data they need to do their job:

If your org admin has supplied their own API key for a provider, your prompts to that provider flow under that key's contractual terms with the provider — including their retention policy (e.g., OpenAI defaults to 30-day retention for API traffic unless a zero-retention agreement is in place). We still log query metadata (latency, tokens, cost = 0) for your usage record, and we still moderate every prompt at request time. We do not see or transmit your BYOK key in plaintext — it is encrypted at rest with Fernet and decrypted only in-memory at request time.

• Query content — default 90 days, org-configurable. After expiry, only aggregate metadata (token counts, cost) is retained.
• Audit logs — 7 years (regulatory minimum for financial audit trails).
• Billing records — 7 years (tax compliance).
• Authentication artifacts — refresh tokens 30 days; failed-login attempts 90 days; 2FA challenges 5 minutes; password-reset tokens 15 minutes.
• Webhook events — 90 days (Stripe + SendGrid).

• Encryption in transit — TLS 1.2+ on every endpoint. HSTS enabled in production.
• Encryption at rest — MongoDB Atlas server-side AES-256. BYOK API keys additionally Fernet-encrypted before insert.
• Authentication — bcrypt password hashing (cost 12). Optional 2FA (TOTP or SMS). Refresh-token rotation on every use.
• Webhook hardening — Stripe and SendGrid webhooks both verify signatures fail-closed; unsigned or bad-signature requests are rejected with an audit row.
• Rate limiting — slowapi-based per-user and per-org limits on auth and /ask endpoints.
• Moderation strikes — three high-severity flags in 30 days auto-suspends the account and notifies the platform owner.

Depending on your jurisdiction (GDPR, CCPA, etc.) you may have the right to:

• Access — request a copy of the personal data we hold on you.
• Export — receive your queries + account metadata in a machine-readable form (NDJSON or CSV).
• Correct — fix inaccurate account data via /settings/security or via support.
• Delete — request permanent deletion of your account and associated query content. Audit and billing records are retained per §6 (regulatory requirement).
• Object / restrict — to specific processing (e.g., product analytics opt-out).

Request any of the above via our contact form or at privacy@agreemesh.ai (routed through the contact form until the mailbox is provisioned). We action requests within 30 days.

AgreeMesh.ai is not intended for individuals under 16. We do not knowingly collect data from children. If you believe a child has created an account, contact us and we will delete it.

We may revise this policy. Material changes are notified via email and an in-app banner. Each revision is versioned and dated at the top of this page. Continued use after the effective date is acceptance.

Questions about this policy or any aspect of how we handle your data? Reach us via our contact form or at privacy@agreemesh.ai.