Privacy Policy
Introduction & Data Controller
Meridian Finance Ltd ("we", "us", "our") operates the Meridian Cards platform. We are committed to protecting your personal data and handling it responsibly, transparently, and in compliance with the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (Regulation (EU) 2016/679, "EU GDPR").
This Privacy Policy explains what personal data we collect when you use Meridian Cards, why we collect it, how we use and protect it, and what rights you have over it.
Data Controller:
Meridian Finance Ltd
England and Wales (registration pending)
Contact: privacy@themeridian.cards
If you have questions about how we handle your data, please contact our Data Protection Officer (DPO) using the details in the "Contact & Data Protection Officer" section at the end of this policy.
Data We Collect
We collect the following categories of personal data:
Account & Identity Data
- Email address: Required to create and access your account via magic link authentication.
- Name: Optionally provided by you in your account profile.
- Account creation date and last login timestamp.
Technical & Device Data
- IP address: Collected at sign-in and when making API requests, used for security and fraud prevention.
- Browser and device information: User-agent string, operating system, browser type (where applicable).
- Session tokens: Stored as SHA-256 hashes — we never store plaintext authentication tokens.
Financial & Transaction Data
- Wallet balance and funding history: Records of USDC deposits and conversions to fiat.
- Card data: Cards created, spending limits set, card status, and last 4 digits of card numbers. Full card numbers are managed by Stripe and never stored in Meridian's own databases.
- Transaction history: Merchant name, transaction amount, date, currency, and outcome for each card transaction.
- USDC wallet addresses: Blockchain addresses used to fund your account (not linked to off-chain identity by us).
Usage & Interaction Data
- API and MCP requests: Logs of API calls made, including the tool/action called, timestamp, and response status (not full request/response bodies).
- Service interactions: Which features you use, error events, and performance metrics.
We do not collect: your full payment card number (handled by Stripe), passwords (we use magic links only), or biometric data.
How We Use Your Data
We use your personal data for the following purposes:
- Service provision: To create and manage your account, issue virtual cards, process transactions, and operate the MCP server on your behalf.
- Authentication: To verify your identity via magic link and maintain secure sessions.
- Billing: To calculate and collect applicable fees, maintain financial records, and provide transaction histories.
- Fraud prevention & security: To detect suspicious activity, prevent unauthorised access, enforce spending limits, and comply with AML/KYC obligations.
- Analytics & improvement: To understand how the Service is used, identify bugs, and improve features. We use aggregated or anonymised data where possible.
- Legal compliance: To meet our obligations under financial services regulation, tax law, and applicable data protection law.
- Communications: To send you service-related emails (magic links, transaction alerts, policy updates). We do not send marketing emails without your explicit consent.
Legal Basis for Processing
We process your personal data on the following legal bases under Article 6 UK/EU GDPR:
- Contract performance (Article 6(1)(b)): Processing your email address, transaction data, and card data is necessary to provide the Service you've signed up for. Without this data, we cannot operate your account.
- Legal obligation (Article 6(1)(c)): We retain financial transaction records as required by HMRC regulations and applicable financial services law. We may share data with law enforcement as required by court order or applicable law.
- Legitimate interests (Article 6(1)(f)): We process IP addresses and device data to detect fraud, improve security, and maintain service integrity. We have conducted legitimate interests assessments to confirm these interests are not overridden by your rights.
- Consent (Article 6(1)(a)): Where we wish to send you marketing communications or process optional data (such as profile information), we will seek your explicit consent. You may withdraw consent at any time.
Data Sharing
We do not sell your personal data. We share data only as necessary with trusted service providers who help us operate the Service:
| Provider | Purpose | Data shared |
|---|---|---|
| Stripe, Inc. | Virtual card issuance, payment processing | Email, transaction data, card lifecycle events |
| Circle Internet Financial | USDC receipt and conversion to fiat | USDC wallet address, deposit amounts |
| Vercel, Inc. | Website and API hosting | IP address, request logs (transient) |
All data processors are bound by Data Processing Agreements that comply with UK/EU GDPR requirements. They may only use your data for the specific purposes we have authorised and must implement appropriate security measures.
We may also share data:
- With law enforcement, regulators, or courts when required by law or a valid legal order.
- With fraud prevention services to investigate suspicious activity.
- With professional advisers (solicitors, accountants) under confidentiality obligations.
- In connection with a merger, acquisition, or sale of all or part of our business, in which case we will notify you in advance.
Data Retention
We retain your personal data for as long as necessary to provide the Service and meet our legal obligations:
- Account data (email, profile): Retained for the duration of your account, plus 6 years after account closure (to meet financial record-keeping obligations).
- Transaction records: Retained for 7 years from the date of the transaction, as required by HMRC and financial services regulations.
- Security and fraud logs (IP addresses, session events): Retained for 12 months.
- API request logs: Retained for 90 days (rolling).
- Marketing consent records: Retained for 3 years from the date of consent or until withdrawn.
After the applicable retention period, data is securely deleted or anonymised so it can no longer be linked to you.
Your Rights Under GDPR
You have the following rights regarding your personal data. To exercise any of these rights, please contact us at privacy@themeridian.cards. We will respond within 30 days.
| Right | What it means |
|---|---|
| Access | You can request a copy of the personal data we hold about you (a "Subject Access Request"). |
| Rectification | You can ask us to correct inaccurate or incomplete personal data. |
| Erasure | You can ask us to delete your personal data ("right to be forgotten"), subject to legal retention requirements. |
| Portability | You can request your data in a structured, machine-readable format, or ask us to transfer it directly to another provider. |
| Restriction | You can ask us to stop processing your data (while keeping it) in certain circumstances. |
| Objection | You can object to processing based on legitimate interests or for direct marketing (which is always honoured). |
| Withdraw consent | Where processing is based on consent, you may withdraw consent at any time, without affecting prior processing. |
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority, at ico.org.uk. If you are an EU resident, you may also contact your local supervisory authority.
Cookies
We keep cookie use to a minimum. Our website uses only:
- Session cookie: A single, essential cookie that maintains your authenticated session. This cookie is set with the HttpOnly, Secure, and SameSite=Strict attributes, so it is not readable by scripts, is only sent over HTTPS, and is not sent on cross-site requests. It is deleted when you close your browser, and the session it identifies expires after 30 days of inactivity.
We do not use:
- Tracking or analytics cookies (no Google Analytics, Hotjar, or similar).
- Advertising or retargeting cookies.
- Third-party cookies on our main website.
Because we only use one strictly necessary cookie, we do not display a cookie consent banner. If we ever introduce non-essential cookies, we will update this policy and implement appropriate consent mechanisms.
Our API and MCP endpoints are stateless and do not use cookies at all — they authenticate via bearer tokens.
International Transfers
Some of our service providers are based outside the UK and EEA, which means your data may be transferred internationally:
- Stripe, Inc. is headquartered in the United States. Transfers to Stripe are protected by the European Commission's Standard Contractual Clauses (SCCs), with the ICO-approved UK Addendum covering transfers from the UK, and Stripe participates in the UK-US Data Bridge.
- Vercel, Inc. is headquartered in the United States. We use Vercel's European data centre where possible, and data transfers are covered by SCCs.
- Circle Internet Financial operates internationally. Transfers are covered by SCCs and equivalent UK safeguards.
In all cases, we ensure that adequate safeguards are in place to protect your data to the same standard as required under UK/EU GDPR. You may request copies of the relevant transfer mechanisms by contacting us.
Security Measures
We take the security of your personal data seriously and implement the following technical and organisational measures:
- Encryption in transit: All data transmitted between your browser/client and our servers is encrypted using TLS 1.2 or higher (HTTPS enforced with HSTS).
- Encryption at rest: Sensitive data stored in our databases is encrypted at rest using industry-standard algorithms.
- Token hashing: Magic link sign-in tokens are hashed using SHA-256 before storage. We never store plaintext authentication tokens.
- No passwords: We do not use passwords, so there is no password database to steal. Magic-link and session tokens are the only credentials, and only their hashes are stored.
- Card data isolation: Full card numbers and CVVs are managed entirely by Stripe and are never stored in Meridian's systems. We only store the last 4 digits for reference.
- Access controls: Internal access to production data is restricted on a need-to-know basis, with audit logging.
- Incident response: In the event of a personal data breach, we will notify the ICO within 72 hours of becoming aware of it, and notify you without undue delay where the breach is likely to result in a high risk to your rights and freedoms, as required by law.
No system is completely secure. If you discover a security vulnerability, please report it responsibly to security@themeridian.cards.
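The token-hashing measure above is worth seeing concretely. The following is an added illustration, not Meridian's own code: it issues a magic-link token, stores only its SHA-256 hash, and verifies a presented token by hashing it and looking the hash up. The in-memory store, the 15-minute expiry window, and the function names are assumptions for the example. Two points a practitioner would check: a plain SHA-256 is adequate here (unlike for passwords) only because the token is 256 bits of CSPRNG output that cannot be guessed or brute-forced, and a magic link sent by email is itself a bearer credential, so it should be single-use and short-lived, which the example enforces.

```python
# Added example (not Meridian's code): magic-link tokens stored only as SHA-256 hashes.
# The store layout, TTL and function names are assumptions for illustration.
import hashlib
import secrets
import time
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed: a magic link is valid for 15 minutes


def hash_token(token: str) -> str:
    """SHA-256 of the token. A fast, unsalted hash is acceptable here because the
    token is 256 bits of random data, not a low-entropy user-chosen password;
    an attacker holding the hash would need a SHA-256 preimage to use it."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_token(store: Dict[str, dict], email: str, now: Optional[float] = None) -> str:
    """Create a single-use magic-link token for `email`. Only the hash is stored;
    the plaintext token is returned once for inclusion in the emailed link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 32 random bytes = 256 bits of entropy
    store[hash_token(token)] = {
        "email": email,
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def redeem_token(store: Dict[str, dict], presented: str, now: Optional[float] = None) -> Optional[str]:
    """Return the email bound to a valid, unexpired, unused token, else None.
    The lookup is by hash, so a leaked store entry cannot be replayed: presenting
    the stored hash itself is hashed again and will not match."""
    now = time.time() if now is None else now
    record = store.get(hash_token(presented))
    if record is None:
        return None
    if record["used"] or now > record["expires"]:
        return None
    record["used"] = True  # single use: a second click or a replayed link is rejected
    return record["email"]


if __name__ == "__main__":
    db: Dict[str, dict] = {}
    link_token = issue_token(db, "user@example.com")
    print("stored:", list(db))            # only the hash appears
    print("first use:", redeem_token(db, link_token))
    print("replay:", redeem_token(db, link_token))
```

The same pattern applies to the session and API bearer tokens the policy describes: the server keeps the hash, the client holds the plaintext, and verification is a hash-and-lookup rather than a comparison against a stored secret.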
Children
The Service is intended for adults aged 18 and over. We do not knowingly collect personal data from anyone under the age of 18.
If you believe a child has provided us with personal data, please contact us at privacy@themeridian.cards and we will delete it promptly.
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the "Last updated" date at the top of this page. We will give at least 30 days' notice before material changes take effect.
For minor clarifications that do not change your rights or how we use your data, we may update the policy without specific notice.
We encourage you to review this policy periodically. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.
Contact & Data Protection Officer
For any questions about this Privacy Policy, to exercise your rights, or to raise a data protection concern, please contact us:
- Privacy enquiries: privacy@themeridian.cards
- Data Protection Officer (DPO): dpo@themeridian.cards
- General support: support@themeridian.cards
- Website: themeridian.cards
We will acknowledge your request within 5 business days and respond fully within 30 days. If we require an extension (for complex requests), we will notify you within the initial 30-day period.
If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO):
- Website: ico.org.uk/make-a-complaint
- Helpline: 0303 123 1113