MeridianWork Privacy Policy
Data Controller: MeridianWork Limited (incorporated in Ireland, CRO)
Effective date: June 2026
Privacy contact: support@meridian.work
Supervisory authority: Data Protection Commission (DPC), Ireland — www.dataprotection.ie
1. Who We Are
MeridianWork Limited ("MeridianWork", "we", "us", or "our") is a private limited company incorporated in Ireland under the Companies Act 2014. We operate the MeridianWork mobile application (the "App"), a corporate wellness platform deployed by employers for use by all of their employees.
MeridianWork acts as the data controller under Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR") and the Irish Data Protection Act 2018 — meaning we determine the purposes and means of processing your personal data.
We have assessed that, given our current scale of processing, we are not required to appoint a Data Protection Officer (DPO) under Article 37 GDPR. This assessment will be reviewed as the business grows. In the meantime, all data protection queries should be directed to support@meridian.work.
2. Who This Policy Applies To
This policy applies to all individuals who use the MeridianWork App ("users"), including employees whose employers have purchased access to the platform.
This policy does not govern the relationship between MeridianWork and corporate clients (employers). That relationship is governed by a separate Data Processing Agreement (DPA), under which your employer acts as the data controller for their organisational data and we act as a data processor on their behalf for those purposes only.
3. What Personal Data We Collect
3.1 Account and Identity Data
Full name and email address
Password (stored using cryptographic hashing — we cannot retrieve your plain-text password)
Profile information you optionally provide (e.g. profile photo)
Employer/company affiliation
3.2 Health Screening Data (Collected at Onboarding)
During onboarding, we collect PAR-Q (Physical Activity Readiness Questionnaire) responses — seven yes/no questions about your medical and physical history. This is special category data under Article 9 GDPR. It is used solely to flag whether you should seek medical advice before beginning physical activity. It is not shared with your employer.
3.3 Health and Wellness Data (Actively Entered by You)
Daily Readiness Score inputs: sleep quality, energy levels, stress, mood, muscle soreness
Check-in responses (daily and weekly), including custom questions configured by your employer
Body map logs: body part, location, pain or soreness type, severity rating (1–10)
Injury logs: body part, injury type, severity, recovery notes, daily severity updates
Body measurements: weight, body fat percentage, and up to 13 circumference measurements
Sleep: hours and optional quality rating
Steps and daily activity data
Resting heart rate
Caloric intake and hydration
Workout logs: exercises performed, sets, reps, duration, notes
Meal plans and food diary entries (including items scanned by barcode)
Habit tracking data
Progress photos (optional; stored securely and only visible to you)
3.4 Special Category Health Data
The following data is classified as "special category" data under Article 9 GDPR and is processed only with your explicit consent:
Menstrual cycle and reproductive health data — collected only if you actively opt in to the Cycle Tracker feature
Physical health condition indicators derived from your PAR-Q responses, body map entries, and injury logs
Cycle tracker data is completely excluded from all company reports and employer-accessible views. Under no circumstances can your employer or any administrator access your cycle data.
3.5 Wearable and Third-Party Device Data
If you choose to connect a supported wearable or health platform, we receive data via OAuth-authorised API access. Connecting a device is always optional. The data received may include:
Oura Ring: sleep scores, readiness scores, HRV, activity data
WHOOP: strain scores, recovery scores, sleep performance data
Garmin: workout data, activity metrics
Apple Health (iOS): steps, sleep, heart rate, HRV, VO2 max, and other metrics you explicitly authorise
Android Health Connect: equivalent health metrics on Android devices
Wearable data is used to personalise your AI coaching and Daily Readiness Score. It is never shared with your employer in identifiable form. You can disconnect any integration at any time from the Integrations screen in the App.
3.6 AI Coach and Conversation Data
Your messages to the AI Coach and the AI responses generated
Morning and evening briefing content personalised for you
Thumbs up / thumbs down feedback on AI responses
Your AI Coach conversation history is private to you alone. Your employer, company administrator, and MeridianWork staff do not have access to your individual conversation history.
3.7 Technical and Usage Data
Device type and operating system version
App version
Session activity and navigation data
Push notification preferences
Error and crash logs (used for debugging and App stability)
Session tokens (used to maintain authenticated sessions; stored as secure HTTP-only cookies)
4. Legal Basis for Processing
Under Article 13 GDPR, we are required to inform you of the legal basis for each type of processing. We rely on the following:
4.1 Performance of a Contract (Article 6(1)(b))
Processing your account data and delivering core App functionality is necessary to perform our contract with you (or to take steps prior to entering into it). This covers:
Account creation and authentication
Delivering check-ins, workouts, nutrition, coaching, and body map features
Processing your Daily Readiness Score
Sending transactional emails (account verification, password reset)
4.2 Legitimate Interests (Article 6(1)(f))
We process certain data on the basis of our legitimate interests, having balanced those interests against your rights and confirmed they do not override your fundamental rights. This covers:
App performance monitoring, debugging, and security — our interest: maintaining a safe, reliable service
Generating anonymised, aggregated company wellness reports for employers — our interest: fulfilling our B2B service obligations; your interest protected by: reports being fully anonymised and never identifying individuals
Fraud prevention and abuse detection
4.3 Explicit Consent (Articles 6(1)(a) and 9(2)(a))
For special category data and optional features, we rely on your explicit consent:
PAR-Q health screening data (collected and stored with your consent at onboarding)
Cycle tracker data (collected only upon active opt-in)
Wearable device health data (collected only upon OAuth connection)
You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal. Withdrawing consent for the PAR-Q or cycle tracker will result in those features being disabled. To withdraw, contact support@meridian.work or delete the relevant data from within the App.
4.4 Legal Obligation (Article 6(1)(c))
Retaining records where required by applicable Irish or EU law
4.5 Requirement to Provide Data
Providing your name, email address, and PAR-Q responses is required to use the App. If you do not provide this data, we cannot create your account or provide the service. All other data (body measurements, wearable connections, cycle tracking, progress photos) is optional.
5. Who We Share Your Data With
We do not sell your personal data. We do not share your data with third parties for their own marketing purposes.
5.1 Your Employer
Your employer receives access to anonymised, aggregated company-level wellness reports only. These show trends across all employees (e.g. average readiness, stress indicators, check-in completion rates) and never identify individuals. Specifically:
Pain and injury data only appear in aggregate reports when severity is rated 4 or above, AND a minimum of 5 employees have reported data in that category
Your employer cannot access your individual check-ins, AI conversations, cycle data, body map logs, injury entries, meal logs, or any other personal data
Custom check-in questions configured by your employer generate only anonymised aggregate responses visible to them
5.2 Sub-Processors
We use the following third-party processors under binding data processing agreements:
Infrastructure and database
Neon Inc. — PostgreSQL cloud database hosting all personal data. US-based; data transfers governed by Standard Contractual Clauses (EU Commission Decision 2021/914).
AI processing
Anthropic PBC — powers the AI Coach (Claude). Your conversation context and relevant wellness data is sent to Anthropic's API per session to generate personalised responses. Anthropic processes this data solely to provide the service and does not use it to train AI models. US-based; SCCs in place.
Email delivery
Resend Inc. — transactional email delivery (account verification, password reset, data export notifications). EU region (Ireland) servers.
Wearable integrations (only if you connect a device)
Oura Health Oy (Finland) — Oura Ring
WHOOP Inc. (US) — WHOOP band
Garmin Ltd (Switzerland/US) — Garmin devices
Apple Inc. (US) — Apple Health (iOS)
Google LLC (US) — Android Health Connect
App distribution
Apple Inc. — iOS App Store distribution
Google LLC — Android Play Store distribution
5.3 Legal Disclosure
We may disclose personal data to law enforcement, regulatory authorities, or courts where required by law, or where necessary to protect the rights, property, or safety of MeridianWork, our users, or the public.
6. International Data Transfers
Several of our sub-processors are based in the United States (Neon, Anthropic, WHOOP, Apple, Google). We transfer data to these processors under Standard Contractual Clauses (SCCs) adopted by the European Commission under Article 46(2)(c) GDPR, which provide appropriate safeguards for your data. Oura is based in the EU (Finland). Resend operates EU-region servers.
By using the App and connecting third-party services, you acknowledge that your data may be transferred to and processed in countries outside the EU/EEA.
7. Data Retention
We retain personal data for as long as necessary for the purposes described in this policy, subject to the following specific periods:
Account and identity data: retained for the lifetime of your active account
Health and wellness data (check-ins, body map, workout logs, etc.): retained for the lifetime of your active account
AI Coach conversation history: retained until you delete individual conversations, or until account deletion
PAR-Q responses: retained for the lifetime of your active account for safety purposes
Cycle tracker data: retained until you delete it within the App, or until account deletion
Wearable sync data: retained for the lifetime of your active account; deleted when you disconnect the integration
Technical logs and error data: retained for up to 90 days
Anonymised aggregate data: may be retained indefinitely as it cannot identify you
Post-deletion: all personal data is permanently deleted within 30 days of account deletion, except where retention is required by applicable law
If your employment ends and your employer requests account removal, we will process this in accordance with the applicable Data Processing Agreement and notify you where possible.
8. Data Security
All data in transit is encrypted using TLS (HTTPS)
Data at rest is stored in an encrypted PostgreSQL database (Neon)
Access to production systems is restricted to authorised personnel only, using access controls and audit logging
Passwords are stored using strong cryptographic hashing; we cannot recover your password
Authenticated sessions use secure, HTTP-only, same-site cookies
Your data is never used to train AI models
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Irish Data Protection Commission within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR. Where the breach poses a high risk to you individually, we will also notify you directly without undue delay, as required by Article 34 GDPR.
9. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights. To exercise any of them, contact us at support@meridian.work. We will respond within one calendar month (extendable by a further two months for complex requests, with notice).
Right of access (Article 15) — obtain a copy of the personal data we hold about you and information on how it is processed
Right to rectification (Article 16) — request correction of inaccurate or incomplete data
Right to erasure (Article 17) — request deletion of your data where it is no longer necessary, consent is withdrawn, or processing is unlawful
Right to restriction (Article 18) — ask us to restrict processing while a dispute is resolved
Right to data portability (Article 20) — receive your data in a structured, commonly used, machine-readable format (applies to consent-based and contract-based processing)
Right to object (Article 21) — object to processing based on legitimate interests; we will stop unless we can demonstrate compelling legitimate grounds
Right to withdraw consent (Article 7(3)) — withdraw consent at any time for consent-based processing without affecting prior processing
Rights related to automated decision-making (Article 22) — we do not make solely automated decisions that produce legal or similarly significant effects on you
You also have the right to lodge a complaint with the Irish Data Protection Commission (DPC): www.dataprotection.ie, or with the supervisory authority in your EU member state of habitual residence.
10. Cookies and Session Tokens
The MeridianWork App does not use browser cookies. We use secure, HTTP-only session tokens to maintain your authenticated session within the App. These are essential for the App to function and cannot be disabled. We do not use tracking pixels, advertising cookies, or third-party analytics cookies.
11. Children
The App is intended for use by adults aged 18 and over in a professional workplace context. We do not knowingly collect personal data from individuals under 18. If you believe we have inadvertently collected data from a minor, contact us immediately at support@meridian.work and we will delete it without delay.
12. Changes to This Policy
We may update this Privacy Policy. When we make material changes, we will notify you via an in-App notice and update the "Effective date" at the top. For changes that significantly affect your rights or the way we process special category data, we will seek fresh consent where required. Continued use of the App following notification of non-material changes constitutes acceptance.
13. Contact
MeridianWork Limited
Privacy queries: support@meridian.work
Website: meridian.work
Registered in Ireland under the Companies Act 2014