Meridia

Privacy Policy

Effective date: March 30, 2026

Meridia ("we", "us", "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, and safeguard your information when you use our website, mobile application, and related services (the "Service").

1. Data Controller

Meridia is the data controller responsible for your personal data. If you have questions about data processing, you can reach us at legal@meridia.app.

2. Information We Collect

Information you provide

  • Account information: Email address, display name, and password (hashed) when you register
  • OAuth data: Name, email, and profile picture when you sign in with Google or Apple
  • User content: Community submissions, news source suggestions, and feedback
  • Preferences: Language, notification settings, and personalization choices

Information collected automatically

  • Usage data: Pages visited, features used, and interactions with the map
  • Device information: Browser type, operating system, device type, and screen resolution
  • IP address: Used for rate limiting, security, and approximate geolocation
  • Cookies and similar technologies: See our Cookie Policy for details

3. How We Use Your Information

We use your personal data to:

  • Provide, maintain, and improve the Service
  • Authenticate your identity and manage your account
  • Personalize your experience (e.g., preferred categories, regions)
  • Send transactional emails (account verification, password resets)
  • Monitor and prevent abuse, fraud, and security threats
  • Analyze usage patterns to improve the Service
  • Comply with legal obligations

4. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), we process your data based on:

  • Contract: Processing necessary to provide the Service you requested (account management, authentication)
  • Legitimate interest: Analytics, security, and fraud prevention
  • Consent: Optional personalization features and non-essential cookies
  • Legal obligation: When required by law

5. Data Sharing

We do not sell your personal data. We may share data with:

  • Authentication providers: Google and Apple, when you use OAuth sign-in
  • Error monitoring: Sentry, for crash reporting and performance monitoring
  • Email delivery: Our self-hosted SMTP service for transactional emails
  • Legal authorities: When required by law or to protect our rights

6. Data Retention

  • Account data: Retained while your account is active and for 30 days after deletion
  • Session data: Automatically expired after 30 days of inactivity
  • Security logs: IP addresses and rate-limiting data retained for up to 90 days
  • Analytics data: Aggregated and anonymized data may be retained indefinitely

7. Data Security

We implement appropriate security measures to protect your data, including:

  • Passwords hashed with Argon2 and checked against known breaches (HaveIBeenPwned)
  • Session tokens hashed with SHA-256 and stored securely
  • Account lockout after failed login attempts
  • Rate limiting on all endpoints
  • Encrypted data in transit (HTTPS/TLS)

8. Your Rights (EEA and UK)

Under GDPR, you have the right to:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your personal data ("right to be forgotten")
  • Restriction: Request that we limit processing of your data
  • Portability: Receive your data in a structured, machine-readable format
  • Objection: Object to processing based on legitimate interest
  • Withdraw consent: Where processing is based on consent, withdraw it at any time

To exercise these rights, contact us at legal@meridia.app. We will respond within 30 days.

9. International Transfers

Your data may be processed in countries outside the EEA. When this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.

10. Children's Privacy

The Service is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service with a revised effective date.

12. Contact

For privacy-related inquiries, contact us at legal@meridia.app.