Privacy

Protecting your privacy is the cornerstone of our company’s values.

Privacy Policy

Overview

Your trust is important to us, and we want to ensure that your personal information is protected.

This Privacy Policy describes how Mesh Payments Inc. (together with its affiliated companies – “Mesh”, “we”, or “us”) collects, stores, uses and discloses personal data when you interact with us, including when you visit or interact with any of our linked websites (“Sites”), participate in any of our events, interact with any of our online ads and content, emails, sales and marketing channels, integrations or communications under our control (collectively, the “Commercial Engagements”).

It also describes how you can control or exercise your rights related to your personal information.

01. Applicability of this Policy

Our products, including our Mesh virtual cards, SaaS platform(s) and other financial management tools (collectively, the “Services”) are not covered by this Privacy Policy. The processing by Mesh of company data such as any personal information that you submit to us for processing to provide the Services is covered by the commercial agreements, including data processing agreements, that Mesh has with the respective Business Customer of such Services. 

This Policy does not apply to any personal information we collect or process in our capacity as an employer, co-employer, or employer of record. For information we collect as part of the applicant process, please see our Applicant Privacy Policy.

Moreover, this Policy does not apply to any third-party applications or services that are used in connection with our Services, or any other products, services or accounts provided by other entities under their own terms of service and privacy policy (collectively, “Third-Party Services”).

Please review this Privacy Policy carefully, and please use the information herein to make informed choices. If you have any concerns or questions about our privacy practices, please feel free to contact us. By accessing the Sites, registering for an account, making a purchase from us or any other Commercial Engagement, you are agreeing to all of the terms set forth in this Privacy Policy.

If you do not agree to this Privacy Policy, do not use the Sites, interact with us, or give us any information.

Our Services and our Commercial Engagements are designed for businesses and are not intended for personal or household use. Accordingly, we treat all personal data covered by this Privacy Policy, including information about any visitors to our Sites, as pertaining to individuals acting as Business Representatives, rather than in their personal capacity.

You are not legally required to provide us with any personal data. If you do not wish to provide us with your personal data, or to have it processed by us or any of our service providers, please do not provide it to us and avoid any interaction with us or with any of our Services.

Specifically, this Privacy Policy describes our practices regarding:

  • Data Collection & Processing
  • Data Uses & Lawful Bases for Processing
  • How We Share or Otherwise Disclose Your Personal Data
  • How Long We Retain Your Personal Data
  • Analytics and Interest-Based Advertising
  • Data Transfer
  • Cookies
  • Data Security
  • Children’s Personal Information
  • Your Rights and Choices

02. Data Collection & Processing

When we use the term “personal data” in this Privacy Policy, we mean information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an individual. It does not include aggregated or deidentified information that is maintained in a form that is not reasonably capable of being associated with or linked to an individual.

We collect the following categories of personal data, when you interact with Mesh’s Commercial Engagements with respect to the following types of data subjects:

  • Business Representatives Data: personal data concerning our Business Customers’ internal focal persons who directly engage with Mesh concerning their organization’s account, e.g., the account administrators, billing contacts and authorized signatories on behalf of the Business Customer (“Business Representatives”).
  • Prospect Data: personal data relating to visitors of our Sites, participants at our events, and any other prospective customer, user or partner (collectively, “Prospects”) who visits, purchases, or otherwise interacts with our Commercial Engagements.

We may collect the following data about Business Representatives and Prospects:

Contact and business details: name, business email, business phone number, position, workplace and professional information, and related business insights, our communications with such individuals (correspondences, sensory information including call and video recordings, and transcriptions and analyses thereof), feedback and testimonials received, contractual and billing details, as well as any expressed, presumed or identified needs, preferences, attributes and insights relevant to our potential or existing engagement, purchasing details including interest and/or purchase history, and commercial information, including records of our products or services purchased, obtained, or considered.

Connectivity, technical and aggregated usage data: IP addresses, device data (like type, OS, device id, browser version, locale and language settings used), activity logs, session recordings, inferred or presumed data generated from Commercial Engagements, other internet or electronic network activity information and other device or browser information. We also infer our Business Customers’ needs and preferences, as identified to us or recognized through our engagement with Business Representatives and Prospects.

  • End-User Data: personal data that we collect, process and manage on behalf of our business customers, regarding their customers, employees or other end-users of our Services (“End-User Data”). We process End-User Data on behalf of and under the instruction of the respective customer, in accordance with our contractual agreements with them, including our Data Processing Addendum, where applicable. Accordingly, this Privacy Policy (which describes Mesh’s own privacy and data processing practices) does not apply to such processing done on its customers’ behalf. To learn about the Privacy Policy and practices of our customers, please contact them directly.

Information We Collect from Other Sources

We may also obtain information about you from other sources:

  • Financial Institution Partners such as banks (e.g. the bank issuing your Company’s card or originating loans to finance Company expenses), card networks, payment processors, money transmitters, or other entities that provide or support delivery of financial services.
  • Identity Verification, Fraud and Compliance Monitoring, and Financial and Business Information Providers, which may help us supplement our understanding of your business and its personnel, maintain security, prevent fraud and comply with regulation and contractual obligations.
  • Vendors and Platform Users transacting with or supporting our business customers (e.g., merchants and accounting firms). For example, a merchant might supply us with their payment details and tax identification number so our business customers can make bill payments and report on their tax obligations.
  • Service Providers, which help us operate our Business.
  • Social Networks and Advertising Providers, including to help us identify or enrich our understanding of prospective customers, and to serve and measure advertising.
  • Joint Marketing, Business Partnership, Referrals, and Rewards Partners that we engage for joint marketing activities and our referrals and rewards programs.
  • Other Data Suppliers that provide information about industries, business trends, organizations and other matters related to our business.
  • Publicly Available Sources, including information in the public domain that helps us identify potential customers and partners or conduct due diligence and risk management for potential and existing customers.

03. Data Uses & Lawful Bases for Processing

We use your personal data as necessary for the following business and commercial purposes and in reliance on the lawful bases detailed in the chart below:

Prospects & Business Representatives Data

| Purpose | Lawful basis for processing |
| --- | --- |
| To facilitate, operate and provide our Services. | Performance of a Contract (to the extent applicable); Legitimate Interest; Consent (to the extent applicable) |
| To monitor, study and analyze use of the Services. | Performance of a Contract (to the extent applicable); Legitimate Interest |
| To gain a better understanding on how individuals use and interact with our Services, and how we could improve their and others’ experience and continue improving our offerings and the overall performance of our Services. | Legitimate Interest |
| To provide customer service and technical support. | Performance of a Contract; Legitimate Interest |
| To support and enhance our data security measures, including for purposes of preventing and mitigating the risks of fraud, error or any illegal or prohibited activity. | Performance of a Contract; Compliance with legal obligations; Legitimate interest |
| To comply with court orders and warrants, and prevent misuse of the Services, and to take any action in any related legal dispute and proceeding. | Compliance with legal obligations; Performance of a Contract; Legitimate interest |
| To comply with applicable laws and regulations. | Compliance with legal obligations |
| To contact you with general or personalized Service-related messages, as well as promotional messages that may be of specific interest to you. | Performance of a Contract; Consent (to the extent applicable); Legitimate Interest |
| To facilitate and optimize our marketing campaigns, ad management and sales operations, and to manage and deliver advertisements for our products and services more effectively, including on other websites and applications. | Consent (to the extent applicable); Legitimate Interest |
| To explore and pursue growth opportunities by facilitating a stronger local presence and tailored experiences. | Legitimate Interest |
| To facilitate, sponsor and offer certain events, contests and promotions. | Legitimate Interest; Consent (to the extent applicable) |
| To create aggregated data, inferred non-personal data or anonymized or pseudonymized data (de-identified data), which we or our business partners may use to provide and improve our respective services, conduct research, or for any other purpose. | Legitimate Interest; Performance of a Contract; Compliance with legal obligations |

If you reside or are using the Services in a territory governed by privacy laws under which “Consent” is the only or most appropriate lawful basis for the processing of personal data as described herein (in general, or specifically with respect to the types of personal data you expect or elect to process or have processed by us or via the Commercial Engagements, or due to the nature of such processing), your continued interaction with our Commercial Engagements means that you have had the opportunity to read and that you accept this Privacy Policy and will be deemed as your consent to the processing of your personal data for all purposes detailed in this Privacy Policy, unless applicable law requires a different form of consent. If you wish to revoke such consent, please contact us at privacy@meshpayments.com.

04. How We Share or Otherwise Disclose Your Personal Data

We disclose personal data in the following ways:

Service Providers: We engage selected third-party companies to perform services on our behalf or complementary to our own. Such service providers include hosting and server co-location services, communications and content delivery networks (CDNs), data security services, billing and payment processing services, fraud detection and prevention services, web and product analytics, e-mail distribution and monitoring services, session or activity recording services, remote access services, content transcription and analysis services, performance measurement, data optimization and marketing services, social and advertising networks, content and data enrichment providers, event production and hosting services, e-mail, voicemails, support, enablement and customer relation management systems, and our legal, financial, privacy and compliance advisors (collectively, “service providers”). Our service providers may have access to personal data, depending on each of their specific roles and purposes in facilitating and enhancing our Services, and may only use the data as determined in our agreements with them.

Service Integrations: Users who choose to do so can log in to our Services using third-party services, including Google, Microsoft, and Okta. If any such third-party services include the collection of biometric information, Mesh will not receive that biometric information and will not process it. Additionally, using our Services to their fullest extent requires connecting or integrating with third-party services, for example, HR systems, ERP platforms, inventory/procurement systems, CRMs, financial platforms, and more in order to share or receive data, which may include personal data, to present the data in the Services or to enrich the data you are processing using our Services. The provider of this connected or integrated third-party service may receive certain relevant data about or from your account on the Services, or share certain relevant data from your account on the third-party provider’s service with our Services, depending on the nature and purpose of such integration. This could include Business Representative and/or End-User Data. Note that we do not receive or store your passwords for any of these third-party services (but do typically require your API key in order to integrate with them).

Event Sponsors: If you attend an event or webinar organized by us, or download or access an asset on our Sites related to such an event, webinar or other activity involving third-party sponsors or presenters, we may share your personal data with them. Depending on the applicable law, you may consent to such sharing via the registration form or by allowing your attendee badge to be scanned at a specific sponsor’s booth. In these circumstances, your personal data will be subject to the sponsors’ privacy statements. If you do not wish for your personal data to be shared, you may choose not to opt-in via the event/webinar registration, or elect to not have your badge scanned, or you can opt-out in accordance with Section 7 below.

Sharing your Feedback or Recommendations: If you submit a public review or feedback, note that we may (at our discretion) store and present your review in our Services. If you wish to remove your public review, please contact us at dponotices@meshpayments.com.

Business Customers: Our customers have access to any personal data we process on their behalf in our capacity as a “processor” or a “service provider”.

Third-Party Services: We may engage selected business and channel partners, resellers, distributors, and providers of professional services in connection with our Commercial Engagements or our Services, which allow us to provide them, including as required by local regulations, and to explore and pursue growth opportunities by facilitating a stronger local presence and tailored experiences for End-Users, Business Representatives and Prospects. In such instances and in certain cases, you may be required to directly engage with such respective third-party provider and accept its specific terms and privacy policy or we may share relevant contact, identity, and other details at your instruction in order for you to benefit from such third-party services. Such engagement may also be subject to those third parties’ specific terms and privacy policies, depending on the service provided. If you directly engage with any of our third-party providers, please note that any aspect of that engagement that is not directly related to the Services and directed by Mesh is beyond the scope of Mesh’s Terms and this Policy and shall be covered by the third-party provider’s terms and privacy policy. 

Legal Compliance: We may disclose or allow government and law enforcement officials access to your personal data, in response to a subpoena, search warrant or court order (or similar requirement), or in compliance with applicable laws and regulations. Such disclosure or access may occur if we believe in good faith that: (a) we are legally compelled to do so; (b) disclosure is appropriate in connection with efforts to investigate, prevent, or take action regarding actual or suspected illegal activity, fraud, or other wrongdoing; or (c) such disclosure is required to protect our legitimate business interests, including the security or integrity of our products and services.

Identity Verification and Validation Services: We disclose information as necessary to verify your identity and perform other compliance functions.

Security, Fraud Detection and Compelled Disclosure: We disclose information to comply with the law, regulations, payment network rules, or legal process, investigate suspicious or potentially fraudulent activity, and where required in response to lawful requests by regulators, law enforcement, Financial Institution Partners and public authorities, including to meet national security, anti-money laundering or law enforcement requirements. We will also disclose information to protect the rights, property, life, health, security and safety of us, the Services, our Business, or anyone else.

Financial Institution Partners: We disclose information to Financial Institution Partners to support their customer identification, risk and compliance programs, and so they can determine eligibility for, and provide, products and services to our business customers, either directly or through us. For example, we may disclose your Contact Information, Identifying Data and other Company information and documentation so a Financial Institution Partner can validate your Company’s eligibility to receive, and deliver, card, payments, and international transfer capabilities through our Services.

Through your use of the Mesh Services, you may be required to directly engage the banking services of SoFi Bank, the credit card services of Visa USA Inc. and the financial services of Nium Pte Ltd and Galileo Financial Technologies. The terms and conditions of any banking, credit card, and financial services you obtain through Mesh services are governed by agreements between you and Mesh; between you, Mesh, and the third-party service provider; and a direct agreement between you and the relevant third-party service provider, all as applicable.

When you request to obtain banking/credit/financial services via the Mesh Services, we may share any Business Representative Data required by the relevant related third-party service provider to establish you with such services. We may, likewise, retrieve your banking and transactional information held by these third parties providing Mesh related services to you, strictly as data processors. You will be provided notice and opportunity to review the relevant privacy policies before using any third-party services related to our Services. 

Protecting Rights and Safety: We may share personal data with others if we believe in good faith that this will help protect the rights, property or personal safety of Mesh and our employees, any of our Prospects, or our Business Customers or their Representatives, or any members of the general public.

Mesh Subsidiaries and Affiliated Companies: We may share personal data internally within our group, for the purposes described in this Privacy Policy. In addition, should Mesh or any of its subsidiaries or affiliates undergo any change in control or ownership, including by means of merger, acquisition or purchase of substantially all or part of its assets, personal data may be shared with or transferred to the parties involved in such an event. We may disclose personal data to a third-party during negotiation of, in connection with or as an asset in such a corporate business transaction. Personal data may also be disclosed in the event of insolvency, bankruptcy or receivership.

Mesh Rewards: We disclose information about you and your Company’s Mesh Account as necessary to determine your Company’s eligibility for rewards and to facilitate the rewards program effectively.

Marketing and Advertising: We disclose information to vendors, platforms, analytics providers and other parties for marketing and advertising related purposes. For more information on our online advertising practices, see the “Analytics and Advertising” section below. If you connect your bank account to your Company’s Mesh Account, we will not disclose your Bank Account Information to market our Business on advertising platforms.

Referrals and Joint Marketing: We disclose information about you and your Company’s Mesh Account to our partners in connection with facilitating referral partnerships or engaging in joint marketing activities. For example, if you or your Company were referred to us through a referral partner, we may disclose information with our referral partner to confirm the status of your application and to calculate the referral fee.

Mergers and Acquisition: We disclose information in connection with, or during negotiations of, any proposed or actual merger, purchase, sale or any other type of acquisition or business combination of all or any portion of our assets, or transfer of all or a portion of our business to another business.

With Notice to You and Your Consent: For the avoidance of doubt, Mesh may share personal data in additional manners, pursuant to your explicit approval, or if we are legally obligated to do so, or if we have successfully rendered such data non-personal, non-identifiable and anonymous. We may transfer, share or otherwise use non-personal and non-identifiable data at our sole discretion and without the need for further approval.

05. How Long We Retain Your Personal Data

We retain personal data for as long as we deem it as reasonably necessary in order to maintain and expand our relationship and provide you with our Services and offerings; in order to comply with our legal and contractual obligations; or to protect ourselves from any potential disputes (i.e., as required by laws applicable to log-keeping, records and bookkeeping, and in order to have proof and evidence concerning our relationship), all in accordance with our data retention policy and applicable laws.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and the applicable legal requirements.

Please note that except as required by applicable law or our specific agreements with you, we will not be obligated to retain your personal data for any particular period, and we are free to securely delete or anonymize it for any reason and at any time, with or without notice to you.

If you have any questions about our data retention policy, please contact us by e-mail at privacy@meshpayments.com.

06. Analytics and Interest-Based Advertising

Where permitted under laws applicable to our Business, we use analytics services, such as Google Analytics, to help us understand how users access and use the Website and other aspects of our Business. In addition, we work with agencies, advertisers, ad networks, and other technology services to place advertisements on our behalf on other websites and services. For example, we may place ads through Google, LinkedIn and Facebook that you may view on their platforms as well as on other websites and services.

As part of this process, we may use tracking technologies (including incorporating them into our Website and emails), as well as incorporating them into our ads displayed on other websites and services. Some of these tracking technologies may track your activities across time and services for purposes of associating the different devices you use, and delivering relevant ads and/or other content to you (“Interest-based Advertising”).

For further information on the types of tracking technologies we use and your rights and choices regarding analytics and Interest-based Advertising, please see the “Your Rights and Choices” section below. You will continue to see advertising, including potentially from us, even if you opt out of personalized advertising.

07. Data Transfer

Our Business is operated from the United States, with subsidiaries in Israel, the United Kingdom, Netherlands and Singapore.

We maintain primary data centers in the United States.

We and our authorized service providers (further detailed below) maintain, store and process personal data in the United States, Europe, the United Kingdom, Israel, as well as other locations in which Mesh Payments, its subsidiaries, affiliates or Service Providers operate – as reasonably necessary for the proper performance and delivery of our Services, for our internal business purposes in the locations where Mesh resides, or as may be required by law.

While privacy laws may vary between jurisdictions, Mesh is committed to protecting personal data in accordance with this Privacy Policy and customary industry standards, including using appropriate lawful transfer mechanisms and contractual terms requiring adequate data protection, regardless of any lesser legal requirements that may apply in the jurisdiction to which such data is transferred.

For data transfers from the EEA, Switzerland or UK to countries that are not considered to be offering an adequate level of data protection, we have entered into Standard Contractual Clauses as approved by the European Commission, FDPIC and UK Information Commissioner’s Office (ICO) reference 2010/87/EU prior to September 27, 2021, 2021/914 thereafter, or any subsequent final version thereof that shall automatically apply. You can request to obtain a copy by contacting us as indicated in Section 12 below. For further information on these transfers and the relevant appropriate safeguards, please see the “Additional Disclosures for Data Subjects in the European Economic Area, Switzerland and the United Kingdom” section below.

08. Cookies

We and our service providers use cookies and similar technologies to enable our systems to recognize your browser or device, to provide our Services, and to improve your experience. To learn more about our practices concerning cookies and tracking, please see our Cookie Policy. This notice also describes how you may opt out of the use of personal information stored in cookies, such as browser cookies, for targeted or cross-contextual behavioral advertising.

09. Data Security

We have implemented industry-standard physical, administrative and technical security measures, designed to protect your personal data, to minimize the risks of theft, damage, loss of information, or unauthorized access or use of information. Our security procedures mean that we may request proof of identity before we disclose personal information to you.

However, we cannot guarantee that our Services will be immune from any wrongdoings, malfunctions, unlawful interceptions or access, or other kinds of abuse and misuse.

You are solely responsible for protecting your credentials, limiting access to your devices, and signing out of websites after your sessions.

If there is any unexpected activity or inaccurate information or if you have reason to believe that your information is no longer secure, or if you have any questions about our security, please contact us by e-mail at security@meshpayments.com.

View our Security page to learn more about the specific security controls we have put in place to safeguard your information.

10. Children’s Personal Information

We do not provide our Services to children. We do not knowingly collect personal information (as defined by the U.S. Children’s Privacy Protection Act, or “COPPA”) from children under 13. We also do not knowingly “share” or “sell,” as those terms are defined under the California Privacy Rights Act, the personal information of minors under 16 who are California residents. If you are a parent or guardian and believe we have violated this provision, please contact us at the address stated under the “How to Contact Us” section below.

11. Your Rights and Choices

Region-Specific Rights. In addition to these rights and choices, you may have additional rights based on your region. For region-specific terms, please see the bottom of this Policy.

Mesh Account

Mesh Services are intended for use by business customers, and you may only use a Mesh Account if you are an employee or other Authorized User of a Company that has opened a Mesh Account. The information in a Company’s Mesh Account is governed by our Agreement with the business customer. You should direct questions about Personal Information we are processing on behalf of a Company to that Company’s administrators. If you are an Authorized User, you may also be able to access, update, or delete certain information within your Company’s Mesh Account through the Services, provided that the Company and its administrators are responsible for determining how that data is processed.

Communications

We engage in service and promotional communications, through e-mail, phone, SMS and notifications.

Service Communications: We may contact you with important information regarding our Services. For example, we may send you notifications (through any of the means available to us) of changes or updates to our Services, billing issues, log-in attempts or password reset notices, etc. Please note that you will not be able to opt out of receiving certain service communications which are integral to your use of some of our Services (like password resets or billing notices).

Promotional Communications: We may also notify you about new features, additional offerings, events, special opportunities or any other information we think you will find valuable, as our Business Customer and Business Representative or Prospect, subject to any necessary collection of your consent as appropriate based on applicable laws. We may provide such notices through any of the contact means available to us (e.g., phone, mobile or e-mail), through the Services, or through our marketing campaigns on any other sites or platforms.

You can opt out of receiving promotional communications from us at any time by following the instructions as provided in emails to click on the unsubscribe link or by sending an e-mail to: dponotices@meshpayments.com.

Tracking Technology Choices

Cookies and Pixels. Most browsers and devices accept cookies by default. The Help feature on most browsers and devices will tell you how to prevent your browser or device from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable cookies altogether.

Please note that if you get a new computer, install a new browser, erase or otherwise alter your browser’s cookie file (including upgrading certain browsers), you may also clear the opt-out cookies installed once you opt-out, so an additional opt-out will be necessary to prevent additional tracking.

Do Not Track. Your browser settings may allow you to automatically transmit a “Do Not Track” signal to online services you visit. Note, however, there is no industry consensus as to what site and app operators should do with regard to these signals. Accordingly, unless and until the law is interpreted to require us to do so, we do not monitor or take action with respect to “Do Not Track” signals. For more information on “Do Not Track,” visit http://www.allaboutdnt.com. Note that if you are a California resident, you may exercise your right to opt-out of sales or sharing through preference signals. Please visit the “Additional Disclosures for California Residents” section below for details.

Please be aware that if you disable or remove tracking technologies some parts of our Services, Website and Business may not function correctly.

Analytics and Interest-Based Advertising. We use the web analytics tool Google Analytics. You may opt out of online behavioral advertising on the Internet by visiting the Network Advertising Initiative, or the Digital Advertising Alliance opt-out pages. You may also opt out of online behavioral (sometimes called “interest-based” or “cross-contextual”) advertising on your mobile device by some mobile advertising companies and other similar entities by downloading the App Choices App. Google provides tools to allow you to opt out of the use of certain information collected by Google Analytics at https://tools.google.com/dlpage/gaoptout and by Google Analytics for Display Advertising or the Google Display Network at https://www.google.com/settings/ads/onweb.

The companies we work with to provide you with targeted ads in connection with our Business are required to give you the choice to opt out of receiving targeted ads. Most of these companies are participants of the Digital Advertising Alliance (“DAA”) and/or the Network Advertising Initiative (“NAI”). To learn more about the targeted ads provided by these companies, and how to opt out of receiving certain targeted ads from them, please visit: (i) for website targeted ads from DAA participants, https://www.aboutads.info/choices; and (ii) for targeted ads from NAI participants, https://www.networkadvertising.org/choices. Opting out only means that the selected participants should no longer deliver certain targeted ads to you, but does not mean you will no longer receive any targeted content and/or ads (e.g., in connection with the participants’ other customers or from other technology services). Any such targeted advertising will only be carried out to the extent that it is permitted by applicable law.

Please note that if you opt out using any of these methods, the opt out will only apply to the specific browser or device from which you opt out. Except as required by applicable law, we are not responsible for the effectiveness of, or compliance with, any opt-out options or programs, or the accuracy of any other entities’ statements regarding their opt-out options or programs.

12. Changes to this Privacy Policy

The Services and our business may change from time to time. As a result, it may be necessary for Mesh to make changes to this Privacy Policy. Mesh reserves the right to update or modify this Privacy Policy at any time.

Any changes will become effective when we post the revised Privacy Policy on this page. All amendments shall be deemed accepted by you. In the event consent is required based on where you reside, you will be asked to consent prior to being allowed to access our Services subsequent to a Privacy Policy update/amendment. This Privacy Policy was last updated to be effective as of the “Last Updated” date indicated at the top. Unless stated otherwise, our current Privacy Policy applies to all personal information we collect, how we use and otherwise process it and under what circumstances we will disclose it to third parties.

13. Contacting Us

If you have any comments or questions regarding our Privacy Policy, or if you have any concerns regarding your personal data held with us, please contact Mesh’s privacy team:

By email: privacy@meshpayments.com

By mail: 1350 Broadway, 24th Fl, New York, NY, 10018 USA.

If you have any questions about the Customer Data handled by your Company, please contact your Company’s Data Custodian.

14. Additional Disclosures for California Residents

These additional disclosures apply only to California residents and only to the extent applicable.

Notice of Collection

The California Consumer Privacy Act as amended by the California Privacy Rights Act (“CPRA”) provides additional rights and requires businesses collecting or disclosing personal information to provide notices and means to exercise rights. In the past 12 months, we have collected the following categories of personal information enumerated in the CPRA:

  • Identifiers, including name, postal address, email address, and online identifiers (such as IP address).
  • Customer records, including phone number, billing address, bank account and credit or debit card information.
  • Characteristics of protected classifications under California or federal law, including gender.
  • Commercial or transaction information, including records of products or services purchased, obtained, or considered.
  • Internet activity, including browsing history, search history, and interactions with a website, email, application, or advertisement.
  • Non-Precise Geolocation data.
  • Employment and education information.
  • Inferences drawn from the above information about your predicted characteristics and preferences.

For further details on personal information we collect, including the sources from which we receive information, review the “Information that Mesh Collects” section above. We collect and use these categories of personal information for the business purposes described in the “How We Use Information” section above. We disclose the personal information to the categories of persons set out in the “Disclosure of Information” section above. Please visit those sections for further details.

Right to Know, Correct and Delete

You have the right to know certain details about our data practices. In particular, you may request the following from us:

  • The categories of personal information we have collected about you;
  • The categories of sources from which the personal information was collected;
  • The categories of personal information about you we disclosed for a business purpose or sold or shared;
  • The categories of persons to whom the personal information was disclosed for a business purpose or sold or shared;
  • The business or commercial purpose for collecting or selling or sharing the personal information; and
  • The specific pieces of personal information we have collected about you.

In addition, subject to exceptions, you have the right to correct or delete the personal information we have collected from you.

To exercise any of your rights, please contact us at privacy@meshpayments.com and we will send you a privacy request form. We will confirm receipt of your privacy request form and respond to your request within the time limits prescribed by law. We may require specific information from you to help us verify your identity and process your request. If we are unable to verify your identity, we may deny your requests.

If personal information about you has been processed by us as a service provider on behalf of a business customer, please inquire with the business customer directly to exercise your rights. If you wish to make your request directly to us, please provide the name of our business customer on whose behalf we processed your personal information. We will refer your request to that business customer, and will support them to the extent required by applicable law in responding to your request.

Retention

We retain each category of personal information for the length of time that is reasonably necessary for the purpose for which it was collected, and as necessary to comply with our legal obligations, resolve disputes, prevent fraud, and enforce our agreements.

Authorized Agent

You can designate an authorized agent to submit requests on your behalf. However, we may require signed proof of the agent’s permission to do so and verify your identity directly. Requests must be submitted through the designated methods listed above.

Right to Non-Discrimination

You have the right not to receive discriminatory treatment by us for the exercise of any of your rights.

Additional Notice and Opt-Out

Under the California Privacy Rights Act (“CPRA”), some marketing activities may be considered a “share” or “sale” even if no money is received for sharing the data. We may share categories of information such as identifiers, characteristics, internet activity, non-precise geolocation data, and inferences with third parties for business purposes, but we do not receive any monetary compensation from those third parties for doing so. The third parties we share with include vendors engaged in cross-context targeted advertising. To the extent that our marketing activities constitute a “share” or “sale” of your personal information, you can opt out. To opt out, you can modify your cookie choices as described in our Cookie Policy or activate Global Privacy Control on all applicable devices.

Shine the Light

Customers who are residents of California may request (i) a list of the categories of personal information disclosed by us to third parties during the immediately preceding calendar year for those third parties’ own direct marketing purposes; and (ii) a list of the categories of third parties to whom we disclose such information. To exercise a request, please write to us at privacy@meshpayments.com or the postal address set out in “Contact Us” above and specify that you are making a “California Shine the Light Request.” We may require additional information from you to allow us to verify your identity and are only required to respond to requests once during any calendar year.

15. Additional Disclosures for Nevada Residents

Nevada law (NRS 603A.340) requires each business to establish a designated request address where Nevada consumers may submit requests directing the business not to sell certain kinds of personal information that the business has collected or will collect about the consumer. A sale under Nevada law is the exchange of personal information for monetary consideration by the business to a third party for the third party to license or sell the personal information to other third parties. If you are a Nevada consumer and wish to submit a request relating to our compliance with Nevada law, please refer to the “Contact Us” section above.

16. Additional Disclosures for Virginia Residents

Virginia provides additional rights to Virginia residents through the Virginia Consumer Data Protection Act (“VCDPA”). This section addresses those rights and applies only to Virginia residents acting in an individual or household context.

You have the following rights under the VCDPA:

  • To confirm whether or not we are processing your personal data
  • To access your personal data
  • To correct inaccuracies in your personal data
  • To delete your personal data
  • To obtain a copy of your personal data that you previously provided to us in a portable and readily usable format
  • To opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning you

To exercise any of your rights, please contact us at privacy@meshpayments.com and we will send you a privacy request form. We will confirm receipt of your privacy request form and respond to your request within the time limits prescribed by law. We may require specific information from you to help us verify your identity and process your request. If we are unable to verify your identity, we may deny your requests.

If personal data about you has been processed by us as a processor on behalf of a business customer and you wish to exercise any rights you have with such personal data, please inquire with the business customer directly. If you wish to make your request directly to us, please provide the name of the business customer on whose behalf we processed your personal data. We will refer your request to that business customer, and will support them to the extent required by applicable law in responding to your request.

17. Additional Disclosures for Data Subjects in the European Economic Area, Switzerland and the United Kingdom

Roles

Mesh may process personal information in accordance with the instructions of or on behalf of a business customer, including when providing Services to a Company under an agreement. In this context, Mesh acts as a processor and the business customer acts as a controller. Mesh may also act as a controller when directly determining the processing of personal information in other Business contexts set out in this Policy, like complying with regulatory obligations applicable to our Business.

Lawful Basis for Processing

Data protection laws in Europe require a “lawful basis” for processing personal information. Our lawful bases include where: (a) you have given consent to the processing for one or more specific purposes, either to us or to our service providers, partners, or business customers; (b) processing is necessary for the performance of a contract; (c) processing is necessary for compliance with a legal obligation; or (d) processing is necessary for the purposes of the legitimate interests pursued by us or a third party, and your interests and fundamental rights and freedoms do not override those interests.

International Transfers

We may transfer your personal information to our operations in the United States or to our service providers or other third parties in the United States or in other countries – this may involve the transfer of your personal information to countries which have different data protection standards to those which apply in the European Economic Area, Switzerland or the United Kingdom.

Some of these countries are subject to a European Commission and/or UK government adequacy decision. For other countries, Mesh has put in place the relevant European Commission or UK government-approved standard contractual clauses with the relevant third parties to ensure that your personal information is protected with appropriate safeguards. We may also rely on other permitted data transfer mechanisms.

Your Data Subject Rights

You may have certain statutory rights relating to your personal data. Subject to applicable law, you may have the right to access and rectify your personal data, to require us to erase your personal data or to transfer it to other organizations, and to object to the processing of your personal data. Where we process your personal data because we have a legitimate interest in doing so (as explained above), you may have a right to object to this. You may also have the right to restrict processing of your personal data in certain circumstances. These rights may be limited in some situations, for example, where we can demonstrate that we have legitimate grounds to process your personal data. In addition, you have the right to ask us not to process your personal data (or provide it to third parties to process) for marketing purposes or purposes materially different from those for which it was originally collected or subsequently authorized by you. You may withdraw your consent at any time for any processing of your personal data which we do based on consent you have provided to us.

To exercise any of your rights, please contact us at privacy@meshpayments.com and we will send you a privacy request form. We will confirm receipt of your privacy request form and respond to your request within the time limits prescribed by law. We may require specific information from you to help us verify your identity and process your request. If we are unable to verify your identity, we may deny your requests. If your personal data has been processed by us as a processor on behalf of a business customer and you wish to exercise any rights you have with such personal data, please inquire with our business customer directly. If you wish to make your request directly to us, please provide the name of our business customer on whose behalf we processed your personal data. We will refer your request to that business customer, and will support them to the extent required by applicable law in responding to your request.

Retention of your Personal Data

Please note that we retain personal data for as long as necessary to fulfill the purposes for which it was collected from you and/or our business customers, and may continue to retain and use your personal data for purposes of our legitimate interests and/or as necessary to comply (or demonstrate compliance) with our legal/regulatory obligations, resolve disputes, prevent fraud, and enforce our rights.

We hope that we can satisfy any queries that you may have about the way we process your personal data. However, if you have any issues with our compliance, you may contact us at privacy@meshpayments.com. You can lodge the complaint in the country where you reside, where you work or where any alleged infringement of data protection law occurred.

18. Additional Disclosures for Individuals Located in Canada

Your Rights and Choices

Subject to limited exceptions under applicable Canadian law, you may have the right to access, update, correct inaccuracies in, and withdraw consent (subject to reasonable prior notice and applicable legal and contractual restrictions) to the collection, use and disclosure of your personal information. If you withdraw your consent, we may not be able to provide our Website, Services or other aspects of our Business. To exercise any of these or other rights applicable to you under Canadian privacy laws, please contact us as set out in the “Contact Information” section below. We may require specific information from you to help us confirm your identity and process your request.

If personal information about you has been processed by us on behalf of a business customer and you wish to exercise any rights you have with respect to such personal information, we encourage you to inquire with our business customer directly. If you are a resident of the province of Quebec, please note that we transfer and store personal information outside of the province. If you wish to make your request directly to us, please provide the name of our business customer on whose behalf we process your personal information, and we may refer your request to that business customer. We will assist our business customers in responding to your request.

Governance Policies and Practices

We are committed to protecting personal information and have implemented policies and practices that govern our treatment of personal information, including:

  • Policies and procedures regarding the protection, retention and disposition of personal information, including with respect to the implementation of security safeguards designed to protect personal information against loss or theft and unauthorized access, disclosure, copying, use, and modification;
  • A framework that sets out roles and responsibilities of our personnel in connection with the handling of information in our possession and control;
  • Information about the security and privacy of our Business, including our compliance with relevant audit standards and security frameworks;
  • Processes for responding to data subject requests and complaints in a timely and effective manner; and
  • Employee data protection training and awareness.

Contact Information

If you have any questions or comments about this Privacy Policy or the manner in which we or our service providers (including our service providers outside Canada) treat your personal information, to withdraw your consent, or to request access to or correction of your personal information, please contact us at privacy@meshpayments.com.

19. Additional Disclosures for Individuals Located in Brazil

Controller of Personal Information. MeshPay US Inc., 1350 Broadway, Suite 2400, New York, NY 10018, is the data controller for the personal information covered by this Privacy Policy.

Processing. The Brazilian General Data Protection Law (“LGPD”) requires a legal basis for our use of personal information. Our basis varies depending on the specific purpose for which we use personal information. We use personal information for the following legal bases:

  • Performance of a contract, such as when we provide you with our Services, or communicate with you about them. This includes when we use your personal information to process your order, administer your account, provide you with support, and process payments.
  • Our legitimate business interests and the interests of our customers, such as when we operate, develop, or improve our Services, when we analyze your behavior in the course of your interaction with our Services, when we detect and prevent fraud and abuse in order to protect the security of our customers, ourselves, or others, and when we advertise or market to you through direct marketing.
  • Your consent, when we ask for your consent to process your personal information for a specific purpose that we communicate to you. When you consent to our processing your personal information for a specified purpose, you may withdraw your consent at any time and we will stop processing your data for that purpose.
  • Compliance with a legal obligation, when we use your personal information to comply with laws.
  • These and other legal bases, depending on the purpose for which we use personal information.

Your Rights. Subject to applicable law, you have the right to:

  • Ask whether we hold personal information about you and request copies of such personal information and information about how it is processed;
  • Request that inaccurate personal information is corrected;
  • Request deletion of personal information;
  • Request us to restrict the processing of personal information where the processing is inappropriate;
  • Object to the processing of personal information;
  • Request portability of personal information that you have provided to us (which does not include information derived from the collected information), where the processing of such personal information is based on consent or a contract with you and is carried out by automated means;
  • If we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.

If you wish to do any of these things, please contact us at the address stated under “Contact Us” above, stating the country in which you are located.

Transfers outside of Brazil. We may transfer personal information from Brazil to other countries that may not have the same level of data protection that applies in your jurisdiction. In these cases, we use a variety of legal mechanisms to ensure that the recipient of your personal information offers an adequate level of protection, or where required, we will ask you for your prior consent.

Applicant Privacy Policy

Overview

This Applicant Privacy Policy (“Policy”) describes how Mesh Technologies Inc., MeshPay US Inc., MeshPay UK ltd, MeshPay EU B.V. and their affiliates (“Mesh”, “Company”, “we”, “us” and “our”) collect, use, and disclose information about individuals who are applicants for engagement with Mesh as an employee, contractor, consultant, and other contingent worker of the Company (hereinafter “Applicants”, and “you”).

We may update this Policy from time to time. We may also provide you additional privacy policies regarding our collection, use or disclosure of information, as applicable. When we update this Policy, we will take appropriate measures to inform you, consistent with the significance of the changes we make. We will obtain your consent to any material Privacy Policy changes if, and where, required by applicable data protection laws.

You can see when this Policy was last updated by checking the “Effective Date” displayed at the top of this Policy. We encourage you to check back here periodically in order to be aware of the most recent version of this Policy.

This Policy does not apply to the Company’s handling of data gathered about Applicants arising from their role as a user of Company products and services. When interacting with the Company in that role, the Mesh Privacy Policy associated with the relevant service applies.

Please read this Policy and any other privacy policies carefully.

Data Collection

Mesh collects, stores, and uses various types of personal information through the application and recruitment process. Mesh collects such information either directly from Applicants or (where applicable) from another person or entity, such as an employment agency or consultancy, background check provider, or other referral sources.

The categories and specific Applicant personal information Mesh may collect and/or process are:

  • Identification and contact information and related identifiers, such as real name, alias, preferred name, pronouns, home postal address, home telephone number, personal email address, personal mobile number, online account name/screen name, or handle, and such information about an Applicant’s beneficiaries or emergency contacts.
  • Recruitment, employment, or engagement information such as application forms and information included in a resume, cover letter, or otherwise provided through any application and recruitment process including communication regarding recruitment, and our evaluations of your performance during the interview process. We also may collect Applicants’ websites and professional networking addresses. Where permitted by law, and required by job responsibility, we may also collect criminal background check information.
  • Personal Characteristics and Voluntary Demographic Data, such as race, ethnic origin, sexual orientation, preferred pronouns, or gender.
  • Sensory information, such as videos and recordings of audio interviews.
  • Government-Issued Identification Numbers, such as driver’s license, operator’s license, or other motor vehicle information, passport number, social security number, birth certificate number, and other state or federal issued IDs.
  • Financial Information, such as credit history or credit checks.
  • Education Information, such as degrees or schooling, licenses and professional memberships, certifications, trainings, academic record, and other non-publicly available educational record information held by an education institution.
  • Professional or employment-related information, such as job titles, work history, work dates and work locations, employment, service or engagement agreements, contact and identification information about an Applicant’s references, appraisal and performance information, information about skills, qualifications, experience, publications, speaking engagements, and preferences (e.g., mobility), absence and leave records, disciplinary and grievance information, and termination information.

Data Use

Mesh collects, uses, shares, and stores personal information from job applicants for the operational purposes of Mesh and its service providers in the recruitment and hiring process such as those listed below.

Purpose: Recruitment
Processing applications; tracking applications through the recruitment process; evaluating applicants for current and, as permitted by applicable laws, future job opportunities (including matching skills and interests to applicable job requirements); making hiring decisions.

Examples of personal information that may be processed: Information concerning your application. This includes: your personal details, education and qualification details; as well as any relevant recordings e.g. of your interview. We also process: our assessment of your application; the fact of your application and our record of it, your references; any checks Mesh may make to verify information provided or background checks (including criminal and credit history); any tests required for your position; and any information connected with your right to work. If relevant, we may also process information concerning your health, any disability and in connection with any adjustments to working arrangements. This may also include potentially legally protected classification information to the extent required or as permitted by law; and indirect identification information (such as publicly available social network profiles you provide).

Grounds for processing, if applicable under law: Legal obligation, Legitimate interests.

Purpose: Contacting you or others on your behalf.

Communicating with applicants throughout the hiring process; contacting references / beneficiaries with Applicant authorization; (as permitted by applicable laws) contacting you in the future about other opportunities if you are not hired.

Examples of personal information that may be processed: Your address and phone number; emergency contact information and relevant beneficiaries / references. In case you authorize us to contact beneficiaries and references, you warrant that you have their authorization to provide their personal information, and you are responsible for informing them of the terms and reasons for which we will contact them and, if applicable, the processing of their personal information in accordance with this Policy, as well as the means to access the full content thereof.

Grounds for processing, if applicable under law: Consent, Contract, Legitimate interests.

Purpose: Verifying your residency and right to work

Examples of personal information that may be processed: Information including your citizenship; passport data; and details of residency or work permit.

Grounds for processing, if applicable under law: Legal obligation.

Purpose: Supporting and managing any health concerns

Examples of personal information that may be processed: To the extent required or permitted by local law, information concerning your health, including self-certification forms, fit notes and medical and occupational health reports.

Grounds for processing, if applicable under law: Contract, Legal obligation, Legitimate interests, Vital interests.

Purpose: Physical and system security

Examples of personal information that may be processed: Information used in detecting security incidents, debugging and repairing errors, and preventing unauthorized access to our computer and electronic communications systems (including biometric identification information) and preventing malicious software distribution; and monitoring.

Grounds for processing, if applicable under law: Legal obligation, Legitimate interests.

Purpose: Internal Analysis
Understanding the applicants who apply and improving the Company’s recruitment and interviewing process.

Examples of personal information that may be processed: Information related to your experience as a Mesh applicant (e.g. via applicant feedback surveys) including: your name; title; unit/department applied for; and location.

Grounds for processing, if applicable under law: Legitimate interests.

Purpose: Monitoring of diversity and equal opportunities

Examples of personal information that may be processed: To the extent required or permitted by local law, information on your nationality, racial and ethnic origin, gender and gender pronouns, sexual orientation, religion, disability and age.

Grounds for processing, if applicable under law: Legitimate interests, Consent.

Purpose: Disputes and legal proceedings
The Company may sometimes need to use applicant information for legal purposes, such as in connection with any challenges made to Mesh’s hiring decisions.

Examples of personal information that may be processed: The Company may sometimes need to use applicant information for legal purposes, such as in connection with any challenges made to Mesh’s hiring decisions.

Grounds for processing, if applicable under law: Legitimate interests, Legal obligation.

Purpose: Compliance with any other legal requirements

Examples of personal information that may be processed: Information relevant to our tax records, auditing requirements.
Information about Union membership, professional association membership, and licensure-related organizational memberships.

Grounds for processing, if applicable under law: Legal obligation.

The following purposes are considered secondary purposes under applicable data protection laws: (i) evaluating applicants for future job opportunities; and (ii) contacting you in the future about other opportunities if you are not hired. If you do not want your personal information to be processed for these secondary or accessory purposes, you may reach out to the People team and opt out at hr@meshpayments.com.

We may also use personal information for any other legally permitted purpose (subject to your consent, where legally required).

As identified in the table above, under EU and UK data protection laws, there are various grounds on which we can rely when processing your personal information. Similar grounds may apply outside the EU and UK, or some grounds may be inapplicable in some jurisdictions, e.g., Mexico. In some contexts, more than one ground applies. We have summarized these grounds as Contract, Legal Obligation, Legitimate Interests, Vital Interests and Consent and outline what those terms mean below.

Term: Contract
Grounds for processing: Processing necessary for performance of a contract with you or to take steps at your request to enter a contract
Explanation: We need your personal information to perform a contract for services with you. This covers carrying out our contractual duties and exercising our contractual rights.

Term: Legal Obligation
Grounds for processing: Processing necessary to comply with our legal obligations
Explanation: Ensuring we perform our legal and regulatory obligations in particular in the area of labor and employment law, social security and protection law, data protection law, tax law, and corporate compliance laws. For example, providing a safe place of work and avoiding unlawful discrimination.

Term: Legitimate Interests
Grounds for processing: Processing necessary for legitimate interest
Explanation: We or a third party have legitimate interests in carrying on, managing and administering our respective businesses effectively and properly and, in connection with those interests, in processing your data.

Your data will not be processed on this basis if our or a third party’s interests are overridden by your own interests, rights and freedoms.

This includes:

  • Implementation and operation of a group-wide matrix structure and group-wide information sharing
  • To help us conduct our business more effectively and efficiently – for example for general HR resourcing, IT security/management, accounting purposes, or financial planning
  • Prevention of fraud, misuse of Mesh IT systems, or money laundering
  • Operation of a whistleblowing/compliance hotline
  • Addressing physical security, Cloud, IT and network security, and
  • Conducting internal investigations.

Term: Vital Interests
Grounds for processing: Processing necessary to protect your vital interests or those of another person
Explanation: We may use your information where it is necessary to protect your or someone else’s life, physical integrity, or safety. This could include providing law enforcement agencies or emergency services with information necessary to protect health or life in an emergency circumstance (e.g. if you have a medical emergency at one of our offices and paramedics request information about your allergies / diabetes / etc.).

Term: Consent
Grounds for processing: You have given specific consent to processing your data
Explanation: In general, processing of your data in connection with employment will not be conditional on your consent. However, there may be occasions where we do specific things such as contacting a referee, seeking to monitor diversity or obtaining medical reports and rely on your consent to our doing so.

Certain information we collect may be “sensitive Personal Information”, “special category data” or otherwise sensitive under the data protection laws applicable to your country. Any such processing is undertaken in compliance with applicable laws.

For US Residents, except where you provide such information voluntarily on your resume or in your application, or for the purpose of requesting an accommodation during the recruitment process, or if you provide government identification or driver’s license information, we do not collect personal information that is considered “sensitive” under applicable law during the recruitment process. We do not use or disclose such information other than for disclosed and permitted business purposes for which there is not a right to limit under the applicable law.

For EU and UK residents, if we process special category data (or criminal conviction data) about you, we will make sure that one or more of the following legal grounds applies: (i) you have provided your explicit consent; (ii) the processing is necessary for the purposes of your or our obligations and rights in relation to employment in so far as it is authorized by law or collective agreement; (iii) the processing protects your or our legitimate interests and relates to data about you that you have made public (e.g. if you tell us that you are ill); (iv) the processing protects your or our legitimate interests and the processing is necessary for the purpose of establishing, making or defending legal claims; or (v) the processing is necessary to protect your or someone else’s vital interests (e.g. if you have a medical emergency at one of our offices and paramedics request information about your allergies / diabetes / etc.). Further, we will ensure that any processing satisfies the additional “conditions for processing” under local laws including:

Sensitive Personal Data: Criminal History
Conditions for processing: Performing or exercising obligations or rights which are imposed or conferred by law on you or us in connection with employment, social security or social protection. Protecting the public against / regulatory requirements relating to unlawful acts and dishonesty.

Sensitive Personal Data: Union membership information
Conditions for processing: Insurance purposes, Occupational Pensions

Sensitive Personal Data: Biometric information
Conditions for processing: Preventing Fraud

Sensitive Personal Data: Health information and gender information
Conditions for processing: Assessment of the working capacity of an applicant

Sensitive Personal Data: Religious or philosophical beliefs
Conditions for processing: Identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained

Sensitive Personal Data: Racial/ethnic origin, sexual orientation, and/or disability status
Conditions for processing: Identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained. As part of a process of identifying suitable individuals to hold senior positions in a particular organization, a type of organization or organizations generally.

Data Disclosure

Mesh will disclose the personal information of applicants to the following types of entities or in the following circumstances (where applicable):

  • Internally: to people within the Company who are involved in the recruiting and hiring process.
  • Service Providers: such as technology service providers, travel management providers, human resources suppliers, background check companies, recruitment consultants, and employment agencies or recruiters, where applicable. These entities process your Personal Information on Mesh’s behalf in performing services for Mesh, and are subject to contractual restrictions on use of your Personal Information. These are considered transmissions under data protection laws such as Mexico’s.

Service Provider: Checkr and HireRight
Services: Background check / Verification Services
Personal data: Name, Email, Phone, Home address, Gender, Birth month and day, Social Security Number, Social Media details

Service Provider: Greenhouse
Services: Applicant Tracking System
Personal data: Name, Email, EEOC, Pronouns, Resume, Phone Number, Email, Address (City, State, Country)

Service Provider: LinkedIn
Services: Sourcing Tool
Personal data: Name, Email, Location

Data Retention

The personal information we collect from Applicants, including any sensitive personal information voluntarily provided by Applicants, will, subject to the terms of the applicable law, be retained until we determine it is no longer necessary to satisfy the purposes for which it was collected and our legal obligations. In determining how long to retain information, we consider the amount, nature and sensitivity of the information, the potential risk of harm from unauthorized use or disclosure of the personal information, the purposes for which we process the personal information and whether we can achieve those purposes in other ways, the applicable legal requirements, and our legitimate interests.

For example, we will keep certain information about former applicants (e.g. your address and phone number) for as long as necessary for our legitimate interests in keeping this information as part of our organizational history and to confirm the facts of your recruitment with us and to comply with law. The purposes for which we process information (as well as the other factors listed above) may dictate different retention periods for the same types of information. For example, applicant names in email headers may be kept indefinitely depending on the nature of the email.

We may also retain certain information to deal with and resolve requests and complaints (for example, if there is an ongoing dispute surrounding Mesh’s hiring decisions this information would be retained until the legal claim had been concluded); or to protect individuals’ rights and property (for example, we will retain information about a data subject access request for five years after the request is dealt with in case there is a subsequent complaint and the information is needed to demonstrate how the request was handled).

Additional Privacy Information for California Residents

California residents have certain rights regarding their personal information. Subject to certain exceptions, if you are a California resident, you may request:

  • Access to your personal information including the right to know the categories of personal information we have or will collect about you and the reason we will or have collected such information;
  • Correction of the personal information that we have or will hold about you that is inaccurate;
  • Deletion or removal of your personal information.

You also have the right not to be discriminated against (as provided for in California law) for exercising your rights.

Exceptions to Your Rights: There are certain exceptions to these above rights. For instance, we may retain your personal information if it is reasonably necessary for us or our service providers to provide a service that you have requested or to comply with law or to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity or prosecute those responsible for that activity.

Exercising Your Rights: To exercise one of the rights above, you may contact us as provided below.

We will take reasonable steps to verify your identity before responding to a request. In doing so, we may ask you for verification information so that we can match at least two verification points with information we maintain in our files about you. If we are unable to verify you through this method, we shall have the right, but not the obligation, to request additional information from you.

California law places certain obligations on businesses that “sell” personal information to third parties or “share” personal information with third parties for “cross-context behavioral advertising” as those terms are defined under the California Consumer Privacy Act (“CCPA”). We do not “sell” or “share” the personal information covered by this Policy and have not done so in the twelve months prior to the effective date of this Policy.

Additional Privacy Information for EU and UK Residents

Your data protection rights
MeshPay EU B.V. is the data controller for EU and UK resident applicants. Individuals located in the EU and UK have certain rights regarding their Personal Information.

  • Access your information. You can ask the People Team to confirm what information we process about you, to provide certain information about the processing, and for a copy of your information. This applies irrespective of the legal basis we have relied upon to process your data.
  • Delete your information. You can ask us to delete some or all of your information. [E.g. Applicants can email the People Team].
  • Rectify your information. Mesh will make reasonable efforts to ensure that Personal Information collected, used, or disclosed is accurate and complete. However, please notify the People Team to request that Mesh correct any errors or omissions in information about you that we may have on file.
  • Port your information. You have the right to data portability in circumstances where we rely on contractual necessity or consent as our legal basis. This means that you have the right to receive your information in a structured, commonly used, and machine-readable format and to share it with a third party. [E.g. Applicants can email the People Team].
  • Object to the processing of your information. You also have the right to object to the processing of your information in certain circumstances. This right applies when we are pursuing our legitimate interests or those of a third party. In submitting an objection request to the People Team, please provide all relevant information, including the processing activity you are objecting to, why you want to object and how the processing activity affects you, and any additional information that you think will help us review your request. We will stop the particular processing if we don’t have compelling legitimate grounds to continue that processing or don’t need it for legal claims.
  • Restrict the processing of your information. You can ask the People Team to restrict processing of your personal data where: (a) you are challenging the accuracy of the information, (b) the information has been unlawfully processed, but you are opposing the deletion of that information, (c) where you need the information to be retained for the pursuit or defense of a legal claim, or (d) you have objected to processing and you are awaiting the outcome of that objection request.
  • Withdraw consent. If we have collected and processed your personal data with your consent, then you can withdraw your consent at any time by using the contact details provided under the “How to Contact Us About This Policy” heading below. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal data conducted in reliance on lawful processing grounds other than consent.
  • Right to complain. You have the right to complain to a supervisory authority about our collection and use of your personal data. For more information, please contact your local supervisory authority. Contact details for the supervisory authority in the UK (the Information Commissioner’s Office) are available here and in the EU here.

Some of these rights apply generally, while others will only apply in certain circumstances. Depending on the scenario, these rights may be subject to some limitations. MeshPay EU B.V. will be responsible for responding to your request within the relevant periods provided by law. If necessary to resolve your request, MeshPay EU B.V. will liaise with other Mesh entities.

To exercise any of your rights see specific instructions below or contact us using the contact details provided under “How to Contact Us About This Policy” heading below. We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws. Before we can respond to a request to exercise one or more of the rights listed above, you may be required to verify your identity or provide additional information so that we can understand your request.

Automated decision-making
In some instances, our use of your personal data will result in automated decisions being taken (including profiling) that legally affect you or similarly significantly affect you.

Automated decisions mean that a decision concerning you is made automatically based on a computer determination (using software algorithms), without any human review. For example, we may use automated decisions for:

  • Automated screening of CVs. This involves automated scanning of CV documents to screen out applications lacking mandatory requirements (e.g. no legal qualifications for a legal counsel role). To safeguard your rights and interest, all CV screening suggestions must be reviewed by a human supervisor before being approved.

When we make an automated decision about you, you have the right to contest the decision, to express your point of view, and to require a human review of the decision. You can exercise this right by contacting us using the contact details provided under the “How to Contact Us About This Policy” heading below.

International Data Transfers
In some cases, where your personal data is transferred to another Mesh company or third parties, it is processed in countries other than the country in which you are resident. These countries may have data protection laws that are different to the laws of your country (and, in some cases, may not be as protective).

Specifically, we are headquartered in the United States and may use service providers that operate in the United States and other countries. Therefore, we may transfer your personal information to recipients outside of the UK and EU. Some of these recipients are located in countries which have been formally recognized as providing an adequate level of protection for personal information by the Secretary of State in the UK and the European Commission in the EU, in which case, we rely on the relevant “adequacy decisions”.

Where the transfer is not subject to an adequacy decision or regulations, we take appropriate safeguards to ensure your personal information remains protected in accordance with this Privacy Policy and applicable laws by entering into an appropriate data transfer mechanism permitted under Article 46 of the UK GDPR, such as the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Addendum.

Our Standard Contractual Clauses are entered into by our group companies and with our third-party service providers and partners.

Additional Information

Nothing in this Policy shall be construed as limiting or restricting applicants from properly exercising any rights or entitlements under applicable federal, state, or local laws and regulations. To the extent anything in this Policy may conflict with any applicable law, such law will control.

Nothing in this Policy shall be construed as conferring any contractual right, either express or implied, to employment with Mesh.

How to Contact Us About This Policy

If you have any questions or concerns about our use of your personal data, please contact us at privacy@meshpayments.com.

If you believe that Personal Information has been breached, please contact the Security Team immediately at security@meshpayments.com.

Acceptance of Privacy Notice

I have read this Policy and give my express consent for my personal information to be processed in accordance with the provisions therein by submitting my application and associated information on this date.

Data Processing Addendum

To request our DPA, please email the Mesh Privacy team at privacy@meshpayments.com.

Sub Processors

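Company: AWS
Purpose: Cloud service provider
Location: US

Company: SoFi Bank
Purpose: Bank account, Card issuing
Location: US

Company: Galileo Processing Inc.
Purpose: Credit card issuance and processing
Location: US

Company: Nium Pte Ltd
Purpose: Credit card issuance and processing
Location: UK, Singapore

Company: Datadog
Purpose: Logging and monitoring solution
Location: US

Company: Sentry
Purpose: Error monitoring and alerting tool
Location: US

Company: Google
Purpose: Cloud service provider
Location: US

Company: Zendesk
Purpose: Help desk ticketing system
Location: US

Company: Salesforce
Purpose: CRM
Location: US

Company: Twilio
Purpose: Inbound & outbound SMS
Location: US

Company: Merge
Purpose: HRIS integration connector
Location: US

Company: HubSpot
Purpose: Email API
Location: US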