Privacy Policy

Last updated: 7 July 2026

This policy explains how Melio Labs Ltd, a company registered in England and Wales (company number 16136624), whose registered office is at 1 High Gates, Sale, England, M33 2LN ("Melio Labs", "we", "us"), collects and uses personal data when you use Melio Studio (https://studio.meliolabs.io and https://app.meliolabs.io, the "Service").

For the purposes of the UK GDPR and the Data Protection Act 2018, Melio Labs is the data controller of the personal data described in this policy.

We do not sell your personal data. Ever.

1. What data we collect

Account data. Your email address and a password (stored as a secure hash), managed through our authentication provider, Supabase. Optionally, a name and workspace/brand details you choose to add.

Customer content. Text, images and video that you upload to the Service or that the Service generates for you.

Connected account data. If you connect an Instagram or Facebook account, we receive and store, with your explicit OAuth consent: the access tokens Meta issues, and basic profile/page/account identifiers needed to publish on your behalf (for example page names and IDs).

Billing data. Your subscription plan and billing status. Payments are processed by Stripe; we do not receive or store your full card details. Stripe shares with us limited information such as payment status and the last digits of your card.

Usage and technical data. Log data generated when you use the Service (such as IP address, browser type, timestamps and actions taken), used for security, debugging and service operation.

2. How we use your data, and our lawful bases

PurposeData usedLawful basis (UK GDPR Art. 6)
Providing the Service: accounts, login, storing and publishing your content, schedulingAccount data, customer content, connected account dataContract — necessary to perform our contract with you
Billing and subscription managementBilling data, account dataContract
Generating content with AI at your requestCustomer content you submit for generationContract
Publishing to Instagram/Facebook on your behalfConnected account data, customer contentContract (and your explicit OAuth consent to connect the account)
Securing the Service, preventing abuse, debuggingUsage and technical dataLegitimate interests — keeping the Service secure and working
Service emails (e.g. receipts, important changes, security notices)Account dataContract / legitimate interests
Complying with legal obligations (e.g. tax and accounting records)Billing dataLegal obligation

We do not use your personal data for automated decision-making that produces legal or similarly significant effects.

3. AI processing

When you use content-generation features, the content you submit is processed via Anthropic's Claude API. Anthropic acts as our processor for this data and, under Anthropic's commercial terms, does not use your content to train its models.

4. Who we share data with

We share personal data only with the service providers (processors) we need to run the Service:

ProviderWhat they doWhere
SupabaseAuthentication and database hostingEU region
Cloudflare R2Storage of uploaded and generated mediaEU-adjacent storage
StripePayment processingStripe's own infrastructure; Stripe is an independent controller for payment data
AnthropicAI content generation (as processor; no model training)See Anthropic's commercial terms
Meta (Instagram/Facebook)Receiving the content you choose to publish, via APIs you have authorisedMeta acts under its own terms once content is published to its platforms

We may also disclose data if required by law, or as part of a business sale or reorganisation (in which case this policy will continue to apply to your data).

5. International transfers

We keep primary data storage in the EU (Supabase EU region) and EU-adjacent storage (Cloudflare R2). Where a provider processes data outside the UK or EEA (for example Stripe or Anthropic), we rely on appropriate safeguards recognised under UK GDPR, such as adequacy regulations and the UK International Data Transfer Agreement/Addendum to the EU Standard Contractual Clauses, as reflected in each provider's data processing terms.

6. How long we keep your data

We keep your personal data and content for the lifetime of your account plus 30 days after deletion, after which it is deleted from our active systems. The 30-day window exists so we can restore your account if you delete it by mistake.

Exceptions: we may keep limited billing records for longer where tax and accounting law requires it, and short-lived encrypted backups may persist briefly beyond deletion before they are cycled out.

Access tokens for connected Meta accounts are deleted when you disconnect the account in Settings, or when your account is deleted, whichever comes first.

7. Data deletion

You can delete your data at any time. This section also serves as our data deletion instructions for Meta platform users.

Option 1 — in the app: Go to Settings in the Melio Studio app (https://app.meliolabs.io) and choose to delete your account. This deletes your account, your content, and any stored Meta access tokens, subject to the 30-day window described in Section 6.

Option 2 — by email: Email contact@meliolabs.io from the email address on your account and ask us to delete your data. We will confirm and complete the deletion within 30 days.

To disconnect Instagram/Facebook without deleting your whole account, go to Settings and disconnect the account; we delete the associated access tokens immediately.

8. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you;
  • Rectify inaccurate data;
  • Erase your data (see Section 7);
  • Restrict or object to processing, including processing based on legitimate interests;
  • Data portability — receive a copy of data you provided in a machine-readable format;
  • Withdraw consent at any time where processing relies on consent (for example by disconnecting a Meta account).

To exercise any right, email contact@meliolabs.io. We will respond within one month.

Complaints. You have the right to complain to the UK supervisory authority, the Information Commissioner's Office (ICO) https://ico.org.uk or 0303 123 1113. If you are in the EU/EEA, you may also complain to your local data protection authority. We'd appreciate the chance to resolve any concern first, but you don't have to contact us before going to the ICO.

9. Cookies

We use essential session cookies only — cookies strictly necessary to keep you logged in and keep the Service secure. We do not use advertising, analytics or other non-essential cookies, so we do not show a cookie consent banner. If this changes, we will update this policy and ask for consent where required.

10. Security

We take reasonable technical and organisational measures to protect your data, including encryption in transit, hashed passwords, access controls, and hosting with reputable providers. No system is perfectly secure; if a breach occurs that risks your rights, we will notify you and the ICO as required by law.

11. Children

The Service is not intended for anyone under 18, and we do not knowingly collect data from children. If you believe a child has created an account, contact contact@meliolabs.io and we will delete it.

12. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you by email or in the app before they take effect. The "Last updated" date at the top shows the current version.

13. Contact us

Melio Labs Ltd (company number 16136624)
1 High Gates, Sale, England, M33 2LN
Email: contact@meliolabs.io