Privacy Policy.

1. Who we are

Meridian (legal entity neverstill.llc), a Texas-incorporated LLC. The company you transact with when you sign up for Merkava. Mailing address available on request — email [email protected].

2. What data we collect

From you, at signup: name, email, password (hashed), tenant configuration choices.

Through normal product use: the contacts, deals, content, employees, integrations data, support messages, and other operator data you load into Merkava. AI-generated drafts, recommendations, and outputs the executive team produces for you.

Automatically: IP address, browser type, basic device info, request logs (for security + abuse prevention), audit log of actions taken in your tenant.

From third-party integrations you authorize: the data scoped by the integration (e.g., HubSpot contacts, Stripe customers, GitHub repo access). Always limited to the scopes you approve at install.

From payments: Stripe holds your card details; we see metadata (last 4 digits, brand, billing zip) but never the full card number.

3. How we use your data

To deliver the service. Specifically: (a) running the AI executive team and their workflows, (b) syncing data with the integrations you authorized, (c) sending product, billing, and security notifications, (d) supporting you when you reach out, (e) detecting and preventing abuse, fraud, and unauthorized access, (f) improving the product (in aggregate, non-identifying form — your tenant data does not train shared models).

4. AI training — what we do not do

We do not train shared/foundation AI models on your tenant data. AI executive output for your tenant is generated against your tenant's context only. If we ever change this policy, it will require a new privacy version and explicit operator opt-in — we won't quietly update the policy and assume consent.

5. Sharing + subprocessors

We use a small number of subprocessors to deliver the service (cloud hosting, payment processing, email delivery, error tracking, AI inference). The current list lives at /security with each subprocessor's purpose. We don't sell your data, license it, or share it with advertisers, data brokers, or third parties for their own commercial use.

6. Data retention

Your tenant data is retained for as long as your subscription is active. After cancellation, your data is accessible for export through the end of your billing period; we delete it within 30 days of subscription end unless you request earlier deletion or longer retention. Audit logs are retained for 12 months for security investigations. Backups are pruned on a 30-day rolling schedule.

7. Your rights

Regardless of where you live, you can: (a) export your tenant data via Settings → Data Export, (b) request deletion of your account and data by emailing [email protected], (c) correct or update inaccurate personal information from your account settings, (d) object to specific processing activities by contacting us.

If you're in the EU/UK, you have the rights granted by GDPR including portability, restriction, and lodging a complaint with your supervisory authority. If you're in California, you have the rights granted by CCPA/CPRA — you can request a list of personal information we have, deletion, and opt out of sale (we don't sell personal information).

8. International data transfers

Merkava is operated from the United States. If you're outside the US, your data is transferred to the US and processed there, governed by Standard Contractual Clauses where applicable. EU data residency is on the public roadmap (see /roadmap) — until that ships, by signing up you consent to US processing.

9. Security

Encryption in transit (TLS 1.3) and at rest (AES-256). Tenant scoping enforced at the database layer. Per-row credential encryption rolling out. SOC 2 Type II audit kickoff Q3 2026. Breach disclosure within 72 hours of confirmed unauthorized access. Full security posture at /security.

10. Cookies + tracking

Strictly necessary cookies for authentication and session state. No advertising cookies, no third-party trackers, no fingerprinting. We use minimal first-party analytics to track aggregate usage (page-view counts, session duration) without identifying individual users. The Relay chat widget on this site stores a session token in local storage to maintain conversation context — you can clear it any time.

11. Children

Merkava is a B2B product not directed at children. We don't knowingly collect data from anyone under 16. If you believe we've inadvertently collected a child's data, email [email protected] and we'll delete it.

12. Changes

Material changes ship as a new version, posted to this page with the new effective date. Operators get an in-product or email notice at least 14 days before material changes take effect. Continued use after the effective date counts as acceptance. Non-material changes (typos, formatting, link fixes) ship without notice.

13. Contact

Privacy questions, data requests, complaints: [email protected]. General support: [email protected]. The founder reads every privacy inquiry directly during the early-customer phase.

By using Merkava, you acknowledge you've read this Privacy Policy. Custom Enterprise customers can negotiate a Data Processing Agreement (DPA) that supplements this page with HIPAA BAAs, GDPR DPAs, and similar.

Related: Terms of Service · Security · Developer Agreement