Data protection
Privacy Policy
This policy explains how Meridian Spend collects, uses, shares, retains, and protects information across the website, product, support channels, and procurement operations workflows.
- Last updated
- January 12, 2026
- Applies to
- Website visitors, workspace users, administrators, and customer contacts
- Contact
- privacy@meridianspend.com
In summary
- Meridian acts primarily as a service provider or processor for customer workspace data.
- Customers control the vendor, invoice, document, and user records submitted to their workspace.
- Meridian uses personal information to provide, secure, support, improve, and administer the service.
Roles and scope
This Privacy Policy applies to Meridian Spend websites, applications, support channels, events, and related services.
For customer workspace data, the customer generally determines the purposes and means of processing, and Meridian processes that data under the customer agreement and data processing addendum.
- Workspace users should contact their organization for questions about records controlled by that organization.
- Website visitors and prospects may contact Meridian directly about information collected by Meridian.
Information we collect
We collect information that users, administrators, and prospects provide directly, information generated through use of the service, and information received from connected systems when enabled by a customer.
The categories depend on the way the service is used and the integrations a customer configures.
- Account details such as name, work email, role, workspace, authentication settings, and support history.
- Procurement records such as vendors, invoices, purchase requests, approvals, comments, documents, and audit activity.
- Technical data such as IP address, device information, browser type, logs, feature usage, and cookie identifiers.
How we use information
Meridian uses information to provide the platform, administer accounts, route workflows, deliver support, maintain security, communicate service updates, and comply with legal obligations.
We may also use aggregated or de-identified information to understand product performance and improve product reliability.
- Authenticate users and enforce role-based access.
- Process vendor, approval, invoice, document, and audit workflows.
- Detect abuse, troubleshoot issues, maintain logs, and protect the service.
- Send operational notices, security updates, and customer support communications.
Customer workspace data
Customer workspace data belongs to the customer and is processed according to customer instructions, the subscription agreement, and configured product workflows.
Meridian personnel access customer workspace data only when needed to provide support, maintain the service, investigate security issues, or comply with legal obligations.
- Administrators can configure retention, exports, roles, and integrations.
- Customer content is not sold and is not used for third-party advertising.
- Support access is logged and limited to business need.
International transfers
Meridian may process information in countries other than the country where users or customers are located.
When required, Meridian uses appropriate transfer mechanisms such as standard contractual clauses, data processing terms, or other lawful safeguards.
- Customer order forms may specify regional hosting or transfer commitments.
- Support and security operations may require limited cross-border access by authorized personnel.
Security and confidentiality
Meridian uses administrative, technical, and organizational safeguards designed to protect information against unauthorized access, loss, misuse, and disclosure.
Safeguards include encryption, access controls, logging, security review, vulnerability management, and employee confidentiality obligations.
- No system can guarantee absolute security.
- Customers should use SSO, MFA, least-privilege roles, and timely user deprovisioning.
- Suspected security incidents can be reported to security@meridianspend.com.
Retention and deletion
Meridian retains information for as long as needed to provide the service, comply with legal obligations, resolve disputes, enforce agreements, and maintain legitimate business records.
Customer workspace data is deleted or returned according to the customer agreement, configured retention settings, and applicable law.
- Administrators may export many workspace records directly from the product.
- Backups are removed according to backup lifecycle schedules.
- Some logs and billing records may be retained when required for security, tax, legal, or accounting purposes.
Privacy rights
Depending on location, individuals may have rights to access, correct, delete, restrict, object to, or receive a copy of personal information.
For information controlled by a customer workspace, Meridian may refer the request to the customer or assist the customer in responding.
- Requests can be sent to privacy@meridianspend.com.
- Meridian may need to verify identity and authority before completing a request.
- Users can update certain account details through the product or their workspace administrator.
Children and sensitive data
Meridian Spend is designed for business use and is not directed to children.
Customers should not submit sensitive personal information unless it is necessary for their procurement operations and permitted under their agreement and applicable law.
- The platform is not intended for consumer financial services, medical records, or children data.
- Customers are responsible for configuring appropriate controls for regulated data they choose to process.
Changes and contact
Meridian may update this Privacy Policy to reflect product, legal, or operational changes.
Material changes will be communicated through appropriate channels, such as the website, product notices, or customer communications.
- Questions can be sent to privacy@meridianspend.com.
- Security questions can be sent to security@meridianspend.com.
- Customer agreement questions can be sent to legal@meridianspend.com.