Privacy Policy

Effective: May 13, 2026

Last updated: May 13, 2026

Meriq ("Meriq," "we," "us," or "our") operates an AI assistance platform that includes chat, deep research, generation, file analysis, and an encrypted Cloud Vault. This Privacy Policy explains, in plain language and in legal terms, what we collect, what we cannot read, how long we keep what we do hold, with whom we share it, and the rights you can exercise.

1. Information We Collect

1.1 Account and profile information

• Email address and account identifiers.
• A salted, slow-hashed representation of your password. We do not store, transmit, or back up your password in plaintext.
• Display name, plan selection, language preference, theme, custom instructions, and other settings you provide.
• For social sign-in, the minimum identifiers your chosen provider returns to confirm who you are (typically an email address and a stable provider user ID).

1.2 Billing and subscription information

• All paid plans, credit packs, and other purchases are processed by Stripe. We do not receive or store your full card number, expiration date, CVV, or bank account number.
• We receive only the billing metadata required to manage your subscription, such as your Stripe customer identifier, subscription status, selected plan, invoice and receipt metadata, last four digits of the card brand presented on receipts, billing email when you provide one, and country code for tax purposes.

1.3 Technical, security, and operational data

• IP address, network classification (residential, datacenter, anonymizer where detectable), user agent, request timestamps, and request metadata required to route, secure, and bill the request.
• Abuse signals such as failed login attempts, rate-limit events, CAPTCHA outcomes, and similar protective telemetry.
• Application audit events for staff and admin actions on the platform, used for security review and incident response.

1.4 Content you choose to provide

• Prompts, conversation transcripts, AI outputs, file uploads, generated images, project documents, saved notes, saved prompts, and any memory entries you choose to keep.
• Account-level configuration that you place inside Custom Instructions, Project Instructions, or Project Memory.

Where your Cloud Vault is enabled, content in this category is stored only in encrypted form. See Cloud Vault Architecture.

1.5 Information we do not collect

• We do not collect biometric data.
• We do not collect precise geolocation data.
• We do not buy data about you from data brokers.
• We do not deploy advertising pixels, third-party behavioral trackers, or session-replay scripts on the Service.

2. How We Use Information

We use the information described above to operate, secure, and improve the Service, to bill paid usage, to communicate with you about your account, and to comply with applicable law.

Category	Purpose	Typical Retention
Account information	Authentication, account management, security notices, support, service communications	For the life of the account, plus a limited period after closure for legal, fraud, and tax obligations
Stripe billing metadata	Subscription management, billing support, fraud prevention, accounting and tax	For the life of the account and for the additional period required by tax and accounting law (typically 7 years)
Conversation data and saved content (Cloud Vault)	Provide chat history, continuity, exports, saved artifacts, projects, memory features	Per your selected retention setting. Default 60 days, configurable down to "session only" or up to your plan maximum
Conversation data (Local-Only mode)	Stored in your browser only. We process individual messages but do not retain history	Until you clear your browser storage
Temporary staged uploads	Pre-attachment analysis before a file is added to a conversation	Approximately 60 minutes if not attached to saved content, after which the staged copy is purged
Security and access logs	Protect the Service, enforce rate limits, investigate abuse, maintain reliability	30 days for application audit events, 7 days for routine request logs, longer where retention is required for a specific incident or legal hold

We may use de-identified, aggregated statistics (for example, total messages per day, error rates, latency percentiles) to monitor the health of the Service. These statistics are not linked back to you and are not used to build profiles of users.

3. Cloud Vault Architecture

This section explains, in non-technical terms, why we cannot read your saved content.

3.1 The working key is derived from your password

When you unlock the Cloud Vault, we combine a long random salt that we store, with a value derived from a vault password that we do not store, using a slow and intentionally expensive key-derivation step. The output is a 256-bit working key. Each user has a different salt, so two users with the same password still produce different keys.

If you sign in through a social provider, you choose a separate vault password the first time you enable the Cloud Vault. That vault password — not your social login — is what derives the working key, so unlocking your data always requires a secret only you hold.

3.2 The working key is never written to disk

The working key lives only in volatile server memory during your active session. On our production servers, we pin the memory pages holding the key so the operating system cannot copy them to swap. When you log out, when your session expires, or when our background workers finish a short-lived task, the key is wiped.

3.3 What is actually on our disks

The records we persist for your Cloud Vault content are ciphertext produced by AES-256-GCM, an authenticated encryption scheme that also detects tampering. Without your working key, the ciphertext is indistinguishable from random bytes. A server administrator with full filesystem access cannot decrypt it. A backup of our database cannot decrypt it. A subpoena served on us for that content can only produce that ciphertext.

3.4 What we cannot do

• We cannot read any vault-stored conversation, prompt, file, image, project document, note, or memory entry while you are logged out.
• We cannot recover your password. If you lose it and have not enabled an optional recovery mechanism that you control, your vault content is unrecoverable.
• We cannot disclose the plaintext of vault content in response to a lawful demand. We will respond honestly and indicate that we only hold ciphertext.

3.5 What we can do (and how briefly)

• For the few seconds while we are routing your current message to an AI provider, the message is processed in plaintext on our server. We do not write that plaintext to disk. As soon as the response is delivered, the plaintext is discarded from memory.
• For long-running tasks you initiated, such as a deep-research run or an agent session, the working key may be cached in server memory until that task completes or until a short timeout, whichever happens first.

3.6 Local-Only mode

If you opt into Local-Only mode in Settings, no conversation transcript leaves your browser. We still need to send your current message to an AI provider in order to produce a response. We do not retain that exchange after delivery.

4. AI Processing and Subprocessors

To generate a response, analyze a file, or run a feature you request, we may send the minimum necessary content to third-party AI, hosting, storage, and content-delivery providers. We select providers that contractually agree not to retain your content for training or for secondary uses beyond completing your request, except where you specifically opt in.

Examples of provider categories used to operate the Service include:

• AI inference providers who run the language and image models you select. The plaintext of the request you currently send is delivered to the provider you have chosen, and the response is returned to you and (if Cloud Vault is enabled) encrypted before storage.
• Payment processing by Stripe.
• Infrastructure and content delivery by Cloudflare and comparable vendors for security, edge caching, and reliability.
• Object storage for encrypted blobs (vault content, generated images, exported artifacts).
• Transactional email delivery for verification, password reset, and security notices.

A current list of categories and primary providers is available on request to [email protected].

5. When We Share Information

We disclose personal information only in the limited circumstances listed below.

• Service providers performing functions on our behalf, under written agreements that restrict their use of the information to the work we contracted them to do.
• Stripe for payment processing and subscription management. Stripe processes your card details under its own Privacy Policy.
• OAuth providers you choose (such as Google or Discord) receive the authentication request from you, not from us. We receive only the identifiers necessary to confirm your identity.
• Cloudflare and similar infrastructure vendors for security, reliability, and content delivery. See Cloudflare's Privacy Policy.
• Legal authorities and courts where disclosure is required by valid legal process or where we believe in good faith that disclosure is necessary to protect rights, safety, or to investigate fraud or abuse. See Section 13 for our process.
• Successors in connection with a merger, acquisition, financing, bankruptcy, or sale of assets. Any successor must honor the commitments in this Policy or provide you with reasonable notice and a meaningful choice.

6. What We Do Not Do

• We do not sell personal information or conversation content. We do not "share" personal information for cross-context behavioral advertising as defined under the California Consumer Privacy Act.
• We do not use your prompts, conversations, uploads, generated images, or related content to train AI models, ours or anyone else's.
• We do not deploy advertising pixels, conversion tags, or third-party behavioral analytics on the Service.
• We do not build advertising or marketing profiles based on what you do inside the Service.
• We do not store plaintext passwords, full payment card data, or a recoverable copy of your Cloud Vault working key.

7. Cookies and Local Storage

We use a small number of strictly necessary cookies and similar technologies that are essential for the Service to function. These include a session cookie that keeps you signed in, a CSRF token that protects authenticated form submissions, and security tokens issued by our content-delivery and bot-mitigation vendors.

We do not set advertising cookies, social media tracking pixels, or cross-site analytics cookies. We do not honor cross-site tracking because we do not perform it.

Some browsers send a Global Privacy Control signal. Because we do not sell or share personal information for cross-context behavioral advertising, that signal does not require any change in our handling.

8. Your Rights and Choices

You can exercise the rights below for free by writing to [email protected], or by using the in-product controls where available. We will verify your identity through your account before responding.

8.1 Rights available to all users

• Access the personal information we hold about you.
• Correct inaccurate or outdated personal information.
• Delete your account and the personal information associated with it, subject to limited retention for legal, fraud, or accounting obligations.
• Export conversations, projects, and other saved content from inside the product.

8.2 Additional rights for users in the European Economic Area, the United Kingdom, and Switzerland

If you are located in the EEA, UK, or Switzerland, you have additional rights under the GDPR and UK GDPR.

• Restriction of processing in specific cases set out in Article 18 GDPR.
• Objection to processing based on our legitimate interests.
• Portability of personal information you have provided to us in a structured, commonly used, machine-readable format.
• Right to lodge a complaint with your local data protection authority.

Our legal bases for processing under the GDPR are: performance of a contract (delivering the Service you requested), legitimate interests (security, fraud prevention, product improvement), legal obligation (tax, accounting, lawful requests), and consent where required (for example, optional marketing communications you opt into).

8.3 Additional rights for California residents

If you are a California resident, you have rights under the California Consumer Privacy Act ("CCPA") as amended by the CPRA.

• Right to know the categories and specific pieces of personal information we collect and disclose.
• Right to delete personal information we have collected from you.
• Right to correct inaccurate personal information.
• Right to opt out of sale or sharing: as stated, we do not sell or share personal information for cross-context behavioral advertising, so there is nothing to opt out of.
• Right to non-discrimination for exercising any of the above rights.

An authorized agent may submit a request on your behalf by providing written proof of authorization.

9. Retention and Deletion

You can delete individual conversations, individual uploads, projects, generated images, and your entire account through controls inside the product.

• Active conversations follow your Chat Retention setting (default 60 days). Older messages are purged automatically.
• Deleted conversations and account-level deletions are removed from active systems promptly and from operational backups within 30 days under normal conditions.
• We may retain a minimal subset of records (such as Stripe invoices, abuse history for users we have banned, or records subject to a legal hold) for the period required to satisfy legal, accounting, fraud-prevention, or dispute-resolution obligations.

10. Security

We protect personal information using a combination of administrative, technical, and physical safeguards.

• All traffic between your client and Meriq is encrypted in transit using HTTPS/TLS.
• Cloud Vault content is encrypted at rest using AES-256-GCM with a working key derived from your password as described in Section 3.
• Passwords are stored as slow-hashed digests with per-account salts.
• Production systems require multi-factor authentication for staff access, and access is scoped to job function.
• We log access to administrative tools and review the logs for anomalies.
• We test the Service against the OWASP Top 10 categories and run dependency scanning continuously.

No security program is perfect. If you believe you have found a vulnerability, please write to [email protected] with reproduction steps. We do not pursue legal action against good-faith researchers who follow coordinated disclosure.

11. Children

The Service is intended for adults aged 18 and older. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child, we will suspend the account and delete the associated data. Parents or guardians who believe their child created an account may contact [email protected].

12. International Transfers

Meriq is operated from servers in Canada and the United States, with content delivery and security infrastructure that may transit data through other countries. By using the Service, you understand that your information will be processed in jurisdictions whose privacy laws may differ from those of your home jurisdiction.

For transfers from the EEA, UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum or the Swiss equivalent where applicable) with our subprocessors, supplemented by additional technical measures such as the encryption practices described in Section 3.

13. Law Enforcement and Government Requests

We respond to lawful, properly served requests from courts, regulators, and law enforcement. Our process is as follows.

1. We require valid legal process appropriate to the data requested (for example, a search warrant for content where applicable).
2. We verify the authenticity of the request and the jurisdiction of the requester.
3. We disclose only what is required to respond and only the data we actually hold. For Cloud Vault content, we can only produce ciphertext, because we do not hold the working key. We will state that explicitly in our response.
4. Where not legally prohibited (for example, by a non-disclosure order accompanying the process), we notify affected users in advance so they have an opportunity to challenge the request themselves.
5. We publish aggregated transparency information about lawful requests we receive as the Service matures.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When changes are material, we will provide notice through the Service or by email at least 14 days before the change takes effect, unless a shorter period is required by law. The "Last updated" date at the top of this page will reflect the most recent version. Prior versions are available on request.

15. Contact

For privacy questions, data-subject requests, or to exercise any right described above, contact [email protected].

For security-vulnerability disclosures, contact [email protected].

For all other inquiries, contact [email protected].