Privacy Policy

This Privacy Policy explains what personal information Meridian Rewards Group, LLC ("Meridian," "we," "us," or "our") collects through meridianrewardsgroup.com, the organization portal, the recipient booking pages, and related services (collectively, the "Service"); how we use it; who we share it with; and the choices you have. By using the Service you confirm that you have read this Policy.

1. Who this Policy covers

Two groups of people interact with Meridian, and this Policy covers both:

• Organization users — the people who register and run a Meridian organization account on behalf of a business, charity, or nonprofit (admins, program managers, team members).
• Recipients — the individuals an organization sends to us to redeem a travel package they were awarded, gifted, or won.

If you are a recipient, your relationship is primarily with the organization that gave you the package. They decided to share your contact information with us so we could deliver your trip. If you have questions about how that organization handles your information internally, please contact them directly.

2. Information we collect

2.1 Information you provide

• Registration: when an organization registers at /register, we collect the organization name, organization type, the registering person's full name, email address, and the fact that they accepted these Terms.
• Profile information: any optional details an organization adds later — phone, website, industry, billing address, additional team members' names and emails, etc.
• Booking information: when a recipient books a trip, we collect their full name, email, phone number, mailing address, dates of travel, traveler names and ages, and any preferences or accessibility notes they provide. Some suppliers require passport numbers, dates of birth, or similar identifiers; we collect those only when needed for the booking.
• Communications: messages you send to us through the contact form, support email, or our concierge channels.
• Payment-related information: we use third-party processors for invoicing and payments. We do not store full credit-card numbers on our servers; they are held by our payment provider.

2.2 Information collected automatically

• Device & usage data: IP address, browser type, device type, operating system, referring page, the pages you view on the Service, and the time and date of your visit.
• Cookies & similar technologies: see Section 5 for details.
• Authentication metadata: sign-in events, session tokens, and security log entries needed to keep your account safe.

2.3 Information from third parties

If your organization is added by an admin (rather than registering directly), we receive your name and email from that admin. If a recipient is given a package by an organization, we receive the recipient's email and any other contact information the organization shares for fulfillment.

3. How we use information

We use personal information to:

• Create and operate organization accounts; let admins invite and manage team members.
• Curate, display, price, and unlock travel packages for organizations.
• Process bookings and coordinate travel with the underlying suppliers (resorts, hotels, charter operators, activity providers).
• Send transactional emails — invite emails, password resets, booking confirmations, alternate-date offers, decision notifications, invoice notices, etc.
• Provide customer support and 24/7 concierge service.
• Bill organizations and collect on outstanding invoices.
• Monitor, secure, debug, and improve the Service.
• Send relevant product or program updates to organization admins. We don't send marketing email to recipients except as needed to deliver their trip.
• Comply with our legal and contractual obligations, prevent fraud, and enforce our Terms of Service.

We do not sell personal information, and we do not use personal information to train third-party AI models.

4. How we share information

We share personal information only when one of these applies:

• With your organization. If you are a team member or recipient, the organization that brought you onto Meridian can see information related to your involvement with their program — for example, the recipient's name, email, and trip status are visible to the program admin.
• With travel suppliers. Booking a trip requires us to share the traveler's name, contact information, dates, and any required identifiers with the resort, hotel, charter operator, or activity provider that will host them.
• For legal reasons. When we believe in good faith that disclosure is required by law, regulation, legal process, or a lawful government request, or is necessary to investigate or address fraud, security, or technical issues, or to protect our rights, property, or safety or that of others.
• In a corporate transaction. If Meridian is involved in a merger, acquisition, financing, or sale of all or part of our business, personal information may be transferred as part of that transaction. We will notify affected users where required.
• With your consent. Any other sharing only happens with your consent.

5. Cookies and analytics

We use cookies and similar technologies for two purposes: keeping you signed in (essential cookies) and understanding how the Service is used (analytics cookies, set by Google Analytics 4 and PostHog). Most browsers allow you to refuse or delete cookies through their settings. Disabling essential cookies will prevent you from staying signed in.

Aggregate analytics let us see things like the number of visitors per page and which packages are being browsed, but they aren't used to build a profile of you for advertising. We don't run third-party advertising trackers on the Service.

6. How long we keep information

We keep personal information for as long as we need it to operate the Service and to meet our legal, accounting, and reporting obligations. Specifically:

• Organization records, invoices, and booking history are retained for the life of the organization's relationship with Meridian and for at least seven years afterwards for tax and accounting purposes.
• Recipient booking records are retained for at least seven years after the trip date, primarily to support travel-supplier audits and chargeback windows.
• Authentication and security logs are retained for up to two years.
• Marketing-list entries are retained until you unsubscribe.

We may retain information longer when required by law or to defend a legal claim.

7. How we protect information

We use industry-standard administrative, technical, and physical safeguards to protect personal information — including TLS encryption in transit, encryption at rest for our managed databases, role-based access controls, audit logging, and routine security reviews. No system is perfectly secure, however, and we cannot guarantee absolute security. If we ever become aware of a personal-data incident affecting you, we will notify you and any required regulators in line with applicable law.

8. Your choices and rights

Depending on where you live, you may have rights under privacy laws like the California Consumer Privacy Act (CCPA/CPRA) or the EU/UK General Data Protection Regulation (GDPR). These can include the right to:

• Access the personal information we hold about you and request a copy.
• Correct information that is inaccurate or incomplete.
• Delete personal information we no longer need to keep.
• Restrict or object to certain processing.
• Receive your information in a portable format.
• Withdraw consent where we rely on consent (you can withdraw consent at any time without affecting prior processing).
• Lodge a complaint with a data-protection regulator.

You can exercise these rights, or ask any privacy question, by emailing hello@meridianrewardsgroup.com. We will verify your identity before fulfilling a request and respond within the timeline required by applicable law. We do not discriminate against anyone for exercising a privacy right.

You can unsubscribe from non-transactional emails at any time using the link at the bottom of those emails. We must continue to send transactional messages — invites, password resets, booking confirmations, invoice notices — for as long as your account is active.

9. Children

The Service is not directed at children under 13, and we do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, contact us and we will delete it.

10. International users

Meridian operates from the United States, and our service providers are located primarily in the United States and the European Union. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. United States privacy laws may differ from those in your country.

11. Changes to this Policy

We may update this Policy from time to time. When we make material changes, we will update the "Effective" date at the top of this page and, where appropriate, notify your organization's contact email. Your continued use of the Service after changes take effect constitutes your acceptance of the updated Policy.

12. Contact

To ask a privacy question or make a request:

Meridian Rewards Group, LLC
Email: hello@meridianrewardsgroup.com
Phone: (615) 880-6174