We collect the data we need to build you a program — your training history, your equipment, your readiness — and we don't sell, share, or train models on any of it. You can export it, delete it, or take it with you at any time. We use Apple/Google for payment so we never see your card. We're GDPR-aligned by default, regardless of where you live.
"Meso," "we," "us," and "our" refer to Meso ApS, a company registered in Copenhagen, Denmark, that operates the Meso application and meso.app website (together, "the Service"). For the purposes of EU/UK data protection law, we are the data controller for the personal information described in this policy.
Our registered address and full contact details are at the bottom of this page.
The basics needed to give you an account — your email (or Apple/Google sign-in identifier), your first name if you tell us, and the encrypted tokens that keep you signed in. Plus the training data the engine actually runs on: your intake answers (history, equipment, schedule, current strength, injuries to work around), the sets and reps you log, and the programs Meso builds for you.
On the technical side we keep enough to keep the app working — device type, OS and app version, language and region, plus crash reports and a small set of aggregate usage events ("session_completed," "swap_invoked") that help us catch bugs and see which features are useful. None of these are tied to your training data.
Things we don't collect: we do not collect your precise location, contacts, photos, microphone, advertising identifiers, or any health data outside of what you explicitly enter into the app. We do not use third-party advertising SDKs.
Four reasons, all of them practical: to give you the Service you signed up for, to keep it running and fix bugs that affect your training, to handle payments through the App Store and Play Store, and to meet the legal obligations that come with operating a business. Each piece of data we collect maps to one or more of those — under GDPR, our legal bases are contract, legitimate interest, and legal obligation, depending on the use.
We do not rely on consent as our legal basis for any core functionality, because we'd rather not hold the Service hostage to a cookie banner. Where we do ask for consent (e.g. optional analytics opt-ins, marketing emails), it is genuine, granular, and revocable.
Your data is stored on EU-based infrastructure. We use industry-standard encryption in transit and at rest, and we maintain encrypted backups for a short rolling window so that we can recover from incidents without holding old copies of your data indefinitely.
Wherever you live, you can access, export, correct, or delete the data we hold about you, withdraw any consent you've given, and lodge a complaint with your local data protection authority — in Denmark that's Datatilsynet. Most of these are one-tap actions inside the app under Settings → Privacy; if you can't find what you need, email privacy@meso.app and we will respond within 30 days, usually much faster.
As for tracking: the meso.app website uses one strictly-necessary session cookie to keep you signed in, and that's it. No Google Analytics, no Facebook Pixel, no advertising cookies, no cross-site trackers, no ads. Visiting the site doesn't put you in any ad targeting list anywhere.
Meso is not intended for anyone under 16. We do not knowingly collect data from anyone under that age. If you believe a child has created an account, please email privacy@meso.app and we'll delete the account immediately.
If we change this policy in any meaningful way, we'll email everyone with an active account at least 30 days before the change takes effect, and we'll keep an archive of previous versions linked from the bottom of this page so you can compare.
Cosmetic changes (typos, broken links, restructuring without a meaning change) we just ship.
For privacy questions, data subject requests, or anything else covered in this policy:
Refshalevej 163A
1432 Copenhagen, Denmark
Privacy: privacy@meso.app
General: hello@meso.app
DPO: dpo@meso.app