This Privacy Policy explains how Bergline Digital OÜ("we", "us", "our") processes personal data when you use Meridian Trading and The Institutional Supply & Demand System(the "Service"). We process data in accordance with the EU General Data Protection Regulation (GDPR), the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus), and other applicable privacy laws.
Last updated: 11 July 2026
1. Data controller
- Bergline Digital OÜ (registry code 17361392)
- Tartu mnt 67/1-13b, Kesklinna linnaosa, 10115 Tallinn, Harju maakond, Estonia
- Email: contact@berglinelabs.com
2. Personal data we collect
Depending on how you use the Service, we may process:
- Identity and contact data: name, email address
- Account data: user ID, authentication tokens, course access status
- Transaction data: purchase history, payment status, Stripe customer/session IDs (we do not store full card numbers)
- Usage data: lesson progress, completion status, dashboard activity
- Technical data: IP address, browser type, device information, pages visited
- Communications: messages you send to support
- Marketing and analytics data: event data, referral information, session replay data where enabled
3. How we collect data
- Directly from you when you sign up, purchase, or contact support
- Automatically through cookies, logs, and analytics when you use the website
- From payment provider Stripe when you complete checkout
- From authentication provider Supabase when you create or sign in to your account
4. Purposes and legal bases
We process personal data for the following purposes:
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Creating and managing your account | Contract performance |
| Providing course access and progress tracking | Contract performance |
| Processing payments and invoices | Contract performance; legal obligation |
| Sending transactional and lifecycle emails | Contract performance; legitimate interests |
| Analytics, product improvement, and session replay | Legitimate interests; consent where required |
| Security, fraud prevention, and abuse detection | Legitimate interests; legal obligation |
| Complying with tax, accounting, and legal requests | Legal obligation |
Where we rely on legitimate interests, we balance those interests against your rights. You may object to processing based on legitimate interests as described in Section 9.
5. Cookies and similar technologies
We use essential cookies and similar technologies required for authentication, security, and checkout. We also use analytics and session replay tools that may store identifiers in your browser or local storage.
Non-essential analytics cookies and session replay may require your consent under the ePrivacy Directive and Estonian Electronic Communications Act, depending on your jurisdiction and browser settings. You can limit tracking through browser controls and ad-blockers, though some features may not function correctly.
6. Session replay
We use PostHog session replay to understand how users interact with the Service and to improve usability. Inputs are masked by default and sensitive checkout areas are excluded from capture where technically possible. Replays are retained according to our PostHog project settings (currently up to 30 days unless changed).
7. Recipients and processors
We share data with trusted service providers only as needed to operate the Service:
- Supabase — authentication, database, and account storage (EU/US depending on project region)
- Stripe — payment processing
- PostHog — analytics and session replay (EU hosting available)
- Resend — transactional email delivery
- Vercel — website hosting and infrastructure
These providers act as data processors under GDPR Article 28 where applicable. We use contractual safeguards and, where relevant, Standard Contractual Clauses for transfers outside the European Economic Area.
We may also disclose data if required by law, court order, or to protect our rights, users, or the public.
8. International transfers
Your data may be processed in the European Economic Area and, where necessary to deliver the Service, in countries that may not provide the same level of data protection. When we transfer data outside the EEA, we implement appropriate safeguards such as the European Commission's Standard Contractual Clauses or equivalent mechanisms.
9. Retention
- Account data: retained while your account is active and for a reasonable period after closure
- Purchase records: retained for up to 7 years where required for accounting and tax law
- Analytics and session replay: retained according to provider settings, typically up to 30 days for replays
- Support correspondence: retained as long as needed to resolve the matter and for legal compliance
10. Your rights
Under the GDPR and Estonian law, you may have the right to access, rectify, erase, restrict, or port your personal data, and to object to certain processing. Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
To exercise your rights, email contact@berglinelabs.com. We may need to verify your identity before responding. We aim to respond within one month as required by GDPR.
You also have the right to lodge a complaint with a supervisory authority. In Estonia, this is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) (https://www.aki.ee/en). You may also complain to the authority in your EU/EEA country of residence or work.
11. Children
The Service is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided data to us, contact contact@berglinelabs.com and we will delete it promptly.
12. Security
We implement appropriate technical and organizational measures to protect personal data, including encryption in transit, access controls, and secure payment handling via Stripe. No method of transmission over the internet is completely secure; we cannot guarantee absolute security.
13. Automated decision-making
We do not use automated decision-making or profiling that produces legal or similarly significant effects within the meaning of GDPR Article 22.
14. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top will change when we do. Material changes will be communicated where required by law.
15. Contact and related documents
Privacy enquiries: contact@berglinelabs.com
See also our Terms of Service.