Table of Contents
1. Information We Collect
2. How We Use Your Information
3. Data Sharing and Disclosure
4. Data Retention
5. Security
6. Cookies and Tracking
7. Third-Party Services
8. Legal Basis (GDPR)
9. Your Privacy Rights
10. International Data Transfers
11. Children's Privacy
12. Links to Other Websites
13. Changes to This Policy
14. Contact Us
Privacy Policy
Last Updated: December 14, 2025
At Mercozy ("we," "us," or "our"), we value your privacy and are committed to protecting your personal information. This Privacy Policy explains how we collect, use, and share information about you when you access or use our website (mercozy.com) and mobile applications (collectively, the "Service").
Mercozy is an independent project operated by an individual developer. By using the Service, you agree to the terms of this Privacy Policy.
1. Information We Collect
We collect information in the following ways:
A. Information You Provide to Us
- Account Data: When you register, we collect your name, email address, password (stored in hashed format), and organization name.
- Billing Data: If you subscribe to a paid plan, our payment processor (Stripe) collects your billing address and payment method details. We do not store your full credit card information.
- User Content: We collect the data you input into the Service, such as product details, inventory records, supplier information, and order history.
- Support Communications: Information you provide when you contact us for support or feedback.
B. Information We Collect Automatically
- Usage Data: We track how you interact with the Service, such as pages visited, features used, and time spent.
- Device Data: We collect information about the device you use to access the Service, including IP address, browser type, and operating system.
- Cookies & Tracking: We use cookies and local storage to maintain your session, remember your preferences (like language settings), and analyze Service performance.
2. How We Use Your Information
We use your information to operate and improve the Service, specifically to:
- Provide, maintain, and optimize the Service's functionality.
- Process payments and send transactional notifications (e.g., invoices, subscription confirmations).
- Authenticate your identity and ensure the security of your account.
- Respond to your comments, questions, and support requests.
- Send you technical notices, updates, security alerts, and administrative messages.
- Monitor and analyze trends, usage, and activities in connection with the Service.
3. Data Sharing and Disclosure
We do not sell your personal data. We share your information only in the following circumstances:
- Service Providers: We share data with trusted third-party vendors who help us operate the Service (e.g., hosting via AWS/Cloudflare, payment processing via Stripe, email delivery). These providers are bound by confidentiality agreements.
- Legal Compliance: We may disclose information if required to do so by law or in the good-faith belief that such action is necessary to comply with state and federal laws or respond to a court order, judicial, or other government subpoena.
- Protection of Rights: We may disclose information to enforce our Terms of Service or protect the rights, property, and safety of Mercozy, our users, or others.
- Business Transfers: If Mercozy is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.
4. Data Retention
We retain your personal information only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use your information to the extent necessary to comply with our legal obligations, resolve disputes, and enforce our legal agreements and policies.
When you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain certain information for legal or legitimate business purposes.
5. Security
We take the security of your data seriously. We use industry-standard technical and organizational measures to protect your information, including:
- Encryption of data in transit (HTTPS/TLS) and at rest.
- Secure password hashing using bcrypt.
- Regular security assessments and updates.
- Access controls and authentication mechanisms.
Data Breach Notification: If we become aware of a security breach that affects your personal data, we will notify you and any applicable regulator within 72 hours (or as required by applicable law) so that you can take appropriate protective steps.
6. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to collect and store information about your interactions with the Service.
Types of Cookies We Use:
- Essential Cookies: Required for the Service to function properly (e.g., authentication, security, session management). These cannot be disabled.
- Preference Cookies: Remember your settings and preferences (e.g., language, theme, display options).
- Analytics Cookies: Help us understand how users interact with the Service to improve functionality and user experience.
Managing Cookies: Most web browsers allow you to control cookies through their settings. You can set your browser to refuse all or some cookies, or to alert you when websites set or access cookies. However, if you disable or refuse cookies, some features of the Service may not function properly.
Do Not Track: Our Service currently does not respond to "Do Not Track" (DNT) signals from web browsers due to the lack of industry standardization.
7. Third-Party Services
We use trusted third-party services to operate and improve the Service. These services may collect information sent by your browser:
- Hosting & Infrastructure: Amazon Web Services (AWS) and Cloudflare for hosting, content delivery, and DDoS protection.
- Payment Processing: Stripe for secure payment handling. Stripe's privacy policy: stripe.com/privacy
- Email Services: We use email service providers for transactional and support communications.
Each third-party service operates under its own privacy policy. We encourage you to review their policies. We are not responsible for the privacy practices of these third parties.
8. Legal Basis for Processing (EEA/UK Users)
If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data based on the following legal grounds under the General Data Protection Regulation (GDPR):
- Contract Performance: Processing necessary to provide you with the Service you have requested and to fulfill our contractual obligations.
- Legitimate Interests: Processing for our legitimate business interests, such as improving our Service, preventing fraud, ensuring security, and communicating with you about your account.
- Legal Obligation: Processing required to comply with applicable laws and regulations.
- Consent: Where you have given explicit consent for specific processing activities (e.g., marketing communications). You may withdraw consent at any time.
9. Your Privacy Rights
A. Rights for All Users
Regardless of your location, we provide you with the following rights:
- Access: Request access to the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your personal data.
- Data Portability: Request a copy of your data in a structured, machine-readable format (JSON or CSV).
- Account Settings: Access and update your account information directly within the Service settings.
B. Additional Rights for EEA/UK Users (GDPR)
If you are in the EEA or UK, you also have the right to:
- Restrict Processing: Request that we limit how we use your data in certain circumstances.
- Object to Processing: Object to processing based on legitimate interests or for direct marketing purposes.
- Withdraw Consent: Withdraw your consent at any time where processing is based on consent, without affecting the lawfulness of processing before withdrawal.
- Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority if you believe we have violated your privacy rights.
C. Additional Rights for California Residents (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: Request information about the categories and specific pieces of personal information we have collected, the sources of collection, and the purposes for which we use it.
- Right to Delete: Request deletion of your personal information, subject to certain exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
- Do Not Sell or Share: We do not sell or share your personal information for cross-context behavioral advertising. California residents do not need to submit an opt-out request.
Exercising Your Rights: To exercise any of these rights, please contact us at privacy@mercozy.com. We will verify your identity before processing your request and respond within 30 days (or as required by applicable law, such as 45 days for CCPA requests).
10. International Data Transfers
Mercozy operates globally. Your information, including personal data, may be transferred to and maintained on servers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction.
For transfers from the EEA, UK, or Switzerland to countries not deemed adequate by the European Commission, we rely on appropriate safeguards such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Data processing agreements with our service providers that include appropriate data protection commitments.
By using the Service, you acknowledge that your data may be transferred internationally as described in this section.
11. Children's Privacy
Our Service is not directed to anyone under the age of 16 (or 13 in jurisdictions where permitted). We do not knowingly collect personal information from children. If you are a parent or guardian and you are aware that your child has provided us with personal data, please contact us. If we become aware that we have collected personal data from children without verification of parental consent, we will take steps to remove that information from our servers.
12. Links to Other Websites
Our Service may contain links to third-party websites or services that are not owned or controlled by Mercozy. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party websites or services. We encourage you to review the privacy policy of every site you visit.
13. Changes to This Privacy Policy
We may update our Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page, updating the "Last Updated" date, and, where appropriate, sending you an email notification.
We encourage you to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.
14. Contact Us
If you have any questions about this Privacy Policy, your privacy rights, or our data practices, please contact us:
Email: privacy@mercozy.com
Response Time: We aim to respond to all privacy-related inquiries within 30 days.
For EEA/UK users: If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.