This app is under development. For inquiries, contact [email protected]

    Version 2026-06-12

    Privacy Policy

    Version: 2026-06-12
    Last updated: 12 June 2026

    This Privacy Policy explains how [LEGAL_ENTITY_NAME] ("we", "us", "our") processes personal data when you visit our website or use the Merkurius application (the "Service").

    We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable Finnish data protection law.


    1. Who we are

    Data controller (account and website):
    [LEGAL_ENTITY_NAME]
    Business ID (Y-tunnus): [BUSINESS_ID]
    Address: [REGISTERED_ADDRESS]
    Country: [COUNTRY]
    Privacy contact: [email protected]

    2. Controller and processor roles

    | Situation | Our role | Your role (typical) |
    |-----------|----------|---------------------|
    | Account sign-up, billing contact, support emails | Controller | Data subject |
    | Personal data of your staff stored in Customer Data you upload | Processor | Controller |

    When we process personal data on your behalf as processor, our Data Processing Agreement applies. This Privacy Policy primarily describes processing where we are controller.

    3. Personal data we collect

    | Category | Examples | Source |
    |----------|----------|--------|
    | Account data | Email, password hash, display name, company name | Sign-up and profile |
    | Usage and technical data | Session tokens, consent records, UI preferences, limited logs | Service use |
    | Customer Data | Products, demand, inventory, routings, forecasts, supply plans; may include business contact details you upload | Your imports and planning activity |
    | Support communications | Messages you send us | Email or support channels |
    | Legal records | Terms/Privacy version accepted, timestamp | Sign-up |

    We do not intentionally collect special categories of personal data (such as health or biometric data). Do not upload such data unless you have a lawful basis and appropriate safeguards.

    We do not use personal data for automated decision-making that produces legal or similarly significant effects.

    4. Purposes and lawful bases

    | Purpose | Lawful basis (GDPR Art. 6) |
    |---------|---------------------------|
    | Provide, operate, and secure the Service | Contract (Art. 6(1)(b)) |
    | Authentication and tenant isolation | Contract; legitimate interests (security) |
    | Record legal acceptances | Contract; legal obligation |
    | Respond to support and privacy requests | Legitimate interests; legal obligation |
    | Improve reliability, prevent abuse, and develop the Service | Legitimate interests (Art. 6(1)(f)) |
    | Anonymized and aggregated analytics for product improvement | Legitimate interests (Art. 6(1)(f)) |

    Where we rely on legitimate interests, you may object as described in Section 11. Cookie-based preferences rely on consent where required — see our Cookie Policy.

    5. Cookies and local storage

    We use cookies and browser storage for essential authentication and, with your consent, functional preferences. See our Cookie Policy for details and your choices.

    6. Recipients and subprocessors

    We use service providers to operate the Service. They process data only on our instructions and under appropriate contracts:

    | Provider | Role | Typical location |
    |----------|------|------------------|
    | Supabase | Authentication, database, storage | EU (confirm in Supabase dashboard) |
    | Vercel | Frontend hosting and delivery | EU and/or United States |
    | Supabase Auth (email) | Transactional email (signup, password reset) | As configured in Supabase |

    Standard contractual clauses or other transfer safeguards apply where data is processed outside the EEA. See provider DPAs: Supabase DPA, Vercel DPA.

    We do not sell personal data. We may disclose data if required by law or to protect rights, safety, and security.

    7. International transfers

    Where personal data is transferred outside the European Economic Area, we implement appropriate safeguards such as EU Standard Contractual Clauses or adequacy decisions.

    8. Retention

    | Data | Retention |
    |------|-----------|
    | Account and profile | Until account deletion, plus limited backup retention |
    | Customer Data | Until deleted by you or after termination per our Terms |
    | Legal acceptance records | Account lifetime plus statutory limitation periods |
    | Server and security logs | Limited operational retention |

    9. Security

    We implement technical and organizational measures including tenant isolation, row-level security, encrypted transport (HTTPS), access controls, and subprocessors vetted under data processing terms. No method of transmission or storage is completely secure.

    10. Personal data breaches

    If we become aware of a personal data breach affecting your account data where we are controller, we will notify you and, where required, the supervisory authority without undue delay in accordance with GDPR. If we process data on your behalf as processor, we will notify you without undue delay so you can meet your obligations.

    11. Your rights

    Under GDPR, you may have the right to:

    • Access your personal data
    • Rectify inaccurate data (profile settings in-app where available)
    • Erase your data
    • Restrict or object to processing
    • Data portability where applicable
    • Withdraw consent where processing is consent-based (without affecting prior lawful processing)
    • Lodge a complaint with a supervisory authority

    Finland — supervisory authority:
    Tietosuojavaltuutettu / Datainspektionen
    https://tietosuoja.fi

    Contact [email protected] to exercise your rights. We may need to verify your identity. We respond within one month unless extension is permitted by law.

    If your organization is controller for data in Customer Data, direct end-user requests to your organization; we will assist you as processor under the DPA.

    12. Account deletion

    Request deletion by emailing [email protected] from your registered address, including your user ID if available. Some data may be retained where required by law, dispute resolution, or limited backups.

    13. Children

    The Service is not directed at children under 16. We do not knowingly collect their data.

    14. Changes

    We may update this Privacy Policy. Material changes will be communicated via the Service or email. The version date above indicates the current version.

    15. Contact

    Privacy questions: [email protected]

    Enterprise DPA requests: [email protected] (subject: DPA)