Privacy Policy

Meridian Labs(“we,” “us,” or “our”) operates the Noomaplatform (“Service”), an AI-powered reporting and intelligence platform for marketing agencies. This Privacy Policy describes how we collect, use, store, and protect your information when you use our Service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect your name, email address, organization name, and role within your agency. This information is used to provision your tenant and manage access.

1.2 Campaign and Advertising Data

With your authorization, we access campaign performance metrics from your connected advertising platforms (such as Google Ads) via their official APIs. This includes impressions, clicks, conversions, cost data, auction insights, and campaign configuration details. We do not access or store end-user personal data from your advertising campaigns.

1.3 Email Data

If you enable the email assistant feature, we access email content from your connected Gmail account via the Gmail API to calibrate AI voice matching and generate report drafts. Email content is processed to learn your communication style and is not used for any other purpose. We create drafts in your Gmail account but never send emails on your behalf without explicit action.

1.4 Usage Analytics

We collect anonymized usage data such as feature interactions, page views, and session duration through PostHog to improve the platform experience. We use Sentry to capture error reports for debugging and reliability improvements.

1.5 OAuth Tokens

When you connect third-party services (Google Ads, Gmail), we store encrypted OAuth tokens to maintain your authorized connections. These tokens are stored separately from your session data and are encrypted at rest.

2. How We Use Your Information

We use the information we collect to:

• Generate AI-powered campaign performance reports for your clients
• Match your communication voice and style for email drafts
• Apply your agency's business rules and benchmarks to report analysis
• Extract action items and recommendations from campaign data
• Provide white-labeled client portal experiences
• Monitor platform reliability and fix errors
• Improve our AI models and platform features
• Communicate with you about your account and service updates

3. Data Storage and Security

3.1 Infrastructure

Your data is stored in PostgreSQL databases hosted by Supabase with encryption at rest. Our application services are hosted on Vercel (frontend) and Railway (backend), with all data transmitted over HTTPS/TLS.

3.2 Multi-Tenant Isolation

Noomaenforces strict multi-tenant data isolation. Each agency's data is completely separated through Row Level Security (RLS) policies at the database level. Every database query is scoped to your tenant, ensuring that your data is never accessible to other agencies on the platform.

3.3 Token Security

OAuth tokens and API credentials are encrypted at rest and stored in dedicated tables, separated from user session data. We follow the principle of least privilege for all database access.

4. Third-Party Services

We integrate with the following third-party services to provide our platform:

• Google Ads API — to retrieve campaign performance data from your advertising accounts
• Gmail API — to calibrate voice matching and deliver report drafts to your inbox
• Anthropic (Claude API)— to power AI-generated reports, email drafts, and action item extraction. Your data is sent to Anthropic's API for processing and is subject to Anthropic's Privacy Policy
• Supabase — for database hosting and authentication services
• Sentry — for error monitoring and application reliability
• PostHog — for anonymized product analytics
• Vercel — for frontend hosting and deployment
• Railway — for backend service hosting

Each third-party service has its own privacy policy governing how it handles data. We select providers that meet our security and privacy standards.

5. Data Retention and Deletion

We retain your data for the duration of your active account. Campaign performance data is retained for historical reporting purposes as long as your account is active.

Upon account termination, we will delete your data within 30 days of your request. Some data may be retained for up to 90 days in backups before being permanently removed. Anonymized, aggregated data that cannot identify you or your clients may be retained indefinitely for platform improvement.

6. Data Sharing

We do not sell your personal information or your clients' data to third parties.

We share data only in the following circumstances:

• With third-party service providers listed above, solely to operate the platform
• When required by law, regulation, legal process, or governmental request
• To protect the rights, property, or safety of Meridian Labs, our users, or the public
• In connection with a merger, acquisition, or sale of assets (with advance notice to affected users)

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Right to Access — Request a copy of the personal data we hold about you
• Right to Correction — Request correction of inaccurate or incomplete personal data
• Right to Deletion — Request deletion of your personal data, subject to legal retention requirements
• Right to Data Portability — Request an export of your data in a machine-readable format
• Right to Restrict Processing — Request that we limit how we use your data
• Right to Opt Out of Sale — We do not sell personal data. No opt-out action is required.

To exercise any of these rights, contact us at privacy@poweredbynooma.com. We will respond within 30 days.

8. European Economic Area (GDPR)

If you are located in the European Economic Area, our legal basis for processing your personal data is:

• Contract performance — processing necessary to provide the Service you have subscribed to
• Legitimate interests — improving our platform, ensuring security, and preventing fraud
• Consent — where you have given explicit consent for specific processing activities (e.g., connecting Gmail)

You may withdraw consent at any time by disconnecting integrated services or contacting us.

9. California Privacy Rights (CCPA)

If you are a California resident, you have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. As stated above, we do not sell personal information.

To make a request under the CCPA, contact us at privacy@poweredbynooma.com.

10. Google API Services User Data Policy

Nooma's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, we limit our use of Google user data to providing and improving theNooma platform. We do not use Google user data for advertising purposes, and we do not transfer Google user data to third parties except as necessary to provide the Service or as required by law.

11. Cookies

We use essential cookies for authentication and session management. We use analytics cookies through PostHog to understand how users interact with the platform. You can control cookie preferences through your browser settings.

12. Children's Privacy

Our Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal data from a child, we will promptly delete it.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the effective date. For significant changes, we will also notify you via email.

14. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at: