Effective Date: Mar 22, 2026 · Last Updated: Mar 27, 2026
CCPA Compliant · GDPR Compliant · California Privacy Rights
The short version: Meridian is a travel journal app. We collect your journal entries, photos, and location data to power the app. We do not sell your personal information to anyone. You can request deletion of your data at any time. When you delete your account, all your data is permanently and immediately deleted with no recovery period.
1. Who We Are
Meridian ("we," "us," or "our") is a mobile application that lets you document your travels through journal entries, photos, and maps. The app is developed and operated by Vineet Antil, located in San Francisco, California, United States.
For the purposes of the General Data Protection Regulation (GDPR), we are the data controller of your personal information. For the purposes of the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), we are the business responsible for your personal information.
If you have any questions about this Privacy Policy, please contact us at: support@meridianjournal.world
2. Information We Collect
2.1 Information You Provide Directly
Account information: When you create an account with email and password, we collect your email address and the display name you choose. If you sign in with Google, we receive your display name and email address from your Google account.
Home city: During onboarding, you may search for and set your home city. This search is powered by Google Places API. We store the city name and its coordinates as provided by Google Places. We do not collect your street address or precise home GPS coordinates.
Journal entries: Text, notes, titles, and descriptions you write within the app.
Photos: Images you upload from your device's photo library. We process EXIF metadata (including GPS coordinates and timestamps) embedded in photos to automatically tag entries with location information. EXIF data is extracted at the time of upload and stored as structured location data; we do not store raw EXIF bytes indefinitely.
Travel dates and itineraries: Trip names, dates, and organizational information you create.
Place information: Names, addresses, and coordinates of locations you pin, search for, or associate with entries.
2.2 Location Information
Location data is sensitive. We collect precise GPS coordinates when you tag a journal entry with a location. A record of your travel history — where you were and when — is built over time through your use of the app. You control whether to share location and may disable location access in your device settings at any time.
Precise location (GPS): Collected when you explicitly tag an entry with your current location, with your permission via iOS location permissions.
Home city: A city-level location you provide during setup by searching via Google Places API. This is city-level only, not a street address or precise coordinate.
Place searches: When you search for a place or city to tag, your search query is sent to Google Places API to return results.
Offline map regions: If you download an offline map, the geographic boundaries of that region are stored locally on your device and tile requests are made to Mapbox servers.
Photo EXIF location: GPS coordinates embedded in photos you upload are extracted to auto-tag journal entries. You can disable location tagging on photos at the device level before uploading.
2.3 Device and Technical Information
Device type, operating system version, and app version
Anonymous device installation ID (generated by Mapbox SDK; contains no personally identifying information)
IP address (processed by our infrastructure providers as part of normal server operations; we do not implement additional logging beyond what our infrastructure providers collect by default)
Crash reports and performance diagnostics via Expo EAS
2.4 Information from Third-Party Sign-In
If you choose to sign in with Google, we receive the following information from Google with your permission:
Your display name as set in your Google account
Your Google account email address
We do not receive your Google password, contacts, calendar, or any other Google account data. This information is used solely to create and identify your Meridian account.
2.5 Subscription and Payment Information
If you subscribe to Meridian Pro, payment is processed entirely by Apple through the App Store. We do not receive or store your payment card details, billing address, or any raw payment information.
We receive the following subscription-related information via RevenueCat, our subscription management provider:
Subscription status (active, expired, cancelled, in trial)
Apple transaction IDs associated with your purchases
An anonymous app user ID used to link your subscription to your Meridian account
Subscription product identifier (e.g., annual Pro plan)
This information is used solely to determine whether Meridian Pro features should be active for your account. We do not use it for advertising or share it beyond what is described in this policy.
2.6 Information We Do Not Collect
We do not access your device camera directly — photos must be selected from your existing photo library.
We do not collect payment card numbers, billing addresses, or financial account information — payments are processed by the Apple App Store.
We do not collect biometric data, government IDs, or financial account numbers.
We do not collect your street address or precise home GPS coordinates — home location is city-level only.
3. How We Use Your Information
Purpose | Information Used
Provide and operate the app | Account info, journal entries, photos, location data
Display maps and location features | GPS coordinates, place searches, offline map regions
Set and display home city | City name and coordinates from Google Places API search
Sync your data across devices | All content you create, via PowerSync and Supabase
Auto-tag journal entries with location from photos | EXIF GPS data extracted from uploaded photos
Enable journal entry sharing between users | Shared entry content, visible only to the designated recipient with a Meridian account
Authenticate your account | Email and password, or Google account display name and email
Manage subscription and unlock Pro features | Subscription status and transaction metadata from RevenueCat
Send account-related communications | Email address (transactional only — receipts, renewal notices, and account communications; no marketing emails)
Improve app performance and fix bugs | Crash reports and device diagnostics via Expo EAS
Comply with legal obligations | As required by applicable law
We do not use your personal information for automated decision-making or profiling that produces legal or similarly significant effects. We do not use your data for targeted advertising.
4. Legal Bases for Processing (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data under the following legal bases:
Contract performance (Article 6(1)(b)): Processing necessary to provide the Meridian service — creating and syncing journal entries, displaying maps, managing your account, enabling entry sharing, managing your subscription, and setting your home city.
Legitimate interests (Article 6(1)(f)): Improving app performance through crash diagnostics, preventing fraud, and maintaining security, where these interests are not overridden by your rights.
Legal obligation (Article 6(1)(c)): Where we are required to process data to comply with applicable law.
Consent (Article 6(1)(a)): For precise GPS location access, which you grant through iOS location permission prompts and may withdraw at any time in your device settings.
5. Third-Party Services
Meridian integrates the following third-party services. Each receives certain information as part of delivering app functionality:
Service | Provider | Purpose | Data Shared | Privacy Policy
Database & Authentication | Supabase | Storing and syncing journal data; account authentication including Google Sign-In | Account info, journal entries, photos, location records, home city |
We do not allow these third parties to use your information for their own marketing purposes. Each provider acts as a data processor on our behalf (GDPR) or a service provider (CCPA), bound by appropriate data processing agreements.
Infrastructure providers including Supabase may collect server access logs (including IP addresses) as part of their standard operations. We do not implement additional server-side logging beyond what these providers collect by default.
6. How We Share Your Information
We do not sell, rent, or trade your personal information to third parties. We share your information only in the following limited circumstances:
Service providers: As described in Section 5 above, with third-party services that help us operate the app.
Other Meridian users (with your action): When you choose to share a journal entry with another user, that entry becomes visible to the designated recipient. See Section 7 for full details.
Legal requirements: When required by law, court order, or government authority, or when necessary to protect our rights, property, or the safety of our users.
Business transfers: If Meridian is acquired, merged, or its assets are transferred, your information may be transferred as part of that transaction. We will notify you via email or prominent in-app notice before your information becomes subject to a different privacy policy.
With your consent: For any other purpose, only with your explicit consent.
We do not sell personal information. This applies to all categories of personal information, including precise geolocation data. As required by CCPA/CPRA, we disclose this explicitly.
7. Journal Entry Sharing
Meridian allows you to share individual journal entries with other Meridian users. Here is how this feature works and what it means for your data:
Recipient must have a Meridian account: Shared entries are only accessible to users who have a Meridian account. The shared link cannot be viewed by anyone without an authenticated Meridian account.
Delivery: When you share an entry, the recipient receives a link visible in their Meridian notifications and received links section.
Your control: You retain full control over shared entries. You may stop sharing an entry at any time, which immediately revokes access for the recipient.
Account deletion and shared content: If you delete your account, all of your journal entries — including those you have shared — are permanently and immediately deleted from our systems.
No copies stored separately: We do not create separate copies of shared entries. The shared link references your original entry. Deletion of the entry or your account removes the underlying data entirely.
8. Data Retention
We retain your personal information for as long as your account is active. Specifically:
Journal entries, photos, and location data: Retained until you delete them individually or delete your account.
Account information: Retained for the duration of your account.
Subscription data: Subscription status and transaction metadata are retained for as long as your account exists and for a reasonable period thereafter to comply with legal and financial record-keeping obligations.
Account deletion: When you delete your account through the app, all of your personal data — including journal entries, photos, location data, home city, and account information — is permanently and immediately deleted from our systems. There is no recovery period.
Infrastructure provider logs: Supabase and other infrastructure providers may retain server access logs according to their own retention policies. Please refer to the privacy policies in Section 5 for their specific retention practices.
Shared entry links: When your account is deleted, all shared entry links become immediately inaccessible and the underlying data is deleted, as described in Section 7.
9. Security
We take reasonable technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
Encryption of data in transit using TLS
Encryption of data at rest within our Supabase database
Row-level security in our database ensuring users can only access their own data
Authentication controls through Supabase Auth including secure password hashing and session management
Shared journal entries are access-controlled and require an authenticated Meridian account to view
However, no method of transmission or storage is 100% secure. If you believe your account has been compromised, please contact us immediately at support@meridianjournal.world.
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and applicable supervisory authorities as required by GDPR (within 72 hours) and applicable U.S. state law.
10. Children's Privacy
Meridian is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@meridianjournal.world and we will delete the information promptly.
If you are located in the EEA, the relevant age threshold is 16 (or the applicable age of digital consent in your country). If you are located in California, we comply with the Children's Online Privacy Protection Act (COPPA).
11. Your Rights Under GDPR
If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights regarding your personal data:
Right of Access: You may request a copy of the personal data we hold about you.
Right to Rectification: You may correct inaccurate or incomplete personal data at any time within the app or by contacting us.
Right to Erasure: You may delete your account at any time through the app. All data is immediately and permanently deleted with no recovery period.
Right to Restriction: You may request that we restrict processing of your data in certain circumstances.
Right to Data Portability: You may request your data in JSON and/or CSV format. Contact us and we will provide an export of your journal entries, location data, and account information within 30 days.
Right to Object: You may object to processing based on legitimate interests. You may withdraw location consent at any time via iOS Settings.
Right to Withdraw Consent: Where processing is based on consent (such as location access), you may withdraw it at any time in your device settings without affecting prior processing.
Right to Complain: You may lodge a complaint with your local data protection authority at any time.
To exercise any of these rights, please contact us at support@meridianjournal.world. We will respond within 30 days. We may need to verify your identity before fulfilling your request.
12. Your Rights Under CCPA / CPRA (California)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you the following rights:
12.1 Categories of Personal Information Collected
In the preceding 12 months, we have collected the following categories of personal information as defined by CCPA:
Identifiers: Email address, display name (from account creation or Google Sign-In), anonymous device ID, anonymous app user ID (RevenueCat)
Geolocation data (sensitive): Precise GPS coordinates tagged to journal entries, photo EXIF location data, and home city (city-level only)
Commercial information: Subscription status and Apple transaction IDs processed via RevenueCat
Internet or other electronic network activity: App usage diagnostics, crash reports, IP address (processed by infrastructure providers)
Photos and other electronic data: Photos you upload from your photo library, journal entry text content
Inferences: Travel patterns derived from your location history within the app
12.2 Your California Rights
Right to Know: You may request that we disclose what personal information we have collected about you, the sources, the purposes for collection, and the third parties with whom we share it.
Right to Delete: You may delete your account at any time through the app. All personal information is immediately and permanently deleted. For requests submitted by email, we will complete deletion within 45 days.
Right to Correct: You may request correction of inaccurate personal information we hold about you.
Right to Opt Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioral advertising. No opt-out action is required, but you may contact us to confirm.
Right to Limit Use of Sensitive Personal Information: We collect precise geolocation data, classified as sensitive personal information under CPRA. We use it only to provide core app functionality — mapping, journal geotagging, and place search. We do not use it for any secondary purpose.
Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
12.3 How to Submit a Request
To exercise your California rights, contact us at support@meridianjournal.world with the subject line "California Privacy Request." We will respond within 45 days. We may extend this period by an additional 45 days with notice.
You may designate an authorized agent to submit requests on your behalf. We may require verification of the agent's authorization.
13. International Data Transfers
Meridian is operated from the United States. If you are located in the EEA, UK, or another jurisdiction with data transfer restrictions, your personal information is transferred to and processed in the United States.
We rely on the following transfer mechanisms:
Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our agreements with Supabase and other processors
Adequacy decisions where applicable
By using Meridian, you acknowledge that your information may be transferred to the United States, which may have different data protection rules than your country.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
Update the "Last Updated" date at the top of this page
Notify you via email (if you have provided one) or via a prominent in-app notice
For significant changes affecting how we use your sensitive data (especially location), we will seek your renewed consent where required by law
Your continued use of Meridian after the effective date of the updated policy constitutes your acceptance of the changes.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
The Meridian Team
Email: support@meridianjournal.world
Location: San Francisco, California, United States
For GDPR-related requests, please include "GDPR Request" in the subject line.
For CCPA-related requests, please include "California Privacy Request" in the subject line.
For data export requests, please include "Data Export Request" in the subject line.