Privacy policy

01 What we collect

Location

Meridian needs your precise GPS location to navigate and to share your position with convoy members. We collect this only while the app is active — or, if you grant background permission, while a convoy is running. We don't store your location history on our servers after a convoy ends.

Convoy data

When you're in a convoy, we process your real-time latitude, longitude, bearing, speed, display name, and a timestamp. This data is shared live with other members of the same convoy and deleted from our servers within 24 hours of the convoy ending.

Voice

The AI Voice Co-pilot processes your speech on-device using your device's built-in speech recognition. We don't record, store, or send your voice to our servers.

Music playback

The Now Playing feature reads your current track title, artist, and play/pause state from your device's local media session. It stays on your screen only — nothing is transmitted to us.

Account

If you create a Meridian account, we store your chosen username, display name, and email address. Passwords are hashed using industry-standard algorithms and are never readable by us.

Crash reports and diagnostics

We may collect anonymised crash reports to fix bugs and improve stability. These contain no personal information and cannot be linked back to you.

Payments

Subscription payments are handled entirely by Apple (App Store) or Google (Google Play). We never see or store your card details.

02 Why we process it

• Contract performance — to deliver the navigation and convoy features you asked for
• Legitimate interests — to keep the app stable, secure, and improving
• Consent — for precise location access (your device asks you) and optional marketing emails
• Legal obligation — where the law requires it

03 How we use it

• Showing your position on the map and routing you turn-by-turn
• Sharing your live position with convoy members you've joined
• Processing voice commands locally on your device
• Managing your account and Meridian Plus subscription
• Fixing crashes and improving the app via anonymised diagnostics
• Responding to support requests

04 Third-party services

Google Maps Platform

Map tiles, turn-by-turn navigation, route calculation, and destination search all run on Google's Maps Platform (including the Maps SDK, Navigation SDK, and Places API). When you navigate or search, your location and search query are sent to Google to return maps, routes, and nearby results. Google processes this under its own privacy policy — see policies.google.com/privacy. In-app purchases via the Google Play Store are also governed by Google's platform policies.

Anthropic (AI Co-pilot)

When you use the voice AI co-pilot feature, your spoken request, approximate location (to ~11 metres precision), and your current destination are sent to Anthropic's API to interpret your command. No voice or location data is stored by Anthropic after the request completes. You are asked for consent the first time you use this feature, and can withhold it by declining the prompt. Anthropic's privacy policy is at anthropic.com/privacy.

Supabase

Your account data, convoy records, and real-time position data are stored on Supabase's infrastructure (hosted in the EU). Supabase acts as a data processor under a data processing agreement and has no rights to use your data for its own purposes.

Expo (push notifications)

Push notifications are delivered via Expo's push service. Your device push token is shared with Expo solely to deliver notifications. Expo's privacy policy is at expo.dev/privacy.

Apple

In-app purchases via the App Store are managed by Apple per their platform policies.

05 Who we share it with

We don't sell, rent, or trade your data. The only circumstances where we share it:

• Convoy members — your live position and display name are shared only with people in a convoy you've actively joined
• Infrastructure providers — acting as processors under contract, no independent use
• Legal requirements — where required by law or to protect our users
• Business transfer — in a merger or acquisition, with appropriate notice to you

06 How long we keep it

• Live convoy location — deleted within 24 hours of a convoy ending
• Account data — kept while your account is active; deleted within 30 days of a verified deletion request
• Anonymised diagnostics — up to 12 months

07 Security

All data in transit is encrypted via TLS. We review our security practices regularly. No system is perfectly secure, but we take this seriously.

08 Your rights under UK GDPR

You have the right to access, correct, delete, restrict, or port your data — and to object to processing based on legitimate interests. To exercise any of these, email contact@novusstudio.co. We'll respond within 30 days.

You can also complain to the Information Commissioner's Office at ico.org.uk.

09 Children

Meridian isn't directed at children under 13. If you think a child has given us their data, contact us and we'll delete it.

10 International transfers

Most processing happens in the UK and EEA. Where data moves outside these regions (e.g. Google's global infrastructure), we ensure appropriate safeguards — including standard contractual clauses approved by the UK ICO — are in place.

11 Cookies

The Meridian website uses only strictly necessary cookies. No advertising cookies, no cross-site tracking. The mobile app uses no cookies at all.

12 Changes

We'll notify you of material changes via an in-app notice or email. The revision date is always at the top of this page.

13 Contact

• Privacy matters: contact@novusstudio.co
• General support: contact@novusstudio.co
• Novus Studio LTD, registered in England and Wales