Privacy Policy

Effective Date: March 1, 2026 | Last Updated: March 1, 2026

Meridian AI ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, and safeguard your personal data when you use our platform and services. By using Meridian AI, you agree to the practices described in this policy.

1. Data Collection

Meridian AI collects the following categories of personal data in the course of providing our services: - Account information: name, email address, organization, job title, and phone number provided during registration or onboarding. - Usage data: interactions with the platform, feature usage, session duration, pages visited, and search queries. - Deal and pipeline data: investment deal details, stakeholder information, regulatory filings, and related documents uploaded to the platform. - Communication data: messages sent through integrated communication channels (WhatsApp, email) as facilitated by the platform. - Device and technical data: IP address, browser type, operating system, device identifiers, and diagnostic logs. - Third-party integrations: data imported from connected services such as Salesforce, Bloomberg Terminal, Microsoft Teams, and DocuSign. We do not collect data beyond what is necessary to provide, maintain, and improve our services.

2. Use of Data

We use your personal data for the following purposes: - Service delivery: powering deal pipeline analytics, AI agent orchestration, regulatory compliance tracking, and stakeholder management. - Personalization: tailoring AI-generated insights, recommendations, and draft communications to your investment corridors and deal context. - Security and fraud prevention: detecting unauthorized access, monitoring for anomalous activity, and enforcing access controls. - Communication: sending service-related notifications, regulatory alerts, and platform updates. - Analytics and improvement: analyzing aggregated usage patterns to improve platform performance, reliability, and user experience. - Legal compliance: fulfilling regulatory obligations, responding to lawful requests, and maintaining audit trails. We do not sell your personal data to third parties. We do not use your deal data or communications to train general-purpose AI models.

3. Data Sharing

We may share your data with the following categories of recipients: - Service providers: cloud hosting (encrypted at rest and in transit), payment processors, and infrastructure partners who process data on our behalf under strict contractual obligations. - Integration partners: when you connect third-party services (e.g., Salesforce, Bloomberg), data is shared as necessary to enable the integration. - Legal authorities: when required by law, regulation, or valid legal process, or to protect the rights, property, or safety of Meridian AI, our users, or the public. - Affiliated entities: with Meridian AI subsidiaries or affiliates for operational purposes, subject to the same privacy standards. All data sharing is governed by data processing agreements that require recipients to maintain appropriate security measures and limit use to specified purposes.

4. Data Security

We implement industry-standard security measures to protect your data: - Encryption: AES-256 encryption at rest and TLS 1.3 encryption in transit for all data. - Access controls: role-based access controls (RBAC), multi-factor authentication, and audit logging for all administrative actions. - Infrastructure: SOC 2 Type II certified infrastructure with regular penetration testing and vulnerability assessments. - Data isolation: tenant-level data isolation ensuring your deal data is not accessible to other organizations. - Incident response: documented incident response procedures with notification within 72 hours of a confirmed breach affecting personal data. - Backups: encrypted daily backups with geographically distributed redundancy and tested recovery procedures.

5. Cookies and Tracking

Meridian AI uses cookies and similar technologies for the following purposes: - Essential cookies: required for authentication, session management, and security. These cannot be disabled. - Functional cookies: remembering your preferences, dashboard layout, and language settings. - Analytics cookies: understanding how the platform is used to improve features and performance. These are anonymized. We do not use advertising or cross-site tracking cookies. You can manage cookie preferences through your browser settings. Disabling non-essential cookies will not affect core platform functionality.

6. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data: - Access: request a copy of the personal data we hold about you. - Correction: request correction of inaccurate or incomplete personal data. - Deletion: request deletion of your personal data, subject to legal retention requirements. - Portability: receive your data in a structured, commonly used, machine-readable format. - Restriction: request restriction of processing in certain circumstances. - Objection: object to processing based on legitimate interests. - Withdraw consent: where processing is based on consent, withdraw that consent at any time. To exercise any of these rights, contact us at privacy@meridian.ai. We will respond to verified requests within 30 days.

7. International Data Transfers

Meridian AI operates across multiple jurisdictions including the United States, the Kingdom of Saudi Arabia, the United Arab Emirates, and the European Union. When we transfer personal data across borders, we ensure appropriate safeguards are in place: - EU/EEA: Standard Contractual Clauses (SCCs) approved by the European Commission. - Saudi Arabia: compliance with the Personal Data Protection Law (PDPL) transfer requirements. - United States: data processing agreements incorporating privacy shield principles. All transfers are subject to the data protection standards described in this policy regardless of the destination jurisdiction.

8. Regulatory Compliance

Meridian AI is designed to comply with the following data protection frameworks: - GDPR (General Data Protection Regulation) — European Union - CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act) — United States - Saudi PDPL (Personal Data Protection Law) — Kingdom of Saudi Arabia - UAE PDPL (Personal Data Protection Law) — United Arab Emirates We regularly review and update our practices to maintain compliance with evolving regulations. Our Data Protection Officer oversees compliance across all jurisdictions.

9. Data Retention

We retain your personal data only as long as necessary for the purposes outlined in this policy: - Account data: retained for the duration of your active account plus 90 days after deletion request. - Deal and pipeline data: retained for the duration of your subscription plus any legally required retention period. - Usage and analytics data: retained in anonymized form for up to 24 months. - Audit logs: retained for 7 years to comply with financial regulatory requirements. - Communication data: retained for 5 years or as required by applicable regulations. You may request deletion of your data at any time, subject to legal retention obligations.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes: - We will notify you by email at least 30 days before the changes take effect. - We will post a notice on the platform. - The "Effective Date" at the top of this page will be updated. Your continued use of Meridian AI after the effective date constitutes acceptance of the updated policy.

11. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices: - Email: privacy@meridian.ai - Data Protection Officer: dpo@meridian.ai - Mailing address: Meridian AI, Privacy Team For data subject requests, please use privacy@meridian.ai and include sufficient information to verify your identity and specify the nature of your request.