The Meridian Protocol
Privacy Policy
Effective 20 April 2026
This Privacy Policy explains what data The Meridian Protocol (the “App”) collects, how that data is used, and the controls you have over it. The App is operated by Bloo Circle LLC (“we”, “our”). By creating an account you agree to this policy.
The App is a real-world scavenger game. Much of the data we collect exists to make that game work — locating zones, awarding points for tag scans, matching trades between operatives, and processing the optional entry fee. We collect only what the game requires and we do not sell your data.
1. What we collect
| Data | Why we collect it |
|---|---|
| Phone number | Account creation and sign-in via Firebase Authentication’s SMS verification. |
| Codename | Your public in-game identity. Visible to other operatives on the leaderboard and in trade offers. |
| Precise location | Detecting when you enter a game zone, calculating proximity to tags (“heat signal”), and rendering your position on the map. Location is processed on-device and only summarised zone/heat state is sent to our servers. |
| Game state | Your scanned tags, score, team membership, trade history, and lockbox progress. Required to run the game. |
| Purchase records | The optional entry fee is processed by Stripe. We store a reference to the Stripe payment intent and its status so we can grant paid features and eligibility for the prize pool. |
| Avatar photo (optional) | If you upload one, it’s stored in Firebase Storage and shown alongside your codename in the admin live-map view. |
| Push token | A device-specific identifier from Apple Push Notification service / Firebase Cloud Messaging used to deliver game notifications (clues, trade offers, game start/end). |
| Diagnostic + usage data | Firebase Analytics collects anonymous session, device, and feature-use metrics, and aggregate crash reports. Used to find bugs and improve the game. |
2. Who processes your data
We use the following third-party service providers:
- Google / Firebase — Authentication, Firestore database, Cloud Functions, Cloud Messaging, Cloud Storage, Analytics. Data resides in the US (us-central1). See Firebase privacy.
- Stripe, Inc. — Payment processing for the optional entry fee. We never see your card number; Stripe handles PCI compliance end-to-end. See Stripe privacy.
- Apple Inc. — Push Notification service and App Store Connect for distribution. See Apple privacy.
We do not share your data with any other third party. We do not sell your data. We do not use your data to train machine-learning models.
3. How your data is used
- App Functionality: everything above is required to run the game and your account.
- Analytics: aggregate product metrics via Firebase Analytics. Not linked to identity.
- Account Management: phone-based sign-in and support responses.
- Push Delivery: sending clues, trade alerts, and game status pushes.
We do not use your data for advertising, profiling, or tracking across other apps or websites.
4. How long we keep it
- Game data (scans, trades, codename, scores) is retained while your account exists and for 90 days after the operation ends so we can resolve disputes and announce winners.
- Stripe payment references are retained for 7 years for tax and accounting purposes.
- Diagnostic data is retained by Firebase Analytics per the default Firebase retention (14 months).
- Push tokens are deleted when you uninstall or sign out.
5. Your rights
Regardless of where you live, you can request the following at any time by emailing privacy@meridianprotocol.app:
- A copy of the data associated with your account.
- Correction of inaccurate data.
- Deletion of your account and all associated data.
- Withdrawal of consent for processing.
If you are in the European Economic Area (GDPR) or the United Kingdom, you additionally have the right to lodge a complaint with your local data-protection authority.
If you are a California resident (CCPA / CPRA), you have the additional right to request categories of data collected, to know whether we sell or share data (we do not), and to non-discrimination when exercising these rights.
6. Account deletion
You can delete your account from within the App under Profile → Settings → Delete Account, or by emailing us. Deletion removes your player document, scan history, trade records, hive membership, and push token. Aggregated analytics counters and Stripe payment references (where legally required) may persist as described in Section 4.
7. Children
The Meridian Protocol is not directed to children under 13. We do not knowingly collect personal data from anyone under 13. The optional entry fee and real-money prize pool mean most players will be 18 or older. If you believe a child has provided us personal data, contact us and we will delete it.
8. Security
All traffic between the App and our servers is encrypted in transit with TLS. Data at rest in Firestore and Firebase Storage is encrypted by Google. Firestore security rules gate access to player data so only you (and our server-side game logic) can read or modify your own documents. We take reasonable organisational measures to secure your data, but no system is perfectly secure.
9. International transfers
Our servers are located in the United States. If you access the App from outside the United States, your data will be transferred to and processed in the United States. Where required, we rely on Standard Contractual Clauses between Bloo Circle LLC and Google (through the Firebase Data Processing and Security Terms).
10. Changes to this policy
We may update this policy as the App evolves. The effective date at the top of this page will change. Material changes will be announced in-app or via push. Continued use of the App after a change constitutes acceptance of the revised policy.
11. Contact
Questions or requests: privacy@meridianprotocol.app
Bloo Circle LLC
Postal address on request.