Privacy Policy — Meridian Capital Markets
Legal

Privacy Policy

Effective: 1 March 2026 Last updated: 4 May 2026 Framework: PDPA 2012 (Singapore) · GDPR-aware
01.

Introduction

Meridian Capital Markets Pte. Ltd. ("Meridian", "we", "us", "our") is committed to protecting the personal data of individuals who access or use the Meridian platform (the "Service"). This Privacy Policy describes how we collect, use, disclose, retain, and protect personal data in connection with the Service.

This Policy is drafted in compliance with the Personal Data Protection Act 2012 (PDPA) of Singapore and is written with awareness of the General Data Protection Regulation (GDPR) of the European Union for users accessing the Service from within the European Economic Area or the United Kingdom. Where applicable law requires higher standards, those standards apply.

02.

Data Controller and Data Protection Officer

The data controller is Meridian Capital Markets Pte. Ltd., registered at 80 Robinson Road, #02-00, Singapore 068898 (UEN: 202418746K).

Meridian has appointed a Data Protection Officer (DPO) as required under the PDPA. The DPO is responsible for overseeing data protection compliance and may be contacted at:

Data Protection Officer — Meridian Capital Markets Pte. Ltd.
Email: [email protected]
Post: 80 Robinson Road, #02-00, Singapore 068898 (marked: Attention DPO)

03.

Information We Collect

Information you provide directly:

  • Account registration data: email address, username, and password;
  • Payment and billing information for paid subscription tiers (Pro, Vault), processed via third-party payment processors — Meridian does not store full card details;
  • Support and correspondence: content of messages submitted via support channels or email;
  • Survey and feedback responses where voluntarily provided.

Information collected automatically:

  • IP address and approximate geolocation (country level);
  • Browser type, operating system, device identifiers;
  • Pages visited, features used, time spent, and interaction patterns;
  • Cookies and similar tracking technologies (see Section 7).

On-chain data submitted for analysis:

  • Public wallet addresses submitted by users for portfolio or position analysis are processed in real time and are not retained beyond the active session cache (maximum 30 days).

Meridian does not collect, store, or have access to: private keys, seed phrases, recovery phrases, or any credential that would permit Meridian to transact on your behalf. We have no custody of your assets.

04.

Purposes of Collection (PDPA Section 13)

Meridian collects and uses personal data for the following purposes:

  • Service delivery: providing, maintaining, and improving the features and functionality of the Service;
  • Account management: creating and administering user accounts, verifying identity, and managing access;
  • Billing and payments: processing subscription payments and managing billing records in compliance with the Singapore Companies Act;
  • Security: detecting, preventing, and responding to fraud, abuse, and security incidents;
  • Communications: responding to support requests, sending service notifications, and (where consented) sending marketing communications;
  • Product improvement: analysing usage patterns to improve the Service, develop new features, and conduct research;
  • Legal compliance: meeting obligations under applicable law, including responding to lawful requests from public authorities.
05.

Consent

Where consent is the basis for processing, we obtain consent via a clear affirmative act at the point of collection (e.g., ticking a checkbox or submitting a form accompanied by a notice). Consent is not bundled with the acceptance of Terms of Use for processing activities that are not essential to service delivery.

Certain processing activities that are strictly necessary to provide the Service (such as maintaining your session and storing your account credentials) are conducted on the basis of deemed consent under section 15 of the PDPA, as the collection is necessary to fulfil the purpose for which you engaged Meridian.

You may withdraw consent to any processing activity not strictly necessary for service delivery at any time by contacting [email protected]. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

06.

Legal Bases for Processing (GDPR Article 6 — EU/UK Users)

For users accessing the Service from within the EEA or the United Kingdom, the legal bases for processing personal data are:

  • Performance of a contract (Art. 6(1)(b)): account creation, service delivery, billing;
  • Legitimate interests (Art. 6(1)(f)): security, fraud prevention, product improvement, and analytics — where our interests are not overridden by your rights;
  • Consent (Art. 6(1)(a)): marketing communications, non-essential cookies;
  • Legal obligation (Art. 6(1)(c)): compliance with applicable law, including responses to lawful regulatory or judicial requests.
07.

Cookies

The Service uses the following categories of cookies:

  • Strictly necessary: Session token, authentication state, language preference (localStorage key: lang). These cannot be disabled without impairing service functionality.
  • Analytics: Aggregate, anonymised usage data. Enabled only with your consent. We do not use any third-party analytics service that tracks you across unrelated websites.
  • Preferences: Your filter settings, display preferences, and risk profile selections, stored in localStorage for session continuity.

You may manage or block cookies through your browser settings. Blocking strictly necessary cookies will impair the Service. For analytics cookies, you may withdraw consent at any time through the cookie settings interface.

08.

Disclosure of Personal Data

Meridian does not sell personal data. We may disclose personal data to the following categories of recipients where strictly necessary:

  • Cloud infrastructure providers: Primary hosting on AWS APAC (Singapore) region; backup capacity in EU/US regions. Data processing agreements are in place with all cloud providers.
  • Analytics providers: Anonymised and aggregated data only, where analytics services are enabled with your consent.
  • Payment processors: Billing data shared with our payment processor solely for the purpose of processing subscription payments. Payment processors are independently PCI-DSS compliant.
  • Professional advisers: Legal counsel, accountants, and auditors subject to professional duties of confidentiality.
  • Legal compliance: Public authorities, regulators, or courts where required by applicable law or a valid legal process, and only to the extent required.
09.

International Transfers

Meridian is headquartered in Singapore. Personal data may be transferred to, stored in, or processed in jurisdictions outside Singapore in connection with our cloud infrastructure and third-party service providers. In all cases, Meridian ensures that personal data transferred internationally is afforded a standard of protection comparable to that required under the PDPA (section 26) and, where applicable, the GDPR.

For transfers to GDPR-adequate jurisdictions (including the EU and the UK under the applicable adequacy decisions), no additional safeguards are required. For transfers to the United States, we rely on Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework. Specific transfer mechanisms are available on request from [email protected].

10.

Data Retention

Meridian retains personal data only for as long as necessary for the purpose for which it was collected, or as required by applicable law.

Data Category Retention Period Basis
11.

Your Rights (PDPA and GDPR)

Subject to applicable law, you have the following rights with respect to your personal data:

  • Access (PDPA s.21; GDPR Art. 15): Request confirmation of whether we hold personal data about you and a copy of that data;
  • Correction (PDPA s.22; GDPR Art. 16): Request correction of inaccurate or incomplete personal data;
  • Withdrawal of consent (PDPA s.16): Withdraw consent to any processing activity where consent is the legal basis;
  • Erasure (GDPR Art. 17 — EU/UK users): Request deletion of personal data where no longer necessary or where processing is unlawful;
  • Portability (GDPR Art. 20 — EU/UK users): Receive your personal data in a structured, machine-readable format;
  • Restriction and objection (GDPR Art. 18, 21 — EU/UK users): Request restriction of processing or object to processing based on legitimate interests.

To exercise any of these rights, submit a written request to [email protected]. We will respond within 30 calendar days of receipt. We may need to verify your identity before fulfilling a request. We will not charge a fee for reasonable requests.

12.

Security Measures

Meridian implements and maintains technical and organisational security measures appropriate to the risk profile of the personal data we process. These include: TLS 1.3 encryption for data in transit; AES-256 encryption for data at rest; role-based access controls with the principle of least privilege; multi-factor authentication for all staff with access to personal data systems; and annual third-party security reviews.

In the event of a personal data breach, Meridian will notify affected individuals and the relevant supervisory authority in accordance with applicable law: as soon as practicable under the PDPA, and within 72 hours of becoming aware under the GDPR where legally required.

13.

Children

The Service is not directed at persons under the age of 18. Meridian does not knowingly collect personal data from minors. If we become aware that personal data of a person under 18 has been collected, we will take steps to delete it promptly. If you believe a minor has provided us with personal data, contact [email protected].

14.

Marketing Communications

Marketing communications (including newsletters, product updates, and research dispatches) are sent only to users who have expressly opted in to receive them. You may opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email or by contacting [email protected]. Opting out of marketing communications does not affect service-essential communications (such as billing notifications or security alerts).

15.

Complaints

If you have a concern about how Meridian has handled your personal data, please contact our DPO in the first instance at [email protected]. We will endeavour to resolve your concern within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the relevant supervisory authority:

  • Singapore residents: Personal Data Protection Commission (PDPC) — pdpc.gov.sg
  • EU residents: The supervisory authority in your EU member state of residence or workplace
  • UK residents: The Information Commissioner's Office (ICO) — ico.org.uk
16.

Changes to This Policy

Meridian may update this Privacy Policy from time to time. Material changes will be communicated via notice on the Service or, where required by applicable law, by email. The "Last updated" date at the top of this Policy will be revised accordingly. Your continued use of the Service following notification of material changes constitutes acceptance of the updated Policy.

17.

Contact

For all privacy-related enquiries, data subject requests, and Data Protection Officer correspondence, contact: [email protected]

Written requests should be addressed to: Meridian Capital Markets Pte. Ltd., Attention: Data Protection Officer, 80 Robinson Road, #02-00, Singapore 068898.