Privacy Policy
1. Who we are
Meridian (meridianintel.co) is a maritime container-tracking service operated by Arellano Global LLC ("we", "us"). For the personal data described in this policy we act as data controller. Privacy contact: privacy@arellanoglobal.org.
2. What we collect
| Category | Examples | Why |
|---|---|---|
| Account data | Name, email address | Account creation, sign-in, support |
| Business details you choose to provide | Company name, tax identifier (e.g. RFC / EIN), contact phone, billing address, country, website | Billing, invoicing, and meeting tax and accounting obligations |
| Tracking data | Master Bill of Lading (MBL) and container numbers you register | Providing the tracking service |
| Billing data | Purchase records for credit packs (handled by our payment processor — we never see or store card numbers) | Payments, accounting |
| Service data | API request logs, webhook delivery logs, credit transactions | Operations, security, billing accuracy |
| Preferences | Your announcements opt-in choice and the timestamp it was set | Respecting your email preferences |
The marketing pages of this site set no cookies and run no analytics or tracking pixels. The dashboard uses authentication session state strictly necessary to keep you signed in.
We do not collect sensitive personal data and the service is not directed at minors.
3. How we use it
We process your data to deliver the service you signed up for (contract), to secure and operate the platform (legitimate interest), and to meet legal obligations such as tax record-keeping. We do not sell personal data and we do not use it for advertising. With your separate, opt-in consent we may send occasional product updates and announcements about Meridian (legal basis: consent); we send these to no one who has not opted in, and you can withdraw at any time from the toggle in your dashboard or by emailing privacy@arellanoglobal.org, with no effect on your use of the service.
4. Sub-processors and transfers
MBL and container numbers you submit are forwarded to one or more maritime data providers to retrieve shipment status. Our current sub-processors:
| Provider | Location | Purpose | Data shared |
|---|---|---|---|
| JSONCargo | USA / EU | Carrier tracking lookups | MBL & container numbers only |
| Sinay SA | EU (France) | Carrier tracking lookups (fallback) | MBL & container numbers only |
| Terminal49, Inc. | USA | Carrier tracking lookups (fallback) | MBL & container numbers only |
| Whop, Inc. | USA | Payment processing for credit packs | Billing contact, purchase metadata |
| Postmark (ActiveCampaign, Inc.) | USA | Transactional email (welcome, receipts) and, with consent, product announcements | Name, email address |
| Self-hosted infrastructure (Hostinger VPS) | USA | Application hosting, database, authentication | All categories above |
Our infrastructure is hosted in the United States. Where data of EU/EEA residents is transferred, we rely on Standard Contractual Clauses or adequacy mechanisms; where data of Mexican residents is transferred, we rely on your express consent under LFPDPPP Art. 36. We give at least 30 days' notice before adding a material sub-processor.
5. Retention
- Raw provider responses are purged automatically within approximately 48 hours; only normalized tracking fields (status, events, ETA) are retained.
- Account and tracking records are kept for the duration of your account plus 3 years.
- Billing records are kept for 5 years to comply with tax and accounting law.
- Business details you provide (company, tax identifier, address) are kept while your account is active and for 5 years after, to satisfy tax and invoicing obligations.
- Operational logs are kept up to 90 days.
6. Security
All traffic is encrypted in transit (TLS 1.2+). Tenant data is isolated per account using database row-level security and application-level scoping. Administrative access is limited to authorized personnel with a server-side-verified role, used solely for support, billing, operations, security and incident response — and every privileged administrative action is recorded in an append-only audit log. API keys are stored hashed, never in plaintext.
7. Your rights
GDPR (EU/EEA): access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. LFPDPPP (Mexico) — ARCO: Acceso, Rectificación, Cancelación, Oposición.
Exercise any right by emailing privacy@arellanoglobal.org. We respond within 30 days (GDPR) or 20 business days (LFPDPPP). EU residents may complain to their supervisory authority; Mexican residents to INAI (inai.org.mx).
8. Changes
Material changes to this policy will be announced by email or dashboard notice at least 30 days in advance. The effective date above always reflects the current version.