Merula
privacy & data retention · last reviewed 2026-07

Privacy & data retention

Merula monitors the public configuration of domains you own. To do that we collect a small amount of personal data — your email, the names you put on your account and on alert recipients, and the IP and User-Agent headers of authenticated requests to the API. This page sets out what we keep, for how long, and what you can do about it.

Data we collect

Roughly five categories, each tied to a clear purpose. We don't track you across the web; there are no advertising pixels, no remarketing and no behavioural profiling. The marketing website uses Google Analytics for visitor analytics, loaded only after consent, with Google Analytics advertising features disabled. See the Privacy notice for the full disclosure.

How long we keep it

Retention is per-category, and the rules below apply uniformly to every plan. The defaults are set by what's necessary for the service, what we're required to keep under Swedish or EU law, and what's worth keeping as a security record.

Identity (name, email, identity-provider ID)
  Retention: While the account is active.
  After account closure: Hard-deleted 30 days after the closure is confirmed, unless the user is a member of other Merula accounts (the user record is shared and survives).

Account state
  Retention: While the account is active.
  After account closure: Hard-deleted after the 30-day grace; the account row itself is anonymised (name = "Deleted account") so the audit log can still reference it.

Monitoring data (check results, changes, alerts)
  Retention: Free: 7 days. Pro and MSP: 24 months.
  After account closure: Hard-deleted after the 30-day grace.

Audit log
  Retention: As long as necessary as a security and legal record, then deleted or anonymised.
  After account closure: Retained as a security and legal record. Where immediate erasure is not possible, retention may be necessary for the establishment, exercise or defence of legal claims (GDPR Art. 17(3)(e)). Account-name references resolve to the anonymised "Deleted account" tombstone.

Billing
  Retention: 7 years.
  After account closure: Retained 7 years per Swedish bokföringslag (GDPR Art. 17(3)(b) legal obligation). Held by Stripe; we keep only the Stripe customer ID locally.

Aggregate reports (DMARC / TLS-RPT)
  Retention: Per plan retention window for the parent account.
  After account closure: Hard-deleted with the rest of the account's monitoring data.

Your rights

Under GDPR you can request access to, correction of, or deletion of your personal data, and you can object to or restrict our processing of it. Merula's self-service surface covers two of these directly; the rest go via email.

Export your data (Art. 15)

Available from app.merula.io → Settings → Your data → Request export. The export is a JSON document containing your account profile, members, domains, recent check results, alerts, report-parsing activations, and the full audit log scoped to this account. Every plan can request one export per 24 hours per account. It's a right, not a feature.

Billing detail (invoices, card information, tax records) lives in Stripe and isn't included in the self-service export. For invoice copies, email support@merula.io.

Close your account (Art. 17)

Available from app.merula.io → Settings → Your data → Close this account. Closure is a two-step process: an admin clicks the button, then every admin receives a confirmation email. The first admin to click the link starts a 30-day grace period during which the deletion can still be cancelled by any admin. After the grace window expires, the data classified above as "hard-deleted" is purged and the account row is anonymised to a tombstone.

The 30-day window is intentional. It catches accidental clicks, gives a compromised inbox time to be noticed, and lets a team work out whether the closure was authorised before it becomes irreversible.

Other rights

For correction, restriction, objection, or any GDPR right that isn't covered above — including the data-portability follow-ups Stripe holds — email privacy@merula.io. We respond within 30 days. For complaints, you can also contact the Swedish data-protection authority (Integritetsskyddsmyndigheten, imy.se).

If you belong to multiple accounts

A user record is shared across the accounts you're a member of. Closing one account anonymises that account's data and removes your membership in it, but it does not delete your user record if you still belong to other Merula accounts. If you'd like your user record removed too — and you no longer belong to any account — email privacy@merula.io. A self-service path for this lands in a later iteration.

Sub-processors

A small number of services process personal data on our behalf:

These providers run under their own privacy policies and EU contractual protections. If you need a fuller summary of how we manage these providers, write to security@merula.io.

Software Bill of Materials

Where the sub-processors above are the services Merula relies on, the SBOM is the other half of the same picture: the software components Merula is built from. We maintain a CycloneDX-format Software Bill of Materials of every component shipped in our deployed surface — the API, the check-runner, the marketing site, the dashboard, and the shared libraries they depend on. It is regenerated automatically on every release.

We do not publish the SBOM openly: an open copy would hand automated scanners an exact version map of the deployed surface while adding nothing for the procurement and security reviewers who actually need it. Instead it is available on request. Write to security@merula.io and we will send the current CycloneDX file, typically within one business day.

The SBOM lists software components only; the service-level dependencies that process data on our behalf are the sub-processors listed above.

Changes to this policy

Material changes are announced in-app at least 30 days before taking effect. The "last reviewed" line at the top of this page tracks the latest review date.
