Privacy Policy

Merlonix (“we”, “us”, “our”) provides subscription software for monitoring SSL certificates, DNS configuration, and vendor status of customer-owned digital assets. The Service is operated from https://merlonix.com.

Data Controller: the operator, an Illinois sole proprietor doing business as Merlonix.

Contact for privacy matters: [email protected]

Mailing address: Merlonix, 1101 Poplar St, Lake In The Hills, IL 60156, United States

This Privacy Policy explains what personal data we collect, why we collect it, how we use it, who we share it with, and what rights you have. It is written to satisfy the EU/UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and other applicable U.S. state privacy laws.

We deliberately collect the minimum data needed to operate the Service. Specifically:

2.1 Account data

• Email address (used as account login)
• Authentication method: passwordless single-use magic links and/or a linked OAuth identity (Google or GitHub). We do not set or store account passwords.
• Account creation timestamp
• Last login timestamp

2.2 Billing data (handled by Stripe)

• Billing name
• Billing address
• Payment method metadata (last 4 digits of card, brand, expiration — full card data is held by Stripe, never by us)
• Tax ID, where Customer provides one for invoicing
• Invoice and payment history

2.3 Monitored asset metadata

• Domain names, subdomains, certificate fingerprints, DNS records that the Customer chooses to monitor
• Customer-supplied notes or labels for monitored assets
• Notification destinations the Customer configures (email addresses, webhook URLs)

This data is provided by the Customer about their own infrastructure. We do not crawl, infer, or enrich it from external sources.

2.4 Service usage data

• IP address of requests to the Service (for security and abuse prevention)
• User-agent string of browsers used to access the application
• Request logs (HTTP method, URL, status code, timestamp) — retained 90 days
• Authentication events (magic-link request and redemption, OAuth sign-in, logout)

2.5 Support correspondence

• Email content sent to support@, billing@, legal@, or privacy@ at merlonix.com
• Retained 30 days after resolution unless required for legal or audit purposes

2.6 Analytics

We use Google Analytics 4 (GA4) for basic web analytics. GA4 is configured with IP anonymization enabled and does not receive any personally-identifying information beyond an anonymized session identifier.

For visitors in the European Economic Area or the United Kingdom, analytics tracking does not load until the visitor accepts the cookie consent banner.

We do not collect: phone numbers, government identifiers, biometric data, precise location, browsing history outside our domain, social media identifiers, health data, financial data beyond billing, or any “sensitive personal information” as defined under CCPA.

We do not process data for behavioral advertising, profiling, or automated decision-making with legal effect.

After retention windows expire, data is deleted from production systems and from backups within 35 days.

We share data only with the following sub-processors, each of which is bound by a data processing agreement and contractually limited to processing your data for the purpose of providing services to us:

We do not sell or rent personal data to third parties. We do not share data for cross-context behavioral advertising as defined under CCPA.

Our primary infrastructure (Supabase) is hosted in Frankfurt, Germany. Some sub-processors (Stripe, Anthropic, OpenAI) are based in the United States. Where personal data is transferred from the EEA, UK, or Switzerland to the United States, the transfer is governed by the European Commission’s Standard Contractual Clauses (SCCs) and any supplementary measures required by the data exporter. A copy of our DPA, including the SCCs, is available on request to [email protected].

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: Get a copy of the personal data we hold about you
• Rectification: Correct inaccurate or incomplete data
• Erasure (“right to be forgotten”): Have your data deleted, subject to legal retention requirements
• Restriction: Limit how we process your data
• Portability: Receive your data in a structured, machine-readable format
• Objection: Object to processing based on legitimate interest, including direct marketing
• Withdraw consent: Where processing is based on consent (analytics), withdraw it at any time
• Non-discrimination: We will not discriminate against you for exercising your rights (CCPA)
• Right to know what is sold/shared: We do not sell or share personal data for cross-context behavioral advertising (CCPA)

How to exercise your rights

• Self-service: Most account data is editable in your account settings. You can export your data and delete your account from the same screen.
• Email fallback: Send a request to [email protected]. We will verify your identity (typically by email confirmation) and respond within 30 days. There is no fee unless requests are excessive.
• EU/UK data subjects: If you believe we have not handled your data lawfully, you may lodge a complaint with your local data protection authority. The lead supervisory authority for our processing in Germany is the Hessischer Beauftragte für Datenschutz und Informationsfreiheit (https://datenschutz.hessen.de/).
• California residents: You may also designate an authorized agent to make requests on your behalf.

Merlonix uses the minimum number of cookies necessary to operate the Service:

• Strictly necessary: session cookie for authentication, CSRF token cookie. These are essential to the Service and do not require consent.
• Analytics: Google Analytics 4 (GA4) cookies. These are loaded only after the visitor accepts the cookie banner. EU/UK visitors see the banner on first visit; US visitors can opt out at any time via the privacy preferences link in the footer.

We do not use third-party advertising cookies, retargeting pixels, or social media share trackers.

We protect personal data with administrative, technical, and physical measures appropriate to the risk:

• TLS 1.2+ for all data in transit
• Encryption at rest for the production database (Supabase managed) and object storage (Cloudflare R2)
• Application-level row-level security policies enforcing tenant isolation
• Passwordless authentication using single-use, time-limited magic links — no account passwords are stored or transmitted
• Bot and abuse protection (Cloudflare Turnstile) on authentication endpoints
• Regular dependency scanning and security patching
• Audit logging of administrative actions

No system is perfectly secure. If we discover a personal data breach that creates a risk to your rights, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR and within timeframes mandated by applicable U.S. state laws.

The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If we discover that we have collected data from a child under 16, we will delete it. If you believe we hold data on a child, contact [email protected].

We may update this Privacy Policy from time to time. Material changes will be announced by email to active accounts at least 14 days before they take effect, and the “Last Updated” date above will be revised. Continued use of the Service after the effective date constitutes acceptance.

For privacy questions, requests, or complaints:

• Email: [email protected]
• Mail: Merlonix, 1101 Poplar St, Lake In The Hills, IL 60156, United States

This Privacy Policy is written to comply with the GDPR (Regulation (EU) 2016/679), the UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and other applicable U.S. state privacy laws. Where laws conflict, the more protective standard applies.