What we collect
Two categories. Account data for merchants who sign up: email, name, organisation, payment-method token (held by Stripe — we never see the card number), preferences, audit-log entries. End-customer data for shoppers on storefronts we host: name, shipping address, order history, and the payment-method token your processor returned to us. We act as the data processor; the merchant is the data controller.
Marketing-site visitors: nothing beyond what you submit via a form.
- Waitlist signups: email, optional first name + current platform + monthly-sales band
- Coming-soon notify: email + which surface you asked about
- Calculator usage: nothing stored unless you submit a form
- Server logs: IP, user-agent, request path — kept 30 days for security investigations
How we use it
- Operate the dashboard, the storefronts, and the marketing site
- Authenticate sessions (session cookies, no third-party tracking)
- Send transactional emails: order receipts, password resets, account alerts
- Send marketing emails — opt-in only, unsubscribe in every footer
- Detect abuse (rate limits, disposable-email blocklist)
- Aggregate analytics (no individual profiling)
Lawful basis (GDPR Article 6)
| Purpose | Lawful basis |
|---|---|
| Operating your Mercentia account | Contract performance |
| Sending transactional emails | Contract performance |
| Marketing emails / waitlist updates | Consent (opt-in) |
| Fraud detection + security | Legitimate interests |
| Compliance with tax / financial reporting | Legal obligation |
| Aggregated analytics | Legitimate interests |
Sub-processors
These vendors process personal data on our behalf. We have a Data Processing Agreement with each, and they're listed publicly so any merchant can review the chain before signing up. We give 30 days' notice before adding a new sub-processor.
| Vendor | Purpose | Data location |
|---|---|---|
| Railway | Application hosting | US / EU |
| Neon | PostgreSQL database hosting | EU (Frankfurt) |
| Stripe | Card processing — they handle PAN, we never see it | Global |
| Razorpay | Card processing in India | India |
| Paystack | Card processing in West Africa | Nigeria / South Africa |
| Resend | Transactional + marketing email | US |
| Cloudflare | CDN + edge cache | Global |
| IPINFO | Country lookup for currency display | US |
| Anthropic | AI features (composer, support agent) | US |
Cookies
We use a small set of first-party cookies. No third-party tracking cookies are set until you explicitly opt in via the consent banner.
| Cookie | Purpose | Lifetime | Category |
|---|---|---|---|
| mc_geo | Detected country code, drives default currency / region copy | 7 days | Strictly necessary |
| mc_currency | Your manually-chosen currency on the pricing or calculator pages | 7 days | Strictly necessary |
| mc_consent | Records your choice on the cookie consent banner | 12 months | Strictly necessary |
You can change your consent choice any time via the Cookie settings link in the footer. Analytics and marketing scripts only load if you opted in for them.
Your rights
Under GDPR (EU/UK) and CCPA/CPRA (California) you have the right to access, correct, export, and delete your personal data, and to object to processing. For California residents specifically: the right to opt out of any "sale" or "sharing" of personal data — we don't sell or share personal data, so this opt-out is automatic for everyone.
- Access + export (GDPR Article 15 + 20, CCPA "right to know"): self-service in the dashboard under Settings → Privacy → Data export, or email [email protected]. Returns a machine-readable JSON archive of everything we hold.
- Correction (GDPR Article 16): edit any profile / org field directly in the dashboard.
- Deletion (GDPR Article 17, CCPA "right to delete"): Settings → Privacy → Delete account. We anonymise records we're legally required to retain (tax, audit) and erase the rest within 30 days.
- Restriction + objection (GDPR Article 18 + 21): email [email protected].
- Withdraw consent (GDPR Article 7): unsubscribe links in every marketing email; dashboard toggles per channel.
- Complain to a supervisory authority: ICO (UK), CNIL (FR), your national DPA (EU). We'd prefer you tell us first.
Data retention
- Account data: while your account is active + 90 days after deletion
- Order data: 7 years (financial reporting, tax)
- Server logs: 30 days
- Audit log: 7 years (security investigations)
- Backups: rolling 30-day window — your deletion request propagates within 30 days
International transfers
Mercentia is operated from the UK. Sub-processors may be in the US, India, or elsewhere — transfers outside the UK/EU rely on Standard Contractual Clauses (SCCs) and, where relevant, the EU-US Data Privacy Framework. The DPA covers the full list of safeguards.
Security
Detailed in the Security page. Highlights: TLS 1.2+ everywhere, AES-256 at rest via the database provider, row-level security for tenant isolation, argon2id password hashing, immutable audit log, no card data ever on Mercentia servers (Stripe / Razorpay / Paystack take that scope).
Children
Mercentia is not directed to children under 16. We don't knowingly collect personal data from anyone under that age. If you believe we have, email [email protected] and we'll delete the record.
Changes to this policy
Material changes — new sub-processors, new data categories, new uses — get 30 days' notice via email to the account owner. The change-history is logged at the bottom of this page once we've shipped enough versions to warrant it.
Contact
Mercentia Ltd, registered in England & Wales. Privacy questions: [email protected]. For Data Subject Requests we respond within 30 days (GDPR Article 12).