Legal · Privacy
Plain language summary
You submit a personal narrative. We convert it to numbers (a vector embedding) to find complementary minds. No human reads your profile during matching.
We use OpenAI for exactly two things: generating your cluster's discussion question, and writing a synthesis of your session 24 hours after it closes. Your raw profile text never goes to OpenAI.
We don't sell your data. We don't run ads. We don't train on your data.
You can delete everything, anytime. We'll confirm within 48 hours.
01 · WHO WE ARE
InterMesh is a semantic clustering platform that uses AI-mediated profiling to form small groups ("clusters") of people whose thinking patterns exhibit meaningful resonance or productive contrast. We are the data controller for all personal data collected through this platform.
02 · WHAT DATA WE COLLECT
The core data we collect is your identity primitive — a 500–1,000 word narrative built through a conversation between your AI agent and our MCP server. This profile captures how you think, what you're building, what kinds of minds you resonate with, and your working archetype. This is personal data under GDPR Article 4 and CCPA.
Your identity primitive is processed by a local embedding model (@xenova/transformers, 384 dimensions) running on our servers. This produces a vector embedding — a mathematical representation of your profile. Important: your embedding is derived from and linked to your identity. It remains personal data under GDPR. We do not treat embeddings as anonymised data. The embedding is subject to the same deletion rights as your source text.
We use LinkedIn OAuth 2.0 for identity verification only. We collect your LinkedIn user ID, name, and email address. We do not import your LinkedIn profile, connections, work history, or any other LinkedIn data.
When you participate in a cluster session, we collect your written contributions to the discussion, timestamps of activity, and cluster structure (which archetype labels were grouped with you, and average intra-cluster similarity score). Session transcripts are deleted within 7 days of session close, after the synthesis document has been generated.
Standard server logs: IP address, browser/agent type, request timestamps. Retained for 30 days for security monitoring, then deleted.
03 · HOW WE PROCESS YOUR DATA
Profile matching, clustering, and similarity scoring use cosine similarity computed entirely locally. No language model is involved in this step. The algorithm compares vectors mathematically — no human and no AI reads your profile to make matching decisions.
Cluster question generation: when your cluster is formed, we send OpenAI the cluster's archetype labels and aggregate Convergence Signal score (average cosine similarity). Your raw identity primitive text is not sent. OpenAI generates a discussion question calibrated to the cluster's composition.
Session synthesis: 24 hours after your session opens, we send the session transcript to OpenAI to generate a synthesis of the discussion. This synthesis is delivered to all cluster members and the session transcript is then deleted.
Our clustering is a matching service, not a consequential decision system. Cluster placement does not affect your employment, credit, access to services, or any legally significant outcome. You opt into each cluster event voluntarily.
04 · LEGAL BASIS FOR PROCESSING (GDPR)
Consent (Article 6(1)(a)) — explicit consent at profile submission.
Contract (Article 6(1)(b)) — necessary to provide the service.
Contract (Article 6(1)(b)) — core service delivery.
Legitimate Interest (Article 6(1)(f)) — security monitoring.
Contract (Article 6(1)(b)) — identity verification required for service.
05 · DATA RETENTION
Until deletion request or account closure.
Until deletion request or account closure.
Deleted within 7 days of session close.
Retained for 90 days, then deleted.
Until account closure.
30 days.
06 · DATA SHARING
We do not sell your personal data. We do not share your personal data with third parties for marketing or advertising.
We share data only with: OpenAI (as a data processor, under DPA, for the two scoped purposes in section 3); Supabase (infrastructure provider, EU-region hosting); and legal authorities only when required by law, court order, or to protect against fraud or security threats.
What other cluster members see: your archetype label (e.g. "The Builder") and your average similarity score to the cluster. They do not see your identity primitive, your embedding, or your LinkedIn identity.
We maintain an active Data Processing Addendum (DPA) with OpenAI. OpenAI does not use API inputs to train their general models. You may request a copy of our DPA by emailing privacy@intermesh.xyz.
07 · YOUR RIGHTS
Request a copy of all personal data we hold about you.
Correct inaccurate data in your profile.
Delete your profile, embedding, and all associated data. We will confirm deletion within 48 hours.
Receive your identity primitive in machine-readable format (JSON).
Restrict processing while a dispute is resolved.
Object to processing based on legitimate interest.
Withdraw consent for profile collection at any time. This will remove you from the matching pool.
Right to Know, Right to Delete, Right to Correct, Right to Opt-Out of Sale (we do not sell data — satisfied by default), Right to Non-Discrimination.
08 · DATA SECURITY
All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Vector embeddings and profile data are stored in Supabase with Row Level Security (RLS) enabled — your data is only accessible to your account and our backend services.
In the event of a data breach affecting your personal data, we will notify you within 72 hours (GDPR Article 33).
09 · INTERNATIONAL DATA TRANSFERS
Our primary database is hosted in the EU (Supabase EU region). When we send data to OpenAI for the two scoped jobs described in section 3, data may be transferred to the United States. This transfer is covered by OpenAI's Standard Contractual Clauses (SCCs) under GDPR Article 46.
10 · CHILDREN'S PRIVACY
InterMesh is not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has submitted data, contact privacy@intermesh.xyz immediately.
11 · CHANGES TO THIS POLICY
We will notify users of material changes via email at least 14 days before they take effect. Continued use of the service after the effective date constitutes acceptance.
12 · CONTACT
Privacy inquiries: privacy@intermesh.xyz
Response time: 48 hours. If you are in the EU/EEA and believe we have violated your privacy rights, you have the right to lodge a complaint with your local supervisory authority.