Privacy Policy

Effective: May 23, 2026 · Governing law: State of Florida, USA

1. What We Collect

When you sign up for the hosted tier we collect:

Your Google account email address and OAuth identifier
Payment information (processed by Stripe — we never see raw card data)
Project data you store in Meridian (goal states, task logs, session names)
Server logs (IP address, timestamp, HTTP method and path) retained 30 days

2. How We Use It

We use your data solely to operate the Service: authenticate you, provision your database, process payments, and send transactional emails (welcome, token delivery, churn warnings). We do not use your data for advertising or sell it to third parties.

3. Data Storage

Your project data lives in an isolated Neon Postgres project provisioned in the US East region. Access credentials are encrypted at rest. Only you and automated Meridian processes can access your project data.

4. Third-Party Services

Google OAuth — for sign-in. Google's privacy policy applies to their side of that exchange.
Stripe — for payment processing. Stripe's privacy policy governs payment data.
Neon — for database hosting. Neon's privacy policy applies to data-at-rest handling.
Resend — for transactional email. Only your email address is shared.

5. Data Retention and Deletion

Active accounts: data retained for the duration of the subscription. Upon cancellation:

Day 3–7: first warning email
Day 14: second warning email
Day 28: Neon project deleted, all project data permanently erased

To request immediate deletion email [email protected]. We will confirm and complete deletion within 28 days.

6. Cookies

We use one session cookie (meridian_session) to keep you signed in. It expires after 7 days or on logout. No tracking or advertising cookies are used.

7. Security

Communications are encrypted via HTTPS/TLS. API tokens are stored as SHA-256 hashes — we cannot recover a raw token. If you believe your account has been compromised contact us immediately.

8. Children

The Service is not directed at children under 13. We do not knowingly collect data from children.

9. Changes

Material changes to this policy will be emailed to active subscribers at least 14 days before taking effect.

10. Contact

Privacy questions or deletion requests: [email protected]