Meris — Privacy Notice

Effective Date: May 18, 2026 · Last Updated: May 18, 2026 · Version: Beta 1.1

READ THIS FIRST. Meris is currently a Beta product. The Beta does not encrypt the data you submit and does not implement enterprise-grade data privacy controls. Meris personnel and contractors may access the data you submit for any operational, support, development, or product-improvement purpose. You should treat any information you submit to the Beta — including financial figures, deal terms, Profit Participant names, and any documents you upload — as non-confidential. Do not submit information whose disclosure, alteration, or loss would cause material harm. This Notice explains what we collect, how we use it (including, in narrow form, training of artificial intelligence models on de-identified, aggregated data only), and the rights you have. By using the Service or signing up — including signing up to use the public demo — you accept this Notice. If you do not agree, do not use the Service.

1. Who We Are

This Privacy Notice (the "Notice") describes how RAVOK Studios, Inc., a Delaware corporation with offices in Los Angeles, California, doing business as Meris ("Meris," "we," "us," or "our"), collects, uses, discloses, and otherwise processes personal information in connection with the Meris website at merisbeta.com (and any successor domain, including app.meris.film), the Meris software-as-a-service platform, application programming interfaces, demos, calculators, exports, reports, communications, and all related services and features (collectively, the "Service").

This Notice supplements the Meris Terms and Conditions (the "Terms") and uses defined terms from the Terms unless otherwise stated. In the event of a conflict between this Notice and the Terms, the Terms control with respect to contractual rights and licenses (including the AI/ML training scope in Section 11 of the Terms), and this Notice controls with respect to the categories of personal information processed and your statutory privacy rights.

2. Scope

This Notice applies to personal information we process about:

• Account holders and Authorized Users of the Service, including production professionals, financiers, talent, and their representatives;
• Demo and waitlist users — anyone who signs up to access the public interactive demo, the waterfall calculator, or the beta waitlist, even if they never proceed to a paid Account. Demo users sign up before using the demo, and the personal information collected at signup is processed under this Notice;
• Visitors to merisbeta.com and any other Meris website or marketing surface;
• Third parties whose information you submit to the Service, including investors, talent, crew, vendors, profit participants, and other deal counterparties; and
• Business contacts, including prospective customers, investors, and partners we engage with by email, calendar, or other communications.

If you submit personal information about another person to the Service, you represent that you have the legal right and any required consent to do so, and you are responsible for informing that person of how Meris will process their information as described in this Notice.

3. Personal Information We Collect

We collect the following categories of personal information. The categories below also serve as our notice at collection under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA").

3.1 Information you provide directly

Payment information will be collected only when paid features become available. The current Beta is free and does not collect payment-card or banking information.

3.2 Information collected automatically

3.3 Information from third parties

In the future, Meris may add integrations with third-party budgeting, payroll, accounting, or payment-processing tools (for example, Movie Magic, payroll providers, or Stripe). When that happens, this Notice will be updated to describe the categories of information received from each such integration. No such third-party integrations are active in the current Beta.

3.4 Sensitive personal information

We do not intentionally collect sensitive personal information as defined under CCPA (e.g., government identifiers, financial-account credentials, precise geolocation, racial/ethnic origin, religious beliefs, union membership, contents of mail/email/text not directed to us, genetic/biometric data, health data, sex life or orientation). You should not submit any such information to the Beta Service. If you nevertheless submit such information, you direct us to process it for the purposes described in Section 4 and you agree we may delete it without notice. We do not use or disclose sensitive personal information for purposes that, under CCPA Section 1798.121, would require a right to limit.

4. How We Use Personal Information

We use the personal information described above for the following business and commercial purposes:

• Operate the Service — provide accounts, demos, calculators, dashboards, projects, calculations, exports, and notifications;
• Generate Outputs — perform waterfall, recoupment, IRR, scenario, payout, and reporting calculations;
• Authenticate and secure access — verify identity, prevent fraud and abuse, detect and respond to security incidents, and enforce the Terms;
• Communicate with you — send service messages, respond to support requests, send beta announcements, and (where permitted) marketing;
• Improve the Service and develop new features — analyze usage, conduct research, debug, and prioritize roadmap;
• Train artificial intelligence and machine-learning models on de-identified, aggregated data — see Section 5;
• Produce de-identified and aggregated data — see Section 5;
• Process payments — only when paid features are introduced; not currently applicable in Beta;
• Comply with law and protect rights — respond to legal process; cooperate with regulators; assert, exercise, or defend legal claims; protect Meris, our users, and the public; and
• Business operations — corporate transactions (financings, acquisitions, restructurings), accounting, audits, and other normal business activities.

Legal bases (for users in jurisdictions that require them, including the EEA/UK if applicable): performance of the Terms (a contract to which you are party); your consent (where applicable, including for certain marketing, cookies, and the future opt-in AI training described in Section 5); compliance with legal obligations; and our legitimate interests in operating, improving, securing, and growing the Service — balanced against your interests and rights.

5. Artificial Intelligence and Machine-Learning Training; De-Identified Data

Meris uses only de-identified and aggregated data to train AI/ML models. We use Customer Data, Outputs, and usage information only after it has been de-identified or aggregated — meaning the data has been processed so it does not reasonably identify you, your Workspace, any specific project, or any individual — to develop, train, fine-tune, evaluate, benchmark, and improve artificial intelligence, machine-learning, statistical, predictive, and generative models (collectively, "AI Models"), whether developed by Meris alone or jointly with affiliates, contractors, or partners.

We will not use your raw, identified Customer Data to train AI Models without your explicit opt-in consent. If and when Meris introduces AI-powered features in the Service (for example, an AI co-pilot for waterfall configuration), any training on identified Customer Data will be governed by a separate opt-in consent mechanism, will not be enabled by default, and may be withdrawn by you at any time, subject to the limitations described below.

Where Meris produces model parameters, weights, embeddings, vector representations, or other model artifacts derived solely from de-identified or aggregated inputs, Meris may retain, use, license, sublicense, and commercialize those artifacts and any inferences, predictions, recommendations, benchmarks, or aggregated industry statistics derived from them — in any current or future product or service of Meris or its affiliates (including the broader RAVOK Studios portfolio), with no obligation of accounting to you.

Deletion of your Account or the live copy of your Customer Data does not require Meris to retrain, retract, or unwind AI Models, model artifacts, or De-Identified Data already produced from non-identifying inputs.

If you do not agree to the de-identified data uses described in this section, your sole remedy is to refrain from using the Service.

6. How We Share Personal Information

We disclose personal information to the following categories of recipients, only for the business or commercial purposes described above:

• Service providers and processors — cloud hosting and infrastructure providers; database, storage, and backup vendors; analytics and product-telemetry vendors; error and crash reporting; email and communications vendors; customer support tools; security and fraud-detection vendors; AI/ML training infrastructure providers, model providers, and labeling vendors (used only on de-identified or aggregated data, per Section 5); and accounting, legal, audit, and other professional advisors.
• Affiliates — our parent, subsidiaries, and other entities under common control with RAVOK Studios, Inc., including other Meris-related portfolio entities, for the purposes described in this Notice.
• Authorized Users in your Workspace — Customer Data is visible to anyone you or your Workspace administrator has invited to that Workspace, in accordance with the role and permissions assigned.
• Integrations you enable — if and when third-party integrations become available in the future, third-party services you connect will receive the data you authorize. No such third-party integrations are active in the current Beta.
• Compliance, safety, and legal process — courts, regulators, and law enforcement when we believe in good faith that disclosure is required or appropriate to comply with law or legal process, to enforce the Terms, to investigate fraud or security incidents, or to protect Meris, our users, or the public.
• Business transfers — in connection with any merger, financing, acquisition, sale of assets, reorganization, bankruptcy, or similar transaction involving Meris or RAVOK Studios, Inc., personal information may be transferred as a business asset, subject to customary confidentiality protections.
• With your consent or at your direction — when you ask us to disclose your information to a third party.

We do not "sell" personal information for money. Some uses of online identifiers and usage data with analytics vendors may, depending on how those terms are interpreted under CCPA, qualify as "sharing" for cross-context behavioral advertising or as a "sale." Your right to opt out of any such sharing or sale is described in Section 11. We do not knowingly sell or share the personal information of consumers under the age of 16.

7. AI Model Providers and Sub-Processors

When we use third-party AI infrastructure (for example, large-language-model providers or training compute providers) to operate or develop the Service, those providers process data on our behalf as service providers / processors under contracts that restrict their use of the data to providing services to us. Per Section 5, the data made available to these providers is de-identified and aggregated unless you have separately opted in to AI training on identified Customer Data. In light of the Beta posture (no encryption, no enterprise data segregation), you should not assume that the contractual restrictions provide complete technical protection against access by Meris personnel and contractors.

A current list of major sub-processors is available on request by emailing legal@ravokstudios.com.

8. Cookies and Similar Technologies

The Service uses cookies, local storage, and similar technologies for the following purposes:

• Strictly necessary — authentication, session management, security, load balancing.
• Functional — remembering your preferences and Workspace selection.
• Analytics — understanding aggregate usage and performance.
• Marketing (limited) — measuring the effectiveness of our marketing campaigns.

You can control cookies through your browser settings. Some Service features may not work if you block strictly-necessary cookies. We honor the Global Privacy Control (GPC) browser signal as a request to opt out of "sale" or "sharing" of personal information for cross-context behavioral advertising under CCPA. Where required by law (for example, in the EEA, UK, or other jurisdictions with cookie-consent regimes), the Service will request affirmative consent for non-essential cookies through an in-product banner.

9. Data Retention

We retain personal information for as long as needed for the purposes described in this Notice, including:

• Account and Workspace data — for the life of the Account, plus a reasonable period afterward for backup, dispute, and legal-hold purposes;
• Demo / waitlist signup data — until you ask us to delete it or until we determine the contact is no longer relevant;
• Communications — typically up to seven (7) years for legal, tax, and audit purposes;
• Logs and telemetry — typically 12–24 months;
• Backups — overwritten on rolling cycles;
• AI Model artifacts and De-Identified Data — retained indefinitely, even after deletion of the underlying Account or live data, as described in Section 5 (note: these artifacts are derived only from non-identifying inputs unless you have separately opted in under Section 5);
• Information subject to legal hold — for the duration of the hold.

Specific retention periods may vary based on the type of data, the purpose, and legal requirements.

10. Security

We use commercially reasonable administrative, technical, and physical measures consistent with the early-stage Beta posture of the Service. However:

• The Beta Service does not implement encryption of Customer Data at rest or in transit, nor enterprise-grade access controls, nor strict data segregation.
• Meris personnel and contractors may access your Customer Data for any operational, support, development, or model-training purpose described in this Notice.
• No internet-based service is fully secure. We cannot guarantee that personal information will not be accessed, disclosed, altered, or destroyed by breach of our or any third party's safeguards.

You acknowledge and accept these risks as a condition of using the Beta Service.

11. Your Rights and Choices

Subject to applicable law, you may have the following rights:

11.1 Rights for California residents (CCPA/CPRA)

• Right to know — request the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purposes, and the categories of recipients.
• Right to delete — request deletion of personal information we have collected from you, subject to certain exceptions (e.g., to complete a transaction, comply with law, defend legal claims, or for limited internal uses reasonably aligned with your expectations).
• Right to correct — request correction of inaccurate personal information.
• Right to opt out of "sale" or "sharing" — direct us not to sell your personal information or share it for cross-context behavioral advertising. We honor the GPC signal as such a request. To make a manual request, email legal@ravokstudios.com with the subject line "Do Not Sell or Share My PI."
• Right to limit use of sensitive personal information — we do not currently use or disclose sensitive personal information for purposes that would require a right to limit.
• Right to non-discrimination — we will not deny you the Service, charge you a different price, or provide a different level of quality solely because you exercised a privacy right (subject to lawful financial-incentive programs).

Important limitations on the rights to delete and correct:

• The right to delete does not require us to delete information from backups (until they are overwritten in the ordinary course), from legal-hold archives, or from De-Identified Data or AI Model artifacts already produced from non-identifying inputs.
• We will respond to verifiable consumer requests within the timeframes required by law (generally 45 days, extendable by an additional 45 days).
• An authorized agent may submit requests on your behalf with appropriate written permission and verification.

11.2 Rights for users outside California

If you are located in a U.S. state with a comprehensive privacy law (e.g., Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, and others), you may have rights similar to those above. If you are located in the European Economic Area, the United Kingdom, or another jurisdiction with data-protection laws (e.g., GDPR, UK GDPR, Brazil LGPD, Quebec Law 25), you may have additional rights including access, rectification, deletion, restriction, portability, and objection, and you have the right to lodge a complaint with your local data-protection authority. Note that the Service is operated from the United States and personal information is processed in the United States.

11.3 How to exercise your rights

Email legal@ravokstudios.com with your request and enough information for us to verify your identity (e.g., the email associated with your Account). For security, we may ask additional questions before completing your request. We aim to acknowledge receipt within seven (7) business days and to complete verified requests within the timeframes required by applicable law.

11.4 Marketing communications

You can opt out of marketing emails by clicking "unsubscribe" in any marketing message or by emailing legal@ravokstudios.com. Service messages (e.g., security alerts, billing, and material changes to the Terms or this Notice) cannot be opted out of so long as you have an Account.

11.5 AI training opt-in (future feature)

If and when Meris introduces AI-powered features that train on identified Customer Data, that training will be opt-in only. You will not be opted in by default. You may revoke your consent at any time; revocation stops future use of your identified Customer Data for AI training but does not require Meris to retract or unwind De-Identified Data or model artifacts already produced.

12. International Users; Cross-Border Transfers

The Service is operated from the United States. If you access the Service from outside the United States, your personal information will be transferred to and processed in the United States, which may not provide the same level of data protection as your home jurisdiction. By using the Service, you consent to this transfer to the maximum extent permitted by law.

13. Children

The Service is not directed at, intended for, or designed to attract anyone under the age of 18, and we do not knowingly collect personal information from anyone under 18. If you believe a child has provided personal information to us, contact legal@ravokstudios.com and we will delete it.

14. Third-Party Sites and Services

The Service may contain links to, or integrate with, third-party websites and services. This Notice does not apply to any third-party site or service. Review the privacy notice of any third party before providing it with personal information.

15. Changes to This Notice

We may update this Notice from time to time. When we do, we will update the "Last Updated" date and, if the changes are material, we will provide additional notice (for example, by email or in-product banner). Your continued use of the Service after the changes take effect constitutes your acceptance of the updated Notice.

Beta to General Availability. When the Beta transitions to a generally available commercial release, we will provide at least thirty (30) days' advance notice and a new version of this Notice reflecting the commercial release.

16. Contact Us

If you have questions, requests, or concerns about this Notice or our processing of your personal information:

Meris (a venture of RAVOK Studios, Inc.)
Attn: Privacy
Privacy and Legal: legal@ravokstudios.com
General: merisbeta@ravokstudios.com
Website: https://www.merisbeta.com

By creating an Account, signing up for the demo or beta waitlist, submitting any information to the Service, or otherwise using the Service, you acknowledge that you have read this Notice — including the disclosures regarding the Beta security posture (Section 10), the absence of encryption and the access permitted to Meris personnel (Sections 3 and 10), the use of de-identified and aggregated data only to train AI/ML models in the current Beta (Section 5), and your rights and choices (Section 11) — and you agree to the processing of your personal information as described.