Privacy Policy
Introduction
MESO ("we", "us", "our") is an AI-powered educational technology platform designed to support educators in curriculum planning and research. This Privacy Policy explains how we collect, use, protect, and share information when you use our platform.
We are committed to protecting your privacy and handling your data in an open and transparent manner. This policy applies to all users of the MESO platform, including teachers, school administrators, and educational professionals.
Data Controller: MESO operates as the Data Controller for personal data processed through our platform. For questions about this policy or our data practices, please contact us at privacy@mesolab.ai.
Scope of This Policy
This Privacy Policy applies to:
The MESO web application and all associated services
All data collected through user registration and platform usage
Communications between MESO and its users
AI-powered features and content generation tools
Important Note: MESO is designed for use by educators and educational professionals. We do not directly collect personal data from students. Our platform processes only professional educator data.
3. Definitions
Term | Definition |
Personal Data | Any information relating to an identified or identifiable natural person. |
Processing | Any operation performed on personal data, including collection, storage, use, and deletion. |
Data Controller | The entity that determines the purposes and means of processing personal data (MESO). |
Data Processor | A third party that processes personal data on behalf of the Data Controller. |
User | Teachers, school administrators, and educational professionals who use the MESO platform. |
4. Data We Collect
4.1 Information You Provide
Identity Data: Your name, email address, and unique user identifier (UUID) created upon registration.
Professional Data: School name, teaching subjects, grade levels taught, years of teaching experience, and professional biography.
User-Generated Content: Lesson plans, assessments, rubrics, and educational materials you create using our platform, as well as chat conversations with our AI assistant and your saved preferences.
4.2 Information Collected Automatically
Technical Data: IP addresses (collected only for consent tracking and audit purposes), session data, and basic usage analytics (with your consent).
4.3 Information We Do NOT Collect
MESO is designed with data minimization as a core principle. We explicitly do not collect:
Student personal data
Detailed lesson content for tracking purposes
Third-party personal information
5. GDPR Compliance
MESO is fully committed to compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). We have implemented measures to ensure adherence to all seven GDPR principles.
5.1 GDPR Principles Implementation
Principle | How MESO Implements It |
Lawfulness, Fairness & Transparency | We collect explicit consent during onboarding and provide clear information about data processing. |
Purpose Limitation | Data is used only for educational platform functionality and the specific purposes you consent to. |
Data Minimization | We collect only the fields necessary for platform operation. No excessive data collection. |
Accuracy | Users can update their profile information at any time through the platform settings. |
Storage Limitation | Defined retention policies with automated cleanup processes ensure data is not kept longer than necessary. |
Integrity & Confidentiality | Row-Level Security (RLS), encryption, and strict access controls protect your data. |
Accountability | Comprehensive audit trails are maintained for 7 years to demonstrate compliance. |
5.2 Your Rights Under GDPR
As a data subject, you have the following rights under GDPR, all of which MESO fully supports:
Right | How to Exercise It |
Right to Access (Art. 15) | Request a complete export of your data in JSON format through your account settings. |
Right to Rectification (Art. 16) | Edit your profile information directly in the platform. All changes are logged in our audit trail. |
Right to Erasure (Art. 17) | Request account deletion with a 30-day grace period for recovery, followed by complete anonymization. |
Right to Data Portability (Art. 20) | Export your data in a machine-readable format (JSON) for transfer to another service. |
Right to Object (Art. 21) | Withdraw consent for any optional processing through your consent settings. |
Right to Restriction (Art. 18) | Request account freeze or soft deletion while retaining your data for potential reactivation. |
6. Legal Basis for Processing
We process your personal data based on the following legal grounds:
Consent (Article 6(1)(a) GDPR): For analytics data collection, marketing communications, ambassador program participation, and third-party data sharing. You may withdraw consent at any time.
Contract Performance (Article 6(1)(b) GDPR): Processing necessary to provide you with the MESO platform services you have requested, including account management and core platform functionality.
Legitimate Interests (Article 6(1)(f) GDPR): For platform security, fraud prevention, and service improvement, where such interests do not override your fundamental rights.
Legal Obligation (Article 6(1)(c) GDPR): Where we are required to retain certain records for legal compliance purposes.
7. Consent Management
MESO operates on a consent-first model. During onboarding and throughout your use of the platform, you control what data processing you permit.
7.1 Types of Consent
Consent Type | Purpose | Required? |
Data Processing | Core platform functionality | Yes (for service use) |
Analytics | Usage data collection for improvement | Optional |
Ambassador Program | Early access program participation | Optional |
Marketing | Marketing communications | Optional |
Third-Party Sharing | Partner data sharing | Optional |
7.2 Consent Features
Explicit opt-in required during onboarding for each consent type
Consent withdrawal available at any time through your account settings
IP address logging for audit verification purposes
Timestamp recording for all consent actions
8. How We Use Your Data
We use your personal data for the following purposes:
8.1 Platform Services
Providing access to AI-powered curriculum planning and research tools
Generating and storing lesson plans, assessments, and rubrics
Personalizing your platform experience based on your preferences
Managing your account and authentication
8.2 Platform Improvement (with consent)
Analyzing usage patterns to improve platform features
Understanding how educators use our tools to better serve the community
8.3 What We Do NOT Do
We never: sell your personal data, use your data for advertising purposes, share your data with third parties for their marketing purposes, or use your educational content to train our AI models without explicit consent.
9. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law.
Data Type | Retention Period |
User profiles | Account lifetime + 30 days |
Lesson plans & Assessments | Account lifetime + 90 days |
Audit logs | 7 years (legal requirement) |
Soft-deleted records | 90 days before permanent removal |
Database backups | 30 days |
Anonymized data | Indefinite (contains no PII) |
10. Account Deletion Process
When you request account deletion, we follow a three-stage process designed to protect both your rights and allow for recovery if needed:
Stage 1 - Deletion Request: You initiate a deletion request through your account settings or by contacting us directly.
Stage 2 - Grace Period (30 days): Your account is deactivated but your data is preserved. During this period, you can recover your account by logging in and cancelling the deletion request.
Stage 3 - Anonymization: After the grace period, all personally identifiable information is permanently anonymized:
Name is replaced with "Deleted User [UUID]"
Email is replaced with "deleted_[UUID]@deleted.local"
Other PII fields are set to NULL
Audit trail is preserved for legal compliance (anonymized)
11. Third-Party Data Processors
We work with carefully selected third-party service providers who process data on our behalf. All processors are bound by Data Processing Agreements (DPAs) that ensure GDPR compliance.
Processor | Purpose | Data Shared |
Supabase | Database & Authentication | User profiles, preferences, content |
OpenAI | AI-powered content generation | Prompts only (no PII) |
AWS Bedrock | Alternative AI services | Prompts only (no PII) |
Important: When using AI features, we send only the prompts and educational context necessary to generate content. We do not send your personal information to AI providers.
12. Data Security
We implement comprehensive technical and organizational measures to protect your personal data.
12.1 Authentication & Access Control
Supabase authentication with JWT tokens
Automatic token refresh mechanism
Row-Level Security (RLS) on all database tables
Users can only access their own data
Cascade deletion when accounts are removed
12.2 Data Protection
SSL/TLS encryption for all connections (data in transit)
Password hashing via Supabase Auth
API keys stored in environment variables (not in code)
Session-based storage for sensitive educational content
Logging disabled by default to protect privacy
12.3 Session Security
30-minute session timeout (configurable)
Maximum 10 concurrent sessions per user
Session persistence with secure token refresh
13. Audit & Accountability
We maintain comprehensive audit trails to ensure accountability and compliance with regulatory requirements.
13.1 What We Log
Table name, record ID, and action type (INSERT, UPDATE, DELETE)
Old and new data values (for tracking changes)
User who made the change
Timestamp and IP address
13.2 Operations Logged
Profile changes
Lesson plan modifications
Assessment creation and updates
Consent changes
14. Privacy by Design
MESO is built with privacy as a foundational principle, not an afterthought. Our privacy-by-design approach includes:
Data Isolation: Each user's data is completely separated via Row-Level Security (RLS)
Minimal Collection: Only essential professional data is collected
Temporary Storage: Educational content is stored in sessionStorage (clears when browser closes)
No External Tracking: No third-party analytics scripts are used
Transparent AI Usage: Clear indication when AI powers features
15. Cookies and Similar Technologies
MESO uses minimal cookies necessary for platform operation:
Essential Cookies: Required for authentication and session management. These cannot be disabled as they are necessary for the platform to function.
Analytics Cookies: Used only with your explicit consent to help us understand how educators use our platform. You can enable or disable these in your consent settings.
No Advertising Cookies: We do not use any third-party advertising or tracking cookies.
16. International Data Transfers
Your data may be processed by our third-party service providers located outside the European Economic Area (EEA). When this occurs, we ensure appropriate safeguards are in place:
Standard Contractual Clauses (SCCs) approved by the European Commission
Adequacy decisions where applicable
Binding Corporate Rules for certified providers
17. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons.
Notification: We will notify you of material changes by email and/or through a prominent notice on our platform at least 30 days before the changes take effect.
Version History: We maintain a version history of this policy, and previous versions are available upon request.
Your Continued Use: Your continued use of the platform after changes become effective constitutes acceptance of the revised policy.
18. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your rights, or have concerns about how we handle your data, please contact us:
Data Protection Officer: privacy@mesolab.ai
General Inquiries: support@mesolab.ai
Mailing Address: MESO, ADAPT Centre, Trinity College Dublin, Dublin 2, Ireland
We aim to respond to all data protection inquiries within 30 days.
18.1 Supervisory Authority
You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates applicable law. In Ireland, the supervisory authority is:
Data Protection Commission
21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
Website: www.dataprotection.ie
This Privacy Policy was last updated on 14 January 2026.
© 2025 MESO. All rights reserved.