Privacy Policy

Last Updated: October 28, 2025

Introduction

Mercana Corporation ("Mercana," "we," "us," or "our") is committed to protecting your privacy and ensuring transparency in how we collect, use, and share personal information. This Privacy Policy describes our practices regarding personal data we collect through our customer data enrichment platform and related services (the "Services").

This policy applies to customers of our business clients (DTC brands and e-commerce companies) whose personal information is processed through our Services. If you are a direct user of our platform (e.g., an employee of a client organization), additional terms may apply.

Our Role: Data Processor

When processing customer data on behalf of our business clients, Mercana acts as a data processor. Our clients (DTC brands) are the data controllers who determine what data is collected and how it is used. We process customer data solely according to our clients' instructions and our Data Processing Addendum (DPA). We never use customer data for our own marketing purposes or share it with third parties except as necessary to provide the Services.

1. Information We Collect
Personal information collected through our Services

1.1 Information Provided by Our Clients

Our business clients (e.g., e-commerce brands) provide us with customer information obtained through purchases and interactions on their platforms, including:

  • Contact Information: Name, email address, phone number
  • Location Data: Billing and shipping address, city, state, ZIP code, country
  • Transaction Information: Purchase history, order value, customer lifetime value, purchase frequency
  • Customer Identifiers: Customer ID, account information

1.2 Information We Collect from Public Sources

To enhance customer profiles and provide better insights to our clients, we augment the information provided by our clients with publicly available data, including:

  • Professional Information: Job title, company name, industry, LinkedIn profile
  • Public Social Profiles: Social media profiles and publicly shared content
  • Property and Location Data: Property values, homeownership status, neighborhood demographics (from public records)
  • Business Information: Company size, revenue estimates, business type (for B2B customers)

We do not collect or enrich profiles with sensitive personal data such as race, ethnicity, religious beliefs, health information, political affiliations, or sexual orientation.

2. How We Use Your Information
Purposes for which we process personal data

We use the personal information we collect and enrich for the following purposes:

  • Customer Insights and Analytics: To provide our clients with deeper understanding of their customer base, including demographics, interests, and purchasing behavior
  • Personalization: To enable our clients to personalize marketing messages, product recommendations, and customer experiences
  • Segmentation: To help clients identify and create customer segments for targeted marketing campaigns
  • Service Improvement: To improve our data enrichment algorithms and service quality
  • Compliance and Legal Obligations: To comply with legal requirements, respond to legal requests, and protect our rights

3. How We Share Your Information
Third parties with whom we share personal data

3.1 With Our Clients

We share enriched customer profiles with the business clients who originally provided us with your information. Our clients are the data controllers and are responsible for their own use of this information in accordance with their privacy policies.

3.2 With Service Providers

We share personal information with third-party service providers who perform services on our behalf, including:

  • Parallels: Data enrichment and enhancement services
  • Apify: Web scraping and data collection for public information
  • BrightData: Business intelligence and public data aggregation
  • Google Gemini AI: AI-powered data analysis and processing
  • Supabase: Cloud database and data storage
  • Typesense: Search infrastructure and indexing

These service providers are contractually obligated to use personal information only to provide services to us and not for their own purposes.

3.3 For Legal Reasons

We may disclose personal information if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency), or to protect our rights, property, or safety.

4. Data Retention
How long we keep your personal information

  • Enriched Customer Profiles: Retained for 90 days from the date of enrichment, unless you request deletion
  • Raw Third-Party Responses: Deleted immediately after processing and extracting relevant data
  • Opt-Out Records: Retained indefinitely to honor your privacy preferences
  • Privacy Audit Logs: Retained for 12 months for compliance and regulatory purposes

When personal information is no longer needed, we securely delete or anonymize it in accordance with our data retention policies and applicable laws.

5. Geographic Restrictions and Compliance
How we comply with regional privacy laws

5.1 European Union and United Kingdom (GDPR)

Automatic Blocking: We do not enrich personal data for residents of the European Economic Area (EEA) or United Kingdom without a valid legal basis under the General Data Protection Regulation (GDPR). If you are an EU/UK resident and believe your data was processed in error, please contact us immediately at privacy@mercana.so.

Legal Basis: Where we do process EU/UK personal data, we rely on legitimate interests or consent as our legal basis.

5.2 United States (CCPA/CPRA)

California residents have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to know what personal information we collect, use, and share
  • Right to request deletion of your personal information
  • Right to opt out of the "sale" or "sharing" of personal information for targeted advertising
  • Right to non-discrimination for exercising your rights

To exercise these rights, visit our Privacy Rights page or email us at privacy@mercana.so.

5.3 Canada (PIPEDA)

We comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). Canadian residents can access, correct, or request deletion of their personal information by contacting us at privacy@mercana.so. We obtain appropriate consent for data processing as required by Canadian law.

5.4 US Military Addresses (APO/FPO/DPO)

Addresses with APO (Armed Forces Pacific), FPO (Armed Forces Europe), or DPO (Diplomatic Post Office) designations are treated as United States jurisdiction for privacy compliance purposes.

6. Your Privacy Rights
Rights you have regarding your personal information

Depending on your location, you may have the following rights:

  • Right of Access: Request a copy of the personal information we hold about you
  • Right to Correction: Request correction of inaccurate or incomplete personal information
  • Right to Deletion: Request deletion of your personal information (subject to certain legal exceptions)
  • Right to Opt-Out: Opt out of data enrichment and sharing for targeted advertising purposes
  • Right to Data Portability: Receive your personal information in a structured, machine-readable format (where applicable)
  • Right to Object: Object to processing of your personal information for certain purposes
  • Right to Withdraw Consent: Withdraw consent for processing where consent was the legal basis

To exercise any of these rights, please visit our Privacy Rights page or contact us at privacy@mercana.so. We will respond to your request within the timeframes required by applicable law (typically 30-45 days).

7. Data Security
How we protect your personal information

We implement industry-standard technical and organizational security measures to protect personal information against unauthorized access, alteration, disclosure, or destruction, including:

  • Encryption: TLS 1.2+ for data in transit and AES-256 encryption for data at rest
  • Access Controls: Multi-factor authentication (MFA) for administrative access
  • Infrastructure Security: SOC 2 Type II compliant cloud hosting providers
  • Network Security: Network segregation, firewalls, and intrusion detection systems
  • Security Audits: Regular vulnerability assessments and penetration testing
  • Employee Training: Annual security and privacy training for all staff
  • Incident Response: 24/7 monitoring and documented breach notification procedures

While we implement robust security measures, no method of transmission or storage is 100% secure. We will notify you and applicable authorities within 72 hours in the event of a data breach as required by law.

8. Children's Privacy

Our Services are not directed to children under the age of 16, and we do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 16, we will take steps to delete such information as quickly as possible. If you believe we have collected information from a child, please contact us at privacy@mercana.so.

9. Cookies and Tracking Technologies
How we use cookies on our website and platform

We use cookies, web beacons, and similar tracking technologies to provide and improve our Services:

  • Essential Cookies: Required for authentication, security, and core platform functionality. These cannot be disabled.
  • Analytics Cookies: Help us understand how users interact with our platform (e.g., Google Analytics, Segment). You can opt out via your browser settings.
  • Preference Cookies: Remember your settings and preferences for a better user experience.

You can manage cookie preferences through your browser settings. Note that disabling certain cookies may limit functionality. For more information about cookies and how to control them, visit www.allaboutcookies.org.

10. International Data Transfers

Your personal information may be transferred to, stored, and processed in countries other than your country of residence, including the United States. These countries may have data protection laws that differ from those in your country.

When we transfer personal information from the European Economic Area (EEA) or United Kingdom to countries outside these regions, we implement appropriate safeguards including:

  • EU Standard Contractual Clauses (SCCs): Approved by the European Commission under Decision 2021/914
  • UK International Data Transfer Agreement (IDTA): For transfers from the UK
  • Supplementary Measures: Additional technical and organizational safeguards where required

By using our Services, you acknowledge and consent to the transfer of your personal information to the United States and other countries where we operate.

11. We Do Not Sell or Share Personal Information
Our commitment under California CPRA and other privacy laws

Mercana does not sell or share personal information for cross-context behavioral advertising or any other purpose. We do not:

  • Sell customer data to third parties
  • Share customer data with third parties for their own marketing purposes
  • Use customer data for any purpose other than providing our Services
  • Engage in cross-context behavioral advertising using customer data

When we share data with service providers (see Section 3.2), they are contractually bound to use the data only to provide services to us and not for their own purposes. This means sharing with service providers does not constitute a "sale" under California law.

If our practices change in the future, we will update this policy and provide opt-out mechanisms as required by law.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will post the updated policy on this page and update the "Last Updated" date. If we make material changes, we will provide additional notice as required by law, such as by email or through a prominent notice on our website or platform.

13. Contact Us
Questions about this Privacy Policy or your personal information

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Privacy Inquiries: privacy@mercana.so

General Support: dev@mercana.so

Postal Address:
Mercana Corporation
Attn: Privacy Team
New York, NY 10014, United States

For specific privacy rights requests (access, deletion, opt-out), please visit our Privacy Rights page where you can submit requests directly through our secure form.

We will respond to all requests within the timeframes required by applicable law (typically 30-45 days).
