Privacy Policy
Effective date: March 20, 2026 | Last updated: March 20, 2026
Meridian is operated by Rithik Sudhakar ("we", "us", "our"), an individual proprietor based in Chennai, Tamil Nadu, India. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Meridian service at go-meridian.com.
This Policy is prepared in compliance with: the Information Technology Act, 2000 (India); IT (Reasonable Security Practices and Procedures and Sensitive Personal Data) Rules, 2011; Digital Personal Data Protection Act, 2023 (India); General Data Protection Regulation (GDPR) — for users in the European Economic Area; California Online Privacy Protection Act (CalOPPA); and the Children's Online Privacy Protection Act (COPPA).
1. Data Fiduciary Identity
Data Fiduciary (Indian Law) / Data Controller (GDPR):
Rithik Sudhakar
Operating as: Meridian
Address: Chennai, Tamil Nadu, India
Email: rithikbuilds@gmail.com
Grievance Officer: Rithik Sudhakar (same contact details as above)
2. What Data We Collect and Why
We collect only the minimum data necessary to provide the Service. We do not sell your data to third parties under any circumstances.
2.1 Account Data
What: Your name, email address, password (stored as a hashed value — we never see your actual password), profile picture (if you choose to upload one).
Why: To create and manage your account, authenticate your identity, and enable access to the Service.
Legal basis (GDPR): Contract performance (Article 6(1)(b))
2.2 Study and Session Data
What: Energy level check-ins (1–5 scale), session logs (date, duration, task name, category, outcome), regulation state data, rhythm pattern data, distraction logs.
Why: To generate your personal insights, visualize your rhythm patterns, and provide the core study tracking functionality. This data IS the product — retaining it during your account lifetime is necessary to provide the Service you signed up for.
Legal basis (GDPR): Contract performance (Article 6(1)(b)); Legitimate interests (Article 6(1)(f))
2.3 Communication Data
What: Your email address for transactional emails (account verification, password reset, subscription confirmations).
Why: To deliver essential account communications.
Legal basis (GDPR): Contract performance (Article 6(1)(b))
2.4 Technical Data
What: IP address, browser type and version, device type, operating system, pages visited, time spent, session timestamps, error logs.
Why: To operate and maintain the Service, diagnose technical issues, ensure security, and prevent fraud and unauthorized access.
Legal basis (GDPR): Legitimate interests (Article 6(1)(f))
2.5 Cookies and Local Storage
What: Authentication session tokens (essential); user preference data (theme, font, sidebar state — stored in browser localStorage, not on our servers).
Why: To keep you logged in and remember your display preferences. We do not use advertising cookies or tracking cookies from third-party advertising networks.
2.6 Data We Do NOT Collect
We do not collect payment card details (handled directly by Paddle.com), biometric data, or data about race, ethnicity, religion, political views, sexual orientation, or health conditions.
3. How We Share Your Data
We do not sell, rent, or trade your personal data. We share data only with the following service providers who are contractually bound to handle it securely:
3.1 Supabase — Database and authentication. SOC 2 Type II certified, AES-256 encryption at rest, TLS in transit. supabase.com/privacy
3.2 Paddle.com — Payment processing (Merchant of Record). Meridian does not receive or store your payment card details. Paddle is GDPR compliant and PCI DSS certified. paddle.com/privacy
3.3 Resend — Transactional email only. SOC 2 certified, EU-US Data Privacy Framework certified. resend.com/privacy
3.4 Vercel — Hosting and deployment. SOC 2 Type II and ISO 27001 certified. vercel.com/legal/privacy-policy
3.5 Legal Disclosures. We may disclose your data when required by law, court order, or governmental authority, or when necessary to protect our legal rights or prevent harm to others.
4. International Data Transfers
Your personal data may be transferred to and processed in countries outside your country of residence, including the United States, United Kingdom, and India.
For transfers from the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission (Implementing Decision 2021/914) for transfers to countries without an EU adequacy decision. You may request a copy of the applicable safeguards by contacting us at rithikbuilds@gmail.com.
5. Data Retention
Account and session data: Retained while your account is active. Your study session history is the core product — it is retained to provide the Service you registered for. Upon account deletion, all personal data is permanently deleted within 30 days.
Payment records: Retained for 7 years from the transaction date as required by Indian financial regulations and tax law. This retention is handled primarily by Paddle.com.
Technical/access logs: Retained for a maximum of 90 days for security and fraud prevention, then automatically deleted.
Inactive accounts: If your account shows no activity for 24 consecutive months, we will send you an email notification and, if no response is received within 30 days, will delete your account and all associated data.
6. Your Rights
6.1 Rights under Indian Law (DPDP Act 2023 / IT Rules 2011):
Right to access · Right to correction · Right to erasure · Right to withdraw consent · Right to grievance redressal · Right to nominate
6.2 Rights under GDPR (EU/EEA users):
Right of access (Art. 15) · Right to rectification (Art. 16) · Right to erasure (Art. 17) · Right to restriction of processing (Art. 18) · Right to data portability (Art. 20) · Right to object (Art. 21) · Right to lodge a complaint with your national supervisory authority
To exercise any of these rights, contact: rithikbuilds@gmail.com. We will respond to all verified requests within 30 days.
7. Children's Privacy
Meridian is not directed to children under the age of 13. We do not knowingly collect personal data from children under 13. Under the Digital Personal Data Protection Act 2023 (India), we are required to obtain verifiable parental consent before processing data of users under the age of 18. Users between 13 and 17 must provide verifiable parental consent during registration.
If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us immediately at rithikbuilds@gmail.com.
8. Security Measures
We implement appropriate technical and organizational measures consistent with the IT (Reasonable Security Practices) Rules, 2011 and the DPDP Act 2023, including: TLS 1.2+ encryption in transit, AES-256 encryption at rest (Supabase), role-based access controls, secure password hashing, and protective HTTP security headers (CSP, HSTS, X-Frame-Options).
Breach Notification: In the event of a personal data breach, we will notify the Data Protection Board of India within 72 hours and will notify affected users without undue delay, in accordance with DPDP Act Section 8(6) and CERT-In Directions 2022.
9. Cookies Policy
9.1 Essential cookies: Session cookies and authentication tokens essential to the operation of the Service. These cannot be disabled without losing access.
9.2 Preference storage: We use browser localStorage (not cookies) to store display preferences (theme, font, sidebar state). This data never leaves your browser.
9.3 Third-party cookies: Paddle.com may set cookies during checkout for fraud prevention. We do not use cookies from advertising networks.
10. Do Not Track
Meridian does not currently respond to browser Do Not Track (DNT) signals, as no uniform industry standard has been established. We do not track users across third-party websites.
11. Grievance Officer
In accordance with the IT Rules 2011 and Consumer Protection (E-Commerce) Rules, 2020:
Name: Rithik Sudhakar
Email: rithikbuilds@gmail.com
Address: Chennai, Tamil Nadu, India
Complaints will be acknowledged within 48 hours and resolved within one calendar month. If not satisfied, you may approach the Data Protection Board of India (dpb.gov.in) or your national data protection authority (EU/EEA users).
12. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes by email and/or in-app notification at least 15 days before changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.
Questions about your privacy? Contact us at rithikbuilds@gmail.com