Privacy Policy

Effective Date: May 28, 2026 · Last Updated: May 28, 2026 · Version 2.0

Meridian AI is committed to protecting your privacy and being transparent about our data practices. This Privacy Policy explains what data we process, why we process it, who we share it with, and the rights you have. By using the Meridian AI platform, you agree to the practices described here.

1. Who We Are

Meridian AI ("Meridian," "we," "us," "our") provides a software platform for cross-border deal teams operating in the Gulf-US investment corridor. This Privacy Policy applies to data we process when you visit our website (meridianai.fyi) or use our platform. For privacy questions, contact us at privacy@meridianai.fyi. We do not currently have a formal Data Protection Officer; questions are reviewed by our principal team and answered within 30 days.

2. What Data We Collect

- Account data: name, email address, organization name, job title, and password (stored as a bcrypt hash). Phone number only if you provide it for SMS notifications.
- Profile data: optional avatar, email signature, corridor preferences, language preference, multi-factor authentication settings, and notification preferences.
- Deal and content data: deal records, stakeholders, contacts, documents you upload, meeting notes, draft communications, regulatory assessments, due-diligence reports, and any other content you create within the platform.
- AI interaction data: the prompts you send to our AI agents and the responses they return. These include any document text or deal data you reference in a prompt.
- OAuth and integration data: when you connect a third-party account (Google, Microsoft, Slack, WhatsApp Business, Twilio, Stripe), we receive access tokens scoped to the permissions you grant. We store these tokens encrypted at rest (AES-256-GCM). For Gmail/Outlook integrations, we read messages on your behalf only when you take an action that requires it; we do not bulk-ingest your mailbox.
- Usage and technical data: HTTP request logs (URL, status, user agent, IP address, timing), error reports, AI request token counts and costs, feature interaction telemetry. We use this to operate, debug, and bill the service.
- Cookies and similar technologies: a session cookie for authentication (HttpOnly, SameSite=Lax, Secure in production), a CSRF protection token, and a small number of preference cookies (language, theme). We do not use third-party advertising or cross-site tracking cookies.

We do not knowingly collect data from individuals under 18.

3. Why We Process Your Data (Legal Basis)

Under the GDPR Article 6 and equivalent provisions in the Saudi PDPL and UAE PDPL, our lawful bases for processing are:

- Contract performance (Art. 6(1)(b)): processing necessary to provide the platform you have purchased, including account creation, deal management, AI agent execution, integration sync, billing, and customer support.
- Legitimate interests (Art. 6(1)(f)): aggregated usage analytics to improve the product; security monitoring (detecting unauthorized access); fraud prevention; debugging logs. You may object to processing on this basis at any time (see Section 7).
- Consent (Art. 6(1)(a)): optional features such as marketing emails, beta participation, or product analytics where required by local law. You may withdraw consent at any time without affecting the lawfulness of prior processing.
- Legal obligation (Art. 6(1)(c)): retention of billing records (per tax law), responding to subpoenas, and AML/KYC checks where applicable.

We do not rely on consent as the lawful basis for core platform functionality — providing the service is performed under contract.

4. Sub-Processors and Data Sharing

To provide the platform, we share data with a defined set of sub-processors. The full current list — with each vendor's name, location, purpose, and category of data shared — is maintained at our [Sub-Processors page](/sub-processors). We will notify customers via email at least 30 days before adding a new sub-processor that materially changes the categories of data shared.

Categories of recipients:

- Infrastructure providers: Vercel (application hosting, USA), Railway (database and worker hosting, USA), Amazon Web Services (backup storage in us-west-2, USA).
- AI processors: Anthropic (Claude — primary model, USA), OpenAI (fallback for specialized tasks, USA), Google (Gemini for specific functions, USA). When you send a prompt to an AI agent, that prompt and the relevant deal/document context are transmitted to the chosen AI processor. The AI processor returns a response that we display to you. AI processors operate under their own privacy commitments — we have selected providers that contractually agree not to train their public models on customer prompts and responses.
- Communication providers: Resend (transactional email, USA), Twilio (SMS, USA), Meta Platforms (WhatsApp Business API, USA), Slack (workspace integration, USA), LiveKit (video, USA).
- Identity providers: Google (Google OAuth, Gmail, Calendar, People, USA), Microsoft (Microsoft OAuth, Outlook Mail/Calendar, Graph Contacts, USA). These providers process your authentication request and grant us scoped tokens.
- Payment processor: Stripe Inc. (USA). Stripe holds your billing details; we receive only the customer ID and subscription metadata.
- Observability: Sentry / Functional Software (USA) — error reports may include limited request context (URL, status, user agent, sometimes user ID). We do not send deal content or AI prompts to Sentry.
- Data sources (only when you query them): PitchBook, Crunchbase, OpenSanctions, OpenOwnership, ProxyCurl, GDELT, Newscatcher, SEC EDGAR, Magnitt, CourtListener. These are external data sources we query on your behalf — your search terms reach the source but no other account data is shared.

Other disclosures: we may share data with legal authorities when required by valid legal process; with a successor entity in connection with a merger or acquisition (you would be notified at least 30 days in advance); and with members of your own organization who have been granted access by your administrator. We do not sell personal data and we do not use customer deal content or AI prompts to train any AI model.

5. International Data Transfers

Meridian's infrastructure is currently hosted in the United States and the European Union (Railway's EU West region for primary databases; AWS US West region for backup snapshots). If you are based in the Gulf, the European Union, or another non-US jurisdiction, your data will be transferred to and processed in these regions. For transfers from the EEA, United Kingdom, and Switzerland to the United States, we rely on the Standard Contractual Clauses (SCCs) issued by the European Commission, supplemented by our security measures (Section 6 below). For transfers from the Kingdom of Saudi Arabia, we comply with the data-export provisions of the PDPL. For transfers from the United Arab Emirates, we comply with the UAE PDPL. Data residency is configurable per organization in our schema (`Organization.dataResidencyRegion`) and we offer Gulf-region hosting for enterprise customers who require sovereignty under explicit contract — contact privacy@meridianai.fyi.

6. Security Measures

We implement technical and organizational measures to protect your data. Current practices:

- Encryption in transit: TLS 1.2+ for all connections; HSTS enabled on production domains.
- Encryption at rest: AES-256-GCM for sensitive credentials (OAuth tokens, integration keys); Railway-managed Postgres encryption at rest; AWS S3 server-side encryption for backups.
- Access controls: per-organization tenancy enforced at the database query layer; role-based access control with four tiers (Owner / Admin / Collaborator / External Advisor / Viewer); session-based authentication with HttpOnly cookies; optional multi-factor authentication via TOTP.
- Token rotation: refresh tokens rotate on every use with reuse-attack detection. Compromised token chains automatically invalidate downstream tokens.
- Audit logging: significant actions (login, integration connect/disconnect, data export, AI agent execution, document signature events) are logged with actor identity, IP address, and timestamp. E-signature audit events use a SHA-256 hash chain.
- Sub-processor due diligence: each sub-processor is reviewed for security posture and data-processing terms before integration.
- Vulnerability management: dependency scanning via Dependabot; security alerts triaged within seven days of disclosure.
- Incident response: documented procedure for detection, containment, and notification. We will notify affected customers within 72 hours of a confirmed personal-data breach.

We are not currently SOC 2 certified. Formal third-party certification is on our roadmap. We are happy to share our security questionnaire responses upon request — email security@meridianai.fyi.

7. Your Rights

Depending on your jurisdiction (GDPR, CCPA/CPRA, Saudi PDPL, UAE PDPL, and equivalent regimes), you may exercise the following rights:

- Access: request a copy of the personal data we hold about you.
- Rectification: request correction of inaccurate or incomplete data.
- Erasure ("right to be forgotten"): request deletion, subject to legal retention obligations described in Section 9.
- Restriction: request that we limit processing in specific circumstances.
- Objection: object to processing carried out on the basis of legitimate interests.
- Portability: receive your data in a structured, machine-readable format and transmit it to another controller.
- Withdraw consent: where processing relies on consent.
- Complaint: lodge a complaint with your local supervisory authority (EU: your national DPA; California: Office of the Attorney General; Saudi Arabia: SDAIA; UAE: respective DIFC/ADGM/federal authority).

To exercise any right, email privacy@meridianai.fyi with sufficient information to verify your identity. We respond within 30 days. Verification is required to prevent unauthorized disclosure. Organization administrators can export their organization's data at any time via Settings → Data Export.

8. Cookies and Tracking

We use the following cookies and similar technologies:

- Strictly necessary (cannot be disabled): authentication session cookie, CSRF protection token, security cookies.
- Functional (set when you log in): language preference, theme, dashboard layout. You can disable these in browser settings; the platform remains functional.
- Analytics: we collect aggregated, anonymized usage statistics for platform improvement. We do not use third-party analytics SDKs that include cross-site tracking (no Google Analytics, no Meta Pixel, no advertising cookies).

We respect Do Not Track and Global Privacy Control signals.

9. Data Retention

- Account data: retained for the duration of your active account, plus 30 days after deletion request, to allow account recovery. After 30 days, account data is permanently deleted from primary systems and removed from backups within 90 days (backup rotation cycle).
- Deal and content data: retained for the duration of your subscription. On termination, you may export within 30 days, after which data is deleted on the same schedule as account data.
- AI prompts and responses: retained for the lifetime of the AI usage row in our cost-tracking system (12 months for cost attribution), then aggregated into anonymized metrics.
- OAuth tokens: deleted immediately when you disconnect an integration. Refresh tokens are deleted when their grant expires.
- Billing and tax records: retained for 7 years per US tax law (IRS Publication 583).
- Audit and security logs: retained for 24 months, then archived in immutable form for an additional 24 months. Hash-chained signature audit logs are retained for 7 years for legal admissibility.
- Anonymized aggregate metrics: retained indefinitely.

You may request earlier deletion at any time, subject to legal-retention exceptions.

10. Children's Privacy

The Meridian AI platform is a business-to-business product not directed to individuals under 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact privacy@meridianai.fyi and we will delete it promptly.

11. Changes to This Policy

We may update this policy to reflect changes in our practices, technology, sub-processors, or legal requirements. For material changes:

- We will notify account holders via email at least 30 days before the changes take effect.
- We will post a notice on the platform.
- The "Last Updated" date at the top of this page will reflect the most recent revision.

Non-material changes (typos, clarifications, formatting) may be made without notice. The current version always takes effect on the date posted. Historical versions are available upon request.

12. Contact

For privacy questions, requests, or to report a concern:

- Privacy questions and data subject requests: privacy@meridianai.fyi
- Security disclosures: security@meridianai.fyi
- Billing or account questions: support@meridianai.fyi
- Legal notices: legal@meridianai.fyi

We respond to verified privacy requests within 30 days. Security disclosures receive an acknowledgment within 48 hours.

© 2026 Meridian AI. All rights reserved.