Privacy Policy

Last updated: 2026-04-27 (draft)

Draft — awaiting legal review

This document is a starter draft and is not the authoritative legal text. Please contact legal@mezbano.app for the binding version before relying on this policy.

1. What We Collect

  • Account information — name, email address, role, organization metadata you provide during sign-up or invite acceptance.
  • Usage data — request logs, audit-trail entries, device and browser metadata, and IP addresses captured for security and troubleshooting.
  • Operational data — the sales, expense, inventory, scheduling, and related records your team enters into the platform.
  • Cookies — an authentication cookie, a CSRF token, and a theme preference cookie. We do not use advertising or tracking cookies.

2. How We Use It

  • to provide, maintain, and improve the Service;
  • to authenticate users and protect against fraud, abuse, and unauthorized access;
  • to send transactional email (sign-in verification, password reset, invitations) via Resend;
  • to produce de-identified aggregate analytics for product improvement;
  • to comply with legal obligations and enforce our Terms of Service.

3. Sharing

We share data only with the sub-processors required to operate the Service, under standard data-processing terms:

  • Cloudflare — hosting (Workers, D1, R2);
  • Resend — transactional email delivery;
  • Better Auth — embedded authentication library executed on Cloudflare infrastructure.

We do not sell personal data to third parties. We may disclose data when required by law, court order, or to defend the rights and safety of users and the Service.

4. Retention

Operational data is retained while the account is active and for a reasonable period after termination to allow for export and dispute resolution. Soft-deleted records may be retained in audit logs for compliance purposes. On verified request, we will perform a hard delete of customer data subject to legal hold requirements.

5. Security

Mezbano relies on Cloudflare D1 encryption-at-rest, TLS in transit, scrypt password hashing, Better Auth session controls, comprehensive audit logging, and optional two-factor authentication. Access to customer data by Mezbano staff is restricted and audited.

6. Your Rights

Where applicable law (such as GDPR or CCPA-equivalent regimes) provides them, you have the right to access, correct, export, or delete your personal data. To exercise these rights, contact us at the email address below. We will respond within the timelines required by applicable law.

7. Cookies

We use a strictly-necessary authentication cookie, a CSRF token, and a theme preference cookie. We do not set advertising, cross-site tracking, or analytics fingerprinting cookies.

8. Children’s Data

The Service is intended for business use by adults. It is not directed to individuals under 18, and we do not knowingly collect personal data from children.

9. International Transfers

Data is hosted on Cloudflare’s global edge network, which means it may be processed in countries other than the one where it was collected. Where required, transfers are protected by Standard Contractual Clauses or another approved transfer mechanism.

10. Changes

We will provide notice of material changes to this policy via in-app banner or email, with the updated effective date shown above.

11. Contact

Privacy questions, data-rights requests, or security concerns? Email legal@mezbano.app.