Privacy Policy

Identity and contact

Mercemur is operated by Zemuria Inc., a company registered in Bengaluru, India. For the purposes of GDPR, our Data Protection Officer can be reached at support@mercemur.com. Where required, our EU representative under GDPR Article 27 is appointed and listed in the most recent version of our Data Processing Addendum.

Information we collect

• Account data: email, name, hashed password, company name, billing address, optional phone number.
• Operational data: products you create, orders placed on your store, customers who interact with your storefront, subject to your role as their controller, see below.
• Usage data: feature usage, page views, and click patterns within the admin dashboard.
• Support data: communications with support, screenshots you share, ticket history.
• Marketing data: email engagement metrics and opt-in preferences.
• Technical: IP address, user agent, device type, operating system, browser, referrer.
• Cookies: see our Cookie Policy.

Your role and ours

If you are a Mercemur merchant, you are the Data Controller for your end customers' personal data, and Mercemur is your Data Processor governed by our Data Processing Addendum. If you are an end customer of a Mercemur merchant, that merchant is your controller. This Privacy Policy describes Mercemur's processing in its supporting processor role; for data-subject requests, your primary contact is the merchant.

Legal basis for processing

Under GDPR Article 6 and India DPDP Section 7, we rely on:

• Contract, to provide the platform to merchant accounts.
• Legitimate interest, for platform security, fraud prevention, abuse detection, and product improvement.
• Consent, for marketing communications and non-essential cookies.
• Legal obligation, for tax records, AML, and audit retention.

How we use your information

To operate the platform, process payments via integrated providers, deliver transactional email, provide support, detect and prevent fraud and abuse, comply with legal obligations, improve the product through aggregated and anonymized analytics, communicate updates and security advisories, and send consent-based marketing.

Sharing and sub-processors

We share personal data only with the sub-processors listed at mercemur.com/legal/subprocessors. Each sub-processor is bound by a data processing agreement and equivalent security obligations. We do not sell personal data. We disclose to law enforcement only on valid legal process, and where applicable, after notifying you, unless prohibited by law.

International transfers

Primary processing happens in the EEA (OVH France for compute, Wasabi Frankfurt for object storage). Transfers to non-EEA jurisdictions, including our Wasabi us-east-1 disaster-recovery replica, Cloudflare's global edges, Stripe's US infrastructure, and Resend's US servers, are covered by the EU Standard Contractual Clauses. India operations are subject to DPDP cross-border rules.

Retention

• Account data: lifetime of account plus 90 days.
• Operational data: lifetime of the merchant relationship plus 90 days, anonymized thereafter.
• Support data: 5 years from ticket close.
• Marketing engagement: 2 years from last interaction.
• Audit logs: 7 years under legal hold.
• Backups: 35 days rolling plus 12 months of monthly snapshots.

Security measures

Industry-standard technical and organizational measures, summarized: encryption in transit and at rest, enforced MFA, role-based access, 24/7 logging and monitoring, quarterly backup drills, annual external penetration testing, and a SOC 2 Type 2 program in progress. The full Annex II of our DPA describes the controls in detail.

Your rights

Under GDPR Articles 15 to 22 and India DPDP Sections 11 to 15, you have rights of access, rectification, erasure, restriction, portability, objection, and to withdraw consent. You can lodge a complaint with your supervisory authority. Submit requests to support@mercemur.com or via the in-app Privacy form. Response within 30 days (GDPR) or 14 days (DPDP). Identity verification is required. Free of charge unless excessive or repetitive.

Children's data

The service is not directed at minors under 18 (or the local age of digital consent if higher). We do not knowingly collect data from minors. If we discover that we have, the data is deleted under our DSAR procedure.

Cookies and tracking

See our Cookie Policy for what we set, why, how long it lasts, and how to control it.

Changes to this policy

Material changes will be communicated by email to account holders 30 days in advance and posted publicly. The current version is 1.0, effective May 30, 2026.

Contact

For privacy questions, write to support@mercemur.com. For postal correspondence, write to Zemuria Inc., Bengaluru registered office. Our EU representative, where required, is listed in the current DPA.