Privacy Policy
Last updated: May 2025
At Mercon, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI CRM platform.
1. Information We Collect
- Personal Information: Name, email address, phone number, and billing information when you create an account.
- Business Information: Store data, product catalogs, customer information, and order data that you input into our platform.
- Usage Data: Information about how you interact with our platform, including log data, device information, and analytics.
- Communications: Messages and interactions between you, your customers, and our AI assistant.
2. How We Use Your Information
- To provide and maintain our AI CRM services.
- To process transactions and send related information.
- To improve our AI algorithms and platform features.
- To communicate with you about updates, support, and promotional materials.
- To ensure compliance with legal obligations.
3. Lawful Basis for Processing (GDPR)
- We process your data under the following lawful bases as defined by GDPR Article 6:
- Contract Necessity: Processing necessary to provide the Mercon platform services you have subscribed to.
- Legitimate Interest: Analytics, security monitoring, and platform improvement.
- Consent: Marketing communications and optional analytics cookies (you may withdraw consent at any time).
- Legal Obligation: Tax records, fraud prevention, and regulatory compliance.
4. Data Sharing and Disclosure
- Service Providers (Sub-Processors): We share data with the following categories of third-party vendors: Paddle.com (payment processing, Merchant of Record), Supabase (database hosting and authentication), OpenAI and Google (AI model providers for chat functionality), Cloudflare (CDN, DNS, and security), Vercel (frontend hosting), Google Cloud Platform (backend hosting).
- Integrations: When you connect third-party services (e.g., Instagram, Telegram, KeyCRM), data may be shared as necessary for integration functionality.
- International Transfers: Some of our sub-processors are located outside the EEA. We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs), for all international data transfers.
- Legal Requirements: We may disclose information if required by law or to protect our rights and safety.
5. AI and Automated Processing
- Mercon uses AI to generate sales responses, product recommendations, and customer insights on your behalf.
- AI processes customer messages and your catalog data to provide the service. No automated decisions with legal or similarly significant effects are made without human oversight.
- We do not use your business data or customer data to train AI models for other customers or for general model improvement.
- You may request information about the logic involved in AI processing that affects you by contacting our support team.
6. Data Security
We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. This includes encryption at rest and in transit, secure servers with SSL/TLS, role-based access controls, and regular security audits.
7. Support Access
- In order to provide technical support, troubleshoot issues, or fulfill service requests, authorized Mercon support personnel may temporarily access your account environment. This access is governed by strict technical and organizational safeguards:
- Time-Limited: Each support session is automatically limited to a maximum of 1 hour and cannot be extended.
- Scope-Restricted: During a support session, personnel cannot modify passwords, delete accounts, or make billing or payment changes.
- Fully Audited: Every support access session is recorded in an immutable audit log, including the identity of the support agent, the account accessed, the timestamp, and the duration.
- Role-Based: Only designated platform administrators have the technical ability to initiate support access. This capability is not available to general staff.
- The lawful basis for this processing is contractual necessity (providing the service you subscribed to) and legitimate interest (maintaining platform stability and security).
8. Data Retention
- Account data: Retained for the duration of your active account plus up to 90 days after account termination.
- Chat and order data: Retained for the duration of your subscription.
- Billing records: Retained for up to 7 years as required by tax and accounting regulations.
- Server logs: Automatically deleted after 90 days.
- You may request deletion of your data at any time by contacting support or using the data deletion page at mercon.app/data-deletion.
9. Your Rights (GDPR Data Subject Rights)
- Right of Access: Request a copy of all personal data we hold about you.
- Right to Rectification: Correct inaccurate or incomplete personal data.
- Right to Erasure: Request deletion of your personal data ("right to be forgotten").
- Right to Data Portability: Receive your data in a structured, machine-readable format.
- Right to Restrict Processing: Limit how we process your data in certain circumstances.
- Right to Object: Object to processing based on legitimate interests, including profiling.
- Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time.
- To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
10. Third-Party Integrations
Our platform integrates with third-party services such as Meta (Instagram), Telegram, Paddle (payments), and delivery providers. When you use these integrations, their respective privacy policies also apply. We recommend reviewing their policies.
11. Cookies and Tracking
- Essential Cookies: Required for the platform to function (authentication, session management). Cannot be disabled.
- Analytics Cookies: Help us understand how you use the platform. You can opt out via your browser settings.
- We do not use advertising or third-party tracking cookies.
12. Children's Privacy
Our services are not intended for individuals under 16 years of age. We do not knowingly collect personal information from children.
13. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of significant changes via email at least 30 days before they take effect and by updating the "Last updated" date on this page.
14. Contact Us and Data Protection
- If you have questions about this Privacy Policy, our data practices, or wish to exercise your data subject rights, please contact us at: [email protected]
- If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local data protection supervisory authority.