Last updated: June 3, 2026
Privacy Policy
This policy describes the data handled by the Mehashi web app and API as implemented in the current codebase. Mehashi does not include Google Analytics, Meta Pixel, advertising pixels, heatmaps, or third-party product analytics scripts.
Data We Collect
Account data includes your email address, password hash, Google account identifier when you use Google sign-in, email verification state, account timestamps, and staff status where applicable.
Profile and workspace data includes display name, avatar URL or uploaded avatar file, bio, organization membership, organization name, projects, tasks, comments, files, links, notes, message threads, feedback tickets, votes, subscriptions, and related timestamps.
Authentication data includes a hashed session token stored server-side, session expiry, last-used time, IP address, and optional geolocation fields used for operator security views when geolocation is configured.
Billing data includes Stripe customer IDs, subscription IDs, subscription status, seat counts, and an idempotency record of Stripe webhook event IDs and types. Payment card details are handled by Stripe, not stored by Mehashi code.
How We Use Data
We use account and session data to create accounts, authenticate users, secure sessions, verify email addresses, reset passwords, and revoke sessions when passwords change or accounts are deleted.
We use workspace data to provide project boards, task workflows, comments, messages, files, feedback, profiles, and organization collaboration features.
We record first-party project feature usage events when authenticated users switch project views. These records are tied to project and user IDs and are used to understand product usage inside Mehashi. They are not sent to a third-party analytics platform.
Third-Party Services
Google is used for sign-in and, when you choose to connect it, Google Calendar access. The web app loads Google Identity Services only for Google authentication flows and requests Calendar read-only access only when you connect Calendar.
Stripe is used for subscription checkout, billing portal sessions, invoices, and subscription webhooks. SMTP email is used for verification, password reset, and message notification emails when configured.
Avatar uploads may be stored locally, in AWS S3, or in Azure Blob Storage depending on deployment configuration. Workspace weather uses Open-Meteo for forecasts and geocoding; browser-location weather uses the browser geolocation permission and OpenStreetMap Nominatim reverse geocoding.
The public early-access form posts the submitted email address to Mailchimp. Flag images are loaded from jsDelivr Twemoji. The app uses self-hosted Next font output; the source imports Google font definitions at build time rather than adding a browser tracking script.
Cookies and Browser Storage
Mehashi sets one first-party cookie: mehashi_session. It is a strictly necessary authentication cookie and is documented in the Cookie Policy.
The web app also uses localStorage and sessionStorage for first-party app state such as language, sidebar state, recent projects, draft messages, project tab preferences, short-lived page caches, Google OAuth redirect context, and saved weather location. It does not use IndexedDB, Cache API storage, or service worker storage in the inspected source.
Your Choices and Rights
You can request account deletion from the profile security area. When you delete your account, Mehashi marks the account and projects you own as deleted, revokes active sessions, removes password-reset and email-verification tokens, and clears the current session cookie. The account and associated content stay recoverable for 30 days.
During the 30-day recovery window, normal login is blocked. You can request restoration by contacting Mehashi support. Restoration requests are reviewed by authorized operators before access is reinstated. Approved restoration restores the account, memberships, owned projects, tasks, comments, messages, attachments, avatar references, and permissions that remain in the database.
After 30 days, Mehashi permanently removes the account from active systems. The purge deletes owned projects and dependent database records, removes task and message attachment files from active upload storage, and removes stored avatar files. Backup copies are not modified manually; the current infrastructure documentation targets natural backup expiration within 90 days.
You can sign out to revoke the current session. Password changes and password resets revoke other existing sessions. You can remove browser storage through your browser settings; doing so may reset preferences and cached UI state.
Depending on where you live, you may have rights to access, correct, delete, restrict, or object to processing of personal data. Contact hello@mehashi.com for privacy requests.
Security
Session tokens are stored in an HttpOnly cookie in the browser and as hashes in the database. Passwords are hashed with Argon2id. Production session cookies are marked Secure and SameSite=None so the web app can call the API with credentials over HTTPS.