Privacy Policy

Meridian Compass LLC, a Wyoming limited liability company located at 30 N Gould St STE R, Sheridan, WY 82801 (“Meridian Compass,” “we,” “us,” or “our”), operates themeridiancompass.com (the “Site”) and the buyer-side decision tools accessible through it (collectively, the “Services”). This Privacy Policy explains what information we collect, how we use it, with whom we share it, how long we retain it, and how we protect it.

1. Overview

This policy covers personal information collected when you browse the Site, run one of the free decision tools, or correspond with us. Meridian Compass LLC is the “controller” of personal information described here. The Services are directed to U.S. business users and follow data-minimization principles. We do not sell personal information and do not share it for cross-context behavioral advertising.

2. Information we collect

2.1 Information you provide

When you run a decision tool (Cost & Fit Check, Quote Decoder, RFP Decoder, or Provider Matcher), we collect the self-reported inputs you supply, which may include:

• Company size band, suspected CMMC level, contracting status, timeline pressure, IT-support profile, environment baseline, and CUI-handling posture.
• Sanitized text from vendor quotes or RFP / contract clauses that you choose to paste, when using the decoders. You are instructed to remove CUI, signatures, identifiers, and proprietary content before pasting.
• Optional email address, if you choose to provide one so the resulting readout can be retrieved later.
• Free-text correspondence you send to us through email or any contact form.

2.2 Automatically collected information

When you access the Site, our hosting infrastructure and first-party analytics receive the standard web request data: IP address, user-agent, device/browser type, operating system, screen dimensions, language preference, approximate geographic region (country/region only), referrer URL, pages viewed, session timing, and performance metrics. Collection is via Vercel Analytics and Vercel Speed Insights, configured to aggregate usage without third-party advertising cookies or cross-site trackers.

2.3 Publicly available provider information

The provider directory references publicly available information about CMMC providers, including listings on the Cyber AB Marketplace and vendor-owned websites, with retrieval dates and source URLs cited per record. This is information about businesses, not consumers, and is published as editorial reference material.

3. How we use information

We use collected information to:

• Compute and render the readout produced by each free decision tool.
• Store your readout under a randomly generated identifier so that you can return to the result URL.
• Operate, maintain, monitor, and improve the Services, including debugging, performance measurement, and feature changes.
• Detect, prevent, investigate, and respond to abuse, fraud, security incidents, and unlawful or harmful activity.
• Respond to inquiries, support requests, and correspondence.
• Generate de-identified, aggregated statistics about how visitors use the Services.
• Comply with applicable law, respond to lawful legal process, and establish, exercise, or defend legal claims.

Tool inputs are not used to train any third-party machine learning model. The scoring logic is rule-based; no model is in the request path.

4. Legal bases for processing

We rely on:

• Performance of a contract or pre-contractual steps you request, when computing a readout you submit.
• Legitimate interests in operating, securing, and improving the Services and in preventing abuse, where those interests are not overridden by your fundamental rights.
• Consent, where required, for any optional communications.
• Compliance with legal obligation, for tax, accounting, and regulatory requirements.

5. Sharing and disclosure

We do not sell personal information or share it for cross-context behavioral advertising. We disclose information only to the categories of recipients below, and only as needed.

Service providers. We rely on the following processors:

• Vercel, Inc. — application hosting, edge networking, server-side functions, analytics, and Vercel Blob object storage. Submission readouts are stored as JSON objects in Vercel Blob within Vercel’s U.S. infrastructure.
• GitHub, Inc. — source-code hosting only; no user data is stored in the repository.

Professional advisors. Lawyers, accountants, auditors, bankers, and insurers, when reasonably necessary, under professional and contractual confidentiality.

Legal process and rights protection. We may disclose information if we believe disclosure is necessary to comply with applicable law, subpoena, warrant, court order, or regulatory request; to enforce our Terms; to investigate or respond to suspected fraud, abuse, or policy violations; or to protect the rights, property, or safety of Meridian Compass, users, or the public.

Corporate transactions. If Meridian Compass merges, is acquired, reorganizes, finances, faces bankruptcy, or sells assets, personal information may transfer to the counterparty or successor under confidentiality obligations and equivalent or greater privacy protections.

6. Data retention

We retain personal information only as long as reasonably necessary for the purposes described above. Submission readouts are retained for the period needed to make the result URL functional and for reasonable backup and audit-trail purposes. We retain de-identified, aggregated data indefinitely. We retain records as needed to comply with tax, accounting, regulatory, and legal obligations and to defend legal claims.

7. Data security

We maintain commercially reasonable administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, use, alteration, disclosure, or destruction, including transport encryption (TLS), access controls, least-privilege administration, and logging. We contractually require service providers to maintain appropriate safeguards.

No method of transmission or electronic storage is perfectly secure. We cannot guarantee absolute security. You are responsible for safeguarding any credentials and for promptly notifying us of any actual or suspected unauthorized access.

8. Your rights (U.S.)

Subject to applicable law and our right to verify your identity, you may:

• Access — request confirmation of whether we process your personal information and a copy.
• Correct — request correction of inaccurate personal information.
• Delete — request deletion, subject to retention exceptions.
• Portability — request a copy in a structured, commonly used, machine-readable format.
• Object or restrict — object to or request restriction of certain processing, such as legitimate-interest processing.

Submit requests by email to legal@themeridiancompass.com with subject line “Privacy Request.” We may verify your identity before acting on the request and may decline or limit requests where retention exceptions apply or where the request is manifestly unfounded, excessive, or repetitive. We will not discriminate against you for exercising these rights.

9. California residents (CCPA / CPRA)

Categories of personal information collected in the preceding 12 months may include identifiers (IP address, optional email, account identifiers), commercial information (Services usage), internet or other electronic network activity (page views, session metadata), and geolocation data limited to approximate, region-level information derived from IP.

We do not knowingly collect “sensitive personal information” categories including Social Security number, driver’s license, precise geolocation, racial/ethnic origin, religious beliefs, union membership, private communications contents, genetic data, biometric identifiers, health, or sexual-orientation information. We do not use personal information for purposes that would require a “Limit the Use of My Sensitive Personal Information” link.

No “sale” or “sharing.” We do not sell personal information as defined by the CCPA and do not share it for cross-context behavioral advertising. We do not offer a “Do Not Sell or Share My Personal Information” link because we do not engage in those activities.

California rights. California residents have the right to know, access, delete, correct, and to opt out of sale or sharing (not applicable here). To exercise California rights, email legal@themeridiancompass.com with subject line “California Privacy Request.” Authorized agents may submit requests with (i) signed written permission and (ii) sufficient identity verification.

Shine the Light. California Civil Code § 1798.83 permits California residents with an established business relationship to request certain information about third-party disclosures for direct marketing. We do not make such disclosures.

10. Cookies and tracking

We use only first-party, strictly necessary cookies required for basic Site operation (such as preserving session state) and first-party analytics provided by Vercel Analytics and Vercel Speed Insights, configured to aggregate usage without individually identifying cookies or third-party advertising trackers.

We do not use third-party advertising cookies, retargeting pixels, or cross-site tracking. Because our analytics do not involve targeted advertising, we are not specifically configured around “Do Not Track” (DNT) signals. Where applicable law recognizes Global Privacy Control (GPC) as an opt-out-preference signal, we treat a GPC signal as a valid sale/sharing opt-out request, even though we do not currently sell or share personal information.

11. Children

The Services are intended for adult business users and are not directed to children. We do not knowingly collect personal information from individuals under 18, and do not knowingly collect from children under 13 in violation of the Children’s Online Privacy Protection Act (COPPA). If you believe a child has provided personal information, please contact us and we will delete it.

12. International users

The Services are intended for, hosted in, and operated from the United States. All collected data is processed and stored on U.S.-region infrastructure. If you access the Services from outside the United States, you understand that your information will be transferred to, stored in, and processed in the United States, where data-protection laws may differ and may not provide the same level of protection as your jurisdiction. By using the Services from outside the United States, you consent to that transfer and processing.

We do not currently offer the Services to users in the European Economic Area, the United Kingdom, or Switzerland, and do not make the representations required by the EU General Data Protection Regulation (GDPR) or UK Data Protection Act.

13. Third-party links

The Services contain links to third-party websites, including vendor websites referenced in the provider directory and the Cyber AB Marketplace. We are not responsible for the privacy practices or content of any third-party site. Review the privacy policy of any third-party site you visit.

14. Changes to this policy

We may update this policy from time to time. For material changes, we will indicate the change with a revised “Last updated” date and, where appropriate, provide an in-product notice. For non-material changes, we will simply update the “Last updated” date. Your continued use of the Services after the revised policy becomes effective constitutes acceptance.

15. Contact

For questions, requests, or complaints regarding this Policy or our privacy practices:

Meridian Compass LLC
Attn: Privacy
30 N Gould St STE R
Sheridan, WY 82801, USA
Email: legal@themeridiancompass.com