Privacy Policy

This Privacy Policy describes how Meridian ("we," "us," or "our") collects, processes, stores, and protects information in connection with the Meridian content moderation infrastructure service (the "Service").

Meridian operates as a backend infrastructure provider. We distinguish between two types of individuals whose data may be implicated by the Service:

• Platform Partners: Developers and organizations that integrate Meridian's API into their products. Platform Partners interact directly with Meridian and are subject to this Policy as data controllers in their own right.
• End Users: Individuals who use platforms and applications operated by Platform Partners. Meridian typically processes End User data as a data processor acting on behalf of the Platform Partner.

Platform Partners are responsible for providing their own end-user disclosures and obtaining any required consents before submitting end-user data to Meridian for processing.

We collect the following categories of information:

Content Processing: Submitted text and profile inputs are processed in real-time by Meridian's inference models solely to generate classification signals (labels, risk scores, embeddings) returned to the requesting Platform Partner. This is the core function of the Service.

Service Operation: Account data is used to authenticate access, manage API credentials, enforce rate limits, and ensure service availability and integrity.

Safety & Abuse Prevention: System logs and usage patterns are analyzed to detect misuse of the API, adversarial probing of classification models, or patterns indicating policy violations.

Model Improvement: Meridian may use aggregated, de-identified signals derived from API usage to improve classification model performance. We do not use raw submitted content to train models without explicit written agreement with the submitting Platform Partner.

Legal & Compliance: Data may be processed as required to comply with applicable law, regulatory requests, or to enforce our Terms of Service.

We do not sell personal data. We do not use submitted content for advertising purposes.

Meridian is designed for low-latency real-time processing. Our data retention posture reflects a minimal-retention approach:

Platform Partners may request deletion of associated account data upon termination of their service agreement, subject to legal retention obligations.

Meridian does not sell, rent, or broker personal data to third parties.

We may share data in the following limited circumstances:

• Service Providers: We engage trusted subprocessors to support infrastructure operations (e.g., cloud hosting, monitoring, billing). These providers are contractually bound to process data only as instructed and to maintain appropriate security standards.
• Legal Requirements: We may disclose data if required by applicable law, court order, regulatory authority, or to protect the rights, safety, or property of Meridian, our partners, or others.
• Corporate Events: In the event of a merger, acquisition, or sale of assets, data may be transferred to a successor entity, subject to equivalent privacy protections.
• Between Services: Meridian is part of the broader IrisAI infrastructure umbrella. Data shared internally is subject to equivalent security and use restrictions.

No data is shared with advertising networks, data brokers, or marketing platforms.

Meridian applies a security-first engineering philosophy consistent with its infrastructure mandate.

Measures in place include:

• Encryption of data in transit using modern TLS standards
• Encryption of data at rest for stored account and log data
• API authentication via credential management and access control
• Network-level isolation of inference infrastructure
• Internal access controls limiting data access to authorized personnel on a need-to-know basis
• Logging and anomaly detection for unauthorized access attempts

While we implement robust technical and organizational security measures, no system can guarantee absolute security. Platform Partners are responsible for securing their own API credentials and access configurations. In the event of a security incident affecting personal data, we will notify affected Platform Partners in accordance with applicable breach notification requirements.

When Platform Partners submit data to Meridian's API, they act as data controllers with respect to the end-user data they submit. Platform Partners are responsible for:

• Providing appropriate privacy notices to their end users disclosing the use of third-party content moderation infrastructure
• Obtaining any legally required consent for processing personal data through Meridian
• Ensuring that the data submitted to Meridian is collected and shared in compliance with applicable law, including data protection regulations such as the GDPR, CCPA, and equivalent frameworks
• Implementing appropriate data security measures on their own systems
• Responding to end-user rights requests relating to data held within their own systems

Meridian provides data processing agreements (DPAs) to Platform Partners subject to applicable data protection law requirements. Contact legal@meridian.ai to request a DPA.

Depending on your jurisdiction, you may have certain rights with respect to personal data held by Meridian.

For Platform Partners (as account holders), these rights may include:

• Access: Request a copy of personal account data we hold
• Correction: Request correction of inaccurate account data
• Deletion: Request deletion of your account and associated data, subject to legal retention obligations
• Portability: Request transfer of your account data in a machine-readable format
• Objection: Object to certain processing activities

For End Users of platforms powered by Meridian: Because Meridian processes end-user data on behalf of Platform Partners, requests to exercise data rights with respect to content submitted for classification should be directed to the Platform Partner operating the platform you use. We will assist Platform Partners in fulfilling verified end-user rights requests where technically feasible. To exercise rights relating to Meridian account data, contact: privacy@meridian.ai

Meridian's core Service is an API and does not operate a consumer website with tracking-based advertising. If you interact with Meridian's developer portal or documentation site, limited session and functional cookies may be used to maintain authenticated sessions and improve usability.

We do not use cross-site tracking cookies, third-party advertising pixels, or behavioral profiling technologies on our developer-facing properties. Analytics, if used, are limited to aggregate, non-identifying usage metrics.

We may update this Privacy Policy to reflect changes in our data practices, legal requirements, or product capabilities. When we make material changes, we will notify Platform Partners via email or prominent notice in the developer portal, with reasonable advance notice where practicable.

The "Effective Date" at the top of this Policy indicates when the current version took effect. Continued use of the Service after an updated Policy is posted constitutes acceptance of the changes.

For questions about this Privacy Policy, data processing arrangements, or to submit a privacy rights request, contact: meridianprivacy@irisai.foundation