Privacy Notice

What we collect (and what we don't)

We collect only what we need to give you visa guidance: your email or phone number for authentication, nationality and travel details for visa lookups, and documents you upload for review.

We also collect anonymised usage data (for example, which assessment steps you complete and which destinations you compare) to improve our tools. This data contains no personal data and cannot be linked back to you.

We don't collect browsing history. We don't build advertising profiles, nor use your data for advertising purposes. We don't sell your data. We never will.

How we use your data

• Provide personalised visa guidance based on your profile.
• Improve our accuracy by learning which visa rules change.
• Send you updates if you opt in (email or WhatsApp).
• Understand how people use Meridian through anonymised usage analytics (e.g. which steps are completed), so we can improve it.

Where our knowledge comes from

Meridian combines three sources: AI models trained on public information, community contributions from visa experts who share real-world experience, and official government sources. We cross-reference these to give you accurate, up-to-date guidance.

How we protect your data

Privacy is in our architecture, not just our notice.

• Personal data removal; Before AI models process your data, we remove any personal data and render it anonymised. Specifically, we remove passport numbers, dates of birth, bank account numbers, phone numbers, and other identifiers.
• Encryption at rest; Your answers to the assessment, any extracted document text, and other identifiers are encrypted in our database using ActiveRecord encryption (the database layer).
• Error tracking; Sentry (error monitoring) collection of personal data is explicitly disabled. Errors are tracked without personal data.
• Log filtering; Over 15 patterns (emails, phone numbers, passport numbers) are filtered from server logs.
• Document storage; Documents you upload are stored with encryption at rest and limited access. Temporary copies sent to AI for text extraction are deleted immediately after processing. Your uploaded files remain available in your vault until you delete them.

Third-party services

We use these services to run Meridian. Here's exactly what each one sees.

API and AI-assistant access

Meridian exposes its tools to AI assistants (Claude, ChatGPT, Cursor, and others) over MCP at usemeridian.app/mcp, and to developers through the Meridian CLI. Anonymous tools (visa lookups, requirements, feedback) need no sign-in and never touch your account.

Authenticated tools (readiness checks, application creation, vault access) require you to authorise the assistant via OAuth 2.0. When you authorise, we issue the assistant a short-lived access token and a longer-lived refresh token. Once granted, the assistant can read your vault and act on your behalf within the scopes you approve. You can revoke a connection at any time, when signed in, from the Integrations page; revocation invalidates the tokens immediately.

The assistant itself (Anthropic, OpenAI, etc.) is a separate party. Their handling of your conversation is governed by their own privacy policy. We never share data with assistants beyond what each tool returns for the request you authorised.

AI transparency

Meridian is an AI-assisted product. AI outputs are checks and suggestions; you make the decision, and so does the consulate. We do not train AI models on your data, and personal data is removed before any content reaches an AI provider. For the full list of AI providers and what each one does, see how we use AI.

Whether your prior conversations and vault are used to personalise future AI assistance is controlled by the AI personalization toggle on the Cookies page. Core AI features (chat, readiness checks) work whether or not personalization is on.

How long we keep your data

• Active accounts; We keep your data as long as your account is active and you haven't asked us to delete it.
• Inactive accounts; Accounts with no sign-in for 24 months are notified by email; if there's no response within 30 days, the account and its data are deleted.
• Visa application records; Submitted application records are retained for 3 years from the date of submission so you can refer back to them, unless you delete them earlier via the in-app expunge action.
• Server logs; Filtered server logs (no personal data) are retained for 30 days for debugging and incident response, then deleted.
• Anonymous analytics; Aggregated, non-identifiable usage events are retained for 24 months.

International data transfers

Some processors operate outside the EU/EEA. The International transfer column above shows where each one is based and the safeguard that applies.

For transfers outside the EU/EEA we rely on the European Commission's Standard Contractual Clauses (SCCs) and the processor's own GDPR-equivalent commitments. We don't transfer data to jurisdictions without one of these safeguards in place.

Your rights

Under GDPR and similar privacy laws, you have the right to:

• Access; Request a copy of all data we hold about you.
• Deletion; Ask us to delete your account and all associated data.
• Export; Download your data in a portable format.
• Correction; Update or fix inaccurate information.
• Object + restrict; Object to processing or ask us to restrict how we process your data.
• Lodge a complaint; You can complain to your local data protection authority. If we're your point of contact in the EU, that's Datatilsynet (the Danish Data Protection Authority).

To exercise any of these rights, email data.privacy@mail.usemeridian.app. We respond within 30 days as required by GDPR.

Data controller and contact

Saunter Works (the company behind Meridian) is the data controller for the information processed on this site. Our point of contact for data protection matters is Paul Dariye, reachable at paul@usemeridian.app.

Routine privacy and data questions go to data.privacy@mail.usemeridian.app. Security-related disclosures go to data.security@mail.usemeridian.app.

Cookies

We use essential session cookies plus a small set of functional cookies that remember things you typed (theme, sidebar state, home-hub form values). Our analytics provider (Plausible) is entirely cookie-free.

The full inventory, with every cookie we set, what it does, and how long it lasts, lives on our Cookies page, where you can change your choice at any time.