We built Meridius to help you build better habits — not to harvest your data. This policy explains what we collect, why we collect it, and what we never touch. We've written it in plain language on purpose.
What we collect
Meridius collects only what is necessary to make the app work for you:
- Email address — used to create and authenticate your account. Required to sign in.
- Display name — optional. You can use the app without one. Shown to your accountability partner if you set one up.
- Habit data — the names of your habits, their completion timestamps, and your current streak counts.
- Weekly reflection text — your written responses to the three weekly reflection prompts. Stored privately on your account.
- Push notification token — a device-level token from Apple used to send you reminders you've opted into. Never used for marketing.
- Accountability partner relationships and messages — if you invite a partner, we store that relationship and any encouragement messages sent between you.
What we don't collect
We do not collect your real name (it's not required), your location, your contacts, or access to your camera. We don't use any advertising SDKs. We don't run analytics that profile your behavior for third parties.
If you connect Meridius to Apple Health, your health data is read locally on your device only and is never transmitted to our servers. HealthKit data is processed entirely on-device.
How we use your information
We use what we collect only to operate the app:
- To authenticate your account and keep it secure.
- To store your habits, completions, and reflections so they persist across devices.
- To calculate streaks, completion rates, and weekly summaries.
- To send push notifications you have opted into — habit reminders and partner encouragements only.
- To manage your subscription tier and grant access to Pro features.
We do not use your habit data or reflection text to train machine learning models. Your words are yours.
Who we share data with
We share data with a small number of infrastructure partners who are necessary to run the service. No data brokers. No advertising networks.
Your rights and choices
You are in control of your data:
- Delete your account — from Settings inside the app, you can permanently delete your account. All your data — habits, reflections, partner relationships, and push tokens — is permanently removed within 30 days.
- Export your data — you can request a copy of your data via the in-app settings or by contacting us at privacy@meridius.app.
- Opt out of notifications — you can revoke notification permissions at any time in iOS Settings.
- Remove your accountability partner — you can disconnect a partner from within the app at any time. All messages are removed.
Data security
All data transmitted between the Meridius app and our servers uses TLS encryption. Data stored in our database is encrypted at rest by Supabase. We use industry-standard authentication practices including secure session tokens.
No method of transmission or storage is 100% secure. If you discover a security issue, please report it to privacy@meridius.app and we'll respond promptly.
Children's privacy
Meridius is not directed at users under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child, please contact us and we will delete it.
Contact us
Questions about this policy or your data? Write to us at privacy@meridius.app. We're a small team and we read every message.