Privacy Policy
Last updated 14 July 2026
Meridian is a daily geography game. This policy explains what personal data we collect, why, the legal grounds we rely on, who we share it with, and the rights you have — including under the EU and UK General Data Protection Regulation (GDPR).
1. Who we are
Meridian (“we”, “us”, “our”) operates the website at meridiandaily.app and is the data controller for the personal data described here. If you have any question about this policy or want to exercise your rights, contact us at privacy@meridiandaily.app.
2. The short version
- You can play the daily puzzles with no account and no sign-in. Anonymous progress stays in your browser on your device.
- If you sign in, we store your email and your game progress so it syncs across your devices.
- Analytics are off until you opt in. We never sell your data, and we don’t show ads.
- You can export or delete everything from the You page at any time.
3. What data we collect
Account data (only if you sign in). Your email address, a unique account identifier, the date your account was created, and an optional display name. Meridian uses passwordless sign-in, so we do not store passwords.
Game progress and preferences. Your streaks, per-country mastery records, a log of the questions you’ve answered (the country, format, whether you were right, and how long you took), daily-tray completion, and your settings (region weighting, theme, sound, language, and whether you’ve opted into email reminders).
Anonymous, on-device progress. If you play without signing in, your progress is stored in your browser’s local storage on your device. It is not sent to our servers unless you later sign in and choose to save it to your account.
Analytics data (only with your consent). If you allow analytics, we and our analytics providers collect usage events (such as which puzzles you start and finish), page views, and general device and browser information. Approximate location may be derived from your IP address to distinguish regions; we do not use it to identify you.
Technical data. Like any website, our hosting provider processes limited technical information (such as IP address and request metadata) to deliver pages and keep the service secure.
4. Why we use it, and our legal basis
Under the GDPR we must have a lawful basis for each use of your data. Here is how that maps to what we do:
| What we do | Data used | Legal basis |
|---|---|---|
| Run your account and sync your progress across devices | Account data, game progress, preferences | Performance of a contract (Art. 6(1)(b)) |
| Keep the daily game working for anonymous players | On-device progress, essential cookies | Legitimate interests (Art. 6(1)(f)) |
| Understand usage and improve the product | Analytics data | Consent (Art. 6(1)(a)) |
| Send optional email reminders | Email address, reminder setting | Consent (Art. 6(1)(a)) |
| Keep the service secure and prevent abuse | Technical data, logs | Legitimate interests (Art. 6(1)(f)) |
Where we rely on consent, you can withdraw it at any time — see Your rights — without affecting anything we did before you withdrew it.
5. Cookies and local storage
We use a small number of essential cookies and browser storage to keep you signed in and remember your settings, and — only if you opt in — analytics cookies. Non-essential analytics are off by default; you choose whether to allow them via the banner or the You page. For the full list, see our Cookie Policy.
6. Who we share data with
We do not sell your personal data. We share it only with the service providers (“processors”) that help us run Meridian, each bound to process it only on our instructions:
| Provider | Purpose | Their privacy policy |
|---|---|---|
| Supabase | Database and authentication (accounts, progress) | supabase.com/privacy |
| Vercel | Website hosting and privacy-friendly usage/performance metrics | vercel.com/legal/privacy-policy |
| PostHog | Product analytics (only with your consent) | posthog.com/privacy |
| Resend | Sending sign-in links and optional email reminders | resend.com/legal/privacy-policy |
| Google / Apple | Sign-in, only if you choose to use them | Google · Apple |
We may also disclose data where required by law, or to protect the rights, safety, and security of Meridian and its users.
7. International data transfers
Some of our providers are located outside the European Economic Area (for example, in the United States). Where data is transferred outside the EEA or UK, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses, or transfers to countries the Commission has found to provide an adequate level of protection.
8. How long we keep it
- Account and game progress: for as long as your account exists. When you delete your account, this data is deleted.
- Anonymous, on-device progress: until you clear it in your browser, or you sign in and merge it into an account.
- Analytics data: retained by our analytics provider for a limited period in line with their standard retention, then removed or aggregated.
- Technical logs: kept only briefly for security and reliability.
9. Your rights
If you are in the EEA or the UK, you have the right to access, correct, delete, restrict, or object to our use of your personal data, to data portability, and to withdraw consent at any time. You can act on most of these directly:
- Access and portability: use You → Export my data to download your account, mastery, and attempt history as CSV files.
- Erasure: use You → Delete my account to permanently delete your account and all associated data.
- Withdraw analytics consent: turn analytics off from the You page or the “Cookie preferences” link in the footer.
- Everything else: email us at privacy@meridiandaily.app and we’ll help.
You also have the right to lodge a complaint with your local data protection authority if you believe we’ve mishandled your data, though we’d appreciate the chance to put things right first.
10. Children
Meridian is intended for a general adult audience and is not directed at children. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
11. How we protect your data
Access to your data is protected by authentication and database row-level security, so signed-in users can only reach their own records. Traffic is encrypted in transit (HTTPS). No system is perfectly secure, but we take reasonable measures to protect your information.
12. Changes to this policy
We may update this policy from time to time. When we do, we’ll revise the “Last updated” date above and, for material changes, provide a more prominent notice.
13. Contact us
Questions, requests, or concerns? Email privacy@meridiandaily.app. See also our Cookie Policy and Terms of Service.