Meridant
meridant
Map the gap.  Chart the path.
How it works Frameworks Pricing My dashboard Start free

Legal

Privacy Policy

Meridant LLC
Effective Date: April 1, 2026
Last Updated: April 5, 2026


1. Introduction

Meridant LLC (“Meridant,” “we,” “us,” or “our”) is committed to protecting the privacy of our customers and their users. This Privacy Policy explains how we collect, use, store, disclose, and protect personal information in connection with our platform and services available at meridant.io and app.meridant.io (the “Service”).

By using the Service, you agree to the collection and use of information as described in this Privacy Policy. If you are accessing the Service on behalf of an organisation, you represent that you have authority to agree to this Privacy Policy on that organisation’s behalf.

This Privacy Policy is incorporated into our Terms of Service. Capitalised terms not defined here have the meanings given in the Terms of Service.


2. Information We Collect

2.1 Information You Provide Directly

When you register for an account or use the Service, we collect:

  • Account information: Name, email address, organisation name, job title.
  • Authentication credentials: Password (stored as a cryptographic hash — never in plain text).
  • Assessment data: Capability scores, response notes, and other content you enter during assessments (“Customer Data”).
  • Survey respondent data: Names and email addresses of survey respondents you invite through the platform.
  • Billing information: Payment method details (processed and stored by Stripe, Inc. — we do not store raw card data).
  • Communications: Messages you send to our support team.

2.2 Information Collected Automatically

When you use the Service, we automatically collect:

  • Usage data: Pages visited, features used, assessment actions, session duration.
  • Log data: IP address, browser type and version, operating system, referral URLs, timestamps.
  • Device information: Device type, screen resolution, language settings.
  • Authentication tokens: JWT tokens used to maintain session security.

2.3 Information from Third Parties

We may receive information about you from third parties including:

  • Stripe: Billing status, subscription events, and payment confirmation (not raw card data).
  • Resend: Email delivery confirmations and bounce notifications.

3. How We Use Your Information

We use the information we collect for the following purposes:

PurposeLegal Basis (GDPR)
Providing and operating the ServicePerformance of contract
Processing payments and managing subscriptionsPerformance of contract
Sending transactional emails (verification, password reset, billing)Performance of contract
Providing customer supportLegitimate interests
Improving and developing the ServiceLegitimate interests
Detecting and preventing fraud, abuse, and security incidentsLegitimate interests / legal obligation
Complying with applicable lawLegal obligation
Sending product updates and relevant communications (opt-out available)Legitimate interests / consent

We use AI processing (via Anthropic’s Claude API) to generate assessment findings, recommendations, and roadmaps. Your Customer Data is transmitted to Anthropic solely for this purpose. See Section 5 for details.

We do not use your Customer Data to train AI models or for any purpose beyond providing the Service to you.


4. Cookies and Tracking

The Service uses cookies and similar technologies to:

  • Maintain your authenticated session (strictly necessary).
  • Remember your preferences (functional).
  • Understand how the Service is used (analytics, where applicable).

You can control cookies through your browser settings. Disabling strictly necessary cookies may impair your ability to use the Service.

We do not use advertising cookies or sell your data to advertisers.

On our public marketing website (meridant.io), we use PostHog for privacy-friendly, aggregate analytics. It is configured without cookies and does not store a persistent identifier on your device, so no cookie-consent banner is required. It helps us understand which pages and campaigns are effective (for example, sample-report requests and checkout starts). We do not use it to build advertising profiles.


5. How We Share Your Information

We do not sell your personal information. We share information only as follows:

5.1 Service Providers

We share information with third-party service providers who process it on our behalf:

ProviderPurposeLocation
Fly.ioCloud infrastructure and hostingUSA
Anthropic, Inc.AI model inference (assessment generation)USA
Stripe, Inc.Payment processingUSA
ResendTransactional email deliveryUSA

All service providers are bound by data processing agreements and are prohibited from using your information for their own purposes.

5.2 Within Your Organisation

Customer Data is accessible to other authorised users within your tenant account (i.e., colleagues you have invited to the platform).

5.3 Legal Requirements

We may disclose information if required to do so by law, court order, or governmental authority, or where we believe in good faith that such disclosure is necessary to protect the rights or safety of Meridant, our users, or others.

5.4 Business Transfers

In connection with a merger, acquisition, sale of assets, or other business transaction, your information may be transferred to the successor entity, subject to the same privacy protections described in this Policy.


6. Data Retention

We retain personal information for as long as your account is active or as needed to provide the Service. We retain Customer Data for a period of 12 months after account closure, after which it is deleted or anonymised.

We may retain certain information for longer periods where required by law, for fraud prevention, or for legitimate business purposes (such as billing records).

You may request earlier deletion of your data by contacting support@meridant.io. See Section 10 for your rights.


7. Data Security

We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, disclosure, alteration, or destruction. These measures include:

  • All data in transit encrypted via TLS.
  • Passwords stored using industry-standard cryptographic hashing.
  • JWT tokens with expiry and rotation controls.
  • Production environment isolated with access controls.
  • Regular security reviews and dependency audits.

No method of transmission over the internet or electronic storage is 100% secure. While we take reasonable precautions, we cannot guarantee absolute security. In the event of a data breach affecting your rights and freedoms, we will notify you and relevant authorities as required by applicable law.


8. International Transfers

Our Service is operated from the United States. If you are accessing the Service from outside the United States, including from the European Economic Area (EEA), United Kingdom, or Australia, please be aware that your information will be transferred to and processed in the United States.

For users in the EEA or UK, we rely on the following transfer mechanisms:

  • Standard Contractual Clauses (SCCs): Where applicable, we use EU-approved Standard Contractual Clauses for transfers to third-party service providers.
  • Adequacy decisions: Where applicable.

For users in Australia, transfers are conducted in accordance with the Australian Privacy Principles under the Privacy Act 1988 (Cth).


9. GDPR — Rights of EEA and UK Users

If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) or UK GDPR:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete personal data.
  • Right to erasure: Request deletion of your personal data (“right to be forgotten”), subject to legal obligations.
  • Right to restriction: Request that we limit the processing of your personal data in certain circumstances.
  • Right to data portability: Receive your personal data in a structured, commonly used, machine-readable format.
  • Right to object: Object to processing based on legitimate interests or for direct marketing.
  • Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact us at support@meridant.io. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.

Our legal bases for processing personal data are set out in Section 3. We do not make solely automated decisions that have a legal or similarly significant effect on individuals without human review.


10. Australian Users

If you are located in Australia, we comply with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles. You have the right to:

  • Access the personal information we hold about you.
  • Request correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading personal information.
  • Make a complaint about our handling of your personal information to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au if you believe we have not complied with the Australian Privacy Principles.

11. Children’s Privacy

The Service is not directed at children under the age of 16 (or 13 in the United States). We do not knowingly collect personal information from children. If we become aware that a child has provided personal information, we will delete it promptly. If you believe a child has provided us with personal information, contact us at support@meridant.io.


12. Third-Party Links

The Service may contain links to third-party websites or services. This Privacy Policy does not apply to those sites. We encourage you to review the privacy policies of any third-party services you visit.


13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of material changes by updating the “Last Updated” date at the top of this page and, where appropriate, by direct notification. Your continued use of the Service after the effective date of changes constitutes acceptance of the updated Policy.


14. Contact and Data Controller

For questions about this Privacy Policy, to exercise your rights, or to make a privacy-related complaint, please contact:

Meridant LLC
Email: support@meridant.io
Website: meridant.io

Meridant LLC is the data controller for personal information processed in connection with the Service.

For EEA users who require a formal Data Processing Agreement (DPA) — for example, enterprise customers — please request one at support@meridant.io.


This Privacy Policy was last updated on April 5, 2026.

Meridant is built by practitioners with over 30 years of experience designing, assessing, and modernising enterprise IT — across cybersecurity, cloud financial management, and large-scale technology transformation. We've delivered hundreds of capability assessments the hard way: custom rubrics in Excel, hand-maintained Word templates, and weekends spent rewriting findings narratives. Meridant is the platform we built so the next assessment doesn't start from scratch — and we still run assessments on it ourselves.

Meridant meridant
Privacy Terms Contact
© 2026 Meridant, LLC · All rights reserved

Get the sample report

A complete AI Threat Readiness assessment — heatmap, findings, and prioritised roadmap. Enter your email and we'll open it.

No spam. We'll only email you about Meridant, and you can unsubscribe any time.

✅

Your report is ready

Thanks — it should open in a new tab. If it doesn't, use the button below.

Open the sample report →