MeridianConsensus

Privacy Policy

Plain-English summary: we collect your email, your purchases, and aggregate usage logs. We don't sell your data, we don't run ad trackers, and we don't send your prompts or reports to any party we don't name below.

1. What we collect

  • Account info: email address (required), name (optional), avatar if provided, managed by Clerk.
  • Payment info: PayPal collects and stores payment details on their PCI-compliant infrastructure. We store only the transaction ID, amount, and receipt email.
  • Usage: reports generated, reports viewed, export history. This is used to enforce plan limits and improve accuracy in aggregate.
  • Optional inputs: report topics, comments, corrections, alert subscriptions. Only what you voluntarily type or upload.
  • Server logs: IP address, user-agent, request timestamps. Retained for up to 30 days for abuse prevention.
  • Cookies: a Clerk session cookie and a sidebar UI preference (both strictly necessary), plus a first-party consent cookie that records your choice on the optional categories below. No advertising cookies, no third-party tracking pixels.
  • Optional, consent-gated: Vercel Analytics (anonymised page views, sets a first-party _vercel cookie) and Sentry session replay (records a masked DOM snapshot only when the page errors). Both are off until you accept on the banner or via cookie preferences; declining is a one-click choice and does not degrade the product.

2. How we use it

  • Operate the service: sign you in, generate and provide access to reports, process payments, enforce plan limits.
  • Send transactional email: receipts, report-ready notifications, security alerts, and refund confirmations.
  • Send product email (only if you opt in): alert digests and market-update notifications. Unsubscribe anytime.
  • Improve the platform: aggregate usage and quality signals to refine validation methods and templates. We do not use your prompts to train any model.
  • Comply with law: respond to lawful requests, enforce our terms, and prevent fraud.

3. Who processes your data

These are the only subprocessors your data touches. We vet each for a published security and privacy posture.

  • Clerk (US): authentication and session management.
  • PayPal (US): payments, subscription billing, receipts.
  • Vercel (US): web hosting, edge network, file storage for report PDFs.
  • Neon (US): PostgreSQL database for accounts, reports, and usage records.
  • Model inference provider (US): research synthesis uses an external inference API under a no-retention-for-training agreement. No personally identifiable information is included in research prompts. A current subprocessor list is available on request.
  • External data providers: the research pipeline queries a set of authoritative public and institutional data sources. These receive generic market-topic queries only; no user data is sent to them. A current subprocessor list is available on request.
  • BetterStack / Pingdom (if configured): uptime monitoring against a public health endpoint. No user data involved.

4. Where your data lives

Our primary infrastructure (Vercel, Neon) runs on US data centers. If you are outside the US, your data is transferred to and processed in the US. Where required, transfers rely on standard contractual clauses or equivalent safeguards between the processor and their upstream providers.

5. How long we keep it

  • Account data: while your account is active, plus 30 days after deletion for chargeback/fraud windows.
  • Purchase records: retained for 7 years to comply with tax and accounting laws.
  • Report PDFs: retained for the life of your account so you can re-download them. Subscribers can export locally any time.
  • Server logs: up to 30 days.
  • Email opt-outs: retained indefinitely to respect unsubscribe requests.

6. Your rights

Depending on where you live (GDPR in the EEA/UK, CCPA in California, or similar frameworks elsewhere), you have the right to:

  • Access the personal data we hold about you.
  • Correct it if it is wrong.
  • Delete it (“right to erasure” / “right to be forgotten”).
  • Export it in a machine-readable format.
  • Object to or restrict certain processing.
  • Withdraw consent for product email at any time.
  • Lodge a complaint with your local data protection authority.

To exercise any of these rights, email support@meridianconsensus.com from the email on your account. We respond within 30 days.

7. Children

The service is not intended for anyone under 18. We do not knowingly collect data from children. If you believe a child has created an account, email us and we'll delete it.

8. Security

Data is encrypted in transit (TLS 1.2+) and at rest on all of our subprocessors. Access to production systems is limited to essential personnel and protected by single sign-on and hardware-key MFA. We don't have a formal bug bounty yet; responsible disclosures can be sent to the support email.

9. Changes to this policy

If we change this policy in a material way, we'll notify registered users by email at least 14 days before the change takes effect. Non-material changes (clarifications, new processors within an existing category) may be made without notice; the “Last updated” date at the bottom of this page will reflect the most recent revision.

10. Contact

Privacy questions, data requests, or complaints: support@meridianconsensus.com. For EU/UK users we do not currently appoint an Article 27 representative; contact us directly.

Last updated: April 19, 2026.