Privacy Policy.
Last updated: April 17, 2026
This is what we collect, why, and how to reach us. Plain language. Pre-product. If a question is not answered here, email us and we will answer.
What this policy covers
MESO is a pre-launch cosmetic brand. Right now we run a waitlist. This page explains what we collect when you join, why, where it lives, and what you can ask us to do with it. This is the whole policy.
Meso-Sweet LLC (referred to as “MESO” throughout this policy) is the controller of your personal information for the purposes of the California Consumer Privacy Act, the EU General Data Protection Regulation, and the UK GDPR. Our registered office is [REGISTERED-OFFICE-PENDING].
What we collect
When you join the MESO waitlist we collect:
- Your email address.
- Optionally, your zip code and a short “how did you hear about us” note, if you choose to share them on the welcome page.
- If you answered the see-your-pH quiz, your quiz score.
- If you arrived through someone else’s squad link, their squad code is recorded so the squad gets credit for the referral.
- When you receive a squad code of your own, that code is stored as your unique referral identifier. Your cohort position (for example, “Member #47”) is also stored; this is how the welcome page shows you your place in the founding cohort.
We do not collect your name at signup. We do not collect your phone number. We do not collect payment information anywhere on this site, because nothing is for sale here yet.
Our servers record standard request metadata (IP address, user agent, timestamp) in short-lived logs used to detect abuse and to operate the site. Those logs are not correlated with your email or squad data beyond what is needed to investigate a specific abuse signal.
Why we use it, and on what legal basis
- To tell you when MESO ships. You gave us your email for this specific purpose. In EU / UK terms: your consent is the lawful basis under GDPR Art. 6(1)(a).
- To operate the squad mechanic. When your squad fills, we send the squad-unlock email. The squad code also determines cohort position. Lawful basis under GDPR: performance of the waitlist you signed up for, Art. 6(1)(b).
- To defend the site from abuse. Rate limits, honeypot fields, and request-metadata logs catch bots and scrapers. Lawful basis under GDPR: legitimate interest, Art. 6(1)(f).
- To understand, in aggregate, where our early community is coming from. Zip code and “how did you hear” data is reviewed in aggregate only. We do not profile individuals with it.
We do not sell personal information. We do not share personal information with advertisers. We do not run any third-party advertising cookies on this site.
Where your data lives
We use three processors to run this site. Each has a data processing agreement with us. Each publishes its own public sub-processor list, which we monitor.
Supabase
- Role: Database for waitlist, squad, and cohort records.
- Region: United States
- EU safeguard: Standard Contractual Clauses
- Data: Email, squad code, cohort position, quiz score, optional zip and source note.
- DPA: supabase.com/legal/dpa · reviewed April 17, 2026
Vercel
- Role: Website hosting, edge delivery, and first-party analytics (cookieless, server-side only).
- Region: United States
- EU safeguard: EU-US Data Privacy Framework
- Data: Request metadata (IP address, user agent, timestamp) and aggregate analytics.
- DPA: vercel.com/legal/dpa · reviewed April 17, 2026
Resend
- Role: Transactional email delivery (signup confirmation, squad-unlock notification, launch email).
- Region: United States
- EU safeguard: EU-US Data Privacy Framework and Standard Contractual Clauses
- Data: Email addresses and message content for transactional sends.
- DPA: resend.com/legal/dpa · reviewed April 17, 2026
We do not use any third-party payment processor. We do not use any third-party email marketing tool. We do not run any advertising pixels, ad-tech cookies, or behavioral analytics (Google, Meta, or otherwise). If that ever changes we will update this policy and, where the change is material, email everyone on the waitlist before the change takes effect.
If MESO ever adds a new processor that would receive Consumer Health Data, we will update this page and our Consumer Health Data Privacy Policy, and we will email every waitlist member at least 72 hours before the change takes effect.
How long we keep it
We keep your waitlist record until the earliest of: (a) you ask us to delete it, (b) you unsubscribe and 30 days pass, (c) 24 months from your signup date, or (d) the Founding 500 purchase window closes and 6 months pass. We review retention once a year. If we still have not launched 24 months after you signed up, we will either ask you to re-confirm or delete your record.
Request-metadata logs (IP, user agent) are kept for 30 days and then deleted.
Your rights, and how to exercise them
If you are a resident of California, the European Union, the United Kingdom, or any US state with a consumer privacy statute (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Florida, and others), you have the following rights with respect to the personal information we hold about you:
- Access. Ask us what we have.
- Deletion or erasure. Ask us to remove your record. This also removes your squad membership and cohort position. Aggregate anonymous counts (for example, “the founding 500 included 500 members”) remain.
- Correction or rectification. Ask us to fix something.
- Portability. Ask us to send you your record in a machine-readable form.
- Objection or restriction. Ask us to stop processing for a specific purpose.
- Opt out of sale or sharing. We do not sell or share personal information for cross-context behavioral advertising. We honor Global Privacy Control (GPC) signals now: when your browser sends a GPC signal, we automatically turn off analytics and marketing processing and stop any sharing of consumer health data, and we treat it as a valid opt-out of sale or sharing. If we ever begin selling or sharing, we will also add a “Do Not Sell or Share My Personal Information” link.
California residents (CCPA and CPRA)
California residents have each of the rights above. We honor Global Privacy Control (GPC) browser signals as a valid opt-out of sale or sharing even though we do not currently sell or share personal information; a detected GPC signal also automatically turns off analytics and marketing processing and stops any sharing of consumer health data. We do not discriminate against anyone who exercises a right. Methods of request: email privacy@meso-usa.com. We respond within 30 days.
EU and UK residents (GDPR and UK GDPR)
EU and UK residents have access, rectification, erasure, restriction, portability, objection, and the right to withdraw consent at any time. You may also lodge a complaint with your supervisory authority. Lists of authorities: the European Data Protection Board for EU residents and the UK Information Commissioner’s Office for UK residents. We respond within 30 days. A Data Protection Officer is not appointed because our core activities do not require large-scale monitoring or special-category processing. An EU representative under Art. 27 is not appointed because our processing of EU residents’ data is occasional and low-risk; we will appoint one if that changes.
Washington residents (MHMDA)
See the full Consumer Health Data Privacy Policy for MHMDA-specific rights.
Other US states (VCDPA, CPA, CTDPA, UCPA, TDPSA, Oregon CDPA, Montana CDPA, Florida DBR)
Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and Florida have rights that substantially overlap with the list above: access, correction, deletion, portability, and opt-out of targeted advertising, sale, or profiling that produces legal or similarly significant effects. We do not engage in targeted advertising, sale of personal information, or consequential profiling. To exercise any right, email privacy@meso-usa.com. We respond within 30 days.
How to ask. Email privacy@meso-usa.com. We respond within 30 days. For requests that require verification (access, deletion, correction) we confirm by email that the request came from you. We do not charge for the first request. We do not retaliate or degrade service for anyone who exercises these rights.
Sensitive Personal Information (California residents)
California residents have the right to limit the use and disclosure of their Sensitive Personal Information for purposes beyond what is necessary to provide the service, as defined by CPRA §1798.121.
The categories of Sensitive Personal Information MESO may collect or process:
- Precise geolocation. Not collected in v1.
- Contents of email or other communications. Transactional email bodies we send through Resend (signup confirmation, squad-unlock, launch notice) and any reply you send to an @meso-usa.com address.
- Health-related data. The pH-quiz score and Washington MHMDA-scoped Consumer Health Data described on our separate Consumer Health Data Privacy Policy.
To limit MESO’s use of your Sensitive Personal Information, open and toggle off the Consumer Health Data Sharing category, or email privacy@meso-usa.com. MESO does not use Sensitive Personal Information for advertising, sale, or cross-context behavioral advertising.
A note on Washington state
Washington’s My Health My Data Act (RCW 19.373) covers “consumer health data.” MESO collects a small amount of information at signup that falls inside this statute’s definition. MESO’s full disclosure lives on our separate Consumer Health Data Privacy Policy. Washington residents can exercise every right RCW 19.373 provides (including opt-out, deletion, and authorization-revocation) by emailing privacy@meso-usa.com.
For the full Consumer Health Data notice, see /consumer-health-data.
A note on MoCRA (the Modernization of Cosmetics Regulation Act)
Nothing is for sale on this site yet, so MoCRA’s product-listing and adverse-event-reporting requirements are not yet active for MESO. When the product enters commercial distribution we will comply with the requirements that apply to us and update this policy to describe the data flows involved in adverse-event reporting.
Children
This site is not intended for users under 13. We do not knowingly collect personal information from anyone under 13. If you believe a child has signed up for the waitlist, email privacy@meso-usa.com and we will remove the record.
Security
Your waitlist record is stored on Supabase with row-level security enabled and row access restricted to a service-role key held only by our server-side API routes. Data is encrypted in transit and at rest. We do not store payment information anywhere. In the event of a data breach affecting personal information, we will notify affected individuals and relevant supervisory authorities in accordance with applicable law (within 72 hours for the GDPR, and in line with state breach-notification statutes for US residents).
If you have reason to believe a security issue or data incident affects your MESO data, email security@meso-usa.com. We respond within three business days.
Changes to this policy
If we change this policy in a way that is material (a new processor, a new data category, a new purpose, a changed retention period, a changed rights mechanism) we will email everyone on the waitlist before the change takes effect. Non-material changes (typos, clarifications) are posted with an updated date.
Last updated: April 17, 2026.
Contact
Email privacy@meso-usa.com for any request under this policy. The entity responsible for personal information handling is Meso-Sweet LLC, [REGISTERED-OFFICE-PENDING].