Privacy Policy

1. Who We Are and Scope

Meridian Voyager CRM (the "Service") is a cloud-based customer relationship and donor management platform available at https://voyager.meridian-group.ai. The Service is operated by Meridian Group (operated by AllianceOptimal LLC), a company organized under the laws of the State of Delaware, USA ("Meridian," "we," "us," or "our").

This Privacy Policy explains how we collect, use, disclose, and protect information in connection with (a) the Service itself and (b) marketing interactions such as our website, emails, and other communications we send to prospective or existing customers. By using the Service, you agree to the practices described in this policy.

Customers who use the Service to manage their own contacts, donors, and records are referred to as "Customer" throughout this policy. The individuals whose data Customers store in the Service (for example, a nonprofit's donors or a small business's leads) are referred to as "End Users."

2. Information We Collect

(a) Account Data

When a Customer creates an account, we collect the account holder's name, email address, and a securely hashed password. We do not store passwords in plain text. Customers may also provide optional profile information such as an organization name and contact details.

(b) Customer Data

The Service allows Customers to import and store records about their own contacts, donors, giving history, projects, and related information ("Customer Data"). Meridian acts as a data processor with respect to Customer Data: the Customer remains the data controller and determines the purposes and means of processing. We process Customer Data only as directed by the Customer and as described in this policy and in our Terms of Service.

(c) Payment Data

Subscription billing is handled by Stripe, Inc. When a Customer subscribes to a paid plan, payment information (such as credit or debit card numbers) is collected directly by Stripe and is subject to Stripe's own privacy policy. We receive only a tokenized reference and summary billing metadata (such as the last four digits of a card and the expiration date). We do not store full payment card numbers on our servers.

(d) Google Calendar Data

Customers may optionally connect their Google account via OAuth to enable the scheduling and booking features. When connected, we access free/busy availability information and calendar events solely to display available appointment times to visitors and to write confirmed bookings to the calendar the user selects. The scope of data accessed is limited to what is necessary for these functions.

(e) Usage, Device, and Log Data; Cookies

When you access the Service, our servers automatically record standard log information, including your IP address, browser type and version, operating system, referring URLs, pages viewed, and timestamps. We also use cookies and similar technologies to maintain your session, remember preferences, and analyze aggregate usage patterns. You can configure your browser to decline cookies; some features of the Service may not function as expected if cookies are disabled.

3. Google API Limited Use Disclosure

Meridian Voyager CRM's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

In plain language: Meridian Voyager CRM connects to Google Calendar only when you explicitly authorize us via OAuth. We use Google Calendar data solely to power the scheduling and booking feature: specifically, to read free/busy information so we can display open appointment slots to your visitors, and to write confirmed bookings to the calendar you select. We do not use Google Calendar data for advertising. We do not sell it. We do not transfer it to third parties except as strictly necessary to provide the scheduling feature, with your consent, or as required by law. No Meridian employee or contractor reads your Google Calendar data except with your consent, for security or abuse investigation purposes, to comply with applicable law, or in aggregated and anonymized form that does not identify you. You can disconnect your Google account at any time from within the Service settings, and upon disconnection we permanently delete the associated OAuth tokens.

4. How We Use Information

We use the information we collect for the following purposes:

• To create and maintain your account and provide the Service to you.
• To process billing and manage your subscription through Stripe.
• To provide the scheduling and booking feature using your Google Calendar data.
• To send transactional emails such as booking confirmations, password reset links, and workspace invitation notices.
• To monitor and analyze aggregate usage patterns in order to improve and develop the Service.
• To detect, investigate, and prevent security incidents, fraud, or abuse.
• To comply with legal obligations and enforce our Terms of Service.
• To communicate with you about updates, new features, or service announcements.

Legal Bases (for EU/EEA Users under GDPR)

Where the General Data Protection Regulation (GDPR) applies, we process personal data on the following legal bases: (i) performance of a contract, when processing is necessary to deliver the Service you have subscribed to; (ii) legitimate interests, when we analyze aggregate usage or maintain the security of the Service, provided those interests are not overridden by your rights; (iii) your consent, for Google Calendar access and for optional marketing communications (you may withdraw consent at any time); and (iv) compliance with a legal obligation, when required by applicable law.

5. How We Share Information

We do not sell personal information. We share information only in the limited circumstances described below.

Subprocessors

We engage the following categories of third-party service providers ("subprocessors") to help us operate the Service. Each subprocessor is bound by data protection obligations consistent with this policy:

• Vercel, Inc. (hosting and edge infrastructure)
• Neon, Inc. (managed PostgreSQL database)
• Stripe, Inc. (payment processing and subscription billing)
• Google LLC (Google Calendar API, used for scheduling and booking features)
• SMTP email provider (transactional email delivery, such as booking confirmations and workspace invitations)

Legal and Safety Disclosures

We may disclose information if we believe in good faith that doing so is necessary to comply with applicable law, respond to a valid legal process (such as a subpoena, court order, or government request), protect the rights, property, or safety of Meridian, our customers, or the public, or to detect and prevent fraud or security incidents.

Business Transfers

If Meridian is involved in a merger, acquisition, financing, reorganization, or sale of all or substantially all of its assets, information we hold may be transferred as part of that transaction, subject to the acquiring party honoring the commitments in this policy or providing notice to affected users.

6. Data Retention and Security

Retention

We retain account data and Customer Data for as long as the Customer's account is active or as needed to provide the Service. When a Customer terminates their account, we provide a data export window as described in our Terms of Service, after which we delete Customer Data from our active systems. We may retain anonymized or aggregated data for analytical purposes. Certain information may be retained for longer periods when required by law.

Google Calendar OAuth tokens are deleted immediately upon disconnection of the integration. Stripe payment tokens and billing records are retained as required for tax and accounting purposes, typically for seven years.

Security

We implement administrative, technical, and physical safeguards to protect information against unauthorized access, disclosure, alteration, or destruction. These measures include encryption of data in transit using TLS and encryption of data at rest. Access to production systems and Customer Data is restricted to authorized personnel on a need-to-know basis and is governed by access control policies. While we take these measures seriously, no system is completely secure, and we cannot guarantee the absolute security of your information.

7. Your Rights

General Rights

Subject to applicable law, you may have the right to access the personal information we hold about you, to request correction of inaccurate information, to request deletion of your information, to request a portable copy of your data, and to object to or restrict certain processing activities. To exercise these rights, contact us at privacy@meridian-group.ai.

GDPR Rights (EU/EEA Residents)

If you are located in the European Union or European Economic Area, you have the following rights under the GDPR: the right of access (Article 15), the right to rectification (Article 16), the right to erasure (Article 17), the right to restriction of processing (Article 18), the right to data portability (Article 20), the right to object (Article 21), and rights related to automated decision-making and profiling (Article 22). You also have the right to lodge a complaint with your local supervisory authority.

California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources from which it was collected, the purposes for collecting it, and the categories of third parties with whom we share it.
• Right to Delete: You may request that we delete personal information we have collected about you, subject to certain exceptions.
• Right to Correct: You may request correction of inaccurate personal information we maintain about you.
• Right to Opt-Out: You have the right to opt out of the sale or sharing of your personal information. Meridian does not sell or share personal information as those terms are defined under the CCPA/CPRA, so there is nothing to opt out of with respect to selling or sharing.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.

To submit a request under the CCPA/CPRA, contact us at privacy@meridian-group.ai. We will respond within the timeframes required by applicable law.

8. Controller and Processor Roles

With respect to the personal information of a Customer's own End Users (for example, the donors or contacts stored in a nonprofit's workspace), the Customer is the data controller and Meridian acts as a data processor operating under the Customer's instructions. End Users who wish to exercise data rights with respect to information stored by a Customer should direct those requests to the Customer directly. We will assist Customers in fulfilling verifiable End User requests to the extent we are able as processor, consistent with our legal obligations.

9. Children's Privacy

The Service is not directed to children under the age of 13 (or under the age of 16 for users in the European Union). We do not knowingly collect personal information from children below these ages. If we learn that we have inadvertently collected such information, we will take steps to delete it promptly. If you believe we have collected information from a child in violation of this policy, please contact us at privacy@meridian-group.ai.

10. International Data Transfers

Meridian is based in the United States. If you are accessing the Service from outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Service, you acknowledge this transfer. Where required by applicable law, we rely on appropriate transfer mechanisms (such as the EU Standard Contractual Clauses) to facilitate lawful cross-border data transfers.

11. Cookies

The Service uses session cookies to keep you signed in and functional cookies to remember your preferences (such as display theme). We do not currently use advertising or cross-site tracking cookies. You may manage cookie preferences through your browser settings. Disabling session cookies will prevent you from remaining signed in to the Service.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will post the revised policy on this page and update the "Last updated" date above. If changes are material, we will provide notice via email or a prominent notice within the Service at least 14 days before the changes take effect. Your continued use of the Service after the effective date of the updated policy constitutes your acceptance of the changes.

13. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at: