Privacy Policy | Policies

Jump to section

Data we collect Subprocessors Security Cookies Your rights

1. Introduction

Meridian (meridian.surf) is a trade name of Surf Online ("we", "us", or "our"). This Privacy Policy explains how we collect, use, store, and share personal data when you use Meridian.

Data controller: Surf Online.

2. Information we collect

We collect information needed to run Meridian, including:

Account data: display name, @handle, email (when provided through linked sign-in), avatar, preferences, plan, and billing status.
Linked sign-in data: when you connect a provider, we receive profile fields that provider shares with us (for Discord account sign-in, typically user id, username, avatar, and email via the identify and email scopes).
Bot configurations: flows, settings, logs metadata, and content you create in the builder.
Bot-stored data: values your bots persist (for example Storage variables), optional transcripts, and short-lived interactive message variables.
Protected transcript access: if a transcript requires Discord role verification, we may request identify, guilds, and guilds.members.read in a separate OAuth flow to confirm access.
Payment data: billing contact and subscription metadata processed by Stripe. We do not store full card numbers.
Platform analytics: first-party operational metrics such as bot online counts, commands created, commands run, and button clicks. We do not use third-party advertising analytics on the dashboard.
Support and email: messages you send to us and transactional emails we send to you.

3. Controller and processor roles

For your Meridian account and platform operation, Surf Online is the data controller.

For personal data your bots collect from Discord users (messages, member identifiers, stored variables, transcripts, and similar), you are the controller and Surf Online acts as a processor hosting that data on your instructions through the Service. You must provide any notices and obtain any consents required by law for your bots.

Third-party applications you authorize through Meridian OAuth are independent controllers. We are not responsible for their processing. See our Developer terms.

4. How we use information

We use personal data to:

Provide, host, and secure the Service.
Run your bots and store configurations.
Process payments, account credit, and gift cards.
Send transactional and support messages.
Monitor platform health and aggregate usage trends.
Detect abuse, fraud, and technical issues.
Comply with law and enforce our policies.

We do not sell personal data.

6. Subprocessors

We use the following subprocessors to deliver Meridian. Each processes only the data needed for its role:

Subprocessor	Purpose	Location	Data processed
Convex	Backend, database, file storage, and real-time API	United States	Account data, bot configurations, variable definitions and stored values, transcripts, platform logs
Vercel	Frontend hosting and edge delivery	Global	HTTP request metadata, session cookies
Discord	Authentication and bot API	United States	OAuth profile fields, bot runtime data
Stripe	Payment processing and subscriptions	United States	Billing contact, payment method metadata (not full card numbers)
Cloudflare	CDN, edge, and runner traffic	Global	HTTP metadata, cached assets
Resend	Transactional email	United States	Email address, message content for service emails

We may update this list as our infrastructure changes. Material changes will be communicated according to our Terms of Service.

7. International transfers

We are based in the European Union. Some subprocessors process data in the United States or other countries. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses approved by the European Commission for transfers from the EEA/UK.

8. Data retention

We keep account data while your account is active. When you request deletion from Account → Danger zone, we delete personal data and bot configurations within 7 days after the grace period, unless a longer period is required by law.

If we terminate your account for abuse or legal reasons, we may retain relevant data for investigations, dispute resolution, or legal hold.

Short-lived data (for example interactive message variables) expires automatically on a shorter schedule.

9. Security and vulnerability reports

We use technical and organizational measures to protect data. No method of transmission or storage is completely secure.

Reporting bugs. Sensitive issues (authentication, sessions, billing, account takeover, or exposure of private user or bot data) should be reported through our help center while signed in. Do not post exploit steps, tokens, or customer data in public channels.

General UI bugs and feature requests may be shared in our Discord server.

Do not run bulk scans, credential stuffing, or denial-of-service tests against production. If you accidentally access data you should not have, stop and report it.

Contact: security@meridian.surf. Qualifying security reports may receive a bounty or account credit at our discretion. Nothing here is a binding offer.

10. Cookies and similar technologies

Surf Online uses cookies and similar technologies on Meridian (meridian.surf) to operate the Service, keep you signed in, and remember preferences.

Cookies are small text files stored on your device. We also use local storage and session storage for similar purposes.

Strictly necessary cookies. These are required for Meridian to work:

__session: short-lived access token (httpOnly) for authenticated requests.
__refresh: refresh token (httpOnly, limited path) to renew your session.
__session_handle: identifies your Convex session for real-time dashboard features.

Blocking these cookies may prevent you from signing in or using the dashboard.

Functional cookies and storage. We store preferences such as theme, builder settings, and UI state to improve your experience. Affiliate referrals use a signed __affiliate_ref cookie (30-day attribution window) when you arrive through a referral link.

Analytics. Meridian uses first-party operational metrics (for example aggregate bot counts and command usage) to run and improve the platform. We do not use third-party advertising cookies on the dashboard, and we do not sell cookie data.

Your choices. Most browsers let you block or delete cookies. Essential cookies are required for core features. We honor Do Not Track signals where applicable (see section 11).

11. Your rights and choices

Depending on where you live (including the EEA, UK, and California), you may have rights to access, correct, delete, restrict, or port your personal data, and to object to or withdraw consent for certain processing.

You can:

Download a data export from Account → Privacy (data takeout).
Request account deletion from Account → Danger zone.
Contact us at legal@meridian.surf or through support for other requests.

We honor Do Not Track signals where applicable. You may also lodge a complaint with your local supervisory authority.

12. Third-party services

Meridian integrates with Discord and other services. Data processed by those platforms is governed by their policies. Review their privacy terms before connecting your bots or accounts.

13. Children's privacy

Meridian is not directed at children under 13. We do not knowingly collect personal data from anyone under 13. If you believe a child provided us data, contact us and we will delete it.

14. Changes to this policy

We may update this Privacy Policy from time to time. We will post the new version on this page and update the last updated date. Continued use after changes means you accept the updated policy where permitted by law.

15. Contact

Privacy questions: legal@meridian.surf or our official support channels.