Data protection

Privacy Policy

This policy explains how Meridian Spend collects, uses, shares, retains, and protects information across the website, product, support channels, and procurement operations workflows.

Last updated
January 12, 2026
Applies to
Website visitors, workspace users, administrators, and customer contacts

In summary

  • Meridian acts primarily as a service provider or processor for customer workspace data.
  • Customers control the vendor, invoice, document, and user records submitted to their workspace.
  • Meridian uses personal information to provide, secure, support, improve, and administer the service.

Roles and scope

This Privacy Policy applies to Meridian Spend websites, applications, support channels, events, and related services.

For customer workspace data, the customer generally determines the purposes and means of processing, and Meridian processes that data under the customer agreement and data processing addendum.

  • Workspace users should contact their organization for questions about records controlled by that organization.
  • Website visitors and prospects may contact Meridian directly about information collected by Meridian.

Information we collect

We collect information that users, administrators, and prospects provide directly, information generated through use of the service, and information received from connected systems when enabled by a customer.

The categories depend on the way the service is used and the integrations a customer configures.

  • Account details such as name, work email, role, workspace, authentication settings, and support history.
  • Procurement records such as vendors, invoices, purchase requests, approvals, comments, documents, and audit activity.
  • Technical data such as IP address, device information, browser type, logs, feature usage, and cookie identifiers.

How we use information

Meridian uses information to provide the platform, administer accounts, route workflows, deliver support, maintain security, communicate service updates, and comply with legal obligations.

We may also use aggregated or de-identified information to understand product performance and improve product reliability.

  • Authenticate users and enforce role-based access.
  • Process vendor, approval, invoice, document, and audit workflows.
  • Detect abuse, troubleshoot issues, maintain logs, and protect the service.
  • Send operational notices, security updates, and customer support communications.

Customer workspace data

Customer workspace data belongs to the customer and is processed according to customer instructions, the subscription agreement, and configured product workflows.

Meridian personnel access customer workspace data only when needed to provide support, maintain the service, investigate security issues, or comply with legal obligations.

  • Administrators can configure retention, exports, roles, and integrations.
  • Customer content is not sold and is not used for third-party advertising.
  • Support access is logged and limited to business need.

Cookies and product analytics

Meridian uses cookies and similar technologies to operate the website, keep users signed in, remember preferences, understand product usage, and protect against abuse.

Customers and users can control certain browser-level cookie settings, although disabling required cookies may affect authentication or product functionality.

  • Required cookies support authentication, security, routing, and user preferences.
  • Analytics data helps identify reliability issues and improve workflow usability.
  • Marketing cookies, when used, support campaign measurement and may be managed through browser or consent tools.

Sharing and sub-processors

Meridian shares information with service providers that help host, secure, support, deliver, monitor, and improve the platform.

Sub-processors are reviewed for appropriate privacy and security commitments before they process customer data.

  • Common sub-processor categories include cloud hosting, email delivery, observability, support tooling, and secure storage.
  • Meridian may disclose information to comply with law, protect rights, investigate abuse, or complete a corporate transaction.
  • A current sub-processor list is available to customers on request.

International transfers

Meridian may process information in countries other than the country where users or customers are located.

When required, Meridian uses appropriate transfer mechanisms such as standard contractual clauses, data processing terms, or other lawful safeguards.

  • Customer order forms may specify regional hosting or transfer commitments.
  • Support and security operations may require limited cross-border access by authorized personnel.

Security and confidentiality

Meridian uses administrative, technical, and organizational safeguards designed to protect information against unauthorized access, loss, misuse, and disclosure.

Safeguards include encryption, access controls, logging, security review, vulnerability management, and employee confidentiality obligations.

  • No system can guarantee absolute security.
  • Customers should use SSO, MFA, least-privilege roles, and timely user deprovisioning.
  • Suspected security incidents can be reported to security@meridianspend.com.

Retention and deletion

Meridian retains information for as long as needed to provide the service, comply with legal obligations, resolve disputes, enforce agreements, and maintain legitimate business records.

Customer workspace data is deleted or returned according to the customer agreement, configured retention settings, and applicable law.

  • Administrators may export many workspace records directly from the product.
  • Backups are removed according to backup lifecycle schedules.
  • Some logs and billing records may be retained when required for security, tax, legal, or accounting purposes.

Privacy rights

Depending on location, individuals may have rights to access, correct, delete, restrict, object to, or receive a copy of personal information.

For information controlled by a customer workspace, Meridian may refer the request to the customer or assist the customer in responding.

  • Requests can be sent to privacy@meridianspend.com.
  • Meridian may need to verify identity and authority before completing a request.
  • Users can update certain account details through the product or their workspace administrator.

Children and sensitive data

Meridian Spend is designed for business use and is not directed to children.

Customers should not submit sensitive personal information unless it is necessary for their procurement operations and permitted under their agreement and applicable law.

  • The platform is not intended for consumer financial services, medical records, or children data.
  • Customers are responsible for configuring appropriate controls for regulated data they choose to process.

Changes and contact

Meridian may update this Privacy Policy to reflect product, legal, or operational changes.

Material changes will be communicated through appropriate channels, such as the website, product notices, or customer communications.

  • Questions can be sent to privacy@meridianspend.com.
  • Security questions can be sent to security@meridianspend.com.
  • Customer agreement questions can be sent to legal@meridianspend.com.