Last updated: March 17, 2026
Meridian Blue, Inc. ("we," "us," or "the Company") is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, store, share, and protect your information when you use the Meridian Blue platform and services ("Our Service").
This policy applies to all users of Our Service, whether accessed through our website, API, or any other means. By using Our Service, you acknowledge that you have read and understood this Privacy Policy. For details on your contractual relationship with us, please see our User Agreement.
The data controller responsible for your personal data is:
Meridian Blue, Inc.
Email: [email protected]
We have appointed a Data Protection Officer (DPO) who can be contacted regarding any data protection matters:
Data Protection Officer
Email: [email protected]
When you create a Meridian Blue account, we collect:
When you use Our Service, we automatically collect:
Meridian Blue operates a zero-data-retention architecture for prompt and response content. Your API requests (prompts) and model responses are processed transiently in memory and are not stored in any long-term Meridian Blue system. We do not use your prompts or responses to train any models. For more details, see our Security page.
Our website uses only essential cookies required for the functioning of the site. We do not use third-party advertising cookies or cross-site tracking. You may manage cookie preferences through your browser settings.
We use the information we collect for the following purposes:
(a) Service Delivery: To create and manage your account, process API requests, route traffic to upstream providers, and deliver Our Service.
(b) Billing and Payments: To calculate usage, generate invoices, process payments, and prevent billing fraud.
(c) Security and Fraud Prevention: To detect, prevent, and respond to security incidents, abuse, and unauthorized access.
(d) Service Improvement: To analyze aggregated, anonymized usage patterns to improve performance, reliability, and features.
(e) Communication: To send transactional emails (account verification, billing receipts, security alerts) and, with your consent, product updates and marketing communications.
(f) Legal Compliance: To comply with applicable legal obligations, respond to lawful requests, and protect our legal rights.
We process your personal data on one or more of the following legal bases under Article 6(1) of the General Data Protection Regulation (GDPR):
(a) Contract Performance (Art. 6(1)(b)): Processing necessary to perform our contract with you, including account registration, service delivery, billing, and customer support.
(b) Legitimate Interests (Art. 6(1)(f)): Processing necessary for our legitimate interests, such as fraud prevention, service security, analytics, and service improvement, provided these interests are not overridden by your rights and freedoms.
(c) Consent (Art. 6(1)(a)): Where we process data based on your consent (such as marketing communications), you may withdraw your consent at any time.
(d) Legal Obligation (Art. 6(1)(c)): Processing necessary to comply with applicable legal obligations, including tax, accounting, and regulatory requirements.
When you make an API request, we route your request to the upstream AI model provider you selected (e.g., Anthropic, OpenAI, Google, Meta, Mistral). Your prompt data is transmitted to these providers to generate a response. Each provider's data handling is governed by that provider's own terms and privacy policies. We configure all provider integrations to disable training on your data wherever available.
We use third-party payment processors to handle billing. Your payment information is transmitted directly to these processors and is not stored on our systems.
We use cloud infrastructure providers to host Our Service. All data is encrypted in transit and at rest.
We do not sell, rent, or trade your personal data to third parties for advertising or marketing purposes.
Account data is retained for the duration of your account. Upon account deletion, your data is permanently erased or anonymized within thirty (30) days.
Usage logs (API metadata, not prompt content) are retained for a maximum of ninety (90) days for security and fraud prevention, after which they are automatically purged.
Prompt and response data is never stored. It is processed transiently in memory and discarded immediately upon request completion.
Billing records are retained as required by applicable tax and accounting legislation.
Our Service may involve the transfer of personal data outside the European Economic Area (EEA). Where such transfers occur, we ensure appropriate safeguards are in place in accordance with Chapter V of the GDPR, including:
(a) Transfers to countries with an adequacy decision from the European Commission (Art. 45 GDPR);
(b) Standard Contractual Clauses (SCCs) adopted by the European Commission (Art. 46(2)(c) GDPR), supplemented by additional technical and organisational measures where necessary;
(c) Binding Corporate Rules where applicable (Art. 47 GDPR).
You may request a copy of the relevant safeguards by contacting our DPO.
Under the GDPR, you have the following rights with respect to your personal data. You may exercise these rights at any time by contacting us at [email protected]:
Right of Access (Art. 15): Obtain confirmation of whether we process your data and request a copy.
Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
Right to Erasure (Art. 17): Request deletion of your data where it is no longer necessary for its original purpose.
Right to Restriction (Art. 18): Request restriction of processing in certain circumstances.
Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing.
Right Regarding Automated Decision-Making (Art. 22): Not be subject to decisions based solely on automated processing that produce legal effects.
Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
We will respond to all valid requests within one (1) month, with a possible extension of up to two additional months for complex requests.
We implement appropriate technical and organisational measures to protect your personal data, including:
For a detailed overview of our security practices, please visit our Security page.
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within seventy-two (72) hours of becoming aware of the breach (Art. 33 GDPR). Where the breach is likely to result in a high risk, we will also notify affected individuals without undue delay (Art. 34 GDPR).
Our Service is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, please contact us at [email protected] and we will promptly delete it.
We may update this Privacy Policy from time to time. We will notify you of material changes at least thirty (30) days in advance via email or in-service notification. Your continued use of Our Service after the changes take effect constitutes acceptance of the updated policy.
If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement (Art. 77 GDPR).
If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us:
Privacy Inquiries
Email: [email protected]
Data Protection Officer
Email: [email protected]