Privacy policy
The 60-second summary
- • We collect the minimum needed to contact you about MEPCalc.
- • We never sell your data, ever.
- • We use Supabase, Resend, Mailchimp, Cloudflare, Google Analytics, Contentsquare, PostHog, and Vercel as processors — details below.
- • You can ask us to delete your data any time: privacy@mepcalc.com.
- • Marketing emails are optional and opt-in only. Launch notification is considered service communication.
- • This policy covers UK GDPR, EU GDPR, CCPA/CPRA, PIPEDA (Canada), and the Australian Privacy Act.
1. Who we are
MEPCalc ("we", "us") provides engineering calculation software for MEP (mechanical, electrical, plumbing) professionals. We are the data controller for personal data processed via mepcalc.com.
Privacy contact: privacy@mepcalc.com
2. What we collect (waitlist phase)
MEPCalc is currently in a controlled rollout. Account creation is invite-only. When you join the waitlist we collect:
- Name, work email, country, job role, business type
- Which engineering disciplines and calculators you're interested in
- Optional free-text: modules you'd want, anything else you want us to know, how you heard about us
- Whether you opted into marketing emails
- IP address and user-agent at the time of signup (abuse prevention, rate limiting)
- UTM parameters and referring URL if present (marketing attribution)
3. Why we collect it (lawful basis)
| Purpose | Lawful basis (UK/EU GDPR) |
|---|---|
| Contact you when MEPCalc is ready for you to use | Legitimate interest — you asked to be contacted |
| Segment / prioritise invites by discipline or location | Legitimate interest — product rollout management |
| Send occasional product updates and launch news | Consent — opt-in checkbox on the form |
| Detect abuse, rate-limit, block disposable addresses | Legitimate interest — keeping the service functional |
| Site analytics + product analytics (Google Analytics, PostHog, Contentsquare) | Consent — cookie banner accept |
4. How long we keep it
Waitlist entries are kept until you ask us to delete them or until your invite expires without being redeemed (in which case we delete after 12 months). GDPR request records are retained for 6 years per UK ICO guidance. Analytics data follows each provider's default retention (GA4: 2 months standard / 14 months configured; Contentsquare: 13 months; PostHog: 365 days for product events, 30 days for session replays).
4a. What product analytics specifically captures (GDPR Art. 13)
When you grant analyticsconsent, PostHog (EU cloud, Frankfurt) records interactions with the application so we can understand how the product is used and fix what doesn't work. Specifically:
- Event categories: page views, clicks and form submissions (autocapture), calculator runs (started/succeeded/failed with calculator name, discipline, duration, error type), project lifecycle (created/renamed/deleted), sheet lifecycle (created/opened), PDF downloads, billing events (pricing page viewed, checkout started, billing portal opened), waitlist form views and submissions, authentication events (login, signup, password reset), settings updates (units changed, profile updated), and consent withdrawal.
- Person properties on identified users: account email, email domain, role (user/admin), company name (if you set one), units preference, default standard, whether you uploaded a logo, signup date, subscription tier and status. We deliberately do not send your full name.
- Group analytics: identified users are grouped by their company (or fallback by email domain for personal-email signups) so we can analyse usage at the organisation level — e.g. how many people from one firm use the tool together. The group identifier is your company name (slugified) when set, otherwise
domain:<your email domain>orpersonal:<your email domain>for free-email providers. - Session replay: when enabled at the project level by us, PostHog records a video-like replay of your session for debugging usability issues. All input fields and all text content are masked by default(showing as grey blocks in the replay) — we never see what you type. Console logs are captured to help diagnose errors.
- Feature flags: PostHog returns flag values to enable A/B tests and gradual rollouts. The flag identifier is sent server-side, not the value of any test inputs.
- Routing: events are sent to
mepcalc.com/ingest/...which proxies to PostHog's EU servers. Adblockers don't see them as third-party tracking, but you remain in full control via the consent banner.
PII protection: URL parameters that may contain sensitive tokens (email, token, code, session_id,address) are scrubbed before any event leaves your browser. Reset-password and update-password URLs are truncated so reset tokens never reach PostHog.
4b. Error tracking
We capture unhandled JavaScript errors and unhandled promise rejections that occur during your session. This is essential for us to spot and fix bugs that would otherwise be invisible to us.
- What is captured:the error message, stack trace, the URL where it occurred (sanitised — sensitive query parameters are scrubbed), and basic browser info. Errors are grouped into "issues" in PostHog by stack trace fingerprint so we can prioritise the most impactful bugs.
- What is NOT captured: request bodies, your input values, your project data, your IP address (PostHog anonymises this server-side).
- Lawful basis: consent (analytics) for errors captured in the browser. Server-side errors (when our API routes fail) are captured under our legitimate interest in keeping the Service operational; these never see your input data.
- Pre-consent errors: if you have not granted analytics consent, browser-side errors are not sent to PostHog at all. The error tracking SDK is loaded only after consent.
- Retention: 365 days, same as other PostHog product events.
5. Who processes your data (sub-processors)
| Provider | Purpose | Location |
|---|---|---|
| Vercel | Web hosting, API routing, edge functions, scheduled crons | Global / Singapore (sin1) runtime |
| Supabase (self-hosted) | Primary database, authentication, file storage | EU operator infrastructure |
| Upstash (via Vercel KV) | Rate limiting on the waitlist form and key API endpoints | Singapore |
| Resend | Transactional email — signup confirmation, password reset, waitlist confirmation, daily digest | EU |
| Cloudflare Turnstile | Anti-bot challenge on the waitlist form | Global |
| Cloudflare DNS | Domain Name System resolution for mepcalc.com | Global |
| PostHog (EU Cloud) | Product analytics, autocapture, session replay (input-masked), feature flags — consent-gated | Frankfurt, Germany |
| Google Analytics 4 | Site usage measurement — consent-gated | USA |
| Contentsquare | Session replay and heatmaps on landing and privacy pages only — consent-gated | EU / France |
| Mailchimp (Intuit) | Marketing email audience for users who opt in | USA |
| Stripe | Payment processing | Global (Stripe-hosted; we do not see card data) |
| Google Workspace (Gmail + Drive) | Our internal mailbox infrastructure (support@, privacy@, etc.) and weekly waitlist CSV export destination (Drive) | USA / EU |
| GitHub | Source code repository (private) | USA |
International transfers to the USA rely on Standard Contractual Clauses or the EU-US Data Privacy Framework where applicable. We review our sub-processor list at least annually. A standalone, procurement-friendly version of this register lives at /legal/sub-processors.
6. Cookies and similar technologies
Cookies fall into four categories. Essential cookies load unconditionally; all others require your consent via our cookie banner.
| Cookie | Provider | Category | Purpose | Retention |
|---|---|---|---|---|
| cf_clearance | Cloudflare | Essential | Turnstile bot challenge on waitlist form | Session |
| cc_cookie | MEPCalc (via vanilla-cookieconsent) | Essential | Stores your consent choices so the banner doesn't reprompt | 6 months |
| _ga, _ga_KTRT9K9SDB | Google Analytics 4 | Analytics | Anonymised site usage measurement | 2 years |
| ph_*_posthog | PostHog (EU) | Analytics | Product analytics, autocapture of clicks/forms, session replay, feature flag distinct ID | 1 year |
| _cs_id, _cs_s, _cs_c | Contentsquare | UX Research | Session replay and heatmap analytics | 13 months |
Cookies we plan to add
Once our Meta business account is active, we plan to add the Meta Pixel for ad attribution and retargeting (_fbp, _fbc cookies, marketing category, 90-day retention). The cookie banner will reprompt when this category is added so you can choose again.
7. Your rights
Regardless of jurisdiction you have the right to:
- Access — a copy of the personal data we hold about you
- Rectification — correct anything that's wrong
- Erasure ("right to be forgotten") — ask us to delete your data
- Portability — a machine-readable export of your data
- Objection — object to processing based on legitimate interest
- Withdraw consent — for anything you consented to (marketing emails, analytics cookies)
To exercise any of these rights, email privacy@mepcalc.com. We aim to respond within 30 days.
California residents (CCPA / CPRA)
You additionally have the right to:
- Know what personal information is collected about you and how it's used and shared
- Delete personal information collected from you
- Opt out of the sale or sharing of your personal information — we do not sell or share personal information as defined by the CCPA
- Non-discrimination — we won't treat you differently for exercising your privacy rights
- Global Privacy Control (GPC) — if your browser sends the Sec-GPC: 1 signal, we treat it as an opt-out of analytics and marketing cookies automatically
Canada (PIPEDA) & Australia (Privacy Act 1988)
Same access, correction, and withdrawal-of-consent rights apply. Canadian complaints may be directed to the Office of the Privacy Commissioner of Canada; Australian complaints to the Office of the Australian Information Commissioner.
8. Children
MEPCalc is a professional engineering tool. Our services are not directed to children under 16 and we do not knowingly collect data from them. If you believe we have inadvertently collected data from a minor, email privacy@mepcalc.com and we will delete it.
9. Security
We use TLS everywhere, Supabase Row-Level Security to restrict data access to service-role contexts only, rate limiting, Turnstile bot challenges, and strong access controls on all admin tooling. The waitlist table is not exposed to anonymous database clients — only our server-side routes can read or write to it.
10. Changes to this policy
When we make material changes, we bump the version number, update the "last updated" date at the top of this page, and if the change affects the cookies we use, the cookie banner will reprompt you to consent again. Non-material changes (typo fixes, clarifications) do not trigger a reprompt.
11. Supervisory authorities
- UK: Information Commissioner's Office (ICO) — ico.org.uk
- EU: your national data protection authority — list at edpb.europa.eu
- California: California Privacy Protection Agency — cppa.ca.gov
- Canada: Office of the Privacy Commissioner of Canada — priv.gc.ca
- Australia: Office of the Australian Information Commissioner — oaic.gov.au
12. Change log
- v1.1 — 2026-04-26: added Section 4b (Error tracking) describing PostHog-based exception capture on the client (analytics consent) and server (legitimate interest). No new sub-processors. No cookie changes — the existing analytics consent already covers PostHog error tracking.
- v1.0 — 2026-04-20: initial policy covering waitlist phase, multi-jurisdiction (UK/EU GDPR, CCPA, PIPEDA, Australia), sub-processor list, cookies table.