Meridian
Privacy Policy
Effective date: March 2026 · Last updated: March 2026
Meridian is a personal cognitive health tracker. Your data is stored on your own
server instance and is never sold or shared with advertisers.
1. What Meridian Collects
Meridian collects the following information when you use it:
- Account information — your display name and date of birth (used to determine age-group baselines). No email address is required.
- AI usage events — platform name (e.g. ChatGPT, Claude), session duration, interaction complexity, topics detected, timestamp, and device type (desktop / mobile).
- Device & browser — the browser extension reads which AI tool website is active and for how long. It does not read the content of your prompts or responses.
- Usage patterns — derived metrics such as cognitive score, dependency percentage, streak days, and rumination clusters. These are computed server-side from your usage events.
Meridian does not collect: prompt text, AI responses, browsing history outside tracked AI platforms, location, contacts, or payment information.
2. How Your Data Is Stored
- All data is stored in your own Railway-hosted server instance (or self-hosted server), in local JSON/JSONL files under a configurable data directory.
- Passwords are hashed using bcrypt and never stored in plain text.
- API access is protected by signed JWT tokens (HS256). Tokens expire and must be re-issued via login.
- No data is written to third-party analytics platforms, advertising networks, or data brokers.
3. How Your Data Is Used
- To compute your daily cognitive health score and usage statistics shown on the dashboard.
- To generate AI-powered weekly summaries and pattern detection insights. These requests are sent to the Anthropic API (claude-opus-4-6 model) using only your anonymised usage log — no account identifiers or prompt text are included in agent requests.
- To send you local push notifications (mobile) or browser notifications (extension) when usage thresholds are exceeded. Notifications are generated on-device / in-extension; no notification content is sent to external servers.
4. Third-Party Services
No other third-party services receive your data.
5. Data Retention and Deletion
Your data is retained for as long as your account exists on the server. You can delete all your data at any time:
- Via the API — send DELETE /api/users/{your_user_id} with your auth token. This permanently removes your profile, all interaction history, and all agent results.
- Self-hosted — delete the contents of your DATA_DIR directory.
There is no account recovery after deletion.
6. Children's Privacy
Meridian is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child has provided data through Meridian, contact us and we will delete it.
7. Your Rights
Depending on your jurisdiction, you may have the right to access, correct, or delete the personal data Meridian holds about you. Because all data is stored on your own server, you have direct access to it at all times. To exercise any rights, use the deletion endpoint above or contact us.
8. Changes to This Policy
We may update this policy as Meridian evolves. The "Last updated" date at the top of this page will reflect any changes. Continued use of Meridian after changes are posted constitutes acceptance of the updated policy.
9. Contact
If you have questions about this privacy policy, open an issue at the project repository or reach out via the contact details provided in the app store listing.