Privacy Policy
Last updated: 12 March 2026
At MEP Spain (hereinafter, «the Controller»), we respect your privacy and are committed to protecting your personal data in accordance with Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), and Spanish Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).
1. Data Controller
The data controller's details are:
- Identity: MEP Spain
- Privacy contact (data protection queries): [email protected]
- Address: Available at the corresponding Commercial Registry.
2. Data We Collect and Purposes
We collect and process the following personal data, with the indicated purposes and legal bases (Art. 6 GDPR):
| Data | Purpose | Legal Basis (Art. 6 GDPR) |
|---|---|---|
| Name, email, password (bcrypt hash) | Account management, authentication, and 2FA | Art. 6.1.b — Contract performance |
| Agent conversation history | Agent memory, chat context, and service improvement | Art. 6.1.f — Legitimate interest |
| Registered LLM server IPs | Connection, health checks, and endpoint routing | Art. 6.1.b — Contract performance |
| Aggregated usage statistics (no content) | Service improvement, monitoring, and abuse detection | Art. 6.1.f — Legitimate interest |
| Contact book: name in plaintext; email and phone encrypted (AES-256-CBC) | Sending messages and reminders to third parties at user request | Art. 6.1.a — Explicit consent |
| Subscription and billing data (managed by Stripe) | Payment processing, plan management, and billing | Art. 6.1.b — Contract performance |
| TOS violation records (type, severity, evidence, appeals) | Terms of Service enforcement and platform security | Art. 6.1.f — Legitimate interest |
| Page visits (path, referrer, UTM parameters; no IP address, no cookies, no fingerprinting). Automatically deleted after 90 days | Internal traffic analytics, processed entirely server-side. No Google Analytics, Meta Pixel, or any other third-party service; individual visitors are not tracked, even anonymously | Art. 6.1.f — Legitimate interest |
3. User LLM Servers
When you connect your own LLM server:
- Messages you send to the chat are transmitted through an encrypted tunnel (WireGuard) to YOUR server, which generates the responses.
- MeigaHub acts as a technical intermediary: apart from the conversation history, it does not store the responses generated by your server.
- If you enable the option to share your server with administrators, administrator messages may also be processed on your server.
Important: You are responsible for the data processed on your own LLM server. MeigaHub has no control over how your server processes the data.
3 bis. Specialist Access to User Accounts
When the user purchases a specialist hour pack, an authorized MeigaHub worker (specialist) may access the user's account in a limited capacity to deliver the contracted service.
Legal basis: Contract performance (Art. 6.1.b GDPR) — access is strictly necessary to fulfil the contracted service.
- The specialist only accesses account sections that the administrator has expressly authorized in the assignment.
- All access is automatically logged (date, time, section, action) in an unalterable activity log.
- The specialist signs a digital confidentiality agreement before accessing each assigned account.
- The user can view the complete specialist access history in their "My Services" section (GDPR Art. 15 — right of access).
- Additionally, the user receives a daily email digest summarizing the specialist's recorded actions.
Retention: Activity logs are retained for 2 years and automatically deleted after that period (GDPR Art. 5.1.e).
4. Third-Party Cloud APIs
Users may optionally configure cloud APIs from external providers (OpenAI, Mistral, Groq, etc.). In this case:
- Chat messages are sent to the selected cloud provider. These providers act as independent data controllers with their own privacy policies.
- API keys are stored encrypted (AES-256-CBC) and are never visible to MeigaHub administrators.
Important: Using cloud APIs means your data may leave the European Economic Area if the provider has servers outside the EU. Please consult the relevant provider's privacy policy.
5. Data Retention
Retention periods are as follows:
- Account data: while the account is active, plus 30 days after deactivation or cancellation.
- Conversation history: until the user deletes it, and at most 2 years from the last interaction in each conversation. Conversations inactive for more than 2 years may be purged automatically.
- Billing data: 5 years in accordance with Spanish tax legislation (Law 58/2003 General Tax Law).
- TOS violation records: 3 years from resolution, or as required by applicable law.
- Messaging channel records (Telegram, WhatsApp, Slack): 30 days. Automatically deleted.
- Page visit analytics: 90 days. Automatically deleted.
- Application errors: 90 days.
- Desktop activity records (Desktop Agent): until the user deletes them, with a maximum of 1 year.
6. Security Measures
MeigaHub implements appropriate technical and organizational measures proportionate to the risk, in accordance with Art. 32 GDPR and Art. 28 LOPDGDD:
- Encryption of sensitive data at rest (AES-256-CBC) and in transit (HTTPS/TLS 1.2+, WireGuard for LLM servers).
- Mandatory two-factor authentication (2FA/TOTP) for users.
- Passwords are stored only as bcrypt hashes (one-way; the plaintext password is never stored). API keys are stored encrypted and are never exposed in the UI.
- Network isolation between users through deny-by-default ACLs: users cannot reach other users' resources or the central infrastructure.
7. Your Rights (GDPR Arts. 15-22 and LOPDGDD)
You have the right to:
- Access (Art. 15): request a copy of your processed personal data.
- Rectification (Art. 16): correct inaccurate or incomplete data.
- Erasure (Art. 17): request deletion of your account and data («right to be forgotten»).
- Restriction of processing (Art. 18): request restriction of processing under certain circumstances.
- Portability (Art. 20): receive your data in a structured, commonly used, and machine-readable format.
- Objection (Art. 21): object to processing based on legitimate interest.
To exercise these rights, send an email to [email protected] indicating your full name, registered email, and the right you wish to exercise. We will respond within a maximum period of 30 days.
8. International Transfers
MeigaHub processes personal data with the safeguards required by Regulation (EU) 2016/679 (GDPR) and Spain's LOPDGDD. Below we detail the international data transfers that may occur and the legal bases that support them.
MeigaHub's core infrastructure is hosted by OVHcloud SAS (a French company) at its Beauharnois, Quebec (Canada) data centre. This transfer is covered by European Commission Adequacy Decision 2002/2/EC, which recognizes that Canadian organizations subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) provide an adequate level of personal data protection; the decision predates the GDPR and remains in force under Art. 45.9 GDPR. OVHcloud, as an entity subject to PIPEDA for this processing, meets this requirement. Additionally, OVHcloud provides a GDPR-compliant Data Processing Agreement (DPA).
If the user configures third-party cloud APIs (OpenAI, Mistral, Groq), chat data is sent to the selected provider. The following table lists all sub-processors that may receive personal data, their location, and the safeguard that applies to any transfer outside the EEA. The cloud AI providers are conditional sub-processors: they receive data only when the user actively configures them.
| Provider | Country | Safeguard | Purpose |
|---|---|---|---|
| OVHcloud (SAS) | Canada (Beauharnois, QC) | Adequacy Decision 2002/2/EC (PIPEDA) + DPA | Infrastructure hosting (servers, database, storage) |
| Stripe, Inc. | USA | EU-U.S. Data Privacy Framework (DPF) + SCCs | Payment processing and billing |
| Tailscale, Inc. | Canada | Adequacy Decision 2002/2/EC (PIPEDA) + SCCs | VPN network for user LLM server connections |
| OpenAI | USA | EU-U.S. Data Privacy Framework (DPF) + SCCs | AI processing (only if the user configures their OpenAI API key) |
| Mistral AI | France (EU) | Processing within the EEA — no international transfer | AI processing (only if the user configures their Mistral API key) |
| Groq | USA | EU-U.S. Data Privacy Framework (DPF) + SCCs | AI processing (only if the user configures their Groq API key) |
| Bunny.net | EU (Slovenia) | Processing within the EEA — no international transfer | Web font service (only IP address and browser HTTP headers) |
| jsDelivr (Prospect One) | EU (Poland) + global CDN | Main processing within the EEA; global CDN nodes with SCCs | Content delivery network for JavaScript libraries (Chart.js, QRCode) — only IP address and HTTP headers |
When the user connects their own LLM server, data travels through an encrypted tunnel (WireGuard/Tailscale) to that server; the location of that server, and regulatory compliance in its jurisdiction, are the user's responsibility. MeigaHub will periodically review the validity of the adequacy decisions it relies on and adopt additional safeguards (Standard Contractual Clauses or other Art. 46 GDPR mechanisms) if any decision is revoked.
9. AI Processing and Automated Decisions
MeigaHub uses artificial intelligence models (LLMs) to deliver its features. It is important that you understand how your data is processed in this context:
- AI models run on the user's own servers or on cloud APIs configured by the user. MeigaHub does not train or fine-tune models with your data.
- Some features involve automated processing with scoring: opportunity matching (SearchCases), content performance evaluation (blog), and violation detection (TOS). These processes are auxiliary and subject to human oversight.
- No decisions producing legal effects or similarly significantly affecting the data subject are based solely on automated processing (Art. 22.1 GDPR). Actions such as account suspension or the unpublishing of content are subject to human review and can be re-examined at any time on request.
- You have the right to obtain human intervention, express your point of view, and contest any automated decision, in accordance with Art. 22.3 GDPR. Contact [email protected].
10. Privacy Contact
MEP Spain is not legally required to appoint a Data Protection Officer, since its core activities do not involve large-scale regular and systematic monitoring of data subjects or large-scale processing of special categories of data (Art. 37.1 GDPR). However, you may direct any queries regarding the processing of your personal data to [email protected].
11. Contact and Complaints
To exercise your rights, submit a query, or file a complaint, write to the privacy contact address given in sections 7 and 10.
You may also lodge a complaint with the Spanish Data Protection Agency (AEPD, www.aepd.es) if you consider that your rights have not been properly addressed.