Privacy Policy

How we handle your data.

Last updated: February 2026

Overview

Meristem Lens ("Lens", "we", "us"), operated by Meristem, is a SaaS platform for running AI copilots with human-in-the-loop approvals. This policy describes what data we collect, how we use it, and your rights regarding that data. This policy complies with the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP) of Mexico and applicable international data protection standards.

Data we collect

  • Account information: email address, name, and organization name provided during registration.
  • Usage metadata: event counts, job completion timestamps, device activation records, and billing period aggregations.
  • Device metadata: operating system, platform type, and a device fingerprint for lease management.
  • Billing data: Stripe customer ID and subscription status. Payment card details are handled entirely by Stripe and never touch our servers.
  • Server logs: IP addresses, request timestamps, and HTTP method/path for security monitoring. Retained for 30 days.

Data we do NOT collect

  • Source code: We do not access, store, or analyze your source code repositories.
  • Secrets and credentials: API keys, tokens, and passwords are never transmitted to or stored on our servers.
  • Payment card numbers: All payment processing is handled by Stripe. We never see or store card details.
  • File contents: The Lens client operates locally. File contents are not sent to our servers.
  • Personal communications: We do not access emails, messages, or other private communications.

How we use your data

  • To provide and maintain the Lens service, including authentication, billing, and device management.
  • To enforce plan limits and usage quotas as described in your subscription.
  • To detect and prevent security threats, abuse, and unauthorized access.
  • To improve service reliability and performance using aggregated, anonymized usage metrics.
  • To comply with applicable legal obligations, including the LFPDPPP and its regulations.

Data sharing

We do not sell your data. We share data only with: Stripe (payment processing), infrastructure providers (hosting), and as required by law. All third-party providers are bound by data processing agreements.

Data retention

Account data is retained while your account is active. Usage events are retained according to your plan (Free: 7 days, Pro: 90 days, Team: unlimited, Enterprise: configurable). Server logs are retained for 30 days. You may request deletion of your account and associated data at any time.

Your rights

  • Access: Request a copy of your personal data.
  • Correction: Request correction of inaccurate data.
  • Deletion: Request deletion of your account and associated data.
  • Export: Request your data in a portable format.
  • Objection: Object to processing of your data for specific purposes.

Contact

For privacy-related inquiries, contact us at legal@meristem.mx. We respond within 30 business days.

legal@meristem.mx