Effective Date: June 10, 2026Version: 1.1Next Review: June 10, 2027
Updated in v1.1: Added GDPR lawful basis documentation (Article 6), EU AI Act transparency disclosures, EEA/UK user rights, international data transfer mechanisms, and expanded third-party processor table. If you are located in the European Economic Area, United Kingdom, or Switzerland, additional rights apply to you under Section 9.
1. Company Information
Field
Details
Legal Entity
Meridian Intelligence LLC
EIN
42-3008320
Address
7400 SW 117th St, Pinecrest, FL 33156
Contact Email
systems.meridian@proton.me
Phone
305-588-6104
Data Controller (GDPR)
Rodrigo Pagliery, CEO
Privacy Contact
systems.meridian@proton.me
2. Information We Collect
2.1 Financial Data (via Plaid)
We collect the following consumer financial data through Plaid's API:
Bank account information: institution name, account type, last 4 digits of account number
Account balances: current and available
Transaction history: up to 24 months including merchant name, amount, date, and category
Recurring transaction data: subscriptions and recurring payments
Investment holdings and balances
2.2 What We Do NOT Collect
Bank login credentials or passwords
Full account numbers or routing numbers
Social Security Numbers or government identification numbers
Payment card numbers
Biometric data
2.3 Account and Profile Data
Name and email address (from Sign In with Apple)
Industry profile and income goals entered during onboarding
Tax estimates, transaction categories, and financial scenarios you create
2.4 Device and Usage Data
Device type and iOS version
App usage patterns for product improvement only — not sold or shared
Crash reports and performance diagnostics
IP address (logged by Supabase infrastructure for security purposes only)
3. Lawful Basis for Processing (GDPR Article 6)
If you are located in the EEA, UK, or Switzerland, we rely on the following legal bases:
Processing Activity
Lawful Basis
Article 6 Ground
Delivering the financial intelligence service
Performance of a contract
Art. 6(1)(b)
Importing bank transactions via Plaid
Performance of a contract
Art. 6(1)(b)
AI-powered tax estimates and financial guidance
Performance of a contract
Art. 6(1)(b)
Security logging and fraud prevention
Legitimate interests
Art. 6(1)(f)
Product improvement and analytics
Legitimate interests
Art. 6(1)(f)
Compliance with legal obligations
Legal obligation
Art. 6(1)(c)
Sending opted-in notifications
Consent
Art. 6(1)(a)
Where we rely on legitimate interests, you have the right to object to that processing. See Section 9 for how to exercise this right.
4. AI System Disclosure (EU AI Act Transparency)
Meridian uses an AI system powered by Anthropic's Claude API to generate financial guidance, tax estimates, and transaction categorization. You are always interacting with an AI, not a licensed financial advisor or CPA.
4.1 Nature of the AI System
The AI assistant provides informational guidance only — it does not make binding financial decisions on your behalf
All tax estimates are approximations and should be verified with a qualified professional
Transaction categorization suggestions can be reviewed and overridden by you at any time
The AI system does not have access to your raw bank credentials
4.2 Human Oversight
All consequential financial outputs (tax estimates, deduction recommendations, CPA packages) are presented for your review before any action is taken. No AI output is applied automatically without your confirmation.
4.3 Data Used by the AI
When you interact with the AI assistant, your message and a limited window of conversation history are sent to Anthropic's API to generate a response. Your financial data (bank transactions, balances) is NOT sent to Anthropic. Anthropic does not store your data beyond the immediate request per their zero-data retention API agreement.
5. How We Use Your Information
Deliver AI-powered tax estimates, deduction tracking, and financial guidance
Auto-import and categorize transactions from connected bank accounts
Generate quarterly tax payment reminders and financial health scores
Produce CPA-ready tax preparation packages
Send notifications about tax deadlines and financial events you have opted into
Improve app features, fix bugs, and enhance the user experience
Detect and prevent fraud, security incidents, and abuse
We never use your financial data for advertising, marketing profiling, or to train third-party AI models.
6. Data Retention Schedule
Data Category
Retention Period
Basis
Active account transaction data
Duration of subscription + 90 days
Contract
Account balance snapshots
Duration of subscription + 90 days
Contract
Plaid access tokens
Duration of subscription only — deleted on closure
Contract
Investment holdings data
Duration of subscription + 90 days
Contract
Audit and security logs
12 months from creation
Legitimate interest / Legal obligation
Deleted account data
Purged within 30 days of deletion request
Legal obligation
AI conversation history
Session only — not persisted after session ends
Minimal retention
7. Data Deletion
7.1 User-Initiated Deletion
You may request deletion of your account and all associated data at any time:
In-app: Settings → Delete Account
Email: systems.meridian@proton.me
Upon a verified deletion request, Meridian will:
Immediately revoke all Plaid access tokens
Remove all transaction and balance data from active databases within 7 days
Purge all remaining data from backup systems within 30 days
Send written confirmation to your registered email address upon completion
7.2 Account Inactivity
Accounts inactive for 24 consecutive months will be flagged for deletion. You will receive 30 days written notice before deletion is executed.
7.3 Subscription Cancellation
Upon cancellation, Meridian retains your data for 90 days to allow reactivation. After 90 days, all financial data is permanently purged. Account credentials may be retained for up to 12 months.
8. Data Security
All data stored in Supabase (hosted on AWS) with AES-256 encryption at rest
All data in transit encrypted using TLS 1.2 or higher
Plaid access tokens stored server-side only — never transmitted to or stored on user devices
Row-level security (RLS) policies ensure users can only access their own data
Administrator access to production systems requires multi-factor authentication (MFA)
Access to financial data is limited to the minimum necessary for service delivery
AI API requests authenticated with per-user session tokens and rate-limited to prevent abuse
9. Your Rights
9.1 All Users
Right
Description
How to Exercise
Access
Request a copy of the data we hold about you
Email systems.meridian@proton.me
Correction
Request correction of inaccurate data
Email systems.meridian@proton.me
Deletion
Request deletion of your data
Settings → Delete Account or email
Portability
Request your data in a machine-readable format
Email systems.meridian@proton.me
9.2 California Residents (CCPA / CPRA)
Know what personal information we collect, use, and disclose
Delete your personal information (subject to certain exceptions)
Opt out of the sale of your personal information — we do not sell data
Non-discrimination for exercising your privacy rights
Correct inaccurate personal information
9.3 EEA, UK, and Switzerland Residents (GDPR / UK GDPR)
In addition to the rights above, you have the right to:
Object to processing based on legitimate interests (Article 21)
Restrict processing in certain circumstances (Article 18)
Withdraw consent at any time where processing is based on consent (Article 7)
Lodge a complaint with your local supervisory authority (e.g., your national Data Protection Authority)
Not be subject to solely automated decision-making with legal or similarly significant effects (Article 22)
We aim to respond to all rights requests within 30 days. For complex requests we may extend by a further two months, in which case we will notify you within the first 30 days.
10. Third-Party Data Sharing and Processors
Meridian does not sell, rent, or share your financial data with third parties for marketing or advertising purposes.
Third Party
Purpose
Data Shared
Safeguards
Plaid Technologies Inc.
Bank account connectivity
Plaid access tokens (no raw credentials)
Plaid End User Privacy Policy; contractual DPA
Anthropic PBC (Claude API)
AI financial guidance generation
User message text only — no financial data
Zero data retention API; contractual agreement
Supabase Inc. (AWS)
Database and infrastructure hosting
All app data (encrypted)
AES-256 at rest; SOC 2 Type II certified
Apple Inc.
Sign In with Apple; App Store payments
Name, email (anonymized option available)
Apple Privacy Policy
Legal / Regulatory
Compliance with valid legal process
As required by law
Review by legal counsel
11. International Data Transfers
Meridian is a US-based company. Your data is stored on servers in the United States. If you are located in the EEA, UK, or Switzerland, your data will be transferred to and processed in the United States.
We rely on the following transfer mechanisms:
Standard Contractual Clauses (SCCs) as adopted by the European Commission where applicable
The EU-US Data Privacy Framework where our processors participate
Adequacy decisions of the European Commission where available
By using Meridian from outside the United States, you acknowledge that your data will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.
12. Children's Privacy
Meridian is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are located in the EEA, we do not knowingly collect data from children under 16 without verifiable parental consent. If we become aware that we have collected such information, we will delete it promptly.
13. Regulatory Compliance
This policy is designed to comply with:
California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
Gramm-Leach-Bliley Act (GLBA) — Safeguards Rule
Federal Trade Commission Act (FTC Act)
General Data Protection Regulation (GDPR) — EU 2016/679
UK General Data Protection Regulation (UK GDPR)
EU AI Act (Regulation EU 2024/1689) — Transparency obligations for limited-risk AI
Apple App Store Review Guidelines — Section 5 (Privacy)
Plaid Developer Policy and Data Use Requirements
14. Changes to This Policy
We will review and update this policy at minimum annually, or when significant changes occur to our data processing practices, applicable laws, or third-party integrations. We will notify you of material changes via email or in-app notification at least 30 days before changes take effect.