Privacy & data retention
Merula monitors the public configuration of domains you own. To do that we collect a small amount of personal data — your email, the names you put on your account and on alert recipients, and the IP and User-Agent headers of authenticated requests to the API. This page sets out what we keep, for how long, and what you can do about it.
Data we collect
Roughly five categories, each tied to a clear purpose. We don't track you across the web; there are no advertising pixels, no remarketing and no behavioural profiling. The marketing website uses Google Analytics for visitor analytics, loaded only after consent, with Google Analytics advertising features disabled. See the Privacy notice for the full disclosure.
- Identity. Your email address, display name, and the identity-provider subject identifier used to verify you are who you say you are. Comes from sign-up; updated by you in Settings.
- Account state. Your account's name, country, VAT number (paid plans), plan, the team members you've invited, and which domains you've added.
- Monitoring data. The check results, change events, and alerts produced by Merula's engine running against your domains. Monitoring data is usually public technical configuration data about your domains rather than personal data about you. Because it is linked to your account, and because domain names or related metadata can sometimes identify an individual or sole trader, we treat it with the protections described here.
- Aggregate report data. When you enable DMARC or TLS-RPT report parsing for a domain, mail receivers send us aggregate reports that contain the IP addresses of hosts sending mail as that domain. Those addresses can be personal data about third parties (the senders); we process them on your behalf as processor — the Data Processing Addendum governs this.
- Request metadata. The IP address and User-Agent of each authenticated API request, recorded as part of the audit log for security purposes.
- Billing. Stripe is our payment processor and keeps invoices, card metadata, and tax records on its side. We store only your Stripe customer ID locally; the rest lives in Stripe.
How long we keep it
Retention is per-category, and the rules below apply uniformly to every plan. The defaults are set by what's necessary for the service, what we're required to keep under Swedish or EU law, and what's worth keeping as a security record.
| Category | Retention | After account closure |
|---|---|---|
| Identity (name, email, identity-provider ID) | While the account is active. | Hard-deleted 30 days after the closure is confirmed, unless the user is a member of other Merula accounts (the user record is shared and survives). |
| Account state | While the account is active. | Hard-deleted after the 30-day grace; the account row itself is anonymised (name = "Deleted account") so the audit log can still reference it. |
| Monitoring data (check results, changes, alerts) | Free: 7 days. Pro and MSP: 24 months. | Hard-deleted after the 30-day grace. |
| Audit log | As long as necessary as a security and legal record, then deleted or anonymised. | Retained as a security and legal record. Where immediate erasure is not possible, retention may be necessary for the establishment, exercise or defence of legal claims (GDPR Art. 17(3)(e)). Account-name references resolve to the anonymised "Deleted account" tombstone. |
| Billing | 7 years. | Retained 7 years per Swedish bokföringslag (GDPR Art. 17(3)(b) legal obligation). Held by Stripe; we keep only the Stripe customer ID locally. |
| Aggregate reports (DMARC / TLS-RPT) | Per plan retention window for the parent account. | Hard-deleted with the rest of the account's monitoring data. |
Your rights
Under GDPR you can request access to, correction of, or deletion of your personal data, and you can object to or restrict our processing of it. Merula's self-service surface covers two of these directly; the rest go via email.
Export your data (Art. 15)
Available from app.merula.io → Settings → Your data → Request export. The export is a JSON document containing your account profile, members, domains, recent check results, alerts, report-parsing activations, and the full audit log scoped to this account. Every plan can request one export per 24 hours per account. It's a right, not a feature.
Billing detail (invoices, card information, tax records) lives in Stripe and isn't included in the self-service export. For invoice copies, email support@merula.io.
Close your account (Art. 17)
Available from app.merula.io → Settings → Your data → Close this account. Closure is a two-step ritual: an admin clicks the button, then every admin receives a confirmation email. The first admin to click the link starts a 30-day grace period during which the deletion can still be cancelled by any admin. After the grace window expires, the data classified above as "hard-deleted" is purged and the account row is anonymised to a tombstone.
The 30-day window is intentional. It catches accidental clicks, gives a compromised inbox time to be noticed, and lets a team work out whether the closure was authorised before it becomes irreversible.
Other rights
For correction, restriction, objection, or any GDPR right that isn't covered above — including the data-portability follow-ups Stripe holds — email privacy@merula.io. We respond within 30 days. For complaints, you can also contact the Swedish data-protection authority (Integritetsskyddsmyndigheten, imy.se).
If you belong to multiple accounts
A user record is shared across the accounts you're a member of. Closing one account anonymises that account's data and removes your membership in it, but it does not delete your user record if you still belong to other Merula accounts. If you'd like your user record removed too — and you no longer belong to any account — email privacy@merula.io. A self-service path for this lands in a later iteration.
Sub-processors
A small number of services process personal data on our behalf:
- Amazon Web Services (AWS) — infrastructure hosting, including the managed database where your account and monitoring data live and the managed identity provider that holds password hashes, MFA enrolment state, and the audit trail of authentication events. EU-region only (Stockholm). The relevant residency vs sovereignty discussion is on the compliance page.
- Stripe — payments and tax. Holds invoice and card data on its side; receives email + name + VAT for customer creation; emits webhooks to us on subscription events.
- Google Analytics — website analytics for the marketing site only, loaded only after consent. Google Analytics advertising features, remarketing and personalised advertising are disabled. Not used in the application, and never on customer monitoring results, DMARC report data or domain-check history.
These providers run under their own privacy policies and EU contractual protections. If you need a fuller summary of how we manage these providers, write to security@merula.io.
Software Bill of Materials
Where the sub-processors above are the services Merula relies on, the SBOM is the other half of the same picture: the software components Merula is built from. We maintain a CycloneDX-format Software Bill of Materials of every component shipped in our deployed surface — the API, the check-runner, the marketing site, the dashboard, and the shared libraries they depend on. It is regenerated automatically on every release.
We do not publish the SBOM openly: an open copy would hand automated scanners an exact version map of the deployed surface while adding nothing for the procurement and security reviewers who actually need it. Instead it is available on request. Write to security@merula.io and we will send the current CycloneDX file, typically within one business day.
The SBOM lists software components only; the service-level dependencies that process data on our behalf are the sub-processors listed above.
Changes to this policy
Material changes are announced in-app at least 30 days before taking effect. The "last reviewed" line at the top of this page tracks the latest review date.