Privacy Policy
Last updated: June 2026
1. Who we are
Merm is a personal relationship management service operated by Richard Sage, based in the United Kingdom (“we”, “us”, “our”). We are the data controller for the personal data described in this policy.
You can contact us at: hello@merm.me
2. What data we collect and why
Account data
When you create an account we collect your name and email address. This is handled by our authentication provider, Clerk. We use this data to identify you, send you service emails (alerts, reminders), and provide customer support.
Legal basis: performance of a contract (providing the service you signed up for).
Contact and interaction data
Merm stores the contacts you add — names, email addresses, phone numbers, birthdays, company details, notes, and interaction logs. This data belongs to you and is used solely to provide the core functionality of the service.
Legal basis: performance of a contract.
Gmail metadata (optional)
If you choose to connect your Gmail account, Merm reads email metadata only — specifically the sender, recipient(s), subject line, and date of emails. We do not read, store, or process the body content of any email.
This metadata is used exclusively to automatically log emails as interactions with contacts you have added to Merm. It is matched against your contact list and stored as interaction records in your account. Raw metadata is not retained beyond what is needed to create the interaction log entry.
Gmail access is entirely optional. You can connect and disconnect Gmail at any time from the Settings page. Disconnecting immediately revokes our access tokens and removes all stored Gmail credentials. Previously logged interactions are retained as they form part of your contact history, but no further email data will be accessed.
Legal basis: consent (you explicitly connect Gmail and can withdraw consent at any time).
Payment data
Payments are processed by Stripe. We do not store your card details. We retain a record of your subscription status (plan, renewal date, cancellation) to manage your access to paid features.
Legal basis: performance of a contract; legal obligation (financial record-keeping).
Usage data
We use Vercel Analytics and Speed Insights to collect anonymised, aggregated data about how the service is used (page views, performance metrics). This data cannot be used to identify individual users.
Legal basis: legitimate interests (improving the service).
3. How we store and protect your data
Your data is stored in a PostgreSQL database hosted by Neon (encrypted at rest). Gmail OAuth tokens — which grant Merm access to your Gmail account — are encrypted using AES-256-GCM before being stored. Access to the database is restricted and protected by credentials that are never committed to source code.
We use HTTPS for all data transmission. Security headers (including HSTS and Content-Security-Policy) are applied to all responses.
4. How long we keep your data
- Account and contact data is retained for as long as you have an active account.
- If you delete your account, all associated data is permanently deleted within 30 days.
- Payment records may be retained for up to 7 years to comply with UK financial regulations.
- Gmail credentials are deleted immediately when you disconnect Gmail from Settings.
5. Who we share your data with
We do not sell your personal data. We do not share it with third parties for marketing purposes. We share data only with the following service providers, and only to the extent necessary to operate the service:
| Provider | Purpose | Location |
|---|---|---|
| Clerk | User authentication and session management | USA |
| Neon | Database hosting | USA |
| Resend | Transactional email delivery | USA |
| Stripe | Payment processing | USA |
| Vercel | Application hosting and analytics | USA |
| Google | Gmail API (only if you connect Gmail) | USA |
All US-based providers are subject to Standard Contractual Clauses or operate under the UK–US data bridge, providing adequate safeguards for transfers outside the UK under UK GDPR.
6. Your rights under UK GDPR
As a UK resident, you have the following rights regarding your personal data:
- Right of access — you can request a copy of all personal data we hold about you.
- Right to rectification — you can correct inaccurate data directly within the app, or by contacting us.
- Right to erasure — you can request deletion of your account and all associated data.
- Right to restrict processing — you can ask us to limit how we use your data in certain circumstances.
- Right to data portability — you can request your contact and interaction data in a machine-readable format.
- Right to object — you can object to processing based on legitimate interests.
- Right to withdraw consent — where processing is based on consent (e.g. Gmail sync), you can withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email us at hello@merm.me. We will respond within one month.
7. Cookies
Merm uses only functional cookies necessary to operate the service — specifically session cookies set by Clerk to keep you logged in. We do not use advertising cookies or third-party tracking cookies.
8. Complaints
If you have concerns about how we handle your personal data, please contact us first at hello@merm.me. If you remain unsatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection.
9. Changes to this policy
We may update this policy from time to time. Material changes will be communicated by email to registered users. The “Last updated” date at the top of this page always reflects the most recent version.