LEGAL
Privacy Policy
LAST UPDATED: MAY 2026
1. Introduction
At Meridius Advisory ("Meridius", "we", "our", or "us"), we are committed to protecting the privacy, confidentiality, integrity, and security of personal data processed in connection with our website, communications, and advisory activities.
This Privacy Policy explains how we collect, use, process, store, share, retain, and protect personal information obtained through our website, business interactions, communications, and advisory services.
This Privacy Policy has been prepared in accordance with the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados — LGPD, Law 13.709/2018).
By accessing or using our website, you acknowledge the practices described in this Privacy Policy.
2. Who We Are and Controller Identification
Meridius Advisory acts as the controller of personal data processed in connection with its website, communications, and advisory services. Meridius operates at the intersection of regulation, governance, strategy, and technology, supporting organizations navigating complex and evolving regulatory environments.
3. Categories of Information We Collect
We may collect and process the following categories of personal information.
3.1 Identification and Professional Information
We may process:
- Full name
- Business email address
- Company or organization name
- Job title or role
3.2 Communications Information
We may process information exchanged through:
- Website contact forms
- Email communications
- Meeting requests and scheduling platforms
- Introductory conversations and business interactions
- Advisory-related inquiries and communications
This may include information voluntarily shared regarding regulatory, governance, compliance, operational, privacy, cybersecurity, strategic, technology, or business matters.
3.3 Website Usage and Technical Information
When you access our website, we may automatically collect:
- IP address
- Browser type and version
- Device information
- Operating system
- Session and navigation information
- Pages visited and interaction patterns
- Referral URLs and session duration
- Cookies and similar technologies
3.4 Business and Regulatory Context Information
During business interactions, we may process information voluntarily shared regarding:
- Regulatory or supervisory context
- Governance, compliance, privacy, risk, cybersecurity, or operational matters
- Organizational needs and strategic priorities
- Technology, product, data, AI, or transformation initiatives
4. Purposes and Legal Basis for Processing
We process personal data only when supported by an applicable legal basis.
| Purpose | LGPD Legal Basis |
|---|---|
| Respond to inquiries and contact requests | Pre-contractual measures |
| Schedule meetings and introductory conversations | Pre-contractual measures and/or consent |
| Deliver advisory services | Contract performance |
| Comply with legal, regulatory, supervisory, or contractual obligations | Legal obligation |
| Website analytics, performance measurement, and non-essential cookies | Consent |
| Website security, operational integrity, fraud prevention, and business continuity | Legitimate interest |
| Exercise or defense of legal rights in judicial, administrative, regulatory, or arbitration proceedings | Exercise of rights and/or legal obligation |
Where consent is relied upon, it may be withdrawn at any time without affecting the lawfulness of processing conducted prior to withdrawal.
5. Cookies and Tracking Technologies
Our website may use cookies and similar technologies to support website functionality, analytics, performance, operational integrity, security, and user experience. Our website may rely on analytics, performance, infrastructure, hosting, and content delivery technologies provided by trusted service providers to support website functionality, improve performance, understand aggregate usage patterns, maintain operational integrity, and enhance user experience.
5.1 Types of Cookies
Strictly Necessary Cookies. Required for website functionality, technical operation, and security. These cookies do not require consent.
Analytics and Performance Cookies. Used to understand how visitors interact with the website, improve performance, and measure aggregated website usage metrics. These cookies require prior consent.
Functional and Preference Cookies. Used to remember preferences and improve user experience. These cookies require prior consent.
5.2 Cookie Consent
Upon first access to our website, users are presented with a cookie consent mechanism that enables them to accept, reject, or manage non-essential cookies before any non-essential processing takes place. Non-essential cookies are activated only after prior consent. Cookie preferences may be updated at any time through privacy or cookie preference settings available on the website, or through browser settings.
6. Data Sharing
We do not sell personal information. We may share personal data only when reasonably necessary and under appropriate safeguards.
6.1 Service Providers and Processors
We may share personal data with trusted third-party providers supporting our operations, including:
- Website hosting, infrastructure, and content delivery providers
- Cloud, storage, and operational support services
- Scheduling and meeting management platforms
- Communication and productivity tools
- Website analytics and performance providers
- Security, monitoring, fraud prevention, and operational resilience technologies
Such providers process personal information under contractual obligations and only in accordance with our instructions and applicable legal requirements. Meridius seeks to engage service providers that adopt commercially reasonable privacy, security, and confidentiality standards appropriate to the nature of the services provided.
6.2 Legal and Regulatory Obligations
We may disclose information where required by:
- Applicable law
- Regulation or supervisory requirement
- Court order
- Governmental, judicial, or regulatory authority
6.3 Protection of Rights
We may process or disclose personal information where necessary for the establishment, exercise, or defense of legal rights and claims, including judicial, administrative, regulatory, or arbitration proceedings. A list of material third-party processors may be requested through our privacy contact channel.
7. International Data Transfers
Depending on the technologies and service providers used, personal data may be transferred internationally and processed outside Brazil. Where international transfers occur, Meridius adopts safeguards recognized under applicable law, including:
- Adequacy decisions recognized by competent authorities
- Standard contractual clauses
- Contractual safeguards and technical protections
- Other legal mechanisms permitted under Article 33 of the LGPD
Meridius seeks to ensure an appropriate level of protection for transferred personal information.
8. Data Retention
We retain personal data only for as long as reasonably necessary to fulfill the purposes described in this Privacy Policy, comply with legal or regulatory obligations, resolve disputes, or support legitimate business activities. As a general reference:
| Category | Retention Reference |
|---|---|
| Contact and communication data | Up to 5 years after the last active interaction |
| Client-related information | Up to 5 years after contract termination |
| Website analytics and usage data | Up to 2 years |
| Data subject to legal or regulatory obligations | As required by applicable law |
Upon expiration of retention periods, personal information is securely deleted, anonymized, or otherwise disposed of in accordance with applicable legal requirements.
9. Information Security
Meridius adopts administrative, technical, and organizational safeguards proportionate to the sensitivity and risk profile of the information processed. Such safeguards may include:
- Access controls and authentication measures
- Encryption in transit and at rest, where appropriate
- Monitoring and incident detection mechanisms
- Internal governance, privacy, and security procedures
- Restricted access based on business need
Meridius continuously seeks to maintain reasonable, proportionate, and commercially appropriate security standards designed to protect personal information from unauthorized access, disclosure, misuse, alteration, or destruction.
9.1 Security Incident Notification
In the event of a personal data security incident that may result in relevant risk or harm to individuals, Meridius will notify competent authorities and affected individuals where required by applicable law, including Article 48 of the LGPD.
10. Your Rights
Subject to applicable law, individuals may exercise rights regarding their personal data, including rights established under Article 18 of the LGPD. You may request:
- Confirmation of processing and access to personal data
- Correction of incomplete, inaccurate, or outdated information
- Anonymization, blocking, or deletion of unnecessary, excessive, or unlawfully processed information
- Portability of personal data, where technically feasible and legally applicable
- Deletion of personal data processed on the basis of consent
- Information regarding public and private entities with whom personal data has been shared
- Information regarding the possibility of refusing consent and the consequences of such refusal
- Withdrawal of consent at any time
- Opposition to unlawful or non-compliant processing activities
- Review of automated decisions, where applicable
To exercise your rights, contact: gabrielle@meridiusadvisory.com
If you believe your rights have not been adequately addressed, you may submit a complaint to the Brazilian National Data Protection Authority at ANPD.
11. Automated Decision-Making
Meridius does not currently engage in automated decision-making or profiling activities that produce legal effects or similarly significant effects on individuals. Should this practice materially change, this Privacy Policy will be updated accordingly.
12. Third-Party Links
Our website may contain links to third-party websites or services. Meridius is not responsible for the privacy, content, or security practices of third-party websites, and we recommend reviewing their respective privacy policies before providing personal information.
13. Governing Law and Jurisdiction
This Privacy Policy is governed by the laws of the Federative Republic of Brazil. Any disputes arising from or related to this Privacy Policy shall be submitted to the courts of São Paulo, State of São Paulo, Brazil, without prejudice to mandatory rights afforded to individuals under applicable law.
14. Updates to This Privacy Policy
Meridius may update this Privacy Policy from time to time to reflect legal, regulatory, operational, technological, or business changes. The updated version will be made available on this page together with its effective date. Where material changes affect data subject rights or processing practices, Meridius may take reasonable steps to provide additional notice.
15. Contact Information
For questions regarding this Privacy Policy, personal data processing practices, or to exercise your rights as a data subject, please contact: gabrielle@meridiusadvisory.com