Meridian Legal Tech ("Meridian", "we", "us") provides SaaS software for Canadian immigration consulting practices. This policy explains how we handle information that flows through the platform — both information about our customers (the firms that subscribe) and information about their end clients (the people seeking immigration services).
1. Information we collect
From firm staff using the platform:
- Name, email address, phone, role and CICC license number
- Authentication credentials (passwords stored as bcrypt hashes; passkeys stored as public-key credentials)
- Audit logs of every action taken inside the system (who, when, what)
- If staff connect an external Gmail or Outlook account, OAuth refresh tokens (encrypted at rest)
From end clients of the firms (immigration applicants):
- Identity information: full name, date of birth, country of citizenship, contact details
- Immigration history and case data: application type, IRCC reference numbers, family composition
- Documents the client uploads via the secure portal: passports, education credentials, language test results, police certificates, financial statements, etc.
- Trust account transactions: deposits, payments to government, refunds
2. How we use this information
The information is used solely to provide the contracted SaaS service. Specifically:
- To allow the firm's authorized staff to manage their cases
- To present documents and case status to the end client through the secure portal
- To meet Canadian Immigration Consultants of Canada Regulator (CICC) audit requirements, including double-entry trust accounting and immutable hash-chain audit logs
- To send transactional emails to clients on the firm's behalf (e.g., "your retainer has been signed", "documents needed")
- To improve the security and reliability of the platform
Meridian does not sell, rent, or share customer or end-client data with third parties for marketing purposes.
3. Where data is stored
All Meridian data is stored on Cloudflare infrastructure with primary residency in Canada (Toronto and Montreal data centers). Trust account transactions, client identity data, and uploaded documents never leave Canadian Cloudflare data centers under normal operation.
Subprocessors we rely on:
- Cloudflare Inc. — hosting, storage (R2), database (D1), edge compute (Workers)
- Resend Inc. — transactional email delivery
- Anthropic PBC — AI-assisted email drafting (case context is sent to Anthropic's Claude API for inference; no data is retained by Anthropic per their commercial terms)
- Stripe Inc. — payment processing for Meridian's own SaaS subscriptions and (optionally) for client trust deposits
- Google LLC / Microsoft Corp — only when a staff member explicitly connects their own Gmail or Outlook account; we hold OAuth refresh tokens but do not access mailboxes outside the scopes the user grants
4. Encryption
Data in transit is encrypted using TLS 1.2 or higher. Sensitive at-rest fields (passport numbers, IRCC portal credentials, OAuth refresh tokens) are encrypted at the column level using AES-GCM with per-tenant keys. Magic-link tokens (for client document portals and partner portals) are stored as SHA-256 hashes — the live JWT is only ever in the recipient's email.
5. Retention
Customer data is retained for the duration of the firm's subscription plus 90 days after cancellation, after which it is permanently deleted. End-client data inside a firm's tenant is governed by the firm's own retention policy (which the firm controls inside the platform). Hash-chain audit log entries are retained for 7 years to meet CICC By-Law 9 record-keeping requirements, even after the underlying records are erased — only the hash chain remains, sufficient to prove no tampering occurred.
6. Your rights
End clients of subscribing firms have the right to access, correct, or request deletion of their information by contacting the firm directly (Meridian acts as a data processor on the firm's behalf, not a data controller).
Firm subscribers have the right to export all of their tenant's data at any time (full SQL dump + R2 file inventory) and to permanently delete their tenant on request.
7. Cookies
Meridian uses HTTP-only session cookies for staff authentication. We do not use third-party advertising or analytics cookies on the staff dashboard or the end-client portals. The marketing site at meridianlegal.ca uses no cookies at all.
8. Children
Meridian is not directed at children under 16 and does not knowingly collect information about minors except where a child appears as a dependent on a family-class immigration application (in which case the data is processed under the firm's legal authority to act on the family's behalf).
9. Changes to this policy
We may update this policy occasionally. Material changes will be communicated to firm administrators via email at least 30 days before they take effect.
10. Contact
Questions or requests about this privacy policy can be sent to: privacy@meridianlegal.ca