Privacy Policy

1. Introduction

BC Holdings LLC, a District of Columbia limited liability company, doing business as Meridian CPA Review ("Company," "we," "us," or "our"), respects your privacy and is committed to protecting your personal information. This Privacy Policy describes how we collect, use, disclose, store, and safeguard your information when you visit our website at www.meridiancpareview.com and use our services, applications, and features (collectively, the "Service").

Please read this Privacy Policy carefully. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with our policies and practices, please do not use the Service.

This Privacy Policy applies to information we collect through the Service, in email, text, and other electronic messages between you and the Service, and when you interact with our advertising and applications on third-party websites and services if those applications or advertising include links to this Privacy Policy.

2. Information We Collect

2.1 Information You Provide Directly

We collect information you voluntarily provide when you use the Service, including:

• Account Information: Email address, password (stored in encrypted form), full name, and display name
• Profile Information: Study preferences, target exam sections, exam dates, and NTS (Notice to Schedule) information
• Payment Information: When you make a purchase, our payment processor (Stripe) collects billing information including credit card details; we do not store complete payment card information on our servers
• Communication Data: Information you provide when you contact customer support, submit feedback, respond to surveys, or communicate with us via email
• User-Generated Content: Notes you create on questions, feedback you submit about questions, and feature ideas you share
• AI Interaction Data: Messages you send to the Meridian Navigator AI tutor and to Plan with Navigator (the cross-section AI study advisor)

2.2 Information Collected Automatically

When you access or use the Service, we automatically collect certain information, including:

• Device Information: Device type, operating system, unique device identifiers, browser type, browser version, and screen resolution
• Log Data: IP address, access times, pages viewed, links clicked, and the page you visited before navigating to the Service
• Usage Data: Information about how you use the Service, including features accessed, time spent on pages, and interaction patterns
• Study Performance Data: Practice question attempts, scores, accuracy rates, time spent per question, topic performance, mastery levels, study session duration, and streak information
• Exam Simulation Data: Exam simulation attempts, scores, section performance, and debrief results
• Location Data: General geographic location based on your IP address (we do not collect precise GPS location)

2.3 Information from Third Parties

We may receive information about you from third parties, including:

• Google OAuth: If you sign in using Google, we receive your email address, name, and profile picture from Google
• Payment Processors: Transaction confirmation and payment status from Stripe
• Analytics Providers: Aggregated and anonymized usage statistics from Google Analytics

2.4 AI Interaction Data

When you use our AI-powered features, we collect different categories of data depending on which feature you use:

Per-Question Navigator (the AI tutor attached to a single practice question, quiz, or exam-simulation review):

• The text of your messages and the AI's responses
• The current question's identifier and topic
• Topic-level performance summary statistics for the topic of the current question only (the per-question Navigator does not see your scores from other sections or topics)
• Timestamps and usage counts

Plan with Navigator (the cross-section AI study advisor at the dedicated coaching page):

• The text of your messages and the AI's responses
• Performance scores across every section (FAR, AUD, REG, TCP, BAR, ISC)
• Your exam dates and discipline-section choice
• AICPA blueprint reference data routed alongside your message
• Timestamps and usage counts

Safety and operational metadata. Each AI message is tagged with safety and operational metadata. Categories include:

• Model identifier: which underlying model handled the response.
• Routing reason: why that model was selected.
• Prompt-injection / content-safety detector results: whether the message triggered any input-side safety system.
• Contradiction-detection flag: whether the AI's response was flagged as potentially contradicting Meridian's authoritative content.
• Distress-classifier score: the per-message score described in Section 2.5.
• Persistent crisis flag: the thirty-day boolean signal further described in Section 2.5.
• Operational signals: latency and whether conversation history was truncated to fit context limits.

2.5 Safety and Wellbeing Data

The Service's AI features include automated detection for content indicating crisis, severe distress, or potential harm. When such content is detected, the AI may surface external crisis-support resources (for example, the 988 Suicide & Crisis Lifeline) and the conversation may be flagged for review.

We collect and retain the following safety and wellbeing signals:

• Per-message distress score: A numerical score (zero to one) computed at the time of each AI interaction, stored alongside the message in our database.
• Per-session distress score: An aggregate score persisted with the session record.
• Recent-crisis boolean flag: A thirty-day signal on your account indicating whether any session within the prior thirty days exceeded the elevated-distress threshold. This flag carries forward into new sessions to inform safety responses.

Safety and wellbeing data is used solely to inform safety responses (such as surfacing crisis resources, suppressing speculative or harmful AI behavior, and prompting human review of flagged interactions). It is not used for marketing, model training, advertising, or any other purpose unrelated to safety. We treat this data as Sensitive Personal Information under applicable privacy laws.

You may request deletion of safety and wellbeing data under the right described in Section 7.1. California residents may also exercise the Right to Limit Use of Sensitive Personal Information described in Section 7.2 to restrict how this data is used. Deleting or limiting these signals may reduce the Service's ability to deliver context-aware safety responses in future sessions.

3. How We Use Your Information

We use the information we collect for various purposes, including:

3.1 Providing and Improving the Service

• Creating and managing your account
• Providing access to practice questions, simulations, study materials, and the video library
• Personalizing your learning experience through our Prime Meridian adaptive algorithm
• Tracking your progress and providing performance analytics
• Operating AI features including the per-question Navigator tutor and Plan with Navigator (the cross-section study advisor)
• Sending NTS expiration reminders and score release notifications
• Improving and optimizing the Service

3.2 Communications

• Sending transactional emails (account confirmation, password reset, purchase receipts)
• Responding to your inquiries and support requests
• Sending promotional communications about new features, updates, and offers (with your consent)
• Conducting surveys and collecting feedback

3.3 Business Operations

• Processing payments and preventing fraud
• Analyzing usage patterns and trends to improve the Service
• Conducting research and analytics (using aggregated, anonymized data)
• Enforcing our Terms of Service and other policies
• Complying with legal obligations

3.4 Safety and Security

• Protecting against unauthorized access, fraud, and abuse
• Monitoring for security incidents and responding to threats
• Maintaining the integrity of the Service

4. How We Share Your Information

4.1 Service Providers

We share information with third-party service providers who perform services on our behalf, including:

• Supabase, Inc.: Database hosting, user authentication, and data storage
• Vercel, Inc.: Website hosting, content delivery, and (with your analytics consent) Vercel Analytics
• Stripe, Inc.: Payment processing (when paid plans are introduced)
• Resend, Inc.: Transactional and product-update email delivery
• Anthropic, PBC: AI model provider for the per-question Navigator and Plan with Navigator. Anthropic processes your AI conversations as a data processor on our behalf under the Anthropic Data Processing Addendum, which is incorporated into our agreement with Anthropic by reference. Based on Anthropic's publicly published policies as of the effective date of this Privacy Policy: Anthropic does not train its models on data submitted through our use of its API; Anthropic's default retention is up to thirty (30) days; and Anthropic may retain conversations flagged for Usage Policy violations for up to two (2) years. Anthropic publishes its subprocessor list at trust.anthropic.com/subprocessors and its data-handling documentation at platform.claude.com.
• Google LLC (Google Analytics 4): Website analytics and usage tracking — loaded only after you accept analytics cookies via our consent banner
• Microsoft Corporation (Microsoft Clarity): Session-level usage analytics — loaded only after you accept analytics cookies via our consent banner

These service providers are contractually obligated to protect your information and may only use it to provide services to us. They are not permitted to use your personal information for their own purposes.

4.2 Legal Compliance and Protection

We may disclose your information if required to do so by law or in response to valid requests by public authorities, including:

• To comply with a legal obligation, court order, or legal process
• To protect and defend our rights or property
• To prevent or investigate possible wrongdoing in connection with the Service
• To protect the personal safety of users of the Service or the public
• To protect against legal liability

4.3 Business Transfers

If BC Holdings LLC is involved in a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of its assets, your information may be transferred as part of that transaction. We will provide notice before your personal information is transferred and becomes subject to a different privacy policy.

4.4 Aggregated and De-Identified Data

We may share aggregated or de-identified information that cannot reasonably be used to identify you. This data may be used for industry analysis, research, or other purposes.

5. Data Retention

We retain your information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. Specific retention periods include:

• Account Data: Retained while your account is active and for a reasonable period thereafter to allow for account reactivation or to comply with legal obligations
• Practice and Performance Data: Retained while your account is active to provide personalized learning experiences
• AI Conversation Logs (Meridian-side): Retained by Meridian for up to ninety (90) days for quality improvement, safety review, and contradiction-flag triage
• AI Conversation Logs (Anthropic-side): Retained by Anthropic for up to thirty (30) days under its standard commercial terms; up to two (2) years if Anthropic flags a conversation for a Usage Policy violation. Anthropic's retention is governed by Anthropic's own published policies (see Section 4.1). A request to delete your conversation history can clear Meridian's records but does not directly accelerate Anthropic's retention TTLs.
• Recent-Crisis Flag: The thirty-day boolean signal described in Section 2.5 persists for thirty (30) days from the most-recent triggering session. The signal is independent of conversation log retention.
• Per-Message Safety Metadata: Retained alongside the AI conversation log it tags (same ninety-day Meridian-side window).
• Payment Records: Retained as required by applicable tax and accounting laws (typically seven years)
• Communication Records: Retained for as long as necessary to resolve support issues and comply with legal requirements
• Analytics Data: Aggregated analytics may be retained indefinitely

When we no longer need your personal information, we will securely delete or anonymize it in accordance with applicable laws.

6. Data Security

We implement appropriate technical and organizational measures to protect your personal information, including:

• Encryption: Data is encrypted in transit using TLS/SSL and at rest using industry-standard encryption
• Password Security: Passwords are hashed using secure cryptographic algorithms and are never stored in plain text
• Access Controls: Access to personal data is restricted to authorized personnel on a need-to-know basis
• Security Monitoring: We monitor our systems for security incidents and unauthorized access attempts
• Regular Updates: We regularly update our software and systems to address security vulnerabilities
• Incident Response: We have procedures in place to respond to data breaches and security incidents

While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, and you provide information at your own risk.

7. Your Rights and Choices

7.1 All Users

Regardless of your location, you have the following rights:

• Access: Request access to the personal information we hold about you
• Correction: Request correction of inaccurate or incomplete personal information
• Deletion: Request deletion of your account and personal information, subject to certain exceptions
• Safety and Wellbeing Data Deletion: Request deletion of the safety and wellbeing data described in Section 2.5 (per-message and per-session distress scores, recent-crisis flag). Deleting these signals may reduce the Service's ability to deliver context-aware safety responses in future sessions.
• Data Export: Request a copy of your data in a portable format
• Marketing Opt-Out: Unsubscribe from marketing communications at any time via the unsubscribe link in emails or by contacting us
• Cookie Preferences: Manage cookie preferences through your browser settings

7.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, our business purposes for collecting it, and the categories of third parties with whom we share it
• Right to Delete: Request deletion of your personal information, subject to certain exceptions
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out of Sale: We do not sell personal information, but you have the right to opt-out if we ever do
• Right to Limit Use of Sensitive Personal Information: Limit the use and disclosure of sensitive personal information
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To exercise these rights, contact us at support@meridiancpareview.com. We will respond to verifiable requests within forty-five (45) days. You may designate an authorized agent to make requests on your behalf.

7.3 European Economic Area, United Kingdom, and Switzerland Residents (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, you have rights under the General Data Protection Regulation (GDPR) or equivalent laws:

• Right of Access: Request access to your personal data
• Right to Rectification: Request correction of inaccurate personal data
• Right to Erasure: Request deletion of your personal data ("right to be forgotten")
• Right to Restrict Processing: Request restriction of processing of your personal data
• Right to Data Portability: Receive your personal data in a structured, machine-readable format
• Right to Object: Object to processing of your personal data for direct marketing or based on legitimate interests
• Rights Related to Automated Decision-Making: Not be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects
• Right to Withdraw Consent: Withdraw consent at any time where we rely on consent for processing
• Right to Lodge a Complaint: Lodge a complaint with a supervisory authority

To exercise these rights, contact us at support@meridiancpareview.com. We will respond within thirty (30) days. Our legal bases for processing include: consent, performance of a contract, legitimate interests, and compliance with legal obligations.

7.4 How to Exercise Your Rights

To exercise any of the rights described above, please contact us at:

• Email: support@meridiancpareview.com
• Subject Line: "Privacy Rights Request"

We may need to verify your identity before processing your request. We will respond within the timeframes required by applicable law.

8. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect and track information about your use of the Service.

8.1 Types of Cookies and Storage We Use

We use cookies and similar local-storage technologies in two categories:

Strictly Necessary (always active). Required for the Service to function. These cannot be turned off.

Analytics (active only after you accept the consent banner). These do not load until you click "Accept" on our cookie banner. If you click "Decline" or never see the banner, none of the analytics scripts below run.

Cookie names and durations reflect the providers' published behavior at the effective date of this Privacy Policy. Specific durations are controlled by the providers and may change. The set of strictly-necessary cookies may also vary slightly by browser and session state.

8.2 Managing Cookies

Most web browsers allow you to control cookies through their settings. You can set your browser to refuse all or some cookies, or to alert you when cookies are being sent. Note that disabling certain cookies may affect the functionality of the Service.

8.3 Do Not Track Signals

Some browsers offer a "Do Not Track" (DNT) feature. At this time, we do not respond to DNT signals. However, you can manage your privacy preferences through browser settings and the choices described in this policy.

8.4 Google Analytics

We use Google Analytics to analyze usage patterns. Google Analytics uses cookies to collect information about your use of the Service. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on, available at: https://tools.google.com/dlpage/gaoptout

9. Children's Privacy

The Service is not intended for individuals under eighteen (18) years of age. We do not knowingly collect personal information from individuals under 18. At signup, every user is required to affirm via an explicit checkbox that they are at least 18 years old; the timestamp of that affirmation is recorded.

If we learn or have reason to believe that an account holder is under 18 years of age, we will terminate the account immediately and delete associated personal data, except where retention is required by law (for example, retention of legal records of misrepresentation in account creation).

Parents or guardians who believe their child has provided us with personal information without consent should contact us at support@meridiancpareview.com. We will treat the report as a deletion request and act on it within thirty (30) days.

10. International Data Transfers

Your information may be transferred to, and processed in, countries other than the country in which you reside. Our servers and service providers are primarily located in the United States.

If you are located outside the United States, please be aware that information we collect will be transferred to and processed in the United States. By using the Service, you consent to the transfer of your information to the United States, which may have different data protection laws than your country of residence.

For transfers from the European Economic Area, United Kingdom, or Switzerland, we rely on appropriate safeguards including Standard Contractual Clauses approved by the European Commission, and our service providers' certifications under applicable data protection frameworks.

11. Third-Party Links and Services

The Service may contain links to third-party websites, services, or applications that are not operated by us. This Privacy Policy does not apply to third-party services, and we are not responsible for the privacy practices of any third party.

We encourage you to review the privacy policies of any third-party services before providing any personal information or using such services.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last Updated" and "Effective Date" at the top of this policy
• Post the updated policy on the Service
• Where feasible, send email notification to the address associated with your account

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. We encourage you to review this policy periodically.

13. Contact Information

If you have any questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us:

We will make every reasonable effort to respond to your inquiry within thirty (30) days.

Summary: Data We Collect and Why