Privacy Policy
Last updated 2026-05-13
1. What we collect from you
When you sign up for Compass we collect:
- Your name and work email (required).
- Your employer or fund (required).
- Your role (analyst, builder, investor, etc.), if provided.
- Authentication data (hashed password).
- Payment metadata via Stripe (we never see full card numbers).
- Server logs: IP address, user agent, and route timestamps, for security and rate limiting.
2. What we collect about others
Compass aggregates publicly available information about crypto entities (companies, projects) and the people associated with them. Sources include public websites, public social media (Twitter, Telegram channels, LinkedIn profiles), and information directly submitted by users.
If you appear in Compass and would like your record updated or removed, write to compass@mesa.so and we will respond within 30 days.
3. How we use your data
- To operate, secure, and improve the Service.
- To process payments and manage your subscription.
- To send transactional emails (receipts, security alerts, payment reminders).
- To detect and prevent abuse (scraping, fraud, credential stuffing).
- For aggregate, non-identifying analytics about platform usage.
We do not sell your personal data.
4. Sub-processors
We share data with the following services strictly to deliver Compass:
- Stripe — payment processing.
- Railway — hosting and database.
- Resend — transactional email.
5. Retention
Account data is retained while your account is active. After deletion, we retain a minimal record of transactions for seven years to comply with tax and accounting requirements. Audit logs are retained for 90 days.
6. Your rights
Depending on your jurisdiction, you may have the right to access, correct, export, or delete your personal data. Email compass@mesa.so and we will respond within 30 days.
7. Security
Passwords are hashed with bcrypt. Connections to the Service use TLS. We follow industry-standard practices for access controls and least privilege. No system is perfectly secure; we will notify affected users of a confirmed breach within 72 hours of discovery.
8. Cookies
We use first-party cookies for authentication and session management. We do not use third-party advertising cookies.
9. Changes
We will post material changes 14 days before they take effect and notify active users by email.