Privacy Policy
Last updated: June 2026
This policy explains what information MES-DEV collects when you visit mes-dev.com, use our desktop applications, or contact us — and exactly what we do with it.
The short version
- ✓ We collect only what we need to run the service — your name, email, and what you do on the site.
- ✓ Our desktop apps are offline-first: your documents and files stay on your device. They only go online to validate your license.
- ✓ We never sell your data or share it with advertisers.
- ✓ Payments are handled entirely by Lemon Squeezy — we never see or store your card details.
- ✓ You can request a copy of your data or ask us to delete your account at any time.
- ✓ We use Cloudflare Turnstile for spam protection — it sets no tracking cookies.
1. Who we are
MES-DEV ("we", "us", or "our") is a software development studio based in Kuwait. We build and distribute desktop and web applications through our website at mes-dev.com and our license service at api.mes-dev.com.
For any privacy-related questions you can reach us at contact@mes-dev.com.
2. Information we collect
Account information
When you create an account we collect your full name, username, email address, password (stored as a one-way hash — we never see your plain-text password), and optionally your country. This information is used to identify you across sessions and to associate your downloads, reviews, and customization requests with your account.
Contact form
When you send us a message we collect your name, email address, subject, message body, and priority category (general / bug report / partnership). We use this solely to read and reply to your message. Contact submissions are stored in our database so we can track open threads and mark them as resolved.
Custom development requests
If you submit a custom development request, we collect your name, email, company (optional), request type, description, budget range, deadline (optional), and any file attachment you choose to upload. This information is used exclusively to assess and respond to your project enquiry.
Download activity
When you download one of our applications (requires a free account), we record the application downloaded and the timestamp, and — where you provide it — the email address associated with the download. We may use that email to send you a single, one-time request to review the app after you've tried it. This data also powers the download counter shown on each app page. We do not store your IP address in the downloads record.
Reviews
You can leave a review either from your account or as a guest. For a guest review we collect the name and email you provide; for an account review it is linked to your account. In both cases we store your rating, title, and comment. Reviews that are approved are shown publicly on the app page alongside the name you submitted. You can request deletion of your review at any time by contacting us.
Newsletter & product updates
If you subscribe to our newsletter (for example, via the footer sign-up), we store your email address, the source of the subscription, and a unique unsubscribe token. We use this only to send the product updates and occasional offers you opted into. Every email includes a one-click unsubscribe link, and you can unsubscribe at any time — we then mark your address as unsubscribed.
Purchases & license records
When you buy a premium license, the payment is processed by Lemon Squeezy, which then notifies our license server at api.mes-dev.com. We create a license record containing your name, email address, and order reference as provided by Lemon Squeezy, generate your license key, and email the key to you. We use this to deliver and support your license. We do not receive or store your card or billing details — those remain with Lemon Squeezy.
Usage analytics (our own)
We run our own lightweight, privacy-respecting analytics to understand which apps and pages are popular and roughly how long visitors stay:
- For page views, we store a one-way hashed visitor signature (derived from your IP, browser, and the day) together with a country code. The signature cannot be reversed back to your IP address.
- For session timing, we set a first-party cookie (mdev_sid) holding a random id, and store only the country (resolved from your IP, then discarded) and the visit duration.
Our own analytics store no raw IP address and no personal data.
Google Analytics
On the production site we also use Google Analytics to understand how visitors navigate (pages visited, time on page, referral source, approximate location at country level). Google Analytics uses cookies and may process your IP address. You can opt out via the Google Analytics opt-out browser add-on.
License validation (desktop apps)
Our desktop applications validate premium licenses against our license server at api.mes-dev.com. When the app checks a license, it sends:
- your license key;
- the application identifier and version;
- a device fingerprint — a one-way SHA-256 hash that identifies your device but cannot be reversed into your hardware details; and
- your computer's name (the Windows hostname).
We use this to activate your license, enforce the number of devices a license permits, and let you deactivate a device so you can move your license elsewhere. The server keeps an activation record (device fingerprint, computer name, app version, and a "last seen" timestamp that updates when the app re-checks the license). The documents, files, and any content you create in the apps are never transmitted — they remain on your device.
Optional component downloads
Some applications download additional components at runtime. For example, CutOut downloads its AI background-removal model the first time it is needed. These downloads transfer only the standard technical data any internet request involves (such as your IP address, which is visible to the host serving the file). No documents or personal content you process in the app are sent as part of these downloads.
3. How we use your information
We use the information we collect for the following purposes only:
- To operate and improve mes-dev.com and our applications.
- To authenticate you and keep your account secure.
- To fulfill download requests and track download statistics.
- To reply to your contact messages and customization enquiries.
- To moderate and display reviews.
- To activate premium licenses, deliver your license key, and enforce the per-license device limit.
- To send transactional emails (e.g. password reset, email verification, and your purchased license key).
- To send newsletter updates and occasional offers — only if you opted in — and a one-time review request after a download. You can unsubscribe at any time.
- To detect and prevent spam and abuse using our honeypot and CAPTCHA systems.
- To understand aggregate, non-identifying usage patterns via our own analytics and Google Analytics.
4. Third-party services
We rely on the following third parties to deliver parts of our service. Each operates under its own privacy policy.
| Service | Purpose | Data shared |
|---|---|---|
| Lemon Squeezy | Payment processing for premium licenses | Name, email, billing address, payment details (card data never reaches our servers) |
| Google Analytics | Website usage analytics | Browsing data, approximate location, device type, IP address |
| Cloudflare Turnstile | Spam and bot protection on forms | Browser signals only — no personal data, no tracking cookies |
| Hostinger | Website, API, and database hosting | All site and license data is stored on their managed infrastructure |
5. Cookies
We use a minimal set of cookies to operate the website and measure usage:
| Cookie | Type | Purpose |
|---|---|---|
| mes_dev_session | Essential | Keeps you logged in and maintains form state |
| XSRF-TOKEN | Essential | Protects against cross-site request forgery attacks |
| mdev_sid | Analytics (first-party) | Random session id so repeat page loads count as one visit for timing; 1-day expiry; no personal data |
| _ga, _ga_* | Analytics (Google) | Google Analytics visitor identification (2-year expiry) |
Cloudflare Turnstile does not set any persistent cookies. The two essential cookies are required for the site to function and cannot be disabled while using an account. The analytics cookies (mdev_sid and _ga) are non-essential; you can block them in your browser without affecting core functionality.
6. Data retention
We keep your data for as long as your account is active or as needed to provide our services:
- Account data: Retained until you delete your account or request deletion.
- Contact messages: Retained for 2 years to maintain a record of support history, then deleted.
- Custom development requests: Retained for 3 years for business record purposes, then deleted.
- Download logs: Retained indefinitely in aggregate anonymised form for statistics.
- Reviews: Retained until you request deletion or your account is deleted.
- Newsletter: Retained until you unsubscribe, after which your address is marked unsubscribed.
- License records: Your license record (name, email, order reference, license key, and device activations) is retained for as long as the license is valid and as needed for support and our legal/accounting obligations.
- Payment records: Card and billing data is held by Lemon Squeezy per their legal obligations — we never store it.
- Analytics: Our first-party analytics are stored only in hashed/aggregated form with no personal data; Google Analytics data is retained per Google's settings.
7. Security
We take reasonable precautions to protect your information:
- All data is transmitted over HTTPS/TLS.
- Passwords are hashed using bcrypt — we cannot recover your plain-text password.
- Admin access is restricted by role-based access control.
- File uploads are validated, stored outside the web root, and served through controlled routes.
- Forms are protected against CSRF, spam bots (honeypot + time-trap), and brute-force (rate limiting).
- License and webhook endpoints are rate-limited, and payment webhooks are verified by cryptographic signature.
No system is perfectly secure. If you discover a security issue, please report it to contact@mes-dev.com and we will respond promptly.
8. Your rights
Regardless of where you are located, you have the following rights over your personal data:
- Request a copy of the personal data we hold about you.
- Ask us to correct inaccurate or incomplete data.
- Ask us to delete your account and associated personal data.
- Receive your data in a commonly used, machine-readable format.
- Object to how we process your data in certain circumstances.
- Ask us to restrict processing while a dispute is resolved.
To exercise any of these rights, email us at contact@mes-dev.com. We will respond within 30 days. We may ask you to verify your identity before acting on a request.
You can also: delete your account directly from your profile page (this removes your personal data from our active database), unsubscribe from emails using the link in any email, and deactivate a license on a device from within the app.
9. Children's privacy
MES-DEV Tools is not directed at children under 13. We do not knowingly collect personal information from anyone under that age. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
10. Changes to this policy
We may update this Privacy Policy from time to time. When we make significant changes, we will update the "Last updated" date at the top of this page. Continued use of the site after changes are posted constitutes acceptance of the revised policy. For major changes that affect how we use personal data, we will notify registered users by email.
Questions about this policy?
If you have any questions or concerns about how we handle your data, we're happy to help.