
Privacy Policy

Last updated: 2026-05-28

This policy explains what data Mesh collects, how we use it, who we share it with, and your rights under Qatar's Personal Data Privacy Protection Law (PDPPL — Decree-Law 13 of 2016). Last reviewed by the operator on the date shown above. We adopt an AI-assisted compliance review process; we encourage you to flag any concern by emailing studio@mesh.com.qa.

Who we are

Mesh is operated by Mesh Designs and Craftwork, a sole-proprietorship registered with Qatar's Ministry of Commerce and Industry under Commercial Registration 329233.

Registered address: Doha, State of Qatar. We operate as a home-based sole-proprietorship and our full address is provided by email to legitimate inquiries (governmental, legal, courier dispute) — please email studio@mesh.com.qa.

Privacy contact: The Operator, reachable at studio@mesh.com.qa or on WhatsApp via the link on /contact. As a small business we are not currently required to appoint a Data Protection Officer under the PDPPL implementing regulations.

What data we collect

We collect only the data we actually need to fulfil your order or quote request. Specifically:

  • Your name (collected on checkout or quote request)
  • Your WhatsApp number (so we can confirm and deliver your order)
  • Your email address (optional — only if you choose to provide it for order confirmations)
  • Delivery notes you write into the order (e.g. a building number, a preferred drop-off time)
  • Files you upload for custom quotes (STL files, reference images, marketplace links)
  • Bank account details (IBAN) — collected only when you request a refund on a non-card payment, used only to process that refund, then deleted within 30 days
  • Payment information — collected directly by SkipCash on their PCI-DSS Level 1 compliant hosted checkout page. Mesh operates under PCI-DSS Self-Assessment Questionnaire A (SAQ-A) scope and never receives, processes, transmits, or stores cardholder data (card number, CVV, expiry). SkipCash is licensed by the Qatar Central Bank
  • Anonymous browsing analytics via Vercel Analytics — page views, time on page, device class. On checkout completion, a one-time event is sent containing an order-cohort marker (year only, e.g. "ORD-2026-***") so we can measure annual conversion rate. No cookies, no IP address stored, no per-order identifier exposed to analytics
  • Server logs (request path, status code, opaque internal UUIDs) for security and debugging — sensitive object keys (name, customer_name, whatsapp, email, address, IBAN, bank account, tokens, secrets) are automatically redacted by the logger before any line is emitted

Mesh does not knowingly collect special-category data (health, religion, ethnicity, political opinion, biometric or genetic data) under PDPPL Art. 6. If a reference image you upload contains such data, please remove it before uploading. Mesh is not directed to children under 18; if we discover we have collected data from a child without verified parental consent, we delete it.

Why we collect it and our lawful basis

Your contact details are used solely to fulfil and follow up on your order or quote. We do not use them for marketing without your explicit opt-in.

Your uploaded files are used only to produce your custom order. We do not redistribute, resell, or use them for anything else.

Anonymous analytics help us understand which products and pages are popular so we can improve the catalogue. They are not used to track you.

We process your data on the following lawful bases under PDPPL Art. 4: (a) contract performance — to fulfil orders and quote requests you initiate; (b) legal obligation — to retain transaction records for at least 5 years under Qatar Income Tax Law and Electronic Commerce Law Art. 33, and to verify intellectual-property licensing on custom orders; (c) legitimate interest — to secure the site, prevent fraud, and produce anonymous analytics, balanced against your privacy expectations; (d) consent — only where you opt in to marketing communications.

How long we keep your data

We retain personal data only as long as necessary for each purpose:

  • Order records (name, WhatsApp number, delivery address, order line items) — at least 5 years from order date, to satisfy Qatar Income Tax Law and Electronic Commerce Law Art. 33 transaction-record requirements
  • Quote requests including uploaded files — 24 months from the request date, then deleted unless linked to an active or disputed order
  • STL files and reference images for custom orders — kept for the duration of order production plus 90 days for warranty support, then permanently deleted
  • Bank account / IBAN provided for a refund — deleted within 30 days of the refund completing
  • Server security logs — 30 days, then deleted
  • Anonymous analytics — 90 days at Vercel, then automatically deleted
  • Shopping cart — lives only in your browser; clearing site data deletes it instantly

Who we share your data with

We use the following service providers (each a data processor acting on our behalf under a written Data Processing Addendum that requires them to process data only on our instructions and to apply appropriate security measures):

  • Vercel Inc. (United States, European Union) — hosts the website and runs anonymous analytics
  • Supabase Inc. (European Union, eu-central-1) — stores the database and uploaded files
  • SkipCash (Qatar) — processes online payments. Card, Apple Pay, and Google Pay data never reach our servers — you enter those directly on SkipCash's hosted checkout page. We do transmit your contact details (name, WhatsApp number, email) to SkipCash's API on the server side to create the payment session, as required by their merchant agreement
  • Resend Inc. (United States) — delivers transactional email (order confirmations, owner alerts)
  • Sentry / Functional Software Inc. (United States, European Union) — captures application errors so we can fix bugs
  • Upstash Inc. (United States) — rate-limiting infrastructure. Only your IP address and the API endpoint name are sent, kept for the rate-limit window (maximum 24 hours)
  • Anthropic PBC (United States) — AI-assisted receipt extraction in the operator's admin tools only. The operator uploads business receipts and the model returns structured data. Customer-facing flows do not use this processor

Your rights under PDPPL

Under Qatar's Personal Data Privacy Protection Law Art. 11, you can ask us to:

  • Confirm what personal data we hold about you
  • Correct any data that is wrong
  • Delete your data (subject to the at-least-5-year tax-record requirement above)
  • Withdraw any consent you have given
  • Receive a copy of your data in a portable format
  • Object to processing based on legitimate interest, including any marketing
  • Restrict our processing while you contest accuracy or lawfulness

To exercise any of these rights, email studio@mesh.com.qa. The PDPPL maximum-response window is 30 days; for most requests we aim to reply within a few days. (General customer-service complaints — distinct from PDPPL rights requests — follow the 2-business-day acknowledgement + 7-day response SLA in our Terms §12.)

Cookies and tracking

We do not use tracking cookies, advertising cookies, or third-party analytics cookies. Two functional cookies are set:

  • NEXT_LOCALE — a small cookie that remembers your language preference (en or ar) so the site loads in your chosen language on return visits. It contains only the locale code, no personal data.
  • __Host-mesh-admin-session — an httpOnly, server-signed session cookie set ONLY when an administrator logs in at /admin/login. Strictly necessary for administrator authentication; never set on customer-facing pages.

Vercel Analytics does not set cookies, store IP addresses, or generate persistent identifiers, so it falls outside the consent requirement of PDPPL Art. 5 and Article 5(3) of the EU ePrivacy Directive.

International data transfers

We transfer personal data outside Qatar to the processors listed under "Who we share your data with" above. Specifically: Vercel Inc. (US, EU), Supabase Inc. (EU, eu-central-1), Resend Inc. (US), Sentry / Functional Software Inc. (US, EU), Upstash Inc. (US), and Anthropic PBC (US). Each transfer is governed by a Data Processing Addendum incorporating Standard Contractual Clauses or an equivalent contractual safeguard, satisfying PDPPL Art. 18. A copy of the relevant safeguard is available on written request to studio@mesh.com.qa.

Security

We apply technical and organisational measures appropriate to our size:

In transit:

  • HTTPS-only access with modern TLS
  • Webhook signature verification (constant-time HMAC compare) before any payment record is updated
  • Strict SSRF allow-listing for URL fetches from user-submitted content; server-side API calls to named third-party services (SkipCash, Vercel, Anthropic, Thingiverse) use server-held API keys over HTTPS

In our systems:

  • Row-level security on every database table
  • Cryptographically signed admin sessions with short expiry
  • Sensitive-key redaction in application logs: object keys including name, customer_name, whatsapp, email, address, IBAN, tokens, and secrets are automatically replaced with `<redacted>` before any line is emitted

Operational:

  • Access to customer data is limited to the operator on a need-to-know basis
  • Documented incident-response procedure with defined escalation paths
  • Periodic review of access logs and security configuration
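Two of the measures above, the log redaction described under "What data we collect" and here, and the constant-time HMAC check on payment webhooks, are shown below as an added illustration. This is editorial example code, not Mesh's own logger or webhook handler. It assumes Node's `crypto` module (the site runs on Next.js), a hex-encoded HMAC-SHA256 over the raw request body as the webhook signature scheme (SkipCash's actual format is not described on this page), and the key list given in the policy; the exact key set and matching rules in Mesh's logger are not published.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Assumed sensitive-key list, taken from the policy text: name, customer_name,
// whatsapp, email, address, IBAN, bank account, tokens and secrets. Exact keys
// are matched case-insensitively; token/secret/iban are matched as substrings
// so that e.g. "api_token" or "refund_iban" are also caught.
const SENSITIVE_EXACT = new Set([
  "name", "customer_name", "whatsapp", "email", "address", "iban", "bank_account",
]);
const SENSITIVE_SUBSTRINGS = ["token", "secret", "iban"];

function isSensitiveKey(key: string): boolean {
  const k = key.toLowerCase();
  return SENSITIVE_EXACT.has(k) || SENSITIVE_SUBSTRINGS.some((s) => k.includes(s));
}

/** Deep-copy `value`, replacing the value under every sensitive key with "<redacted>". */
export function redact(value: unknown): unknown {
  if (Array.isArray(value)) return value.map(redact);
  if (value !== null && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      out[k] = isSensitiveKey(k) ? "<redacted>" : redact(v);
    }
    return out;
  }
  return value;
}

/** Build one JSON log line; redaction runs before the line exists, so raw PII is never serialised. */
export function logLine(level: string, msg: string, ctx: Record<string, unknown>): string {
  return JSON.stringify({ level, msg, ...(redact(ctx) as Record<string, unknown>) });
}

/** Assumed signature scheme: hex HMAC-SHA256 over the raw (unparsed) request body. */
export function signBody(rawBody: string, secret: string): string {
  return createHmac("sha256", secret).update(rawBody, "utf8").digest("hex");
}

/**
 * Constant-time comparison of the provided signature against the expected one.
 * A length mismatch is rejected up front (timingSafeEqual requires equal lengths);
 * the length of a fixed-size HMAC is not a secret, so this leaks nothing useful.
 */
export function verifyWebhookSignature(rawBody: string, providedSig: string, secret: string): boolean {
  const expected = Buffer.from(signBody(rawBody, secret), "utf8");
  const provided = Buffer.from(providedSig.toLowerCase(), "utf8");
  if (expected.length !== provided.length) return false;
  return timingSafeEqual(expected, provided);
}

// Constructed sample context; not real customer data.
const sampleCtx = {
  order_id: "11111111-2222-4333-8444-555555555555",
  customer_name: "Test Customer",
  whatsapp: "+97400000000",
  items: [{ sku: "LAMP-01", qty: 1 }],
};
console.log(logLine("info", "order.created", sampleCtx));
```

The important ordering is that `redact` is applied to the structured context before `JSON.stringify` runs, not as a regex pass over an already-emitted line, and that the webhook check signs the raw body bytes rather than a re-serialised parse of them, since any re-serialisation can change whitespace or key order and break the comparison.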

Contact

For privacy questions or to exercise your PDPPL rights, email studio@mesh.com.qa or message us on WhatsApp via the link on /contact.

Personal-data breaches

If we discover a breach affecting your personal data, we will notify the Compliance and Data Protection Department of Qatar's Ministry of Communications and Information Technology, and the affected individuals, without undue delay — in any event within 72 hours of becoming aware of the breach, where feasible. The notification will describe the nature of the breach, the data categories involved, the likely consequences, and the measures we have taken to address and mitigate it. This commitment follows PDPPL Art. 26 and the 2024 implementing regulations.