Privacy Policy

Last updated: January 2025

This Privacy Policy explains how Meridian ("we", "our") collects, uses, and protects your personal data. We are committed to handling your data transparently and in accordance with UK GDPR and the Data Protection Act 2018.

1. Data we collect

Category	Data	Purpose
Account	Email address, hashed password	Authentication and account management
Organisation	Organisation name, industry, size	Personalise assessment weighting
Assessment	Uploaded filenames, pillar scores, responses	Generate reports and dashboard history
Billing	Stripe customer ID, purchase records (credits, amount)	Credit management; Stripe holds card data
Waitlist	Email address	Product update communications
Technical	IP address, browser type, page views	Security and service reliability

2. How we use your data

To provide, operate, and improve the Service.
To authenticate you and maintain your account and assessment history.
To process payments via Stripe (we never see or store card details).
To send transactional emails: email verification, purchase receipts, and PDF report delivery (via Resend).
To send product update emails to waitlist subscribers (you may unsubscribe at any time).

3. Legal basis for processing (UK GDPR)

Contract performance — processing your account and running assessments you request.
Legitimate interests — security logging, service improvement.
Consent — waitlist emails (you opt in explicitly).

4. Uploaded files

Files you upload (CSV/Excel data catalogues) are processed in memory to generate scores and are not written to persistent storage. No uploaded file content is retained beyond the request that processes it.

5. AI processing

Meridian's scoring engine uses AI inference to generate assessment scores. Relevant metadata from your upload (column names, statistics) and questionnaire answers are sent to our AI infrastructure providers for processing. No personal data about individuals in your organisation should be included in data catalogues. Our current AI sub-processor is Anthropic — please review their Privacy Policy for details of their data handling.

6. Data sharing

We do not sell your data. We share data only with the following sub-processors necessary to operate the Service:

Stripe — payment processing (UK/EU/US)
Resend — transactional email (US)
Anthropic — AI inference sub-processor (US)
Railway — cloud hosting and database (US)

All sub-processors are bound by appropriate data processing agreements.

7. Data retention

Account and assessment data: retained for as long as your account is active, plus 90 days after deletion.
Purchase records: retained for 7 years for accounting and tax compliance.
Waitlist emails: retained until you unsubscribe.

8. Your rights

Under UK GDPR you have the right to:

Access the personal data we hold about you.
Request correction of inaccurate data.
Request erasure ("right to be forgotten"), subject to legal retention obligations.
Object to or restrict processing in certain circumstances.
Data portability — receive your data in a machine-readable format.
Lodge a complaint with the Information Commissioner's Office (ICO).

To exercise any of these rights, email hello@meridiandata.io.

9. Security

We use industry-standard measures including TLS encryption in transit, hashed passwords (bcrypt via Werkzeug), and access-controlled database infrastructure. We perform regular security reviews.

10. Cookies

We use a single session cookie (Flask-Login) strictly necessary for authentication. We do not use advertising or analytics cookies.

11. Changes to this policy

We may update this Privacy Policy. Material changes will be notified by email. The current version is always available at this URL.

12. Contact

For privacy enquiries, email hello@meridiandata.io.