Privacy notice
This page describes how Adspace Nordic AB, the legal entity operating Merula, processes personal data when you use this website or the Merula service. It is written in plain language and follows the structure of the EU General Data Protection Regulation.
1. Who we are
The data controller for account, billing, website and service administration data is Adspace Nordic AB, registered in Sweden.
You can reach us at privacy@merula.io for any question relating to this notice or to exercise your rights under GDPR.
Where Merula processes customer-controlled domain monitoring data or DMARC report data on behalf of a customer, the roles, instructions and safeguards are further described in the Data Processing Addendum.
2. What we collect
- Account data: email address, name, organisation name, billing address and authentication data required to run an account and bill it.
- Domain configuration: the public DNS, HTTP and TLS records of the domains you ask us to monitor. This is information that is already public.
- Usage and security data: sign-in timestamps, IP address at sign-in, security logs and feature usage in the dashboard. Sign-in IP logs are kept for 30 days for abuse prevention.
- Website analytics data: when you consent to analytics on the marketing website, Google Analytics may process information such as page views, approximate location, device and browser information, referrer information, interaction events and cookie or similar identifiers.
- Billing data: handled by Stripe; we store customer ID, plan, invoice references and billing status, but never card numbers.
- Support and contact data: messages you send to us, including support requests, partner enquiries and related correspondence.
- DMARC reports, when activated: aggregate XML reports your mail receivers send to the address we provision. These may contain IP addresses of senders, message counts and authentication results.
3. Why we process it
- To provide the service (Art. 6(1)(b), contract): account management, monitoring, alerting, billing administration and support.
- To comply with the law (Art. 6(1)(c)): bookkeeping, tax records and mandatory retention.
- For our legitimate interest (Art. 6(1)(f)): preventing abuse, securing the service, debugging, improving reliability and understanding product usage. We do not sell personal data and we do not use personal data for advertising profiles.
- For website analytics (Art. 6(1)(a), consent): understanding use of the marketing website and improving content, navigation and product communication. You may withdraw your consent at any time through the cookie settings on the website.
4. Who we share data with
We use a small number of service providers to operate Merula:
- AWS: hosting, storage, logging, email infrastructure and related cloud services.
- Stripe: billing, invoicing, tax calculation, payment processing and fraud prevention.
- Google Analytics: website analytics for the marketing website only, used only after consent. We do not use Google Analytics for advertising features, remarketing or personalised advertising.
- Amazon SES (AWS): delivery of service emails, alerts and support notifications. Support tickets are handled in-product; we do not use a third-party helpdesk.
Core customer monitoring data is processed by AWS; billing data by Stripe. Website analytics and email delivery do not process your monitoring results, DMARC report data or domain-check history.
These providers process data only as needed to provide their services to us and are subject to contractual safeguards. We may also disclose data where required by law or to protect the security and integrity of the service.
5. Where data lives
Production infrastructure runs in the European Union, primarily in Stockholm. We use AWS for hosting and Stripe for billing.
Customer monitoring data is hosted in EU AWS regions as described in the Trust Centre. Some service providers may involve limited processing outside the EEA for billing, fraud prevention, support, analytics or edge delivery. Where such transfers occur, we rely on appropriate safeguards such as Standard Contractual Clauses or other lawful transfer mechanisms.
6. How long we keep it
- Account data: retained while your account is active, then deleted or anonymised after the 30-day closure grace period, except where retained for billing, security, legal claims or other legal obligations.
- Billing records: seven years, as required under Swedish bookkeeping rules.
- Check results: according to your plan's retention setting, currently from 7 days to 24 months depending on plan.
- Sign-in IP logs: 30 days.
- Google Analytics data: retained according to the analytics retention setting configured for the property, currently 2 months. We keep analytics retention as short as reasonably useful for website improvement.
- Raw inbound DMARC and TLS-RPT report messages: retained for 30 days. Parsed aggregate-report results follow the plan retention window.
- Support tickets: retained for the life of your account — so the history stays available to you and to us while you use the service — and deleted twelve months after the account is closed. Any screenshots you attach are deleted when the account is closed.
- Other contact messages (for example email to hello@merula.io): as long as needed to handle the request and for reasonable business records.
7. Your rights
Under GDPR you may request access to your data, correction, deletion, restriction of processing, objection to processing based on legitimate interests, or an export in a machine-readable format.
Where we rely on consent, you may withdraw that consent at any time.
Email privacy@merula.io to exercise your rights. We may need to verify your identity before acting on a request.
You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) or with your local supervisory authority.
8. Cookies and analytics
The marketing website uses no advertising cookies and no cross-site advertising tracking.
We use Google Analytics on the marketing website to understand how visitors use the site and to improve content, navigation and product communication. Google Analytics may process information such as page views, approximate location, device and browser information, referrer information, interaction events and cookie or similar identifiers.
Google Analytics is loaded only after you have given consent. You can withdraw or change your consent at any time through the cookie settings on the website.
We do not enable Google Analytics advertising features, remarketing or personalised advertising. Google Analytics runs on the marketing website only — not in the Merula application, and never on customer monitoring results, DMARC report data or domain-check history.
The application, app.merula.io, uses a first-party session cookie for authentication. It is secure and strictly necessary.
If we add additional non-essential analytics, tracking or cookies, we will update this notice and request consent where required before they are used.
9. Changes
Material changes to this notice are announced by email at least 30 days before they take effect. Editorial changes, such as typo fixes or clarifications, may be made without notice. The "last updated" date at the top reflects the most recent change.