Meridix

Your Data Rights

Last updated: April 7, 2026

1. Overview

Meridix is committed to your data rights under GDPR, CCPA, and other applicable privacy regulations. This page explains your rights and how to exercise them.

2. Right to Access

You can access all your personal data stored in Meridix at any time through the application:

  • Email data — visible in your inbox (Priority, Stream, Records)
  • Account data — visible in Settings
  • Login history — visible in Settings > Security
  • AI processing history — visible in Settings > AI Privacy

For a formal data access request, email [email protected]. We will respond within 30 days.

3. Right to Export (Data Portability)

You can export your email data at any time via Settings > Security > Export Data. Exports are provided in JSON format and include:

  • All emails (subject, body, headers, attachments)
  • Contacts and sender profiles
  • Labels and mailbox rules
  • Calendar events and contacts (CalDAV/CardDAV)
  • Signatures and snippets
  • AI preferences and opt-out settings

Export files are generated as a background job and available for download within 24 hours. You will receive an email notification when your export is ready.

4. Right to Rectification

You can update your personal information (name, display name, timezone) at any time in Settings. Organization administrators can update org details in the Admin Console. If you believe data is incorrect and cannot self-correct, contact [email protected].

5. Right to Erasure (Right to be Forgotten)

You can request deletion of your account and all associated data via Settings > Security > Delete Account, or by emailing [email protected].

When you delete your account:

  • All emails are permanently deleted from our database
  • Your Stalwart mailbox and all IMAP/CalDAV/CardDAV data are removed
  • Attachments are deleted from Cloudflare R2
  • Secure portal messages you sent are revoked (recipients can no longer view them)
  • Your authentication identity is removed from Bulwark
  • Audit logs referencing your user ID are anonymized after 90 days

Account deletion is permanent and cannot be undone. We process deletion requests within 30 days. Encrypted backups containing your data are rotated out within the backup retention period (7 daily, 4 weekly, 6 monthly).

6. Right to Restrict Processing

You can restrict specific types of processing without deleting your account:

  • AI processing — disable via Settings > AI Privacy. Your emails will not be sent to any AI model.
  • Analytics — contact [email protected] to opt out of usage analytics
  • Marketing — unsubscribe from product emails using the link in any marketing message

7. Right to Object

You may object to processing of your data for legitimate interest purposes. Contact [email protected] with your objection and we will assess whether our interests override your rights.

8. Automated Decision-Making

Meridix uses automated processing for email classification (Priority / Stream / Records), security scanning (Emadeus), and the Gatekeeper (unknown sender screening). These systems can be overridden manually at any time. No automated decisions with legal or similarly significant effects are made without human review.

9. Contact

Data Protection Officer: [email protected]
Response time: within 30 days for formal requests
Supervisory authority complaints: you have the right to lodge a complaint with your local data protection authority