1. Who we are and what this covers
This policy explains what personal data [company entity — TBD]("Meridian", "we") collects when you use the Meridian website, terminal and research pages, why we hold it, how long we keep it, and what you can make us do about it.
We are the data controller for that data. Our baseline is Thailand's Personal Data Protection Act (PDPA). If you are in the EU or UK we apply the same rights and protections to you — a GDPR-lite posture — even where we are not formally required to.
The short version: we hold as little as we can, your exchange API keys are the most sensitive thing we hold and we treat them that way, we do not sell anything to anyone, and you can delete all of it.
2. What we collect
| Data | Why we hold it |
|---|---|
| Email address (and, if you sign in with a provider, the basic profile it returns) | To create and secure your account, to sign you in, and to send service messages you cannot opt out of — billing, security, material changes to these policies. |
| Layouts and preferences — workspaces, panes, chart settings, watchlists, theme | So the terminal looks the same when you come back and syncs across your devices. |
| Exchange API keys — encrypted | So your automations and account-sync features can read your account and place the orders you configured, on your own exchange account. See section 3. |
| Backtest and automation history — the strategies you built, the runs you made, their results and logs | So you can revisit and compare your own work, and so we can debug an automation that misbehaved. |
| Subscription status | To know which plan you are on. Card and billing details go to the merchant of record, not to us — see section 5. |
| Technical logs — IP address, browser/device type, timestamps, error traces | Security, abuse prevention and debugging. Kept short and not used to build a profile of you. |
We do not ask for and do not want your government ID, your bank details, your card number, your exchange password, or any of the special categories of data (health, religion, biometrics, political opinion). Do not send them to us.
3. Your exchange API keys
These are the crown jewels. They get their own section.
- Keys are encrypted at rest and are never written to logs in plaintext, not in error traces, not in analytics, not in support tickets.
- They are decrypted only in memory, only at the moment an operation you asked for needs them — a sync, or an order from an automation you deployed.
- Internal access is scoped as narrowly as we can make it. We do not read your keys to look at your positions.
- You should connect trade-only keys with withdrawal permission disabled. We warn you if we see a key that can withdraw. A key that cannot move money cannot be used to steal money, even in the worst case.
- Delete a key in Meridian and we delete our copy. Deleting your account deletes all of them. We cannot revoke a key at your exchange — do that there as well.
We hold no custody of your funds and we cannot transfer or withdraw them.
4. Why we are allowed to hold it
- To perform our contract with you — account, layouts, keys, automations, backtests, subscription. Without this data the product does not work.
- Consent — given at signup for the processing described here, and separately for anything optional such as marketing email. You can withdraw consent for the optional parts at any time.
- Legitimate interest — keeping the service secure, preventing abuse and fraud, and fixing bugs.
- Legal obligation — where a law or a competent authority requires it (for example, retaining billing records).
5. Who we share it with
We do not sell your personal data. We do not trade on it, and we do not share your positions, strategies or trading behaviour with anyone. We use a small number of processors, and only for what is listed:
- Supabase — database, authentication and storage. Holds your account record, layouts, encrypted keys and history.
[merchant of record — Paddle or Lemon Squeezy, TBD]— the seller of record for paid plans. It takes and holds your payment details under its own privacy policy; we never see your card number. It tells us only that you paid and which plan you are on.- Exchanges you connect (for example Binance) — your instructions and API calls go to them, which is the point of connecting them. They are independent controllers, under their own terms.
[hosting / email / error-monitoring / analytics vendors — TBD]— the final list will be named here before paid launch.
We will also disclose data where the law genuinely requires it, and we will tell you if we are permitted to.
6. Where your data is held (cross-border transfer)
Supabase and our other processors host data on servers outside Thailand. Using Meridian therefore involves a cross-border transfer of your personal data, and we are telling you so plainly because the PDPA requires it.
We only use processors that maintain adequate protection standards and contractual safeguards for the data they hold. Region of primary storage: [hosting region — TBD].
7. How long we keep it
- Account data, layouts, keys, history — for as long as your account exists.
- After you delete your account — deleted. Encrypted API keys are destroyed immediately; the remainder is removed from live systems, and from backups as those backups roll over within
[backup retention window — TBD]. - Technical logs —
[log retention — TBD], then deleted. - Billing records — kept as long as tax and accounting law requires, by us and by the merchant of record.
8. Your rights
Under the PDPA — and we extend the same to everyone — you may:
- Access the personal data we hold about you, and get a copy of it.
- Correct anything inaccurate or incomplete.
- Delete it. Deleting your account is a real deletion — your keys and your data are actually removed, not flagged as hidden.
- Port it — receive it in a machine-readable form.
- Object to or restrict processing, and withdraw consent for anything you consented to.
- Complain — to us first, please, and to the Thai Personal Data Protection Committee (PDPC) if we do not fix it.
Most of this you can do yourself from the settings page. Otherwise write to [privacy contact email — TBD] and we will respond within 30 days.
9. Security, and what happens if we are breached
Data is encrypted in transit and at rest, API keys have the extra handling described in section 3, internal access is limited to what a task needs, and we patch what we run. No system is perfectly secure and we are not going to claim ours is.
If a breach occurs that puts your personal data at risk, we will notify the Thai PDPC within 72 hours of becoming aware of it and tell affected users without undue delay, describing what happened, what data was involved and what to do about it. If exchange keys are implicated in any way, our first message to you will be: revoke them at your exchange, now.
10. Cookies and analytics
We use the cookies needed to keep you signed in and to keep the service secure. These are strictly necessary and cannot be turned off without breaking sign-in.
Any product analytics we use is aggregate and privacy-respecting — we want to know that a feature is used, not to follow you around the internet. We do not run advertising trackers and we do not sell data to ad networks. Provider and cookie list: [analytics provider and full cookie list — TBD].
11. Children
Meridian is not for anyone under 18. We do not knowingly collect data from children, and if we learn we have, we will delete it.
12. Changes to this policy
If we change this policy materially we will tell you by email or in the product before the change takes effect. The date at the top is always the date of the current version.
13. Contact
Privacy questions, rights requests, or anything that smells like a security problem: [privacy contact email — TBD]. Controller details and registered address: [company entity and address — TBD]. Data protection officer, if one is required of us: [DPO — TBD, subject to legal review].
The English version of this policy is the governing text; any translation is a courtesy.