Privacy Policy.
How Meridian collects, uses, shares, retains, and protects personal information, and what rights you have.
1. Who we are
This Privacy Policy is issued by Meridian Ventures and Artificial Intelligence ("Meridian", "we", "us", "our"), operating from Dubai, United Arab Emirates. It describes how we collect, use, share, retain, and protect personal information, and what rights you have.
This Privacy Policy applies to:
- Visitors to our website at meridian.vc and any page or subdomain that links to this Privacy Policy.
- People who contact us, request an introduction, book a call, or otherwise interact with us in a business context.
- Individuals whose personal data is processed by the AI agents we build and operate for our clients, where that processing has been authorised by the client.
For data collected about website visitors and people who contact us directly, we act as a controller. For data processed by the agents we build and run on behalf of our clients (for example, conversations with prospective students, customers, or applicants), we act as a processor. Our client is the controller, and the client's own privacy notice governs their relationship with you.
2. Information we collect
2.1 Information you provide directly
- Contact details (name, email address, company, role) when you request an introduction, book a call, or otherwise correspond with us.
- The contents of messages you send us by email or through our scheduling tool.
2.2 Information processed by the agents we build for clients
When a client engages us to build and operate AI agents inside their business, those agents interact with individuals on the client's behalf. Depending on the deployment, the data those interactions generate can include:
- Chat transcripts between an individual and a text-based agent.
- Voice call audio, real-time transcripts, and call metadata when an agent is deployed for inbound or outbound voice.
- The contents of structured fields the agent collects in the course of its work (for example, programme of interest, intake timeline, contact details, qualification answers).
- Operational metadata such as session identifiers, timestamps, and the routing decisions made by the agent.
This data is owned and controlled by our client. We process it on the client's instructions, under the data processing agreement signed with that client. Individuals interacting with one of our voice or chat agents are informed at the start of the interaction that they are speaking with an AI agent, in line with applicable disclosure rules and the client's instructions.
We do not knowingly collect:
- Information from individuals under sixteen, unless the client has confirmed a lawful basis (for example, in an admissions or education context with appropriate parental consent in place).
- Biometric or health information, unless expressly contracted for and lawfully processed.
- Payment card data. Where transactions take place during an agent interaction, they are routed to the client's own payment provider; we do not store card numbers.
2.3 Information processed during discovery and improvement
During the discovery phase of a new engagement, we observe a real operating cycle inside the client's business in order to document the processes the agents will eventually take on. This may include reviewing recorded calls, written communications, and other operational records the client makes available to us, some of which contain personal data.
Once an agent is in production, we review samples of real interactions to monitor performance, tune the agent's behaviour, and improve quality over time. The same processing terms apply throughout: the client is the controller, we are the processor, and the work is governed by the data processing agreement signed with that client.
2.4 Information collected automatically on our website
Our website is hosted on Vercel. Standard request information (IP address, user agent, request path, timestamp, response status) is logged by our hosting provider for the purposes of operating the site, mitigating abuse, and diagnosing technical issues. IP addresses are not used to identify visitors and are not enriched against any visitor-identification service.
We do not run third-party analytics on this site. We do not use behavioural tracking, advertising cookies, B2B visitor-identification services, or cross-site tracking of any kind. We do not show a cookie banner because the site does not set cookies that require consent.
If we add analytics or similar technologies in the future, we will update this Privacy Policy and present an appropriate consent mechanism where one is required.
3. How we use information
We use personal information to:
- Provide, maintain, improve, and secure the agents and services we operate for clients.
- Reconstruct and analyse business workflows during discovery, so the agents we build reflect how the work actually gets done.
- Respond to inbound enquiries and operate our business administration (scheduling, contracts, invoicing).
- Detect, prevent, and investigate fraud, abuse, and security incidents.
- Comply with legal obligations, enforce our agreements, and defend our legal rights.
- Operate our website.
Where required by law, we rely on the following legal bases for processing: contract performance (delivering the services you, your employer, or your institution has engaged us to provide), legitimate interests (improving the services, security, business administration), consent (where consent is the appropriate basis under applicable law), and legal obligation (tax, accounting, and lawful regulatory requests).
4. Artificial intelligence
The agents we build use third-party large-language-model providers, currently including OpenAI and Anthropic. We may add or substitute providers over time as the agentic stack evolves. We use the paid business API tiers from these providers. Per the applicable terms of these tiers, data submitted to the API is not used to train the providers' public models. We will update this section to reflect material changes to our providers or to the applicable terms.
Agent outputs are designed against operational standards set by us and by the client. Where appropriate, outputs are reviewed by our team and by the client before they are relied on operationally.
5. How we share information
We share personal information only as described below.
Service providers (subprocessors) who operate parts of our infrastructure under written contracts that restrict their use of personal information. Our current subprocessors:
| Subprocessor | Purpose |
|---|---|
| Vercel, Inc. | Web hosting and edge infrastructure for our website |
| OpenAI, L.L.C. | Large-language-model inference |
| Anthropic, PBC | Large-language-model inference |
| Twilio Inc. | Voice telephony and call infrastructure for voice agents |
| Calendly, LLC | Scheduling of introductory calls |
| Google LLC | Business email and productivity tools |
Per-deployment subprocessors (databases, cloud infrastructure, regional telephony providers, and similar) vary by engagement and are documented in the data processing agreement signed with each client. We will update the list above if our standing subprocessors materially change.
We also share information with:
- The client whose business we are operating in, when we deliver agent outputs, transcripts, reports, or analyses on their behalf.
- Law enforcement, regulators, and other authorities, when we believe in good faith that disclosure is required by law, court order, or similar legal process.
- Successors, in connection with a merger, acquisition, financing, reorganisation, or sale of all or substantially all of our assets. If your personal information is affected, we will take reasonable steps to ensure it remains subject to protections substantially similar to this Privacy Policy.
We do not sell or rent personal information. We do not share personal information for third-party cross-context behavioural advertising. We have not done so in the preceding twelve months and have no plan to do so.
6. How long we keep information
We retain personal information for as long as we have a business need, as required to provide the services, or as required by law.
- Website request logs: thirty days.
- Inbound email and introductory correspondence: until the relationship or enquiry is closed, plus a reasonable archival period.
- Data we process on behalf of a client: for the duration of our contract with that client. On contract termination, or on documented request from the client or a data subject (routed via the client where appropriate), we delete or return the data.
- Account-level and billing information: for the life of the account plus any period required by law (generally up to seven years for tax and accounting records).
- Backups: expire on a standard rolling cycle dictated by our infrastructure providers.
You can request deletion of your personal information at any time. See Section 9.
7. Security
We apply reasonable administrative, technical, and physical safeguards designed to protect personal information, including:
- Encryption in transit (TLS 1.3 on all public endpoints) and, where provided by our infrastructure, encryption at rest.
- Access controls and least-privilege principles for internal access to client data.
- Authentication controls on data-ingestion and agent endpoints.
- Logging and monitoring designed to detect anomalous activity.
No security programme is perfect. In the event of a personal-data breach affecting your information, we will notify affected clients, and where required, regulators and affected individuals, promptly, and in any case within the timelines set by applicable law (including the 72-hour standard set by Article 33 of the EU GDPR, where it applies).
8. International transfers
We operate from the United Arab Emirates. The subprocessors listed in Section 5 (Vercel, OpenAI, Anthropic, Twilio, Calendly, Google) are headquartered in the United States and operate infrastructure across multiple regions. As a result, personal data processed under this Privacy Policy may be transferred to, stored in, and processed in jurisdictions outside the one in which you live, including the United States and the European Union.
Where required, transfers are made under the safeguards permitted by the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), the EU and UK GDPR (typically via the Standard Contractual Clauses), and equivalent regimes in other jurisdictions. The specific transfer mechanisms for each client engagement are documented in the data processing agreement signed with that client.
9. Your privacy rights
Depending on where you live, you may have some or all of the following rights:
- Access: ask what personal information we hold about you.
- Correction: ask us to correct inaccurate information.
- Deletion: ask us to delete your personal information.
- Portability: receive a copy of your information in a structured, commonly used, machine-readable format.
- Restriction or objection: ask us to stop or limit certain uses of your personal information.
- Withdrawal of consent: where processing is based on consent, withdraw it at any time.
- Non-discrimination: exercise these rights without being penalised for doing so.
To exercise any of these rights, email jose@meridiaventures.xyz. We will verify your identity and respond within the time required by applicable law (generally thirty to forty-five days). If your data was processed by an agent we operate for one of our clients, the client is the controller of that data; we will route your request to them and support them in responding.
10. Cookies and tracking technologies
We do not use cookies or similar technologies for analytics, advertising, or cross-site tracking on this website. The site does not set non-essential cookies, and there is no cookie banner because none is required. We do not respond to “Do Not Track” browser signals because there is no industry-standard interpretation of them.
If we add analytics, visitor-identification, or other tracking technologies in the future, we will update this Privacy Policy and present an appropriate consent mechanism where one is required.
11. Children
The services we offer are intended for use by businesses and institutions in a professional context. We do not knowingly collect personal information directly from anyone under sixteen.
Some agents we deploy for clients may interact with prospective students, applicants, or other individuals who are minors, for example in an admissions context. In those cases, the client's own consent and data handling policies govern, and we operate within them.
If you become aware that a child's personal information has been collected by us outside of a client-governed context, please contact us and we will delete it.
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent change. For material changes, we will provide reasonable notice through the website or by direct communication where appropriate. Your continued use of our services after the effective date of a change constitutes acceptance.
13. Contact us
Meridian Ventures and Artificial Intelligence
Dubai, United Arab Emirates
Email: jose@meridiaventures.xyz
For privacy questions, data subject requests, and any other matter covered by this Privacy Policy, please email the address above.