Privacy Policy

Meridian ("Meridian," "we," "us," or "our") provides a marketing operating system for e-commerce teams. This Privacy Policy explains how we handle information when you use our websites, applications, and related services (collectively, the "Service").

By using the Service, you agree to this Privacy Policy. If you do not agree, do not use the Service.

The canonical URL of this Privacy Policy is the same URL you should provide in your Google Cloud OAuth consent screen configuration so it matches the link shown on our public homepage.

Account and profile data. When you register or sign in, we receive identifiers and profile details from our authentication provider (for example, name, email address, and organization identifiers where applicable).

Service usage and content. We process data you submit or generate in the product, such as dashboard preferences, tasks, chat messages, recommendations you view or act on, and support requests you send us.

Connected marketing platforms. If you connect third-party accounts (for example, Meta Ads, Google Ads, Shopify, or Klaviyo), we access and store the types of data needed to show performance metrics, recommendations, and actions you initiate in the product. The exact categories depend on what you connect and which product features you use.

Technical and security data. We collect standard device and connection information (such as IP address, browser type, timestamps, and diagnostic logs) to operate, secure, and improve the Service.

When you choose to connect Google Ads, Meridian uses Google OAuth 2.0 and the Google Ads API. This section supplements the rest of this Privacy Policy for data received from Google.

OAuth scopes requested. The authorization request uses the following scope values (as configured in the Service):

• https://www.googleapis.com/auth/adwords to access Google Ads API resources needed to read customer and campaign performance data used in Meridian dashboards, recommendations, and related product features.
• openid and https://www.googleapis.com/auth/userinfo.email to obtain your Google account email address for account identification and support.

How we access and use Google user data. We call Google APIs only after you complete the OAuth consent flow in your browser. We use Google Ads data solely to provide and improve user-visible features in Meridian (for example, spend and performance views, recommendations, and tasks tied to Google Ads). We use your Google account email in the product and for account administration consistent with this policy.

How we store Google user data. OAuth tokens and synced metrics are stored using our infrastructure and database providers. Tokens are encrypted at rest where the Service is configured to do so. Access is limited to what is needed to operate the Service.

How we share Google user data. We do not sell Google user data. We share it only with subprocessors that process data on our behalf under contract (such as hosting and database services), when you direct us to interact with another service you use, or when required by law, consistent with the "How we share information" section above.

Limited Use. Meridian's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. In particular, we use Google user data only to provide or improve user-facing features that are prominent in the Service; we do not use it for serving ads (including retargeting or personalized advertising), as credit data, or for sale to data brokers. We do not allow humans to read Google user content except as needed for security, legal compliance, with your explicit consent for support, or where data is aggregated for internal operations as permitted under applicable rules.

When you choose to connect Meta, Meridian uses Meta OAuth and the Meta Marketing API. This section supplements the rest of this Privacy Policy for data received from Meta.

Permissions requested. The authorization request uses ads_read, ads_management, and business_management to read ad account, campaign, spend, and conversion (action) metrics and, only when you explicitly initiate it, to apply budget changes you approve within the product.

How we use Meta data. We use it solely to provide user-facing features — performance views, conversion metrics, recommendations, and optimizations you choose to deploy. We do not sell Meta data and do not use it to advertise to you.

Storage and control. Access tokens are encrypted at rest and we store only the aggregated metrics needed for the product. You can disconnect Meta at any time from the Integrations page, which stops further access.

When you choose to connect Shopify, Meridian accesses your store through the Shopify Admin API using the scopes you approve at install (such as read access to orders, products, and marketing events).

What we access. Order totals and dates, which we use to compute revenue, ROAS, and cross-channel attribution. We do not store individual customer names, email addresses, or shipping addresses.

Privacy compliance. We honor Shopify's mandatory compliance webhooks — customers/data_request, customers/redact, and shop/redact. When your store uninstalls the app and Shopify sends the shop/redact request, we delete the store's synced data.

Disconnect and deletion. You can disconnect Shopify from the Integrations page at any time; uninstalling the app triggers deletion of synced store data as described above.

We rely on a small set of subprocessors that process data on our behalf under contract, including cloud hosting and serverless compute, a managed database, an authentication provider, transactional email, error monitoring, and large language model providers used to generate summaries and recommendations. These providers may process data only to deliver their service to us and are bound by confidentiality and data protection terms.

• Provide, maintain, and improve the Service, including dashboards, chat, tasks, and integrations.
• Process Google user data only as described in this policy and in compliance with the Google API Services User Data Policy (including Limited Use), when you connect Google.
• Authenticate users, prevent fraud and abuse, and protect the security of the Service.
• Communicate with you about the Service, including transactional messages and responses to inquiries.
• Comply with law and enforce our agreements.

We do not sell your personal information. We share information only as needed to run the Service, including with:

• Service providers that host infrastructure, process payments where applicable, provide authentication, deliver email, or help us monitor reliability and security, bound by confidentiality and processing terms.
• Third-party platforms you connect, according to your instructions when you authorize integrations.
• Legal and safety recipients when we believe disclosure is required by law, regulation, or legal process, or to protect the rights, safety, and security of Meridian, our users, or others.

We retain information for as long as your account is active and for a reasonable period afterward to comply with legal obligations, resolve disputes, and enforce agreements. Retention periods may vary based on the type of data and your use of the Service.

We use administrative, technical, and organizational measures designed to protect information. No method of transmission or storage is completely secure; we cannot guarantee absolute security.

You may update certain profile information through your account settings where available. You may disconnect third-party integrations from within the product or from the third party's own account settings. You may request access, correction, or deletion of personal information subject to applicable law by contacting us through the Contact page.

Meridian may process and store information in the United States and other countries where we or our providers operate. Those countries may have data protection laws that differ from the country where you live.

The Service is not directed to children under 16, and we do not knowingly collect personal information from them. If you believe we have collected information from a child under 16, contact us and we will take appropriate steps.

We may update this Privacy Policy from time to time. We will post the updated version on this page and revise the "Last updated" date above. Material changes may also be communicated through the Service or by email where appropriate.

Questions about this Privacy Policy: use the Contact page or the developer contact information shown in your Google OAuth consent screen for this application.