Privacy Policy

Last updated: 21 May 2026

1. Who We Are

Meridian Data Ltd is the data controller for personal data processed in connection with the Meridian Data platform ("Service"). If you have questions about how we handle your data, contact us at privacy@meridiandata.co.uk.

2. Data We Collect

Account data: When you sign up, we collect your name, email address, and organisation name. This is handled by Clerk (our authentication provider) and stored securely.

Usage data: We record API call counts, endpoints accessed, and timestamps to enforce rate limits, detect abuse, and generate your usage reports. This data is stored in Supabase.

Saved preferences: Dashboard filter preferences and saved queries you create are stored against your account in Supabase to enable cross-device sync.

Billing data: Payment and subscription information is handled by Stripe. We do not store card details on our systems. We receive and store subscription status, plan tier, and billing email.

Technical data: Server logs may capture IP addresses, browser type, and request timestamps for security and debugging purposes. These are retained for up to 30 days.

3. How We Use Your Data

  • To provide, maintain, and improve the Service
  • To authenticate you and manage your account
  • To enforce plan limits and detect fraudulent or abusive usage
  • To send transactional emails (account creation, billing, alerts)
  • To comply with legal obligations

We do not sell, rent, or share your personal data with third parties for marketing purposes.

4. Personal Data in Our Published Datasets

Meridian Data aggregates UK public-sector data — including FCA enforcement notices, His Majesty's Courts & Tribunals Service records, NHS performance data, Companies House filings, government contract notices, and local authority roadworks permits — and republishes it in structured, queryable form for compliance, legal, and commercial-intelligence professionals.

Some of this data contains personal data about identifiable individuals — for example, the names of regulated individuals named in FCA Final Notices, defendants named in published court judgments, or company officers listed at Companies House. Each record is sourced from a public register or official publication originally released by a UK government body, regulator, or court.

Lawful basis for processing this data:

  • Legitimate interests (UK GDPR Art. 6(1)(f)): Our customers — compliance teams, law firms, journalists, and analysts — have a legitimate interest in efficient access to regulatory and judicial records. We have weighed this against the rights of data subjects and concluded the processing is proportionate, given the data is already publicly available and routinely consulted as part of due-diligence work.
  • Public-interest task / freedom of expression (UK GDPR Art. 17(3)(a)–(b)): Where the underlying record forms part of the public regulatory or judicial record, processing it for journalistic, academic, archiving, or public-interest purposes is supported by the exemptions in Article 17(3).

Sources we draw from: the FCA Final Notices register, HMCTS published judgments, NHS England statistics, Companies House, Contracts Finder / Find a Tender, and local-authority street-works registers. We do not gather data from non-public sources and we do not enrich records with private information.

Special-category data: We do not knowingly process special-category personal data (health, religious belief, sexual orientation, etc.). Where a published record incidentally contains such data — for example a court judgment mentioning a defendant's medical condition — we will remove or redact the special-category element on request.

If you appear in one of our datasets and would like to exercise your rights, see Section 11 below or visit our data-subject requests page.

5. Personal Data We Process for B2B Outreach

To grow Meridian Data we contact compliance, legal, and operations professionals at UK businesses who may benefit from our products. Where we identify a potential business contact (for example, a compliance officer at a regulated firm), we may process:

  • Their name and job title, sourced from public registers (Companies House, FCA Register, public professional profiles) or business directories.
  • A predicted work email address, derived either from the employer's published email-address pattern or from third-party business-data services (see Section 9, Hunter.io).
  • A record of contact history with us — email sent, delivered, opened, replied to, bounced, or unsubscribed.

Lawful basis: our legitimate interests in business development (UK GDPR Art. 6(1)(f)), together with the "soft opt-in" and B2B provisions of the Privacy and Electronic Communications Regulations 2003 (PECR) for the email send itself. We only contact recipients in a business-to-business capacity at a work email address. We identify ourselves clearly in every message and provide a one-click unsubscribe link.

Retention: contact records are retained for up to 12 months from the date of last activity. Records of recipients who have unsubscribed or asked not to be contacted are retained on an indefinite suppression list, so we don't contact them again.

Your rights: if you do not wish to be contacted, reply "unsubscribe" to any outreach email or write to privacy@meridiandata.co.uk. You may also exercise the access, rectification, and erasure rights set out in Section 11.

6. Legal Basis for Processing (UK GDPR)

Contract: Processing your account and usage data is necessary to perform our contract with you.

Legitimate interests: Security monitoring, fraud prevention, service improvement, and republishing public-sector records for compliance and journalistic use (see Section 4).

Public-interest task / freedom of expression: Republishing matters of public record, as supported by UK GDPR Article 17(3) (see Section 4).

Legal obligation: Retaining transaction records for HMRC compliance.

Consent: Optional analytics cookies, where applicable.

7. Cookies

We use strictly necessary cookies to manage your authenticated session. These cannot be disabled without breaking the Service.

We may also use optional analytics cookies to understand aggregate usage patterns. You can accept or decline these via the cookie banner when you first visit. You can change your preferences at any time by clearing your browser cookies and revisiting the site.

We do not use advertising or tracking cookies.

8. Data Retention

Account data is retained for as long as your account is active, plus 90 days after termination (to allow for account reactivation or dispute resolution), after which it is deleted.

API usage logs are retained for 13 months for billing and audit purposes.

Server access logs are retained for 30 days.

9. Third-Party Processors

We use the following sub-processors to deliver the Service. Each has signed a data processing agreement (DPA) with us, and where personal data is transferred outside the UK we rely on the UK Addendum to the EU Standard Contractual Clauses (or an applicable adequacy decision).

  • Clerk (US, with EU residency available) — authentication and identity management. Receives: account email and name, password hash, multi-factor-authentication secrets, session tokens, sign-in IP address.
  • Supabase (EU West, Ireland) — primary database and file storage. Holds: customer account records, usage logs, saved queries and preferences, and the published-dataset records (which include personal data sourced from UK public registers).
  • Vercel (US, with global edge network) — application hosting and edge delivery. Receives: HTTP request metadata (IP address, user agent, request path) for routing and security. Does not persist application data.
  • Stripe Payments UK Ltd (UK, with US group affiliates) — subscription and payment processing. Receives: customer name, billing email, billing address, payment method. Card details are tokenised within Stripe; we never see card numbers (Stripe is PCI-DSS Level 1 certified).
  • Resend (US) — transactional and outbound email delivery. Receives: recipient email address, sender and subject line, email body, and delivery telemetry (opens, clicks, bounces) retained for up to 30 days.
  • Hunter.io (France) — email-pattern detection for B2B outreach research (see Section 5). Receives: company domain names submitted for lookup. Returns the inferred email-address pattern used by that organisation. We do not transmit any individual's personal data to Hunter.

This list reflects all current sub-processors. We will update this section when we add, remove, or replace a processor; material changes will be notified via the "Last updated" date and, where appropriate, by email or in-product notice.

10. International Transfers

Some of our processors operate in the United States. Where data is transferred outside the UK, we ensure appropriate safeguards are in place (Standard Contractual Clauses or adequacy decisions).

11. Your Rights

Under UK GDPR, every individual whose personal data we process has rights. The way we respond depends on whether you are a Meridian Data customer (we hold account data about you) or a data subject who appears in one of our published datasets (we have republished data about you from a public source).

If you are a Meridian Data customer you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate data
  • Request erasure of your data (subject to legal retention obligations)
  • Restrict or object to processing
  • Data portability (receive your data in a structured, machine-readable format)
  • Withdraw consent at any time (where processing is consent-based)

If you appear in one of our published datasets (for example you are named in a published FCA Final Notice, court judgment, or Companies House record that we republish), you have the right to:

  • Access: ask us what records mentioning you we hold.
  • Rectification: ask us to correct factual inaccuracies. Where we can verify the correction against the source, we will update the record.
  • Erasure / objection: ask us to remove your personal data from our datasets or stop processing it. We will weigh each request against the public-interest, freedom-of-expression and archiving exceptions in UK GDPR Article 17(3).

When we receive an erasure or objection request from someone named in a public-record dataset, we apply the following balancing test, in writing, before responding:

  • Is the underlying record still published at source (e.g. still on the FCA register, still in HMCTS published judgments)? If yes, we will normally keep the record and direct you to the source; the source publication, not us, is what makes the record findable.
  • Has the record been removed, redacted, anonymised, or formally expunged at source? If yes, we will remove our copy.
  • Is the record materially inaccurate, out of date, or misleading without context? If yes, we will correct, add context, or remove it.
  • Are there compelling personal grounds (for example a documented safety risk) that outweigh the public interest in continued processing? If yes, we will remove or restrict the record.

To exercise any of these rights, please use our data-subject requests page or email privacy@meridiandata.co.uk directly. We will acknowledge your request within 5 working days and respond substantively within 30 days, as required by UK GDPR.

If you are unhappy with how we have handled your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

12. Security

We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS), encryption at rest, access controls, and regular security reviews. No system is completely secure, and we cannot guarantee absolute security.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or in-product notice. The "Last updated" date at the top of this page reflects the most recent revision.

14. Contact

Data-subject requests (access, correction, erasure): meridiandata.co.uk/privacy-requests

Data protection queries: privacy@meridiandata.co.uk

General: hello@meridiandata.co.uk
