Privacy Policy

Last updated: 2026-06-03

Beta posture. Meridian is currently in a public, open-ended beta. The Starter tier is free; Plus and Pro² are previewed but not currently offered for sale. Subscription, billing, and payment-related data flows described below are not currently active for Plus or Pro²; they apply when those tiers open at General Availability. We do not collect card details, Stripe subscription identifiers, or billing addresses while no tier is offered for purchase.

1. Who we are

Meridian is operated by INSIGHTS-2, a sole-proprietorship registered in Singapore (UEN 53523643C), trading as Insights² (“we”, “us”, “our”). Our principal place of business is 21 Hazel Park Terrace, #1-7, Hazel Park Condominium, Singapore 678946. We are the data controller for personal data collected through the Meridian platform at meridian.insights-2.com. For GDPR / UK-GDPR purposes we are the controller; for CCPA / CPRA we are a “business”.

Contact a human

  • General & privacy: hello@insights-2.com
  • Data Protection Officer (PDPA s.11): Mark Cunningham, routed via the address above.
  • EU representative (GDPR Art. 27): To be appointed. Until then please contact us directly using the address above.
  • UK representative (UK-GDPR Art. 27): To be appointed. Same fallback as above.

2. What personal data we collect

From you, when you sign up and use Meridian

  • Account information: name, email address, hashed password (provided via Supabase Auth, our authentication provider).
  • Subscription & billing: tier, subscription status, and Stripe customer / subscription identifiers. Card details are handled by Stripe and never reach our servers.
  • Project content: Business Case Canvas inputs (project names, business questions, audience descriptions, success criteria, stakeholder inputs, failure modes, data inputs, delivery timelines).
  • Dashboard screenshots: images you upload for assessment.
  • Bug reports: when you use the in-app bug-report widget — title, description, page URL, screenshot, browser user-agent, timestamp.
  • Waitlist: first name, last name, email, company name, and an optional project description if you join the Pro² waitlist.

Automatically

  • Usage data: assessment counts, project counts, and feature usage — used to enforce tier limits and detect abuse.
  • Vercel Analytics: page views, referrer, country (derived from IP — full IP not retained), device class, URL paths.
  • Server & rate-limit logs: standard request logs (HTTP method, status, timestamp, user-agent, request path) plus Upstash rate-limit counters keyed on IP or user identifier.
  • Session cookies: Supabase Auth session cookies (HttpOnly, Secure). No advertising cookies.

CCPA / CPRA categories

For California residents we collect: Identifiers (name, email, account ID, IP), Commercial information (subscription tier, transaction history via Stripe), Internet or other electronic network activity (analytics events, usage data), and Inferences (assessment scores derived from your uploaded content). We do not collect sensitive personal information beyond authentication credentials. We may also use project canvas content for AI model quality assurance and product improvement purposes — see Section 3.

3. Why we use it (purposes)

  • To provide and improve the assessment and certification service.
  • AI model quality and product research (human review). We may periodically review a sample of project canvas content to evaluate and calibrate the accuracy of our AI assessment models, and to understand how users are using the platform so we can improve it. This review is conducted by our team (currently the founder). Content reviewed for this purpose is treated as confidential and is not shared externally. You may object to this use at any time by emailing hello@insights-2.com — your right to use the platform is not affected.
  • To create and maintain your account, authenticate you, and enforce tier limits.
  • To process subscription payments (via Stripe) and issue receipts.
  • To communicate with you about your account, waitlist status, security incidents, and product updates.
  • To monitor and prevent fraud, abuse, and security incidents.
  • To meet our legal, accounting, and regulatory obligations in Singapore and any jurisdiction in which we have a customer.

4. Lawful basis (GDPR / UK-GDPR / PDPA)

If GDPR or UK-GDPR applies to you, we rely on the following Article 6 lawful bases, stated per purpose:

  • Service provision & account management: performance of a contract with you (Art. 6(1)(b)).
  • Billing: performance of a contract (Art. 6(1)(b)) and compliance with tax / accounting law (Art. 6(1)(c)).
  • Analytics & product improvement: your consent (Art. 6(1)(a)) for analytics where required, otherwise our legitimate interests (Art. 6(1)(f)) in operating and improving the platform.
  • AI model calibration and human content review: legitimate interests (Art. 6(1)(f)) in ensuring the accuracy and quality of our AI assessment models. We have conducted a balancing assessment and concluded our interest is not overridden by users' rights, given the closed-beta context, the confidential treatment of reviewed content, and users' right to object under Art. 21(1).
  • Security & abuse prevention: legitimate interests (Art. 6(1)(f)) in keeping the platform secure, balanced against your rights and freedoms.
  • Legal & tax compliance: compliance with a legal obligation (Art. 6(1)(c)).

If PDPA applies, we rely on consent (deemed or express) or one of the exceptions in the PDPA First and Second Schedules where consent is not required.

5. Subprocessors

We do not sell your personal data and we do not share it for cross-context behavioural advertising. We do use the following service providers, who process your data on our instructions under written agreements (we maintain a current list and will keep it accurate as the platform evolves):

  • Supabase (Supabase Inc., US/SG region) — authentication, user management, PostgreSQL database, and bug-report screenshot storage. Supabase privacy policy.
  • Vercel (Vercel Inc., US) — hosting, edge runtime, deployment, and Vercel Analytics.
  • Anthropic (Anthropic PBC, US) — primary AI vision provider. Dashboard screenshots and prompt context are sent via API for assessment.
  • OpenAI (OpenAI OpCo, LLC, US) — alternative AI vision provider, available when selected.
  • Google (Google LLC, US) — alternative AI vision provider (Gemini), available when selected.
  • Stripe (Stripe Payments Singapore Pte. Ltd. and affiliates) — payment processing, subscription management, and customer portal. Stripe is the processor for card data; we never see card numbers.
  • Resend (Resend Inc., US) — transactional email (account confirmation, password reset, billing notices).
  • Upstash (Upstash Inc., US/SG region) — Redis for rate limiting and short-lived caching.
  • GitHub (GitHub, Inc., US) — bug reports submitted via the in-app widget are converted into GitHub Issues for engineering triage.

We will also disclose personal data when required by law, to enforce our Terms, to detect or prevent fraud, or with your explicit consent. Written data-processing agreements (or equivalent) with each subprocessor are available on request.

6. Dashboard screenshots and AI vendor processing

When you upload a dashboard screenshot for assessment, the image is sent in real time to the selected AI provider (Anthropic by default; OpenAI or Google if chosen). The assessment result is returned and stored against your project; the screenshot is not permanently stored on our servers after processing.

You are responsible for ensuring uploaded content does not contain personally identifiable information you don't have authority to share. We strongly recommend redacting customer names, employee identifiers, and any sensitive figures before uploading.

AI vendor data-handling stance (please verify the current statements at the linked source before relying on them):

If you do not want any of these vendors to process your content, please do not upload it. Choosing not to use the assessment feature does not affect your access to other parts of the platform. If any vendor materially changes its data-handling stance, we will update this page promptly and notify active users by email.

7. International transfers

Our subprocessors are global. Personal data therefore leaves Singapore and may be processed in the United States, the European Union, the United Kingdom, or elsewhere. We rely on:

  • PDPA s.26: contractual undertakings ensuring a comparable standard of protection.
  • GDPR Chapter V: the European Commission's Standard Contractual Clauses (June 2021 version) included in our subprocessors' data processing addenda; or, where available, an applicable adequacy decision.
  • UK-GDPR: the ICO's International Data Transfer Agreement or the UK Addendum to the EU SCCs.

Copies of the relevant transfer mechanisms are available from us on request.

8. Data retention

  • Account data is retained while your account is active.
  • Project data (canvas, assessment results, history) is retained while your account is active.
  • Dashboard screenshots are not permanently stored after assessment processing.
  • Bug-report screenshots are stored in our Supabase Storage bug-reports bucket and remain until the corresponding GitHub issue is closed and the bucket is rotated (no longer than 12 months).
  • Waitlist submissions are retained until processed or until you request removal.
  • Billing & tax records are retained for 7 years from the relevant transaction date to meet IRAS income-tax and GST recordkeeping obligations (Singapore Income Tax Act, s.67).
  • Server / rate-limit logs: 90 days, then rotated.
  • On account termination or service discontinuation, uploaded content and project data are deleted within 30 days, except where retention is required by tax, accounting, or other applicable law. See the Termination & Service Discontinuation clause in our Terms of Service.

9. Your rights

Wherever you are, you can ask us to:

  • Tell you what personal data we hold about you and provide a copy (right of access).
  • Correct anything inaccurate or incomplete (rectification).
  • Delete your personal data and account (erasure). Account deletion is also available self-serve in your Settings page.
  • Stop or restrict processing.
  • Withdraw consent at any time without affecting the lawfulness of processing before the withdrawal.
  • Receive your project data in a portable, machine-readable format.
  • Object to processing carried out on the basis of legitimate interests.

We do not engage in solely-automated decision-making that produces legal or similarly significant effects. Assessment scores are AI-generated guidance to inform your decisions, not automated decisions about you.

How to exercise these rights: email hello@insights-2.com. We respond within 30 days of receiving a verifiable request, and we will not discriminate against you for asking.

Right to complain:

  • Singapore: Personal Data Protection Commission — pdpc.gov.sg.
  • EU: your local supervisory authority, or the lead authority via our EU representative once appointed.
  • UK: Information Commissioner's Office — ico.org.uk.
  • California: California Privacy Protection Agency / California Attorney General.
  • Australia: Office of the Australian Information Commissioner — oaic.gov.au.

10. Do Not Sell or Share my Personal Information (CCPA)

We do not sell personal data and we do not share it for cross-context behavioural advertising as those terms are defined under the California Consumer Privacy Act (Cal. Civ. Code § 1798.140).

We honour the Global Privacy Control (GPC) signal: if your browser sends a GPC header, we treat it as a request to opt out of any future sale or sharing. You can also opt out of analytics manually by setting the no_track flag, as described in our Cookies Policy.

11. Cookies

We use a small number of cookies and equivalent local-storage entries:

  • Essential — Supabase Auth session cookies (HttpOnly, Secure) for authentication and session management. Without these you cannot stay signed in.
  • Functional — sidebar state and limited UI preferences in browser local storage.
  • Analytics: Vercel Analytics, which is cookieless and writes nothing to your device. We run it on the basis of our legitimate interests (Art. 6(1)(f)) in operating and improving the platform, consistent with Section 4. We do not use advertising or cross-site tracking cookies. You can opt out at any time by setting the no_track flag or sending a Global Privacy Control (GPC) signal: see our Cookies Policy for how.

The full list, with retention, is on our Cookies Policy page.

12. Children

Meridian is intended for adult business users. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided personal data, email hello@insights-2.com and we will delete it.

13. Changes to this policy

We may update this policy from time to time. The “Last updated” date at the top of the page reflects the latest version. For material changes that adversely affect your rights, we will give at least 30 days' notice on this page and via email or in-app notification before the change takes effect.

14. Contact

For any privacy enquiry — access, correction, deletion, complaint, or general questions — email hello@insights-2.com. We aim to acknowledge within two business days and respond substantively within 30 days.

INSIGHTS-2 (UEN 53523643C)
21 Hazel Park Terrace, #1-7, Hazel Park Condominium
Singapore 678946