Merula
Last updated 2026-07-01

Privacy notice

This page describes how Adspace Nordic AB, the legal entity operating Merula, processes personal data when you use this website or the Merula service. It is written in plain language and follows the structure of the EU General Data Protection Regulation.

1. Who we are

The data controller for account, billing, website and service administration data is Adspace Nordic AB, registered in Sweden.

You can reach us at privacy@merula.io for any question relating to this notice or to exercise your rights under GDPR.

Where Merula processes customer-controlled domain monitoring data or DMARC report data on behalf of a customer, the roles, instructions and safeguards are further described in the Data Processing Addendum.

2. What we collect

3. Why we process it

4. Who we share data with

We use a small number of service providers to operate Merula:

Core customer monitoring data is processed by AWS; billing data by Stripe. Website analytics and email delivery do not process your monitoring results, DMARC report data or domain-check history.

These providers process data only as needed to provide their services to us and are subject to contractual safeguards. We may also disclose data where required by law or to protect the security and integrity of the service.

5. Where data lives

Production infrastructure runs in the European Union, primarily in Stockholm. We use AWS for hosting and Stripe for billing.

Customer monitoring data is hosted in EU AWS regions as described in the Trust Centre. Some service providers may involve limited processing outside the EEA for billing, fraud prevention, support, analytics or edge delivery. Where such transfers occur, we rely on appropriate safeguards such as Standard Contractual Clauses or other lawful transfer mechanisms.

6. How long we keep it

7. Your rights

Under GDPR you may request access to your data, correction, deletion, restriction of processing, objection to processing based on legitimate interests, or an export in a machine-readable format.

Where we rely on consent, you may withdraw that consent at any time.

Email privacy@merula.io to exercise your rights. We may need to verify your identity before acting on a request.

You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) or with your local supervisory authority.

8. Cookies and analytics

The marketing website uses no advertising cookies and no cross-site advertising tracking.

We use Google Analytics on the marketing website to understand how visitors use the site and to improve content, navigation and product communication. Google Analytics may process information such as page views, approximate location, device and browser information, referrer information, interaction events and cookie or similar identifiers.

Google Analytics is loaded only after you have given consent. You can withdraw or change your consent at any time through the cookie settings on the website.

We do not enable Google Analytics advertising features, remarketing or personalised advertising. Google Analytics runs on the marketing website only — not in the Merula application, and never on customer monitoring results, DMARC report data or domain-check history.

The application, app.merula.io, uses a first-party session cookie for authentication. It is secure and strictly necessary.

If we add additional non-essential analytics, tracking or cookies, we will update this notice and request consent where required before they are used.

9. Changes

Material changes to this notice are announced by email at least 30 days before they take effect. Editorial changes, such as typo fixes or clarifications, may be made without notice. The "last updated" date at the top reflects the most recent change.