Mewayz ("Mewayz", "we", "us") is the data controller for our marketing site (mewayz.com) and the data processor for customer data inside the platform (app.mewayz.com). Mewayz is independently owned and founder-led, operating across Belgium, India, Thailand and Nigeria.
For our registered legal entity, our data-protection representative, or any privacy request, contact [email protected] and we'll respond with the relevant details.
Account data: name, email, organization, role, MFA preferences, and the workspace settings you configure.
Customer content (your records): contacts, deals, invoices, employees, tickets, etc. — whatever you put into the platform. We process this on your behalf.
Usage data: page views, feature usage, error logs. Used only to improve the product — never sold, never shared with marketing networks.
Billing data: billing address, last 4 of card, plan, invoices. Card numbers are tokenized via Stripe and never stored on our systems.
We use the data above to: provide the service, send transactional emails (e.g. password resets, invoices), prevent abuse, and improve features. We send marketing emails only if you've opted in, with one-click unsubscribe.
We do not use your customer data to train AI models. We do not sell or rent your data to advertisers or data brokers. We do not derive aggregated insights for sale.
We share data with sub-processors necessary to operate the service. The current list is published at our trust portal and updated 30 days before any addition.
Tier-1 sub-processors include AWS (hosting), Stripe (payments), Twilio (SMS), SendGrid (transactional email), Sentry (error tracking), and Datadog (observability).
You choose your region at signup: EU, US, or APAC. Data stays in-region by default. Cross-region replication is opt-in via the DPA. See Security page for details.
Under GDPR, UK GDPR, CCPA/CPRA, and equivalent laws, you have rights to: access, correct, delete, restrict, or port your data; object to processing; and lodge a complaint with a supervisory authority.
To exercise rights: in-product (Settings → Export, Delete) for self-service, or email [email protected]. We respond within 30 days, free of charge for the first request per year.
We retain your data as long as you have an active account, plus 30 days after cancellation for production data and 35 days for backups. Audit-log metadata is retained for 7 years as required by US and EU regulations.
Your data runs on a self-hosted operating stack — our own database and mail server on infrastructure we operate — with multi-tenant isolation that keeps each company's data separate. AES-256 at rest, TLS 1.3 in transit, MFA for admin accounts, and card processing handled by Stripe (PCI DSS Level 1) so we never store raw card numbers. AI features use your own API key to OpenAI, Anthropic or Google and can be disabled. Full posture documented on the Security page.
We use cookies and similar tools described in our Cookie Policy. You can manage preferences in the cookie banner or via your browser settings.
Mewayz is not intended for children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, email [email protected] and we will delete it.
Material changes are notified by email and a banner at the top of your workspace 30 days before they take effect. Older versions are kept on this page for reference.
Data privacy questions: [email protected] · Security issues: [email protected] · DPO (EU): [email protected].
Plain-English summary: We hold your data on your behalf. You can leave any time with everything intact. We don't sell it, don't train on it, and we make our policies and audits available to you on request.