Meridian

Privacy Policy

Last updated: April 27, 2026

1. Who We Are

Meridian ("we", "us", "our") operates the platform accessible at meridianterminal.com. For privacy matters, contact us at the support page.

2. Data We Collect

We collect the following categories of personal data:

  • Account data: Name, email address, hashed password (or Google account ID if you use Google Sign-In).
  • Profile data: Watchlist symbols, portfolio holdings, alert preferences, and settings you configure.
  • Usage data: Pages visited, features used, AI queries made, and interaction timestamps.
  • Device & technical data: IP address, browser type, operating system, and device identifiers.
  • Payment data: Billing details are processed and stored by Stripe. We do not store full card numbers.
  • Communications: Email address for transactional emails (account verification, alerts, morning brief).

3. How We Use Your Data

  • To create and manage your account and authenticate your identity.
  • To provide and personalise the Service (watchlists, alerts, AI analysis).
  • To process payments and manage subscriptions.
  • To send transactional emails (verification, password reset, alerts, morning brief).
  • To improve the platform through aggregated, anonymised analytics.
  • To detect and prevent fraud, abuse, and security incidents.
  • To comply with legal obligations.

4. Legal Basis for Processing (GDPR)

  • Contract performance: Processing necessary to provide the Service you signed up for.
  • Legitimate interests: Security, fraud prevention, and platform improvement.
  • Legal obligation: Where required by applicable law.
  • Consent: For optional cookies and marketing communications (where applicable).

5. Third-Party Services & Data Processors

We share your data with the following trusted third-party processors, each bound by data processing agreements:

  • Supabase — Authentication and database infrastructure. Data stored on EU servers. Privacy Policy
  • Stripe — Payment processing. PCI DSS Level 1 certified. Privacy Policy
  • Resend — Transactional email delivery. Privacy Policy
  • Google — OAuth authentication (if you choose "Sign in with Google"). Privacy Policy
  • Vercel — Hosting and CDN infrastructure. Privacy Policy
  • Anthropic — AI analysis generation (your queries may be processed by Anthropic via Groq). Privacy Policy

We do not sell your personal data to any third party.

6. Cookies

We use the following types of cookies:

  • Essential cookies: Required for authentication and session management. Cannot be disabled.
  • Preference cookies: Store your settings and preferences.
  • Analytics cookies: Anonymised usage data to improve the platform (PostHog). Only set with your consent.

You can manage cookie preferences via the cookie banner or your browser settings.

7. Data Retention

  • Account data is retained for as long as your account is active.
  • Upon account deletion, personal data is removed within 30 days, except where required by law.
  • Anonymised and aggregated analytics data may be retained indefinitely.
  • Payment records are retained for 7 years to comply with financial regulations.

8. Data Security

We implement industry-standard security measures including TLS encryption for data in transit, bcrypt password hashing, and access controls. However, no system is 100% secure. We encourage you to use a strong, unique password and enable any available security features.

9. International Transfers

Some of our service providers may process data outside the EU/EEA. Where this occurs, we ensure appropriate safeguards are in place (such as Standard Contractual Clauses) in accordance with GDPR Articles 44–49.

10. Your Rights (GDPR)

You have the right to:

  • Access — Request a copy of the personal data we hold about you.
  • Rectification — Request correction of inaccurate or incomplete data.
  • Erasure — Request deletion of your personal data ("right to be forgotten").
  • Restriction — Request that we limit how we process your data.
  • Portability — Receive your data in a machine-readable format.
  • Object — Object to processing based on legitimate interests.
  • Withdraw consent — Where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us at the support page. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

11. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice on the platform. The "Last updated" date at the top reflects the most recent revision.

13. Contact

For any privacy-related questions or to exercise your rights, contact us at the support page.