PRIVACY POLICY
Last updated April 4, 2026
This Privacy Notice for Meridian Labs ('we', 'us', or 'our'),
describes how and why we might access, collect, store, use, and/or share ('process') your personal information when you use our services ('Services'), including when
you:
- Download and use our mobile
application (Summit), or any other application of ours that links to this Privacy Notice
- Use Summit. Summit is a mobile application designed to help users build healthier habits and break unwanted patterns. The app provides
tools for tracking personal streaks, logging urges, identifying triggers, practicing cognitive reframing techniques, and completing guided intervention exercises. Users can set goals, monitor progress through insights and analytics, and
access a library of support resources. The app includes optional premium features available through a paid subscription.
- Engage with us in other
related ways, including any marketing or events
Questions or concerns? Reading this Privacy Notice will help you understand your
privacy rights and choices. We are responsible for making decisions about how your personal information is processed. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or
concerns, please contact us at support.summit.app@gmail.com.
SUMMARY OF KEY POINTS
This summary provides key points from our Privacy Notice, but you can find out more details about any of these topics by
clicking the link following each key point or by using our table of
contents below to find the section you are looking for.
What personal information do we process? When you visit, use, or navigate our Services, we may process personal
information depending on how you interact with us and the Services, the choices you make, and the products and features you use. Learn more about personal information you disclose to us.
Do we process any sensitive personal information? Some of the information may be considered 'special' or 'sensitive' in
certain jurisdictions, for example your racial or ethnic origins, sexual orientation, and religious beliefs. We may process sensitive personal information when necessary with your consent or as otherwise permitted by applicable law. Learn
more about sensitive information we process.
Do we collect any information from third parties? We do not collect any information from third
parties.
How do we process your information? We process your information to provide, improve, and administer our Services,
communicate with you, for security and fraud prevention, and to comply with law. We may also process your information for other purposes with your consent. We process your information only when we have a valid legal reason to do so. Learn
more about how we process your information.
How do we keep your information safe? We have adequate organisational and technical processes and procedures in place to
protect your personal information. However, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other
unauthorised third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Learn more about how we keep your information safe.
What are your rights? Depending on where you are located geographically, the applicable privacy law may mean you have
certain rights regarding your personal information. Learn more about your privacy
rights.
How do you exercise your rights? The easiest way to exercise your rights is by visiting support.summit.app@gmail.com, or by contacting us. We will consider and act upon any request in accordance with applicable data protection
laws.
TABLE OF CONTENTS
1. WHAT INFORMATION DO WE COLLECT?
Personal information you disclose to us
In Short: We collect personal information that you provide to us.
We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining
information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us.
Personal Information Provided by You. The personal information that we collect depends on the context of your
interactions with us and the Services, the choices you make, and the products and features you use. The personal information we collect may include the following:
Sensitive Information. When necessary, with your consent or as otherwise permitted by applicable law,
we process the following categories of sensitive information:
Payment Data. We may collect data necessary to process your payment if you choose to make purchases, such as your payment
instrument number, and the security code associated with your payment instrument. All payment data is handled and stored by RevenueCat. You may find their privacy notice link(s) here: https://www.revenuecat.com/privacy/.
Google and Apple Sign-In Data. We may provide you with the option to register or sign in to Summit using your Google or Apple account. If you choose to do so, we will collect a limited set of profile information from the chosen provider (such as your name and email address), as described in the section called 'HOW DO WE HANDLE GOOGLE AND APPLE SIGN-IN?' below.
Application Data. If you use our application(s), we also may collect the following information if you choose to provide
us with access or permission:
- Push Notifications. We may request to send you push notifications regarding your account or
certain features of the application(s). If you wish to opt out from receiving these types of communications, you may turn them off in your device's settings.
This information is primarily needed to maintain the security and operation of our application(s), for troubleshooting, and for our
internal analytics and reporting purposes.
All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such
personal information.
2. HOW DO WE PROCESS YOUR INFORMATION?
In Short: We process your information to provide, improve, and administer our Services, communicate with
you, for security and fraud prevention, and to comply with law. We process the personal information for the following purposes listed below. We may also process your information for other purposes only with your prior explicit
consent.
We process your personal information for a variety of reasons, depending on how you interact with our Services,
including:
- To facilitate account creation and authentication and otherwise manage user accounts. We
may process your information so you can create and log in to your account, as well as keep your account in working order.
- To deliver and facilitate delivery of services to the user. We may process your
information to provide you with the requested service.
- To respond to user inquiries/offer support to users. We may process your information to
respond to your inquiries and solve any potential issues you might have with the requested service.
- To send administrative information to you. We may process your information to send you
details about our products and services, changes to our terms and policies, and other similar information.
- To protect our Services. We may process your information as part of our efforts to keep
our Services safe and secure, including fraud monitoring and prevention.
- To identify usage trends. We may process information about how you use our Services to
better understand how they are being used so we can improve them.
- To save or protect an individual's vital interest. We may process your information when
necessary to save or protect an individual's vital interest, such as to prevent harm.
3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR INFORMATION?
In Short: We only process your personal information when we believe it is necessary and we have a valid legal reason
(i.e. legal basis) to do so under applicable law, like with your consent, to comply with laws, to provide you with services to enter into or fulfil our contractual obligations, to protect your rights, or to fulfil our legitimate business
interests.
If you are located in the EU or UK, this section applies to you.
The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases we rely on in order to process your
personal information. As such, we may rely on the following legal bases to process your personal information:
- Consent. We may process your information if you have given us permission (i.e. consent) to
use your personal information for a specific purpose. You can withdraw your consent at any time. Learn more about withdrawing your
consent.
- Performance of a Contract. We may process your personal information when we believe it is
necessary to fulfil our contractual obligations to you, including providing our Services or at your request prior to entering into a contract with you.
- Legitimate Interests. We may process your information when we believe it is reasonably
necessary to achieve our legitimate business interests and those interests do not outweigh your interests and fundamental rights and freedoms. For example, we may process your personal information for some of the purposes described in order
to:
- Analyse how our Services are used so we can improve them to engage and retain users
- Diagnose problems and/or prevent fraudulent activities
- Legal Obligations. We may process your information where we believe it is necessary for
compliance with our legal obligations, such as to cooperate with a law enforcement body or regulatory agency, exercise or defend our legal rights, or disclose your information as evidence in litigation in which we are
involved.
- Vital Interests. We may process your information where we believe it is necessary to
protect your vital interests or the vital interests of a third party, such as situations involving potential threats to the safety of any person.
If you are located in Canada, this section applies to you.
We may process your information if you have given us specific permission (i.e. express consent) to use your personal information for a
specific purpose, or in situations where your permission can be inferred (i.e. implied consent). You can withdraw your consent at any
time.
In some exceptional cases, we may be legally permitted under applicable law to process your information without your consent, including,
for example:
- If collection is clearly in the interests of an individual and consent cannot be obtained in a timely way
- For investigations and fraud detection and prevention
- For business transactions provided certain conditions are met
- If it is contained in a witness statement and the collection is necessary to assess, process, or settle an insurance claim
- For identifying injured, ill, or deceased persons and communicating with next of kin
- If we have reasonable grounds to believe an individual has been, is, or may be victim of financial abuse
- If it is reasonable to expect collection and use with consent would compromise the availability or the accuracy of the information and the
collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province
- If disclosure is required to comply with a subpoena, warrant, court order, or rules of the court relating to the production of
records
- If it was produced by an individual in the course of their employment, business, or profession and the collection is consistent with the
purposes for which the information was produced
- If the collection is solely for journalistic, artistic, or literary purposes
- If the information is publicly available and is specified by the regulations
- We may disclose de-identified information for approved research or statistics projects, subject to ethics oversight and confidentiality
commitments
4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?
In Short: We may share information in specific situations described in this section and/or with the
following third parties.
We may need to share your personal information in the following situations:
- Business Transfers. We may share or transfer your information in connection with, or
during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
- Subscription Management. We use RevenueCat to manage and process auto-renewing subscription transactions made through your Apple ID. RevenueCat receives an anonymous Summit user identifier and transaction details (such as product identifier, purchase date, and renewal status) from Apple in order to validate and synchronise your subscription status across devices. RevenueCat does not receive your name, email address, or any of the personal habit, streak, urge, or trigger data you log within Summit. For more information, see RevenueCat's privacy policy at https://www.revenuecat.com/privacy.
5. HOW DO WE HANDLE GOOGLE AND APPLE SIGN-IN?
In Short: If you choose to sign in to Summit using your Google or Apple account, we receive a limited set of profile information from the provider you select.
Summit offers you the ability to register and sign in using either your Google account or your Apple ID.
Google sign-in. When you choose Google, Google authenticates you and shares a limited set of profile information with Summit, typically your name, email address, and profile picture. Summit does not request access to your contacts, calendar, Google Drive, or any other Google product data.
Sign in with Apple. When you choose Apple, Apple authenticates you and shares your name (only the first time you sign in, and only if you choose to share it) and either your real email address or a private relay email address (an alias ending in “@privaterelay.appleid.com”) that forwards to your real address. We treat the relay email the same as a real email address for the purposes of sending you account-related communications. Summit receives an opaque, app-specific identifier from Apple but does not receive your full Apple ID.
We use the information we receive from Google or Apple solely to create and identify your Summit account and for the purposes described in this Privacy Notice. We do not control how Google or Apple themselves collect, use, or share your information. To understand each provider's practices, please review the Google Privacy Policy at https://policies.google.com/privacy and the Apple Privacy Policy at https://www.apple.com/legal/privacy/.
6. HOW LONG DO WE KEEP YOUR INFORMATION?
In Short: We keep your information for as long as necessary to fulfil the purposes outlined in this Privacy
Notice unless otherwise required by law.
We will only keep your personal information for as long as it is necessary for the purposes set out in this Privacy Notice, unless a
longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements). No purpose in this notice will require us keeping your personal information for longer than the period of time in which users
have an account with us.
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise such
information, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is
possible.
7. HOW DO WE KEEP YOUR INFORMATION SAFE?
In Short: We aim to protect your personal information through a system of organisational and technical
security measures.
We have implemented appropriate and reasonable technical and organisational security measures designed to protect the security of any
personal information we process. However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot
promise or guarantee that hackers, cybercriminals, or other unauthorised third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Although we will do our best to protect your
personal information, transmission of personal information to and from our Services is at your own risk. You should only access the Services within a secure environment.
8. DO WE COLLECT INFORMATION FROM MINORS?
In Short: We do not knowingly collect data from or market to children under 18 years of age or the
equivalent age as specified by law in your jurisdiction.
We do not knowingly collect, solicit data from, or market to children under 18 years of age or the equivalent age as specified by law in
your jurisdiction, nor do we knowingly sell such personal information. By using the Services, you represent that you are at least 18 or the equivalent age as specified by law in your jurisdiction or that you are the parent or guardian of
such a minor and consent to such minor dependent's use of the Services. If we learn that personal information from users less than 18 years of age or the equivalent age as specified by law in your jurisdiction has been collected, we will
deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under age 18 or the equivalent age as specified by law in your
jurisdiction, please contact us at support.summit.app@gmail.com.
9. WHAT ARE YOUR PRIVACY RIGHTS?
In Short: Depending on your state of residence in the US or in some regions, such as the European Economic
Area (EEA), United Kingdom (UK), Switzerland, and Canada, you have rights that allow you greater access to and control over your personal information. You may review, change, or terminate your account at any time, depending on your country,
province, or state of residence.
In some regions (like the EEA, UK, Switzerland, and Canada), you have certain rights under applicable data protection laws. These may
include the right (i) to request access and obtain a copy of your personal information, (ii) to request rectification or erasure; (iii) to restrict the processing of your personal information; (iv) if applicable, to data portability; and
(v) not to be subject to automated decision-making. If a decision that produces legal or similarly significant effects is made solely by automated means, we will inform you, explain the main factors, and offer a simple way to request human
review. In certain circumstances, you may also have the right to object to the processing of your personal information. You can make such a request by contacting us by using the contact details provided in the section 'HOW CAN YOU CONTACT US ABOUT THIS NOTICE?' below.
We will consider and act upon any request in accordance with applicable data protection laws.
Withdrawing your consent: If we are relying on your consent to process your personal
information, which may be express and/or implied consent depending on the applicable law, you have the right to withdraw your consent at any time. You can withdraw your consent at any time by contacting us by using the contact details
provided in the section 'HOW CAN YOU CONTACT US ABOUT THIS NOTICE?' below.
However, please note that this will not affect the lawfulness of the processing before its withdrawal nor, when applicable law allows,
will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.
Account Information
If you would at any time like to review or change the information in your account or terminate your account, you can:
- Log in to your account settings and update your user account.
Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases. However,
we may retain some information in our files to prevent fraud, troubleshoot problems, assist with any investigations, enforce our legal terms and/or comply with applicable legal requirements.
10. CONTROLS FOR DO-NOT-TRACK FEATURES
Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track ('DNT') feature or setting you can
activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognising and implementing DNT signals has been finalised. As
such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will
inform you about that practice in a revised version of this Privacy Notice.
California law requires us to let you know how we respond to web browser DNT signals. Because there currently is not an industry or legal
standard for recognising or honouring DNT signals, we do not respond to them at this time.
11. DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?
In Short: If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa,
Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have the right to request access to and receive details about the personal information we
maintain about you and how we have processed it, correct inaccuracies, get a copy of, or delete your personal information. You may also have the right to withdraw your consent to our processing of your personal information. These rights may
be limited in some circumstances by applicable law. More information is provided below.
Categories of Personal Information We Collect
The table below shows the categories of personal information we have collected in the past twelve (12) months. The table includes
illustrative examples of each category and does not reflect the personal information we collect from you. For a comprehensive inventory of all personal information we process, please refer to the section 'WHAT INFORMATION DO WE COLLECT?'
| Category |
Examples |
Collected |
| A. Identifiers |
Contact details, such as real name, alias, postal address, telephone or mobile contact number, unique personal
identifier, online identifier, Internet Protocol address, email address, and account name |
YES |
| B. Personal information as defined in the California Customer Records statute |
Name, contact information, education, employment, employment history, and financial
information |
YES |
| C. Protected classification characteristics under state or federal law |
Gender, age, date of birth, race and ethnicity, national origin, marital status, and other demographic
data |
NO |
| D. Commercial information |
Transaction information, purchase history, financial details, and payment information |
NO |
| E. Biometric information |
Fingerprints and voiceprints |
NO |
| F. Internet or other similar network activity |
Browsing history, search history, online behaviour, interest data, and interactions with our and other websites,
applications, systems, and advertisements |
NO |
| G. Geolocation data |
Device location |
NO |
| H. Audio, electronic, sensory, or similar information |
Images and audio, video or call recordings created in connection with our business activities |
NO |
| I. Professional or employment-related information |
Business contact details in order to provide you our Services at a business level or job title, work history,
and professional qualifications if you apply for a job with us |
NO |
| J. Education Information |
Student records and directory information |
NO |
| K. Inferences drawn from collected personal information |
Inferences drawn from any of the collected personal information listed above to create a profile or summary
about, for example, an individual's preferences and characteristics |
NO |
| L. Sensitive personal Information |
Account login information and health data |
YES |
We only collect sensitive personal information, as defined by applicable privacy laws or the purposes allowed by law or with your consent.
Sensitive personal information may be used, or disclosed to a service provider or contractor, for additional, specified purposes. You may have the right to limit the use or disclosure of your sensitive personal information. We do not
collect or process sensitive personal information for the purpose of inferring characteristics about you.
We may also collect other personal information outside of these categories through instances where you interact with us in person, online,
or by phone or mail in the context of:
- Receiving help through our customer support channels;
- Participation in customer surveys or contests; and
- Facilitation in the delivery of our Services and to respond to your inquiries.
We will use and retain the collected personal information as needed to provide the Services or for:
- Category A - As long as the user has an account with us
- Category B - As long as the user has an account with us
- Category L - As long as the user has an account with us
Sources of Personal Information
How We Use and Share Personal Information
Will your information be shared with anyone else?
We may use your personal information for our own business purposes, such as for undertaking internal research for technological
development and demonstration. This is not considered to be 'selling' of your personal information.
We have not disclosed, sold, or shared any personal information to third parties for a business or commercial purpose in the preceding
twelve (12) months. We will not sell or share personal information in the future belonging to website visitors, users, and other consumers.
Your Rights
You have rights under certain US state data protection laws. However, these rights are not absolute, and in certain cases, we may decline
your request as permitted by law. These rights include:
- Right to know whether or not we are processing your personal data
- Right to access your personal data
- Right to correct inaccuracies in your personal data
- Right to request the deletion of your personal data
- Right to obtain a copy of the personal data you previously shared with us
- Right to non-discrimination for exercising your rights
- Right to opt out of the processing of your personal data if it is used for targeted advertising (or sharing as defined under
California's privacy law), the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects ('profiling')
How to Exercise Your Rights
Under certain US state data protection laws, you can designate an authorised agent to make a request on your behalf. We may deny a request
from an authorised agent that does not submit proof that they have been validly authorised to act on your behalf in accordance with applicable laws.
Request Verification
Upon receiving your request, we will need to verify your identity to determine you are the same person about whom we have the information
in our system. We will only use personal information provided in your request to verify your identity or authority to make the request. However, if we cannot verify your identity from the information already maintained by us, we may request
that you provide additional information for the purposes of verifying your identity and for security or fraud-prevention purposes.
If you submit the request through an authorised agent, we may need to collect additional information to verify your identity before
processing your request and the agent will need to provide a written and signed permission from you to submit such request on your behalf.
Appeals
Under certain US state data protection laws, if we decline to take action regarding your request, you may appeal our decision by emailing
us at support.summit.app@gmail.com. We will inform you in writing of any action taken or not taken in response to the appeal,
including a written explanation of the reasons for the decisions. If your appeal is denied, you may submit a complaint to your state attorney general.
California 'Shine The Light' Law
California Civil Code Section 1798.83, also known as the 'Shine The Light' law, permits our users who are California residents to request
and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we
shared personal information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request in writing to us by using the contact details provided in the section
'HOW CAN YOU CONTACT US ABOUT THIS NOTICE?'
12. DO OTHER REGIONS HAVE SPECIFIC PRIVACY RIGHTS?
In Short: You may have additional rights based on the country you reside
in.
Australia and New Zealand
We collect and process your personal information under the obligations and conditions set by Australia's Privacy Act 1988 and New
Zealand's Privacy Act 2020 (Privacy Act).
This Privacy Notice satisfies the notice requirements defined in both Privacy Acts, in particular: what personal information we collect
from you, from which sources, for which purposes, and other recipients of your personal information.
If you do not wish to provide the personal information necessary to fulfil their applicable purpose, it may affect our ability to provide
our services, in particular:
- offer you the products or services that you want
- respond to or help with your requests
- manage your account with us
- confirm your identity and protect your account
Republic of South Africa
If you are unsatisfied with the manner in which we address any complaint with regard to our processing of personal information, you can
contact the office of the regulator, the details of which are:
13. DO WE MAKE UPDATES TO THIS NOTICE?
In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.
We may update this Privacy Notice from time to time. The updated version will be indicated by an updated 'Revised' date at the top of this
Privacy Notice. If we make material changes to this Privacy Notice, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this Privacy Notice
frequently to be informed of how we are protecting your information.
14. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?
Meridian Labs
PO Box 64
Auburn, New South Wales 1835
Australia
15. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?
Based on the applicable laws of your country or state of residence in the US, you may have the right to request access to the personal
information we collect from you, details about how we have processed it, correct inaccuracies, or delete your personal information. You may also have the right to withdraw your consent to our processing of your personal information. These
rights may be limited in some circumstances by applicable law. To request to review, update, or delete your personal information, please visit: support.summit.app@gmail.com.
5. HOW DO WE HANDLE GOOGLE AND APPLE SIGN-IN?