Privacy Policy

Last updated: April 20, 2026.

Meridian Compass LLC, a Wyoming limited liability company with its registered office at 30 N Gould St STE R, Sheridan, WY 82801, USA (“Meridian Compass,” “we,” “us,” or “our”), operates Upwind— a capture decision-support platform for federal government contractors. This Privacy Policy explains what information we collect when you visit our websites, submit a Growth Audit, subscribe to Signal, engage the Growth service, or otherwise interact with us (collectively, the “Services”); how we use, share, retain, and protect that information; and the choices you have with respect to it.

This Policy is incorporated by reference into our Terms of Service. Capitalized terms used but not defined in this Policy have the meanings given in the Terms of Service.

1. Overview
2. Information We Collect
3. How We Use Information
4. Legal Bases for Processing
5. Sharing & Disclosure
6. Data Retention
7. Data Security
8. Your Rights (U.S.)
9. California Residents (CCPA/CPRA)
10. Cookies & Tracking
11. Children
12. International Users
13. Third-Party Links
14. Changes to This Policy
15. Contact

1. Overview

This Policy covers personal information we collect about you when you access or use the Services. For purposes of U.S. state privacy laws that use the term, Meridian Compass LLC is the “controller” (or, under some laws, “business”) of personal information collected through the Services. Except as expressly stated, this Policy does not apply to information collected by third-party websites, applications, or services that may link to or from the Services.

The Services are directed to business users in the United States. We design our practices around the principle of data minimization: we collect what we need to deliver the Services, retain it only as long as we need it, and do not sell personal information.

2. Information We Collect

2.1 Information you give us

When you interact with the Services you may provide us with:

Contact and account information: full name, business email address, company name, company website URL, state of operation, ZIP code, and, where you create an account, a password (stored only in hashed form).
Business-profile information submitted through the Growth Audit form: primary NAICS code(s), Unique Entity Identifier (UEI), set-aside or socio-economic certifications (for example 8(a), HUBZone, SDVOSB, WOSB, VOSB, SB), target agency interest, and any free-text notes, descriptions, or narrative fields you choose to complete.
Subscription and billing information: for paid tiers, billing name, billing address, and a reference to your payment method. Full payment-card data (card number, CVC, expiry) is collected and processed directly by our payments processor, Stripe, and is not stored on our servers. We receive from Stripe only limited tokenized identifiers and transaction metadata.
Communications: the content of emails, support messages, and other communications you send to us, including any attachments.

2.2 Information collected automatically

When you access the Services, we and our service providers may automatically collect certain technical information about your device and interaction:

Log and device data: Internet Protocol (IP) address, user-agent string, device and browser type, operating system, screen dimensions, language preference, approximate geographic region derived from IP (not precise location), and timestamps of access.
Usage data: pages and screens viewed, referring URL, search terms, links clicked within the Services, feature interactions, session identifiers, and session duration.
Performance data: load times, rendering metrics, error traces, and other diagnostic signals collected by our hosting and performance providers.

We collect automatic information using Vercel Analytics and Vercel Speed Insights, which are configured to aggregate usage signals without storing personally identifying data in cookies or using third-party advertising trackers. We do not use advertising, retargeting, or cross-site tracking cookies.

2.3 Public federal data about your firm

To generate Growth Audit and Signal outputs, the Services reference information about your firm that is already publicly available through federal government data sources, including but not limited to:

SAM.gov: System for Award Management registration status, representations and certifications, NAICS and PSC codes, CAGE code, set-aside codes, and business-type indicators.
FPDS (Federal Procurement Data System): historical prime-contract award records.
USAspending.gov: sub-award records and related spending data.
SBA.gov: dynamic small-business search results and certification status.

We treat such information as public, but we apply the same security and access controls to our stored copy as to the Customer Data you submit directly.

2.4 Information from third-party integrations

If you choose to connect a third-party account (for example by signing in via an identity provider or linking a billing account), we will receive limited information from that third party, such as an email address or account identifier, in accordance with the permissions you authorize and the third party’s terms.

3. How We Use Information

We use the information described in Section 2 to:

deliver the Services, including generating and sending the Growth Audit, producing Signal briefs, and providing the Growth service;
create, authenticate, and secure your account, and to operate login, session, and password-reset flows;
process payments, manage subscriptions, issue receipts and invoices, and collect amounts owed;
maintain, operate, monitor, and improve the Services, including debugging, measuring performance, testing features, and developing new functionality;
detect, prevent, investigate, and respond to fraud, abuse, security incidents, violations of our Terms of Service, and other harmful or unlawful activity;
send transactional and service-related communications, including delivery of your Growth Audit, your Signal subscription brief, account notices, billing notices, security alerts, and updates to our Terms or this Policy;
respond to your inquiries, support requests, and feedback;
generate de-identified, aggregated statistics and insights (for example, aggregate signals about procurement trends) that do not identify you and that we may use for any lawful business purpose, including research, benchmarking, and product improvement; and
comply with applicable law, respond to lawful legal process, and establish, exercise, or defend legal claims.

We will not send you marketing email unless you expressly opt in. You may unsubscribe from optional communications at any time by following the unsubscribe instructions in the message or by emailing ops@upwindgrowth.com. We may still send transactional messages (such as Growth Audit delivery, subscription briefs, security notices, and billing notices) that are necessary to provide the Services.

4. Legal Bases for Processing

Where applicable law requires us to identify a legal basis for processing personal information, we rely on one or more of the following:

Performance of a contract with you— to provide the Services you have requested and to administer our relationship with you;
Legitimate interests— to operate, secure, and improve the Services; to prevent fraud and abuse; to generate aggregated analytics; and to communicate with you about our products, in each case in a manner that does not override your fundamental rights and freedoms;
Consent— where you have provided it, for example for optional marketing communications. You may withdraw consent at any time; and
Compliance with a legal obligation— to comply with tax, accounting, regulatory, and legal-process requirements.

We share personal information only in the circumstances described below. We do not sell personal information, and we do not share personal information with third parties for cross-context behavioral advertising.

Service providers. We share information with third-party vendors that process personal information on our behalf to deliver the Services, subject to written agreements that restrict their use of the information to the purposes we specify. These currently include: Vercel, Inc. (hosting, edge networking, analytics, and speed-insights infrastructure); Stripe, Inc. (payment processing and billing); and Supabase, Inc. (managed Postgres database and authentication). If and when we enable transactional email (for delivery of Growth Audits, subscription briefs, and account notices), we will engage an email delivery provider as an additional service provider. We may also use customer support, productivity, and communications tools to operate the business. The specific list of subprocessors may change from time to time as we update our infrastructure.
Professional advisors. We may share personal information with our lawyers, accountants, auditors, bankers, insurers, and similar advisors where reasonably necessary for them to provide services to us, and subject to professional or contractual duties of confidentiality.
Legal process and protection of rights. We may disclose personal information if we believe in good faith that disclosure is necessary to: (a) comply with applicable law, a subpoena, warrant, court order, regulatory request, or other lawful legal process; (b) enforce our Terms of Service or other agreements; (c) investigate and respond to suspected fraud, abuse, or violations of our policies; or (d) protect the rights, property, or safety of Meridian Compass, our users, or the public.
Corporate transactions. If Meridian Compass is involved in a merger, acquisition, reorganization, investment, financing, bankruptcy, or sale of all or a portion of its assets, personal information may be transferred to the counterparty or successor, subject to confidentiality obligations and to equivalent or greater privacy protections than those set out in this Policy.
With your direction or consent. We may share personal information for other purposes with your direction or consent.

6. Data Retention

We retain personal information only for as long as reasonably necessary for the purposes described in this Policy, which may include the duration of your account plus a reasonable period thereafter to: (a) maintain reliable backups and disaster-recovery copies; (b) preserve audit trails and transaction records; (c) comply with tax, accounting, regulatory, and other legal obligations; (d) establish, exercise, or defend legal claims; and (e) detect and prevent fraud, abuse, or security incidents.

Specific retention periods vary by data category. For example, billing records are typically retained for the period required by applicable tax and accounting law; security and audit logs are retained for a period appropriate to our risk management program; and de-identified, aggregated data may be retained indefinitely because it does not identify you. We periodically review our retention schedules and delete or de-identify personal information when it is no longer needed.

7. Data Security

We maintain commercially reasonable administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, use, alteration, disclosure, or destruction, including measures such as encryption in transit, access controls, least-privilege administration, logging, and hardening of our hosting and database infrastructure. We also contractually require our service providers to maintain appropriate safeguards. However, no method of transmission or electronic storage is perfectly secure, and we cannot guarantee absolute security. You are responsible for safeguarding your credentials and for promptly notifying us of any actual or suspected unauthorized access to your account.

8. Your Rights (U.S.)

Subject to applicable law and to our right to verify your identity, you may make the following requests about personal information we hold about you:

Right of access: request confirmation of whether we process personal information about you, and a copy of that information;
Right to correct: request that we correct inaccurate personal information;
Right to delete: request that we delete personal information we hold about you, subject to exceptions for data we are required or permitted to retain;
Right to portability: request a copy of your personal information in a structured, commonly used, machine-readable format; and
Right to object or restrict: object to, or request restriction of, certain processing, such as processing based on our legitimate interests.

You may submit a request by emailing ops@upwindgrowth.comwith the subject line “Privacy Request.” We may ask you to verify your identity (for example by confirming information associated with your account) before we act on your request, and we may decline or limit a request where an exception applies or where the request is manifestly unfounded, excessive, or repetitive. We will not discriminate against you for exercising any of these rights.

If you are covered by a U.S. state privacy law that provides an appeals process (for example Colorado or Virginia), you may appeal a denial of your request by replying to our response email with the subject line “Privacy Appeal.”

9. California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, the “CCPA”), provides you with additional rights regarding your personal information.

9.1 Categories of personal information we collect

In the preceding twelve (12) months, we have collected the following categories of personal information, as defined in the CCPA:

Identifiers (name, business email, company name, account identifiers, IP address);
Commercial information (subscription and billing records, purchase history, service usage);
Internet or other electronic network activity information (pages viewed, session metadata, referrer, interactions with the Services);
Geolocation data (approximate, region-level, derived from IP address; we do not collect precise geolocation);
Professional or employment-related information (company role, UEI, NAICS, set-aside certifications, and other business-profile data); and
Inferences drawn from the above to support capture decision-support outputs.

Sensitive personal information.We do not knowingly collect categories of “sensitive personal information” as defined by the CCPA (such as Social Security number, driver’s license number, precise geolocation, racial or ethnic origin, religious beliefs, union membership, contents of private mail, genetic data, biometric identifiers, or information about health or sexual orientation), and we do not use personal information for purposes that would require a “limit the use of my sensitive personal information” link.

9.2 Sources, purposes, and disclosures

The sources and purposes of collection, and the categories of third parties with whom we share personal information, are described in Sections 2, 3, and 5 above.

9.3 No “sale” or “sharing”

We do not “sell” personal information as that term is defined in the CCPA, and we do not “share”personal information for purposes of cross-context behavioral advertising. Because we do not sell or share personal information, we do not offer a “Do Not Sell or Share My Personal Information” link. We have not “sold” or “shared” personal information in the preceding twelve (12) months, and we have not sold or shared personal information of consumers under sixteen (16) years of age.

9.4 Your California rights

Right to know and access, including to a copy of your personal information;
Right to delete, subject to exceptions permitted by law;
Right to correct inaccurate personal information;
Right to limit use of sensitive personal information (not applicable to us because we do not collect such information for purposes that would require such a limit);
Right to opt out of sale or sharing (not applicable because we do not sell or share); and
Right to non-discrimination for exercising your CCPA rights.

To exercise a California right, email ops@upwindgrowth.comwith the subject line “California Privacy Request.” An authorized agent may submit a request on your behalf by providing (i) written permission signed by you and (ii) sufficient information for us to verify your identity. We will respond as required by law.

9.5 Shine the Light

California Civil Code § 1798.83 permits California residents who have an established business relationship with us to request certain information about our disclosure of personal information to third parties for their direct marketing purposes. We do not make such disclosures.

10. Cookies & Tracking

We use the following categories of cookies and similar technologies:

Strictly necessary (first-party): cookies required for basic operation of the Services, such as authentication, session continuity, and security protections (for example CSRF tokens). These cannot be disabled through our interface without impairing core functionality.
First-party analytics: aggregate usage signals collected through Vercel Analytics and Vercel Speed Insights. These are configured to avoid placing individually identifying information in cookies and do not feed third-party advertising networks.

We do not usethird-party advertising cookies, retargeting pixels, or cross-site tracking technologies. Because our analytics do not involve targeted advertising, our services are not meaningfully configured around industry “Do-Not-Track” (DNT) signals; however, where applicable law recognizes the Global Privacy Control (GPC) as an opt-out-preference signal, we treat a GPC signal from a California browser as a valid request to opt out of sale or sharing (even though we do not currently sell or share personal information).

Most browsers let you refuse or delete cookies through their settings, though this may affect your use of the Services.

11. Children

The Services are intended for adult business users and are not directed to children. We do not knowingly collect personal information from any individual under the age of eighteen (18), and in any event we do not knowingly collect personal information from children under the age of thirteen (13) in violation of the Children’s Online Privacy Protection Act (COPPA). If you believe a child has provided personal information to us, please contact us at ops@upwindgrowth.com, and we will take steps to delete that information.

12. International Users

The Services are intended for, hosted in, and operated from the United States. Data we collect is processed and stored on servers in the United States (primarily on Vercel and Supabase U.S.-region infrastructure). If you access the Services from outside the United States, you understand and agree that your information will be transferred to, stored in, and processed in the United States, where data-protection laws may differ from those of your country and may not provide the same level of protection. By using the Services from outside the United States, you consent to that transfer and processing. We do not currently offer the Services to users in the European Economic Area, the United Kingdom, or Switzerland, and we do not make the representations required by the EU General Data Protection Regulation (GDPR) or the UK Data Protection Act with respect to such users.

13. Third-Party Links

The Services may contain links to third-party websites, applications, or resources, including federal government data sources such as SAM.gov, FPDS, USAspending.gov, and SBA.gov. We are not responsible for the privacy practices or content of those third parties. We encourage you to review the privacy policies of each third-party site you visit.

14. Changes to This Policy

We may update this Policy from time to time. If we make a material change, we will notify you by email to the address associated with your account or by in-product notice at least thirty (30) days before the change takes effect, unless applicable law requires a shorter period or immediate effect. For non-material changes, we will update the “Last updated” date above. Your continued use of the Services after the effective date of the revised Policy constitutes your acceptance of it.

15. Contact

Questions, requests, or complaints regarding this Policy or our privacy practices should be directed to:

Meridian Compass LLC
Attn: Privacy
30 N Gould St STE R
Sheridan, WY 82801
USA
Email: ops@upwindgrowth.com

← Back to Upwind