GDPR Compliance
Last updated: March 27, 2026
1. Data Controller
Mergerly acts as the data controller for all personal data processed through our platform. For any inquiries regarding data processing, you can contact us at privacy@mergerly.it.
2. Legal Basis for Processing
We process personal data under the following legal bases as defined by GDPR Article 6:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the Mergerly platform and services you have subscribed to.
- Legitimate interest (Art. 6(1)(f)): Platform security, fraud prevention, and service improvement.
- Consent (Art. 6(1)(a)): Optional communications and notifications you have explicitly opted into.
- Legal obligation (Art. 6(1)(c)): Compliance with applicable laws and regulations.
3. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights:
- Right of Access (Art. 15): You can request a full copy of all personal data we hold about you. Use the "Export My Data" feature in Settings > Account, or contact us directly.
- Right to Rectification (Art. 16): You can update or correct your personal information at any time through your account settings.
- Right to Erasure (Art. 17): You can request permanent deletion of your account and all associated data. Use the "Delete Account" feature in Settings > Account.
- Right to Data Portability (Art. 20): You can download your data in a machine-readable JSON format at any time.
- Right to Restriction (Art. 18): You can request that we limit the processing of your personal data under certain conditions.
- Right to Object (Art. 21): You can object to the processing of your personal data for specific purposes, including profiling.
- Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent, you can withdraw it at any time without affecting prior processing.
4. Data Processing & Sub-processors
Mergerly uses the following categories of sub-processors:
- Cloud infrastructure: Hosting and database services within the EU (Vercel, Supabase).
- AI providers: Your own API keys are used to connect to AI services (OpenAI, Anthropic, Google). Mergerly does not share your data with these providers — you control the connection directly.
- Payment processing: Stripe, which is PCI DSS compliant and processes payment data independently.
- Email delivery: Resend, used solely for transactional emails (invitations, notifications).
5. Data Security Measures
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption at rest and in transit (TLS/HTTPS).
- AES-256-GCM encryption for sensitive credentials (API keys).
- Hashed passwords using bcrypt.
- Role-based access control (RBAC) with organization-level data isolation.
- Two-factor authentication (2FA/TOTP) support.
- Rate limiting and CSRF protection.
- Audit logging for compliance tracking.
6. International Data Transfers
Our primary database is hosted within the EU (Frankfurt, Germany). Where data is transferred outside the EEA (e.g., when using AI providers with your own API keys), such transfers are governed by Standard Contractual Clauses (SCCs) or equivalent safeguards as required by GDPR Chapter V.
7. Data Retention
Personal data is retained only for as long as necessary to provide our services. When you delete your account, all associated personal data is permanently erased. Audit logs may be retained for up to 90 days after account deletion for security and legal compliance purposes.
8. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, in accordance with Article 33 of the GDPR. If the breach is likely to result in a high risk, we will also inform the affected users directly pursuant to Article 34.
9. Automated Decision-Making and Profiling
Mergerly uses AI to generate scores, analyses and business recommendations. These AI outputs are designed solely as decision-support tools; they do not constitute automated decision-making with legal or similarly significant effects as defined in Article 22 of the GDPR. All final decisions concerning acquisitions, investments or the progression of deals are made by human users. You have the right to request human review of any AI-generated output.
10. Data Protection Contact
As a startup still in the process of being established, Mergerly has not yet formally appointed a Data Protection Officer (DPO). However, all requests relating to data protection, data subject rights and complaints are handled by our designated data protection contact:
Email: privacy@mergerly.it
We will appoint a formal DPO if and when required by Article 37 of the GDPR.
You also have the right to lodge a complaint with your local data protection supervisory authority.