Last updated · 2026-05-08
Data Controller
Data Controller: Mentesh Engineering · 325 Hagefen, Yagel 7169600, Israel · Company No. (ח.פ.) 517332896. Privacy enquiries: legal@me-plugins.com.
What we collect
- Reservation form (/buy/mentesh2a): email, optional name, intent checkboxes (reserve / trial / devlog).
- Contact form: email, subject, message body.
- Account / licence data: email used to sign in, licence keys issued to you, machines you have activated (machine fingerprint hash, machine label you provide, OS, app version, last seen timestamp).
- Hashed IP: salted SHA-256 of your IP for rate-limiting and abuse prevention. We do not store the raw IP.
- User-Agent string: stored alongside form submissions to debug delivery.
- Vercel platform logs: standard server logs (request path, timestamp, response code) generated by our hosting provider, retained per Vercel’s policy.
- Cookies set by analytics / advertising tools (only after you consent via the cookie banner — see “Cookies & tracking” below).
Lawful basis for processing
| Activity | Lawful basis (GDPR Art 6) |
|---|---|
| Reservation / waitlist email | Consent (Art 6(1)(a)) |
| Account creation, licence issuance, plugin activation | Performance of contract (Art 6(1)(b)) |
| Refund processing (via Paddle) | Contract + legal obligation (Art 6(1)(b)+(c)) |
| Rate-limiting via hashed IP | Legitimate interest — fraud prevention (Art 6(1)(f)) |
| Marketing pixels (Meta, Google Ads, TikTok) | Consent via cookie banner (Art 6(1)(a)) |
| Tax / accounting record-keeping | Legal obligation (Art 6(1)(c)) |
Why we collect it
(a) to email you when ME-TUEY v1.0 is available; (b) to fulfil your purchase, deliver licence keys, and operate plugin activation; (c) to reply to direct contact; (d) to prevent automated abuse of the public forms; (e) to comply with tax and consumer-protection law. We do not sell, rent, or trade your personal data.
Sub-processors
- Supabase (Supabase Inc., USA) — Postgres database, authentication (magic-link sign-in), file storage for plugin installers. Our project is hosted in the EU (eu-west-1, Dublin, Ireland) — primary data residency for EU/EEA users is within the EU.
- Postmark (ActiveCampaign / Wildbit) — transactional email (reservation confirmation, sign-in links, licence-key delivery, support replies).
- Vercel (Vercel Inc., USA) — site hosting, edge logs, Speed Insights, Web Analytics.
- Paddle (Paddle.com Market Ltd. UK and Paddle.com Inc. US) — payment processing, fraud screening, tax remittance. Paddle acts as our Merchant of Record.
- Anthropic (Anthropic PBC, USA) — Claude Haiku powers the in-app support chat. During a chat your message is sent to Anthropic’s API to generate the response; before we store the transcript in our database, PII (emails, licence keys, OTP codes, bearer tokens) is automatically redacted. Anthropic does not train on data sent via API (their default for paid API customers).
- Microsoft Clarity (Microsoft Corp.) — anonymised session-replay + heatmap analytics. Loaded only after you accept analytics cookies.
- Plausible (Plausible Insights OÜ, Estonia) — cookie-less, GDPR-friendly page-view analytics. EU-hosted.
- Meta Pixel (Meta Platforms Ireland Ltd.), Google Ads (Google LLC), TikTok Pixel (TikTok Pte. Ltd.) — conversion tracking for paid acquisition. Loaded only after you accept marketing cookies in the banner.
International data transfers
Primary personal-data storage for EU/EEA users (Supabase Postgres) is hosted in the EU (Dublin, Ireland — eu-west-1). No cross-border transfer occurs for the core customer record.
The following sub-processors are headquartered outside the EEA and operate from US (or other non-EU) infrastructure: Vercel, Paddle (US arm), Anthropic, Microsoft Clarity, Meta, Google, TikTok. Operational and metadata transfers to those processors rely on Standard Contractual Clauses (EU SCCs, 2021/914 Module 2 or 3 as applicable), supplemented by each processor’s technical and organisational safeguards. DPAs and SCC frameworks are public on each processor’s legal page; copies are available on request from legal@me-plugins.com.
Cookies & tracking
The site uses three cookie categories:
- Strictly necessary: session cookie for sign-in (set on /account routes only). No consent required.
- Analytics: Microsoft Clarity (session replay with mouse-move + click + scroll capture, no keystroke recording in form fields by default), Plausible (cookieless, no consent strictly required but treated as analytics). Loaded after consent.
- Marketing: Meta Pixel, Google Ads, TikTok Pixel. Loaded only after consent. Used for ad-conversion measurement.
You can change your consent at any time via the cookie banner, which re-appears via the “Cookies” link in the footer (or by clearing site data).
Retention
- Reservation list: until v1.0 ships + 90 days, unless you unsubscribe sooner.
- Newsletter subscribers: until unsubscribe.
- Customer + licence records: for the life of the licence + 7 years for tax/accounting (Israeli Income Tax Ordinance + EU Member State retention requirements).
- Activation records: lifetime of the licence.
- Contact-form messages: 12 months unless deletion is requested earlier.
- Hashed IPs (rate-limit): 30 days.
- Vercel server logs: per Vercel retention (~30 days).
Your rights (EU/EEA & UK GDPR)
You can exercise the following rights at any time by emailing legal@me-plugins.com from the address on file:
- Access (Art 15) — receive a copy of your data
- Rectification (Art 16) — correct inaccurate data
- Erasure (Art 17) — “right to be forgotten” — actioned within 30 days
- Restriction (Art 18) — pause processing while a dispute is resolved
- Data portability (Art 20) — receive your data in a machine-readable format
- Objection (Art 21) — object to processing based on legitimate interest, including direct marketing
- Withdraw consent (Art 7) — without affecting prior lawful processing
You also have the right to lodge a complaint with a supervisory authority — for EU residents, your local Data Protection Authority; for UK residents, the ICO; for Israeli residents, the Privacy Protection Authority (רשות הגנת הפרטיות).
Israeli Privacy Protection Law
GUY MENTESH LTD processes personal data in accordance with the Privacy Protection Law, 5741-1981 (חוק הגנת הפרטיות) and the Privacy Protection Regulations (Data Security), 5777-2017 (תקנות הגנת הפרטיות (אבטחת מידע)). Database registration obligations are reviewed periodically as the database grows.
Automated decision-making
We do not subject you to automated decisions producing legal or similarly significant effects. Rate-limit decisions are made algorithmically but block only ephemeral abuse — a refused rate-limit attempt does not result in any persistent record beyond the 30-day hashed-IP retention.
Data breaches
In the event of a personal-data breach affecting your account, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Art 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay (Art 34) at the email address on file. Notifications include the nature of the breach, categories and approximate number of records affected, likely consequences, and the measures we’ve taken to mitigate. Israeli incidents are reported to the Privacy Protection Authority under the Privacy Protection Regulations (Data Security), 5777-2017, on the same timetable.
Children
The site is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has submitted data, contact legal@me-plugins.com and we will delete it.
Changes
When this policy changes we update the date above and email everyone with an active reservation, customer record, or licence before the change takes effect.