Privacy Policy

1. Introduction

Meridian Legal Technologies Inc. ("Meridian," "we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website (meridianlegal.ca) and our AI-powered embeddable chat widget platform (collectively, the "Service").

Meridian is a B2B SaaS provider that delivers AI-powered chat widgets to Canadian immigration law firms. Our Service enables law firm clients to deploy conversational AI on their websites to assist visitors with immigration-related inquiries. This Privacy Policy covers personal information we collect from two categories of users:

• Law Firm Clients: Organizations and individuals who subscribe to and manage Meridian's platform
• End Users: Website visitors who interact with the Meridian widget deployed on law firm websites

Please read this Privacy Policy carefully. If you do not agree with our policies and practices, please do not use our Service. By accessing or using Meridian, you acknowledge that you have read, understood, and agree to be bound by all the terms of this Privacy Policy.

2. Information We Collect

We collect information in several ways to provide, improve, and protect our Service. The types of information we collect depend on how you interact with Meridian.

2.1 Information From Law Firm Clients

When you register for a Meridian account or subscribe to our Service, we collect the following information:

• Account Information: First name, last name, email address, phone number, job title, and firm name
• Billing Information: Billing name, billing address, postal code, and payment method details (processed through our Third-Party Payment Processor)
• Company Information: Firm name, firm address, firm size, practice areas, and legal jurisdiction
• Communication Preferences: Email subscription preferences, notification settings, and communication frequency
• Usage Information: Your interactions with the Meridian dashboard, including login history, API usage, and feature adoption

2.2 Information From End Users (Website Visitors)

When website visitors interact with a Meridian widget deployed on a law firm's website, we collect the following information:

• Conversation Data: The full text of conversations between the visitor and our AI, including questions about immigration matters
• IP Address and Network Information: The visitor's IP address and general location (city-level, not precise coordinates)
• Device Information: Browser type, operating system, device type, screen resolution, and device identifiers
• Interaction Metadata: Timestamp of interaction, duration of conversation, widgets visited, and user engagement metrics
• Language Preference: Browser language setting and selected interface language
• Behavioral Data: Pages visited before and after widget interaction, referring domain, and navigation patterns

2.3 Information Collected Automatically

We automatically collect certain information about your device and how you interact with the Service:

• Analytics Data: Usage patterns, feature engagement, session duration, feature adoption rates, and conversion metrics
• Log Data: Server logs including IP addresses, access times, pages requested, HTTP status codes, and error messages
• Cookie Data: Information stored in cookies and similar tracking technologies (see Section 9 for details)
• Performance Data: System performance metrics, API response times, and error tracking for Service reliability
• Security Data: Failed login attempts, suspicious activities, and security event logs

2.4 Information From Third Parties

We may receive information about you from third-party service providers:

• From Third-Party Payment Processor: Payment verification data, transaction history, and payment method validation (name, last four digits of card, billing address)
• From AI Subprocessors: Feedback on AI model performance and conversation quality metrics used to improve our Service
• From Infrastructure Provider: Infrastructure analytics, security event logs, and performance metrics
• From Law Firm Clients: Information about their end users that may be shared in the context of their use of our Service

2.5 Sensitive Information

Meridian does not intentionally collect sensitive personal information such as health information, racial or ethnic origin, religious beliefs, sexual orientation, criminal history, or biometric data. However, because our Service handles immigration-related inquiries, conversations may incidentally contain sensitive information disclosed by end users. We treat such information with appropriate care and security measures (see Section 5).

3. How We Use Information

We use the information we collect for various lawful purposes, always in accordance with Canadian privacy laws and with your consent where required.

3.1 Service Delivery and Improvement

• Provide the Service: To operate the Meridian platform, deploy widgets on law firm websites, and deliver AI-powered responses to end users
• Account Management: To create and maintain your account, manage your subscription, and provide technical support
• Service Improvements: To analyze usage patterns, identify feature requests, optimize performance, and develop new features
• Customization: To tailor the Service to your firm's preferences, branding, and configuration settings

3.2 Payment Processing and Billing

• Process Payments: To charge subscription fees, process refunds, and manage recurring billing
• Manage Subscriptions: To track subscription status, enforce usage limits, and manage tier transitions
• Billing Communications: To send invoices, payment confirmations, and billing-related notices
• Revenue Recognition: To maintain accurate financial records for accounting and tax purposes

3.3 AI Processing and Content Generation

• AI Model Processing: To send conversation data to our Third-Party AI Subprocessor to generate appropriate responses to immigration questions
• Model Improvement: To use anonymized conversation data (with explicit consent) to improve the AI model's accuracy and helpfulness
• Quality Assurance: To monitor AI response quality and identify cases where human legal review may be needed
• Safety and Compliance: To detect and prevent misuse of the AI system, including attempts to circumvent safety guidelines

3.4 Analytics and Usage Tracking

• Usage Analytics: To track conversation volume, engagement metrics, and feature adoption by subscription tier
• Performance Monitoring: To monitor system performance, identify bottlenecks, and optimize infrastructure
• Business Intelligence: To understand user behavior patterns and inform product roadmap decisions
• Benchmarking: To compare your firm's usage against industry standards and similar-sized firms

3.5 Customer Support and Communication

• Technical Support: To troubleshoot technical issues, diagnose problems, and provide customer service
• Transactional Emails: To send password resets, account confirmations, and system notifications
• Marketing Communications: To send newsletters, product updates, and promotional offers (only with your consent)
• Feedback Requests: To gather feedback about your experience with the Service

3.6 Security and Fraud Prevention

• Fraud Detection: To detect, investigate, and prevent fraudulent transactions and account compromise
• Access Control: To verify user identity and enforce proper authorization levels
• Threat Detection: To identify and mitigate security threats, unauthorized access, and malicious activities
• Incident Response: To investigate security incidents and implement remediation measures

3.7 Legal and Regulatory Compliance

• Legal Obligations: To comply with court orders, subpoenas, and lawful government requests
• Regulatory Compliance: To maintain records required by tax authorities and regulatory bodies
• Contractual Obligations: To fulfill our obligations under the Meridian Terms of Service and Data Processing Addendum
• Dispute Resolution: To defend against legal claims and resolve disputes with users

3.8 Aggregated and De-identified Data

We may use aggregated or de-identified information (that cannot be directly associated with you) for research, analytics, marketing, and other business purposes without restriction.

4. Data Sharing

Meridian does not sell, rent, or lease your personal information to third parties for their marketing purposes. However, we do share information with certain service providers and in specific circumstances as described below.

4.1 Data Sharing With Law Firm Clients

If you are an end user interacting with a Meridian widget deployed on a law firm's website, the law firm client who deployed that widget will have access to your conversation data, IP address, browser information, and engagement metrics. The law firm is responsible for disclosing this practice to you and obtaining your consent where required by law.

4.2 Data Sharing With AI Subprocessors

When you or an end user submits a question to the Meridian widget, the conversation text is transmitted to our AI Subprocessor's servers for processing. Our AI Subprocessor may process this data in the United States.

• API Processing: Our AI Subprocessor processes conversation data to generate intelligent responses
• Retention Policy: Our AI Subprocessor retains API request data for up to 30 days for security purposes pursuant to their Data Processing Agreement
• Model Training: Our AI Subprocessor is contractually prohibited from using your data for model training without explicit opt-in consent
• Data Security: Data is encrypted in transit and at rest on the AI Subprocessor's infrastructure

Legal Basis: This sharing is necessary to provide the core functionality of the Service and is covered under the Data Processing Addendum (DPA) executed between Meridian and customers.

4.3 Data Sharing With Third-Party Payment Processor (Payment Processing)

If you are a law firm client, we share your billing information with our Third-Party Payment Processor to process subscription payments.

• Information Shared: Billing name, billing address, postal code, and encrypted payment method details
• Purpose: To charge subscription fees, process refunds, and manage recurring billing
• Retention: Our Third-Party Payment Processor retains transaction data according to their Privacy Policy and PCI DSS requirements
• PCI Compliance: Our Third-Party Payment Processor is PCI DSS Level 1 certified and meets the highest payment security standards

4.4 Data Sharing With Infrastructure and AI Processors

To deliver the Service, Meridian utilizes enterprise-grade cloud infrastructure and advanced third-party artificial intelligence processors.

Your data is securely hosted and processed on distributed, enterprise-grade cloud networks. These providers act strictly as data subprocessors and are legally bound by Data Processing Addendums (DPAs) to maintain security standards equivalent to or exceeding Canadian legal requirements.

Conversation data is transmitted via encrypted API to secure, industry-leading large language model (LLM) providers to generate responses. Our AI subprocessors are strictly prohibited from using your conversation data or client inputs to train their baseline models without your explicit opt-in consent. Data processed by these APIs is retained only for the minimum duration required for security monitoring (typically 30 days) before being permanently deleted.

4.5 Data Sharing for Legal Compliance

We may disclose your personal information if required by law or if we have a good-faith belief that disclosure is necessary to:

• Comply with a court order, subpoena, or other legal process
• Investigate and respond to violations of the Meridian Terms of Service
• Enforce our contracts and protect our legal rights
• Protect the safety, privacy, or security of our users or the public
• Prevent or investigate possible wrongdoing

We will provide notice of such disclosure when legally permissible, except where prohibited by law.

4.6 Data Sharing in Business Transactions

If Meridian is involved in a merger, acquisition, asset sale, bankruptcy, or other business transaction, your personal information may be transferred as part of that transaction. We will notify you of such change and any choices you may have regarding your information.

4.7 Consent-Based Sharing

We may share your information with other third parties when you provide explicit consent to such sharing, such as integrations with third-party tools you authorize.

4.8 No Data Sales or Sharing for Marketing

Meridian does not sell, rent, lease, or share personal information with third parties for their marketing, advertising, or promotional purposes. We do not participate in data broker networks or sell customer lists.

4.9 Subprocessor Changes

Meridian currently engages the following subprocessors for the delivery of its services:

• Third-Party AI Subprocessor: Natural language processing for conversation responses
• Third-Party Infrastructure Provider: Secure cloud hosting, content delivery, and edge computing
• Third-Party Payment Processor: Subscription billing and payment processing

Meridian shall provide law firm clients with no less than thirty (30) days' prior written notice before adding or replacing any subprocessor that processes conversation data or personal information. Such notice shall be provided via email to the Client's registered account email address and shall include:

• The identity of the new subprocessor
• The nature of the processing
• The data protection measures in place

If the Client objects to a new subprocessor, the Client may terminate their subscription without penalty within thirty (30) days of receiving such notice.

5. Data Storage and Security

Meridian implements comprehensive technical, administrative, and physical security measures to protect your personal information from unauthorized access, alteration, disclosure, or destruction.

5.1 Infrastructure and Storage

Hosting: Meridian's platform is hosted on highly secure, geographically distributed cloud infrastructure.

Data Residency: Data is primarily stored and processed in North American data centers.

Compliance: Our infrastructure is designed to assist Canadian legal professionals in complying with provincial Law Society and College of Immigration and Citizenship Consultants (CICC) cloud computing guidelines. All client conversation data is secured using AES-256-GCM encryption at rest and TLS 1.3 encryption in transit.

• Geographic Redundancy: Data is replicated across multiple geographically distributed locations for disaster recovery
• Disaster Recovery: Regular backups are maintained with tested recovery procedures

5.2 Encryption

• At-Rest Encryption: All data at rest is encrypted using AES-256-GCM encryption
• In-Transit Encryption: All data in transit is encrypted using TLS 1.3
• Database Encryption: Database records are encrypted at the application and storage layer
• Key Management: Encryption keys are managed securely with appropriate access controls and rotation policies

5.3 Password Security

• Password Hashing: User passwords are hashed using PBKDF2 with 100,000 iterations and a unique salt per user
• No Plaintext Storage: Passwords are never stored in plaintext and cannot be recovered by Meridian staff
• Password Requirements: We enforce strong password requirements (minimum 12 characters, complexity)
• Password Reset: Forgotten passwords can only be reset through secure email verification

5.4 Access Controls

• Role-Based Access Control: User access is limited based on job function and organizational role
• Principle of Least Privilege: Employees have access only to data necessary for their role
• Multi-Factor Authentication: Admin and sensitive accounts require multi-factor authentication
• Audit Logging: All administrative access is logged and regularly reviewed

5.5 Audit Logging and Monitoring

• Access Logging: All access to personal information is logged with timestamp, user, and action
• Activity Monitoring: Suspicious activities and unauthorized access attempts are detected and investigated
• Security Monitoring: 24/7 monitoring for security threats and intrusion attempts
• Log Retention: Security logs are retained for at least 90 days for forensic analysis

5.6 Employee Training and Confidentiality

• Privacy Training: All employees receive privacy and data protection training
• Confidentiality Agreements: Employees sign confidentiality agreements prohibiting unauthorized disclosure
• Vendor Management: Third-party service providers are contractually bound to maintain data security
• Background Checks: Staff with access to sensitive data are subject to background checks

5.7 Security Reviews and Assessments

• Periodic Audits: Regular security audits and assessments are conducted by internal and external parties
• Vulnerability Testing: Penetration testing and vulnerability scanning are performed regularly
• Incident Response: A documented incident response plan is maintained and tested regularly
• Security Updates: Software is kept current with the latest security patches

5.8 Data Breach Notification

In the event of a confirmed security breach involving personal information that poses a real risk of significant harm (RROSH) as defined under PIPEDA, Meridian shall notify affected law firm clients within seventy-two (72) hours of confirming the breach. Notification shall include:

• The nature and scope of the breach
• The categories of personal information affected
• Measures taken to contain the breach
• Recommended steps for the Client to mitigate potential harm
• Contact information for Meridian's privacy officer

This notification timeline is designed to enable law firm clients to fulfill their own regulatory obligations to notify affected individuals, the Office of the Privacy Commissioner of Canada, and any applicable provincial privacy commissioners or Law Society regulatory bodies.

5.9 Limitations of Security

While we implement strong security measures, no security system is completely impenetrable. Meridian cannot guarantee absolute security of your information. If you have any concerns about the security of your personal information, please contact our Privacy Officer at the contact information provided in Section 14.

6. Data Retention

We retain personal information only for as long as necessary to provide the Service, comply with legal obligations, and resolve disputes. Retention periods vary based on data type and subscription tier.

6.1 Conversation Data

Retention of conversation data between end users and the Meridian widget depends on the law firm's subscription tier:

• Starter Plan: Conversation data retained for 7 days
• Professional Plan: Conversation data retained for 30 days
• Enterprise Plan: Conversation data retained for 90 days
• Custom Retention: Enterprise customers may negotiate custom retention periods (up to 1 year)

After the retention period expires, conversation data is automatically and permanently deleted from our systems.

6.2 Law Firm Account Data

• Active Accounts: Account information is retained for the duration of the subscription
• Closed Accounts: Account information is retained for 30 days after subscription termination to allow for dispute resolution or account recovery
• Backup Copies: Backups containing account data are retained for up to 90 days for disaster recovery purposes

6.3 Billing and Financial Records

• Billing Records: Billing information, invoices, and payment records are retained for 7 years to comply with Canadian tax law and accounting standards
• Tax Compliance: Transaction records are maintained as required by the Canada Revenue Agency (CRA)
• Dispute Resolution: Financial records are retained to resolve disputes and investigate charge-backs

6.4 Analytics and Usage Data

• Aggregated Metrics: Aggregated usage metrics are retained indefinitely for business intelligence and analytics
• User-Level Analytics: Individual user analytics are retained for 12 months then aggregated or deleted
• Session Logs: Detailed session logs are retained for 90 days for technical support and troubleshooting

6.5 Security and Access Logs

• Audit Logs: Administrative access logs are retained for 1 year
• Security Incident Records: Records of security incidents are retained for 3 years for investigation and compliance purposes
• Failed Login Attempts: Failed login attempt logs are retained for 90 days

6.6 Deletion Upon Request

Subject to legal obligations and contractual requirements, you may request deletion of your personal information. We will process deletion requests within 30 days, except where:

• We are required to retain information by law (e.g., tax records for 7 years)
• Information is necessary to resolve disputes or investigate misconduct
• Information is required to protect the rights, privacy, or security of others
• You have active legal holds placed on your account

To request deletion of your information, contact our Privacy Officer (see Section 14).

6.7 Archival and Backups

Even after deletion, your information may exist in backup copies for a limited period. Backup copies are retained for disaster recovery purposes (typically 90 days) and are subject to the same access controls and security measures as production systems.

7. Canadian Privacy Law Compliance

Meridian complies with all applicable Canadian federal and provincial privacy laws. This section outlines our compliance with the key privacy regimes that apply to our business.

7.1 Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA is the federal privacy law governing how private sector organizations collect, use, and disclose personal information in Canada.

• Scope: Meridian complies with PIPEDA for all personal information collection and processing
• Principles: We follow PIPEDA's 10 principles including accountability, identifying purposes, consent, accuracy, safeguards, openness, individual access, and challenging compliance
• Consent: We obtain express consent before collecting sensitive personal information
• Accountability: Meridian designates a Privacy Officer responsible for PIPEDA compliance

7.2 Canada's Anti-Spam Legislation (CASL)

CASL regulates commercial electronic messages (email, SMS, social media) sent to individuals in Canada.

• Consent Requirement: We obtain express or implied consent before sending commercial electronic messages
• Identification: All marketing emails clearly identify Meridian and provide our business address
• Unsubscribe Mechanism: All marketing emails include a clear and functioning unsubscribe mechanism
• Promptness: We process unsubscribe requests within 10 business days
• Transactional Messages: Service-related emails (password resets, billing notices) are exempt from CASL requirements

7.3 Alberta Personal Information Protection Act (PIPA)

Alberta PIPA governs personal information handling by private sector organizations in Alberta.

• Scope: Applies to Meridian's collection and handling of personal information in Alberta
• Individual Rights: Alberta residents have the right to access, correct, and delete personal information
• Consent: We obtain consent consistent with Alberta PIPA requirements

7.4 British Columbia Personal Information Protection Act (BCPIPA)

BC PIPA is similar to Alberta PIPA and governs personal information handling in British Columbia.

• Scope: Applies to Meridian's collection and handling of personal information in British Columbia
• Consent: We obtain consent for collection and use of personal information
• Individual Rights: BC residents may request access to and correction of personal information

7.5 Quebec Law 25 (Loi 25)

Quebec Law 25 modernizes Quebec's privacy law and introduces stricter requirements for personal information handling.

• Scope: Applies to Meridian's collection and handling of personal information in Quebec
• Legitimate Interests: We rely on legitimate interests where appropriate under Quebec law
• Cookies: We obtain consent before placing non-essential cookies (see Section 9)
• Right to Explanation: Quebec residents may request an explanation of automated decision-making
• Data Breach Notification: We notify Quebec's privacy commissioner of significant data breaches

7.6 Law Society Cloud Computing Compliance

Meridian's data architecture is designed to assist lawyers and regulated immigration consultants in complying with provincial Law Society guidelines on cloud computing and data sovereignty, including but not limited to the Law Society of British Columbia's guidance on cloud computing, the Law Society of Ontario's technology guidelines, and the College of Immigration and Citizenship Consultants (CICC) requirements for technology use. Specifically, Meridian provides:

• Data Encryption: AES-256-GCM encryption at rest for all conversation data and uploaded documents
• Encryption in Transit: TLS 1.3 encryption for all data in transit
• Access Controls: Granular access controls ensuring only authorized personnel can access client data
• Audit Logging: Comprehensive audit logging of all data access events
• Data Retention Controls: Data retention controls configurable per subscription tier
• Data Export: Data export capabilities to facilitate regulatory compliance and client file management

Law firm clients retain full control over and responsibility for ensuring their use of Meridian complies with their specific Law Society's cloud computing and technology guidelines.

7.7 Right to Access

Subject to legal exceptions, you have the right to request access to your personal information. We will provide a copy of your information within 30 days of your request. A reasonable fee may be charged for access requests.

7.8 Right to Correction and Rectification

You have the right to request correction of inaccurate personal information. We will update your information within 30 days and notify any third parties who received the inaccurate information (where feasible).

7.9 Right to Deletion

Subject to legal retention requirements, you have the right to request deletion of your personal information. We will delete your information within 30 days unless we have a legal obligation to retain it.

7.10 Right to Withdraw Consent

You may withdraw consent to our collection, use, or disclosure of your personal information at any time. Upon withdrawal, we will cease collecting and using your information going forward (with limited exceptions where we have a legal obligation to continue processing).

7.11 Right to Complain

If you have concerns about Meridian's privacy practices, you have the right to lodge a complaint with the Privacy Commissioner of Canada or the applicable provincial privacy commissioner.

7.12 Privacy Officer Contact

Meridian's Privacy Officer is responsible for receiving and responding to privacy inquiries and complaints. Contact information is provided in Section 14.

8. AI-Specific Disclosures

Meridian's platform uses artificial intelligence to generate responses to immigration-related questions. This section explains how our AI system works and how your data is handled in the context of AI processing.

8.1 AI Model and Technology

• AI Technology: Meridian uses proprietary AI technology powered by industry-leading large language models accessed through secure API integration
• Model Type: Our AI engine uses generative AI models optimized for immigration-related conversational responses
• API Integration: We access AI capabilities through secure, enterprise-grade API integrations
• Model Version: We use the current production version of our AI models as specified in our subprocessor agreements

8.2 AI Subprocessor Disclosure

The identity of our current AI Subprocessors is available to law firm clients upon request and is disclosed as part of our enterprise onboarding process. Meridian maintains strict Data Processing Agreements with all AI Subprocessors that prohibit the use of client data for model training without explicit consent.

8.3 AI Limitations and Disclaimers

Important limitations and disclaimers regarding our AI system:

• Not Legal Advice: AI-generated responses are informational only and do not constitute legal advice. Responses should never be treated as a substitute for consultation with a qualified immigration lawyer
• Accuracy Limitations: The AI may make mistakes, provide outdated information, or misinterpret questions. We recommend human review of AI responses
• No Guarantee of Correctness: Meridian does not guarantee the accuracy, completeness, or appropriateness of AI responses
• Bias and Fairness: AI systems may reflect biases present in training data. We work to minimize bias, but cannot completely eliminate it
• Confidentiality: AI responses may reference general legal principles but should not be relied upon for case-specific confidential advice

8.4 Conversation Data and Model Training

• Subprocessor Policy: According to our AI Subprocessor's Data Processing Agreement, our AI Subprocessor does not use API conversations to train or improve AI models without explicit opt-in
• Opt-In Consent: By default, conversation data is NOT used for model training. Law firms must explicitly consent in their account settings to allow model improvement
• Anonymization: If a law firm opts in to model improvement, conversation data would be anonymized before use in training
• No Sale of Conversations: Meridian does not sell, rent, or share conversation data with subprocessors or third parties for training or improvement purposes without explicit consent

8.5 Data Transmission to AI Subprocessors

When a conversation is submitted to the AI:

• Transmission: The conversation text is transmitted to our AI Subprocessor's servers over an encrypted connection (TLS 1.3)
• Processing Location: Data may be processed on our AI Subprocessor's servers, which may be located in the United States
• Processing Time: Typically processed and deleted within seconds to minutes
• No Long-Term Storage: Our AI Subprocessor does not retain API request data beyond 30 days
• Data Handling Agreement: Meridian has executed a Data Processing Agreement with our AI Subprocessor governing the handling of transmitted data

8.6 Automated Decision-Making

• No Automated Decisions Affecting Rights: Meridian does not use AI to make automated decisions that affect legal rights, benefits, or eligibility
• AI Assists, Does Not Decide: The AI provides information and suggestions, but law firms and end users make their own decisions
• Human Review Available: End users can request human review and clarification of AI-generated responses from the law firm

8.7 Bias Monitoring and Mitigation

• Fairness Testing: We monitor AI responses for potential bias and unfair treatment
• Diverse Input Data: We test the AI with diverse questions and scenarios to identify biased patterns
• Mitigation Measures: We implement prompts and guidelines to reduce biased responses
• Transparency: We clearly disclose AI limitations and potential biases to end users

8.8 Right to Explanation

You have the right to request an explanation of how the AI generated a particular response. We will make reasonable efforts to explain the reasoning behind AI-generated content, though complex AI systems may not provide perfect explainability.

8.9 AI Transparency and Disclosure to End Users

• Clear Disclosure: The Meridian widget clearly discloses to end users that they are interacting with an AI system
• Disclaimer Display: Responses include disclaimers that the AI is not providing legal advice
• Escalation Path: End users can request connection to a human representative

9. Cookies and Tracking

Meridian uses cookies and similar tracking technologies to enhance your experience and gather information about how you use our Service.

9.1 What Are Cookies?

Cookies are small files stored on your device that contain information about your browsing activity. They allow websites to remember your preferences and track your activity over time.

9.2 Essential Cookies

Essential cookies are required for the Service to function properly. They are not subject to consent requirements as they are strictly necessary for service delivery.

• Session Management: Cookies that maintain your login session and remember your authentication status
• Security: Cookies that help prevent unauthorized access and detect suspicious activity
• Preference Storage: Cookies that remember your account settings and preferences
• CSRF Protection: Cookies that prevent cross-site request forgery attacks

9.3 Analytics Cookies

Analytics cookies help us understand how users interact with the Service. These are considered non-essential and require your consent (unless you are in an exempt category).

• Usage Tracking: Cookies that track pages visited, time spent, and features used
• Conversion Tracking: Cookies that measure whether users complete desired actions (e.g., sign-up, purchase)
• Analytics Tools: We use analytics services such as Google Analytics (opt-in only)
• Performance Metrics: Cookies that measure page load time and performance issues

9.4 No Advertising Cookies

Meridian does not use advertising or tracking cookies to profile you for targeted advertising. We do not participate in behavioral advertising networks.

9.5 Cookie Consent Mechanism

Upon first visit to the Meridian website, you will see a cookie consent banner. You may:

• Accept All: Accept essential and analytics cookies
• Reject Non-Essential: Accept only essential cookies
• Manage Preferences: Choose specific cookies to accept or reject

You can change your cookie preferences at any time in the cookie management center (typically accessible via a link in the footer).

9.6 Similar Tracking Technologies

In addition to cookies, we may use similar technologies including:

• Web Beacons: Invisible pixels that track whether certain pages have been viewed
• Local Storage: Browser storage that persists longer than cookies
• Session Storage: Temporary storage used during your browsing session

9.7 Third-Party Cookies

The Meridian website may contain links to third-party services that set their own cookies. Meridian is not responsible for third-party cookies. We recommend reviewing third-party privacy policies.

9.8 Do Not Track Signals

Some browsers include a "Do Not Track" feature. Meridian does not currently respond to Do Not Track signals, but you can disable cookies in your browser settings to limit tracking.

9.9 Cookie Duration

• Session Cookies: Deleted when you close your browser
• Persistent Cookies: Remain on your device for a specified period (typically 12 months)
• Functional Cookies: May remain indefinitely until explicitly deleted

9.10 Disabling Cookies

Most browsers allow you to control cookies through your settings. You can typically:

• Disable all cookies
• Disable cookies from third-party sites
• Delete existing cookies
• Receive a warning before accepting cookies

Note: Disabling essential cookies may impair the functionality of the Service.

10. Children's Privacy

Meridian's Service is not directed to children under the age of 18, and we do not knowingly collect personal information from children under 18.

10.1 Age Restrictions

• Service Availability: Meridian is designed for law firms and adult website visitors only
• Terms of Service: Our Terms of Service require users to be at least 18 years old or the legal age of majority in their jurisdiction
• No Directed Collection: We do not actively collect information from children or market to children

10.2 Parental Involvement

If a parent or guardian believes a child has provided information to Meridian, please contact our Privacy Officer immediately (see Section 14). We will investigate and delete the child's information upon verification of parental consent requirements.

10.3 Parent/Guardian Responsibilities

Parents and guardians are responsible for supervising children's online activities and preventing unauthorized disclosure of personal information.

11. International Data Transfers

While Meridian is a Canadian company and primarily processes data in Canada, our data may be transferred to and processed in the United States or other jurisdictions in certain circumstances.

11.1 Data Processing Locations

• Cloud Infrastructure: Data is primarily processed in North American data centers (Canada and United States)
• AI Processing: Conversation data is transmitted to our AI Subprocessor's servers (which may be located in the United States) for AI processing
• Payment Processing: Payment data is processed through our Third-Party Payment Processor's infrastructure (may include US locations)

11.2 Legal Basis for Transfers

• Necessity: Data transfers to the United States are necessary to provide the Service (AI processing, payment processing)
• Contractual Obligations: Data Processing Addendums with third parties govern international transfers
• Data Protection Standards: Third parties are contractually required to maintain security standards equivalent to Canadian law

11.3 US Legal System Access

Please be aware that data transferred to the United States may be subject to access by US government agencies under US law (including the USA PATRIOT Act). We are not able to prevent such access but will notify you of legal demands where permitted by law.

11.4 Data Localization

For law firms that require data to remain within Canadian borders, Meridian offers Enterprise tier with Canada-only data storage. Contact our sales team for details.

11.5 Compliance With Applicable Laws

All international data transfers comply with PIPEDA, provincial privacy laws, and other applicable Canadian and international data protection laws.

12. Your Rights

Under Canadian privacy laws, you have the following rights regarding your personal information. These rights may vary depending on your province of residence and jurisdiction.

12.1 Right to Access

You have the right to access your personal information. You may request a copy of all personal information Meridian holds about you. We will provide this information in a clear and understandable format within 30 days of your request. A reasonable fee (not to exceed $25-50) may be charged for processing your access request.

How to Request: Contact our Privacy Officer (see Section 14) with your full name and account email address.

12.2 Right to Correction and Rectification

You have the right to correct inaccurate or incomplete personal information. If you identify information that is incorrect, outdated, or incomplete, you may request that we correct it. We will update your information and notify any third parties who received the inaccurate information (where feasible and practicable).

Common Corrections: You can often correct your information directly in your account dashboard (name, email, firm address). For other corrections, contact our Privacy Officer.

12.3 Right to Deletion

You have the right to request deletion of your personal information, subject to legal and contractual exceptions. We will delete your information within 30 days unless:

• We are required to retain it by law (e.g., tax records for 7 years)
• It is necessary to resolve disputes or investigate misconduct
• It is required to protect the rights, privacy, or safety of others
• You have an active legal hold on your account
• It is necessary to comply with contractual obligations

How to Request: Submit a deletion request to our Privacy Officer. We may ask you to verify your identity before processing the request.

12.4 Right to Data Portability

You have the right to receive your personal information in a portable format. We will provide your data in a commonly used, machine-readable format (such as CSV or JSON) that allows you to transfer it to another service. This right applies to information you have provided to us.

What's Included: Account information, billing history, and usage analytics are generally portable. Real-time conversation data and AI-generated responses may be subject to technical limitations.

12.5 Right to Withdraw Consent

You have the right to withdraw consent to our processing of your personal information. This applies to any processing that relies on your consent (such as marketing emails or analytics cookies). Upon withdrawal, we will cease processing your information for that purpose going forward (though prior processing remains valid).

How to Withdraw: You can withdraw consent by:

• Clicking the unsubscribe link in marketing emails
• Changing your privacy preferences in your account dashboard
• Contacting our Privacy Officer with a withdrawal request

12.6 Right to Explain Automated Decision-Making

You have the right to request an explanation of automated decision-making. If Meridian uses automated processes to make significant decisions affecting you, you may request an explanation of the decision and the factors considered.

Note: Meridian does not currently make automated decisions affecting legal rights or benefits. AI responses are informational only and do not determine eligibility for services.

12.7 Right to Complain to Privacy Authorities

You have the right to lodge a formal complaint with Canadian privacy authorities if you believe Meridian has violated your privacy rights.

• Federal Complaints: Privacy Commissioner of Canada (www.priv.gc.ca)
• Alberta: Alberta Information and Privacy Commissioner (www.oipc.ab.ca)
• British Columbia: BC Office of the Information and Privacy Commissioner (www.oipc.bc.ca)
• Quebec: Commission d'accès à l'information du Québec (www.cai.gouv.qc.ca)

12.8 Right to Not Be Discriminated Against

You have the right not to be discriminated against for exercising your privacy rights. Meridian will not deny services, increase fees, or provide inferior service as retaliation for requesting access to, correcting, or deleting your personal information.

12.9 Exercise of Rights

To exercise any of the above rights, contact our Privacy Officer (see Section 14) with:

• Your full name and email address
• A clear description of the right you wish to exercise
• Your preferred contact method for our response

We will acknowledge your request within 5 business days and respond substantively within 30 days (extendable to 60 days for complex requests).

13. Changes to This Policy

Meridian may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We encourage you to review this policy periodically to stay informed about how we protect your information.

13.1 How We Notify You

When we make material changes to this Privacy Policy, we will notify you by:

• Email Notice: We will send an email to the address associated with your account
• Website Notice: We will display a notice on our website for at least 30 days
• Website Banner: We may display a banner alerting you to policy changes
• Effective Date: We will update the "Last Updated" date at the top of this policy

13.2 Your Acceptance

Your continued use of the Service after policy changes become effective constitutes your acceptance of the updated Privacy Policy. If you do not accept the changes, you may discontinue use of the Service and request deletion of your account.

13.3 Significant Changes

For significant changes (such as new data sharing practices or changes to fundamental data handling), we will provide notice at least 30 days in advance and may request explicit consent.

13.4 Archival of Past Policies

We maintain archival copies of previous versions of this Privacy Policy. You may request access to the policy that was in effect at a specific time by contacting our Privacy Officer.

14. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact our Privacy Officer:

Canadian Privacy Authorities

If you wish to lodge a formal complaint about our privacy practices, you may contact the applicable privacy authority:

• Federal (PIPEDA): Privacy Commissioner of Canada, 30 Victoria Street, Gatineau, QC K1A 1H8 | Phone: 1-800-282-1376 | www.priv.gc.ca
• Alberta: Alberta Information and Privacy Commissioner, 9925 109 Street NW, Edmonton, AB T5K 2J8 | www.oipc.ab.ca
• British Columbia: BC Office of the Information and Privacy Commissioner, Complaint Investigation Office, Victoria, BC | www.oipc.bc.ca
• Quebec: Commission d'accès à l'information du Québec, 575 rue Saint-Amable, Quebec, QC G1R 5P1 | www.cai.gouv.qc.ca

Acknowledgment

By using Meridian's Service, you acknowledge that you have read and understood this Privacy Policy and agree to our privacy practices as described herein.

Disclaimer: This Privacy Policy is provided for informational purposes and reflects current privacy practices as of the Effective Date. This policy should be reviewed by legal counsel for your specific jurisdiction and circumstances. Meridian reserves the right to modify this policy at any time in accordance with applicable law.