Privacy Policy
This policy explains what data Mero collects, how we use it, who we share it with, and your rights. We've written this in plain English deliberately.
1. Data we collect
Account data
When you sign up: name, email address, and organization name. If you sign up via Google, we receive your name and email from Google.
Integration data
When you connect tools (Notion, Linear, Jira, Slack, GitHub, Intercom, Fireflies, Mixpanel, and others), we read content from those services - pages, issues, messages, tickets - to generate insights. We store the processed analysis output, not a full copy of your raw third-party content. Raw content is used transiently during processing and is not retained after insight generation is complete.
Usage and analytics data
We collect product usage events (features used, pages visited, insight generation runs) using PostHog. This includes anonymized device and browser information. PostHog sets cookies - see Section 6.
AI performance data
We collect token counts, model latency, and cost metrics per insight generation run. This is used purely for internal performance monitoring and unit economics. It does not include the content of your data or AI outputs.
Billing data
If you subscribe to a paid plan, payment is processed by Stripe. We do not store full credit card numbers - Stripe handles PCI compliance.
Communications
If you contact us by email or via in-app chat, we retain those communications to respond and improve support.
2. How we use your data
We use your data to:
- Provide the Service: generate AI-powered product recommendations
- Send transactional emails (account confirmations, billing receipts)
- Send onboarding and product update emails (you can unsubscribe any time)
- Monitor and improve Service performance, reliability, and quality
- Detect and prevent fraud and abuse
- Comply with legal obligations
We do not use your data to train AI models.
We do not sell your data to third parties. Ever.
3. AI and Anthropic
Mero uses Anthropic's Claude API to generate product insights. When you generate insights, your integration data (Notion pages, Linear issues, Slack messages, etc.) is sent to Anthropic's API for processing.
Important: Anthropic does not use data submitted via the API to train or improve their AI models. This is governed by Anthropic's API data use policy (anthropic.com/privacy). API usage is explicitly excluded from model training.
Your data is processed by Anthropic's systems transiently and is not stored by Anthropic beyond what's necessary to fulfill the API request.
4. Who we share data with
We share data only with trusted subprocessors necessary to operate the Service:
| Subprocessor | Purpose | Location |
|---|---|---|
| Anthropic | AI model inference | USA |
| Supabase | Database and storage | South Korea (ap-northeast-2) |
| Clerk | Authentication | USA |
| Vercel | Hosting and edge network | USA / Global CDN |
| PostHog | Product analytics | USA (EU instance available) |
| Inngest | Background job processing | USA |
All subprocessors are bound by data processing agreements and are required to implement appropriate security measures.
Note on data location: Our primary database is hosted in South Korea (ap-northeast-2 via Supabase). If EU data residency is a requirement for your organization, please contact us at hello@withmero.com - we can accommodate this on request.
5. Data retention
- Account data: Retained while your account is active, deleted within 30 days of account deletion
- Integration data: Processed transiently; analyzed outputs retained until account deletion
- Usage analytics: Retained for 24 months
- AI performance metrics: Retained for 12 months
- Billing records: Retained for 7 years (legal requirement)
You can request deletion of your data at any time - see Section 7.
6. Cookies
We use the following cookies:
| Cookie | Purpose | Type |
|---|---|---|
| __session | Authentication (Clerk) | Necessary |
| ph_* | Product analytics (PostHog) | Analytics |
| __vercel_* | Edge routing (Vercel) | Necessary |
You can opt out of analytics cookies via our cookie banner or by adjusting your browser settings. Necessary cookies cannot be disabled as the Service will not function without them.
7. Your rights
Depending on where you live, you may have the right to:
- Access: Request a copy of the personal data we hold about you
- Correction: Ask us to correct inaccurate data
- Deletion: Ask us to delete your personal data ("right to be forgotten")
- Portability: Receive your data in a machine-readable format
- Objection: Object to certain types of processing
- Restriction: Ask us to restrict processing in certain circumstances
- Withdraw consent: Where processing is based on consent
EU/EEA residents have these rights under GDPR. California residents have similar rights under CCPA.
To exercise any of these rights, email hello@withmero.com. We'll respond within 30 days.
8. Security
We take security seriously. Our measures include:
- Encryption in transit: All data transmitted using TLS 1.2+
- Encryption at rest: Database encrypted at rest via Supabase
- Access controls: Production access restricted to authorized personnel
- Authentication: Secure auth via Clerk with MFA support
- Infrastructure: Hosted on SOC 2 Type II certified platforms (Vercel, Supabase, Clerk, Anthropic)
See our Security page for full details.
9. Children
Mero is not intended for users under 16. If you believe a minor has created an account, contact us and we'll delete it promptly.
10. Changes
We'll notify you of material changes by email or in-app notice at least 14 days before they take effect. The "effective date" at the top of this page reflects when the current version took effect.
11. Contact and complaints
Privacy questions: hello@withmero.com
Website: withmero.com
EU residents: If you believe we've handled your data unlawfully, you have the right to lodge a complaint with your local data protection authority (e.g. the ICO in the UK, or your national DPA in the EU).