Privacy Policy

Throughwire, a service of Meridian Networks LLC

Effective Date: May 1, 2026 Last Updated: May 1, 2026

Table of Contents

  1. Who We Are
  2. Scope of This Policy
  3. Data Minimization Principle
  4. What We Collect
  5. What We Do Not Collect
  6. Why We Process Your Data
  7. Lawful Bases for Processing (GDPR / UK GDPR)
  8. Who We Share Data With
  9. International Data Transfers
  10. Data Retention
  11. Data Security
  12. Your Rights Under GDPR and UK GDPR
  13. Your Rights Under California Law
  14. Your Rights Under Other Laws
  15. How to Exercise Your Rights
  16. Government and Legal Process Requests
  17. Children's Privacy
  18. Cookies and Similar Technologies
  19. Automated Decision-Making
  20. Changes to This Policy
  21. Contact and Complaints

1. Who We Are

The data controller for personal data processed in connection with the Throughwire service is:

Meridian Networks LLC A limited liability company organized under the laws of the State of New Mexico, United States of America 1209 Mountain Road Pl NE, Ste N Albuquerque, New Mexico 87110 United States of America

For privacy inquiries: info@throughwire.net For legal inquiries: info@throughwire.net

In this Privacy Policy, "we," "us," or "our" refers to Meridian Networks LLC. "Throughwire" or the "Service" refers to the encrypted network connectivity service we operate under that brand name. "You" refers to the natural person or legal entity whose personal data we process.

Where you are an individual user, we act as the controller of your personal data. Where you are a business customer using the Service to process personal data of your employees, contractors, or other data subjects, you act as the controller and we act as the processor under the Data Processing Addendum incorporated into your subscription.

2. Scope of This Policy

This Privacy Policy explains how we collect, use, share, and protect personal data in connection with:

  • the Throughwire websites, web applications, mobile applications, desktop applications, and account portals;
  • the connectivity service itself; and
  • communications between you and us in connection with the Service.

This Policy does not apply to:

  • third-party websites or services that you may access through the Service;
  • offline interactions outside the scope of the Service; or
  • aggregated or anonymized data that no longer identifies any individual.

3. Data Minimization Principle

The Service is designed around a principle of data minimization. We collect only the minimum data we need to deliver the Service, bill for it, support it, secure it, and meet our legal obligations. Where we can operate the Service without collecting a particular category of data, we choose not to collect it.

This is an architectural commitment that informs how we build and operate the Service. It is described in this Policy in precise language and we do not promise more than our architecture can deliver. Specific categories of data we deliberately do not collect are listed in Section 5.

4. What We Collect

4.1 Account Information

When you create an account we collect:

  • your email address;
  • a password (stored only as a salted, hashed value; we never see the plaintext password); and
  • where applicable, the name and registered business details of your organization (for business customers).

4.2 Billing Information

We use Stripe, Inc. ("Stripe") as our payment processor. Payment card data is collected directly by Stripe and processed under Stripe's PCI-DSS compliant systems. We do not receive or store full payment card numbers.

We do receive from Stripe and store the following billing-related data:

  • a Stripe customer identifier;
  • the brand, last four digits, and expiration date of your payment card (used to display your payment method in your account dashboard);
  • the country of issuance of your payment method (for tax purposes);
  • the billing address you provide;
  • a record of payments, refunds, and outstanding balances; and
  • where applicable, tax-relevant information you provide.

For a description of Stripe's privacy practices, see https://stripe.com/privacy.

4.3 Service Operation Data

To operate the Service we transiently process certain technical data, including:

  • the IP address from which your client connects to our authentication and routing infrastructure (used to authenticate your session and route traffic; not stored against your account in correlated form);
  • the volume of bandwidth consumed by your account during a billing period (aggregate counters used to enforce subscription limits and bill you);
  • the timestamp of each authentication event (used to detect abuse and credential compromise; retained as described in Section 10); and
  • the version of the Throughwire client application you are using (used to deliver compatible updates and diagnose issues).

4.4 Communications

When you contact our support, sales, or legal team we collect the contents of those communications and any attachments you provide, together with associated metadata (sender, recipient, timestamp). We use this information to respond to your inquiry and improve the Service.

4.5 Device and Diagnostic Information

The Throughwire client applications collect limited device information necessary to deliver the Service, including operating system, application version, and crash diagnostic data. Crash diagnostics are anonymized to the maximum extent feasible and are used solely to identify and fix software defects.

4.6 Marketing and Website Analytics

If we use website analytics, those tools and their cookies are described in our Cookie Policy. We do not sell your personal data, and we do not use the contents of communications transmitted through the Service for marketing purposes under any circumstances.

5. What We Do Not Collect

It is important to be specific about the categories of data we deliberately do not collect or retain. As an architectural matter, we do not log or store:

  • the content of any communications you send or receive while using the Service;
  • the websites, applications, or services you visit while connected to the Service;
  • the destination IP addresses or domain names of the traffic you route through the Service;
  • DNS queries you issue while connected to the Service;
  • session-correlated activity data that would link an individual session of network use to a specific destination, payload, or activity;
  • your physical location beyond the country-level information we may infer from your billing or connection IP for legal and security purposes; and
  • biometric, racial, ethnic, religious, political opinion, trade union membership, sexual orientation, or health data, except where you voluntarily provide it in a support communication and the context requires us to retain it briefly to assist you.

This list reflects our architectural commitments. Where law requires us to assist with a valid legal request, we can only produce the categories of data we actually retain. We cannot produce data we do not collect.

We do not represent that our infrastructure is incapable of collecting these categories of data; we represent that, as a matter of design and operation, we choose not to. If our practices change in any way that would expand the categories of data we collect, we will update this Policy in accordance with Section 20 and notify users in advance.

6. Why We Process Your Data

We process the personal data described in Section 4 for the following purposes:

(a) Service delivery. To authenticate your account, route your traffic through our infrastructure, enforce subscription limits, and deliver the Service you have purchased.

(b) Billing. To charge applicable fees, process refunds, calculate taxes, and maintain accurate financial records.

(c) Support. To respond to your inquiries, troubleshoot issues, and improve our support quality.

(d) Security and abuse prevention. To detect, investigate, and prevent fraudulent, abusive, or unauthorized activity, to protect the security and integrity of the Service, and to protect our users and third parties from harm.

(e) Legal compliance. To comply with legal obligations, including tax, accounting, sanctions, anti-money-laundering, and lawful response to valid legal process.

(f) Communications about the Service. To send you transactional communications about your account, billing, security, and material changes to the Service or these legal documents.

(g) Product improvement. To analyze aggregate, anonymized usage patterns to improve the reliability, performance, and design of the Service.

(h) Defense of legal claims. To establish, exercise, or defend legal claims involving you or third parties.

7. Lawful Bases for Processing (GDPR / UK GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the United Kingdom General Data Protection Regulation, or equivalent Swiss legislation may apply to our processing of your personal data. Our lawful bases for processing are:

PurposeLawful basis
Service delivery, billing, account managementPerformance of a contract (Article 6(1)(b))
Support communications you initiatePerformance of a contract (Article 6(1)(b))
Security, abuse prevention, fraud detectionLegitimate interests (Article 6(1)(f))
Compliance with tax, accounting, sanctions, AML lawsLegal obligation (Article 6(1)(c))
Response to valid legal processLegal obligation (Article 6(1)(c))
Aggregate, anonymized product analyticsLegitimate interests (Article 6(1)(f))
Defense of legal claimsLegitimate interests (Article 6(1)(f))
Optional cookies and similar technologies (where used)Consent (Article 6(1)(a))

Where we rely on legitimate interests, we have conducted a balancing test and concluded that the relevant interests do not override your fundamental rights and freedoms. You may object to processing based on legitimate interests by contacting info@throughwire.net.

Where we rely on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

We do not knowingly process special category personal data (as defined in Article 9 GDPR). If you provide special category data in a support communication or otherwise, we will process it only as necessary to assist you and only for the duration required.

8. Who We Share Data With

We share personal data only as described in this Section.

8.1 Service Providers (Sub-Processors)

We share personal data with carefully selected third-party service providers that process data on our behalf to help us operate the Service. Each of these providers is bound by a written agreement that requires them to process personal data only on our instructions and to apply appropriate security measures. Our current sub-processors include:

  • Stripe, Inc. (United States): payment processing
  • Mercury Technologies, Inc. (United States): banking and financial operations
  • Infrastructure providers (multiple jurisdictions outside mainland China): hosting, networking, content delivery, and routing infrastructure for the Service. A current list of infrastructure sub-processors is maintained in the Data Processing Addendum and is available on request to business customers.

The current list of sub-processors is available at /legal/sub-processors. We will provide notice of material changes to this list as described in the Data Processing Addendum.

8.2 Professional Advisors

We may share personal data with our legal, accounting, audit, and similar professional advisors, in each case under obligations of confidentiality and only to the extent necessary for them to advise us.

8.3 Corporate Transactions

If we are involved in a merger, acquisition, financing, reorganization, sale of assets, or similar transaction, personal data may be transferred to the counterparty or successor entity, subject to confidentiality obligations and continued application of this Privacy Policy or a substantially equivalent successor policy.

We will share personal data with governmental or regulatory authorities only as described in Section 16. We do not voluntarily share user information with non-United States authorities.

We will share personal data with third parties where you give us consent or specific instructions to do so.

8.6 No Sale of Personal Data

We do not sell personal data, and we have not sold personal data within the meaning of the California Consumer Privacy Act (as amended by the California Privacy Rights Act) or any similar law. We do not share personal data for cross-context behavioral advertising.

9. International Data Transfers

Meridian Networks LLC is established in the United States, and our infrastructure is located in jurisdictions outside the People's Republic of China, including the United States, Canada, the European Economic Area, the United Kingdom, Japan, Singapore, and other locations selected for service quality and regulatory stability.

Where personal data of users in the European Economic Area, the United Kingdom, or Switzerland is transferred to the United States or to other jurisdictions that have not received an adequacy decision from the European Commission, the United Kingdom Information Commissioner's Office, or the Swiss Federal Data Protection and Information Commissioner, we rely on appropriate safeguards under Articles 44 to 49 GDPR and equivalent UK and Swiss provisions. These safeguards include:

(a) the European Commission's Standard Contractual Clauses (Module One, Two, Three, or Four as applicable);

(b) the United Kingdom International Data Transfer Addendum to the Standard Contractual Clauses, or the United Kingdom International Data Transfer Agreement, where applicable;

(c) supplementary technical and organizational measures consistent with the European Data Protection Board's recommendations following the Schrems II decision;

(d) for transfers covered by the EU-U.S. Data Privacy Framework or its UK or Swiss extensions, any adequacy mechanism that is in force at the time of transfer; and

(e) other lawful transfer mechanisms recognized under Applicable Law.

You may request a copy of the relevant safeguards by contacting info@throughwire.net. Sensitive commercial details may be redacted.

10. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including the satisfaction of any legal, accounting, audit, security, or reporting requirements, or to establish, exercise, or defend legal claims.

CategoryRetention period
Account email and account recordFor the life of the account, plus thirty (30) days after termination, unless you request earlier deletion
Billing records (Stripe customer ID, payment metadata, invoices, refunds)Seven (7) years after the relevant transaction, to satisfy United States and other applicable tax and accounting record-keeping obligations
Authentication event logsUp to ninety (90) days, then deleted or anonymized; retained longer only where necessary to investigate a specific security incident
Aggregate bandwidth countersFor the duration of the billing period plus thirteen (13) months for billing dispute resolution
Support communicationsFor the duration of the relationship plus three (3) years, unless you request earlier deletion
Crash and diagnostic dataUp to ninety (90) days, anonymized where feasible
Cookies and website analytics dataAs described in our Cookie Policy
Records of consent or objectionAs long as necessary to demonstrate compliance
Legal hold materialsFor the duration of the relevant legal matter, plus the applicable limitation period

When the retention period expires, we delete personal data or render it irreversibly anonymized. Where deletion is technically infeasible (for example, in immutable backup media), we will isolate the data from active processing and delete it on the next routine destruction cycle.

11. Data Security

We maintain technical and organizational measures designed to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, damage, or alteration. Our measures include:

(a) encryption of personal data in transit and at rest using industry-standard cryptographic protocols;

(b) access controls limiting personnel access to personal data on a need-to-know basis, with multi-factor authentication for administrative access;

(c) network segmentation and firewall protection;

(d) regular security testing, including vulnerability scanning and penetration testing of critical components;

(e) employee confidentiality obligations and security training;

(f) incident response procedures, including a documented breach notification process;

(g) sub-processor due diligence and contractual security requirements; and

(h) physical security at our office locations and in our infrastructure providers' facilities.

No security measure is perfect. We do not guarantee that personal data will be free from unauthorized access, and you acknowledge this inherent limitation. In the event of a personal data breach affecting you, we will notify you and, where required, the competent supervisory authority, in accordance with Applicable Law.

12. Your Rights Under GDPR and UK GDPR

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights with respect to your personal data, subject to the conditions and limits set out in Applicable Law:

(a) Right of access. To obtain confirmation that we process your personal data and to receive a copy of that data.

(b) Right to rectification. To have inaccurate personal data corrected and incomplete personal data completed.

(c) Right to erasure. To request deletion of your personal data in the circumstances set out in Article 17 GDPR.

(d) Right to restriction of processing. To request that we limit our processing of your personal data in the circumstances set out in Article 18 GDPR.

(e) Right to data portability. To receive personal data you provided to us in a structured, commonly used, machine-readable format, and to have us transmit it to another controller where technically feasible.

(f) Right to object. To object to processing based on legitimate interests, including profiling, and (where applicable) processing for direct marketing.

(g) Right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. We do not currently engage in such automated decision-making, as described in Section 19.

(h) Right to withdraw consent. To withdraw any consent on which we rely, at any time, without affecting the lawfulness of prior processing.

(i) Right to lodge a complaint with a supervisory authority in the jurisdiction of your residence, place of work, or alleged infringement.

13. Your Rights Under California Law

If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act, "CCPA/CPRA") provides you with the following rights:

(a) Right to know. To know what categories of personal information we have collected, the sources of that information, the purposes for which it is collected, and the categories of third parties with whom we share it.

(b) Right to access. To request a copy of the specific pieces of personal information we have collected about you in the preceding twelve months (or, where you so request, for a longer period back to January 1, 2022).

(c) Right to delete. To request deletion of personal information we have collected from you, subject to exceptions under Applicable Law.

(d) Right to correct. To request correction of inaccurate personal information.

(e) Right to opt out of the sale or sharing of personal information. We do not sell or share personal information for cross-context behavioral advertising, but you may exercise this right at any time.

(f) Right to limit the use and disclosure of sensitive personal information. We do not use or disclose sensitive personal information except as necessary to provide the Service or as otherwise permitted by Applicable Law without further opt-in.

(g) Right to non-discrimination. We will not discriminate against you for exercising any of these rights, including by denying service, charging different prices, or providing a different level or quality of service.

If you are an authorized agent acting on behalf of a California consumer, please follow the procedure set out in Section 15 and provide proof of authorization.

14. Your Rights Under Other Laws

Other privacy laws may grant you rights with respect to your personal data depending on your jurisdiction. We aim to honor equivalent requests from users in other jurisdictions to the extent feasible, including in jurisdictions covered by the Personal Data Protection Act of Singapore, the Act on the Protection of Personal Information of Japan, the Personal Data Protection Act of Malaysia, the Personal Information Protection Act of the Republic of Korea, the Privacy Act of Australia, the Personal Information Protection and Electronic Documents Act of Canada, and similar legislation. To exercise rights granted by laws not specifically addressed above, please contact us using the procedure in Section 15 and identify the applicable law.

We do not market the Service to residents of the People's Republic of China and do not direct the Service at PRC citizens. We make no representation regarding the application of the Personal Information Protection Law of the PRC to our processing.

15. How to Exercise Your Rights

To exercise any of the rights described in Sections 12, 13, or 14, please send a request to:

info@throughwire.net

Your request should include:

(a) the right you wish to exercise;

(b) sufficient information for us to identify your account (for example, the email address associated with your account);

(c) sufficient information for us to verify your identity (we may follow up to request additional verification); and

(d) where the request is made by an authorized agent, evidence of authorization.

We will respond to your request within thirty (30) days of receipt and verification of identity. We may extend this period by up to an additional sixty (60) days where the request is complex or where we have received a high volume of requests. We will inform you of any extension and the reasons for it.

Where you have exercised the right to deletion, and the request is verified and not subject to a legal exception, we will complete deletion within sixty (60) days of verification, except where retention is required by Applicable Law (in which case we will isolate the data and delete it when the legal requirement expires).

We do not charge a fee for responding to requests, except where requests are manifestly unfounded or excessive (in particular, repetitive), in which case we may charge a reasonable fee or refuse to act, as permitted by Applicable Law.

If we refuse to act on your request, we will inform you of the reasons and of your right to lodge a complaint as described in Section 21.

We commit to handling government and legal process requests in accordance with the following principles:

(a) United States legal process. We will comply with valid legal process from courts and authorities of the United States, including subpoenas, court orders, and warrants, where the process meets applicable legal standards. Where compelled to produce data, we can produce only the categories of data we actually retain (see Section 5).

(b) Foreign government and law enforcement requests. Requests from foreign governments and law enforcement authorities will be processed exclusively through the Mutual Legal Assistance Treaty ("MLAT") channels established between the United States and the requesting jurisdiction, or through other formal channels recognized under United States law. We will not voluntarily share user data with foreign authorities outside of these formal channels.

(c) Notice to affected users. Unless prohibited by Applicable Law, court order, or where we determine in good faith that notice would impede an investigation of harm to a person or to the integrity of the Service, we will give affected users notice of legal process requests directed at their account, with reasonable opportunity to challenge before disclosure.

(d) Challenges and pushback. We will challenge legal process that we believe is invalid, overbroad, or improperly issued, where we have a good-faith basis to do so.

(e) Transparency. We may publish a transparency report describing the volume and nature of legal process requests we receive. Any such report will be available at /legal/transparency.

We do not provide bulk access to user data to any government or third party. There is no "back door" in our systems for any party.

17. Children's Privacy

The Service is not directed to children under the age of eighteen (18). We do not knowingly collect personal data from persons under eighteen. If you believe that we have collected personal data from a person under eighteen, please contact info@throughwire.net and we will take prompt steps to delete the information and terminate the account.

18. Cookies and Similar Technologies

Our use of cookies and similar technologies on our websites is described in our Cookie Policy at /legal/cookies. The Throughwire client applications do not rely on web cookies for their core functionality.

19. Automated Decision-Making

We do not currently make decisions based solely on automated processing that produce legal effects concerning you or that significantly affect you in a similar manner. Sanctions screening, fraud detection, and bandwidth enforcement involve automated processing as a first step but are subject to human review where they affect access to your account.

20. Changes to This Policy

We may update this Privacy Policy from time to time. Where changes are material, we will provide notice to you by email to the address associated with your account, by in-product notification, or by a prominent notice on the Service, in each case at least thirty (30) days before the changes take effect. For non-material changes, we will update the Last Updated date at the top of this Policy.

We will preserve prior versions of this Policy in an archive accessible at /legal/archive so that you can review the history of our practices.

21. Contact and Complaints

For privacy inquiries, requests to exercise rights, or concerns about how we handle your personal data, please contact:

Privacy: info@throughwire.net Mailing address:

Meridian Networks LLC 1209 Mountain Road Pl NE, Ste N Albuquerque, New Mexico 87110 United States of America

If you are located in the European Economic Area, the United Kingdom, or Switzerland and you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with the data protection supervisory authority in your jurisdiction. Contact details for European Economic Area authorities are available at https://edpb.europa.eu; for the United Kingdom, see https://ico.org.uk; for Switzerland, see https://www.edoeb.admin.ch.

If you are a California resident and you believe we have not adequately addressed your concerns, you may contact the California Privacy Protection Agency at https://cppa.ca.gov.

This Privacy Policy is effective as of the Effective Date stated above and supersedes all prior privacy notices issued by Meridian Networks LLC for the Throughwire service.