Privacy Policy

Introduction

At Merg we take your privacy seriously. This Privacy Policy explains what information we collect, why we collect it, the legal bases under the GDPR that we rely on, how long we keep it, and the rights you have to control it.

We are a Romania-based service (Merg, Uranus 19, Brasov, Romania) and process personal data in accordance with Regulation (EU) 2016/679 (GDPR) and Romanian Law 190/2018. If you have any question, email our Data Protection Officer at dpo@merg.ro.

1. Information We Collect

We collect the following categories of information:

• Account Information: username, email address, phone number, hashed password, date of birth, profile details. Used to deliver the service.
• Content: videos, photos, reservations, comments, likes and other content you create in the app.
• Firebase Analytics & Crashlytics (third-party):anonymous crash reports and aggregate feature-usage metrics processed by Google Ireland Limited. No advertising IDs are collected. This category is opt-in — OFF until you toggle it ON in Settings → Permissions → "Share analytics with Google".
• Product Improvement Telemetry (first-party):anonymous usage signals — feed swipes (counts only, not which videos), screens you navigate to, and the length of your session — sent to our own servers. Used to prioritise features and fix bugs. No advertising, no profiling, no third-party sharing, and your user ID is replaced with a pseudonymous hash before the signal is stored. This category is opt-out — ON by default, disabled from Settings → Permissions → "Help improve the app".
• Device Information: device type, operating system, app version, and a coarse device class derived from your User-Agent. Needed for security (fraud detection) and debugging.
• Location: approximate location derived from your IP address (hashed on the server, same-day). Precise GPS location is only used when you explicitly grant the Android runtime permission and only while you use map features.

2. Why We Use Your Information (Legal Bases)

Every processing activity we perform has a specific legal basis under GDPR Article 6:

• To provide the service you signed up for — account management, reservations, content you create. Legal basis: Art. 6(1)(b) performance of a contract.
• To detect fraud and abuse, and to keep the service secure — login audit, IP hashing for abuse detection, rate limiting. Legal basis: Art. 6(1)(f) legitimate interest.
• To improve the product — first-party Product Improvement Telemetry (see Section 1). Legal basis: Art. 6(1)(f) legitimate interest; you can object at any time via Settings → Permissions (Art. 21).
• To send you third-party analytics and crash reports — Firebase Analytics + Crashlytics. Legal basis: Art. 6(1)(a) explicit consent; you can withdraw at any time via Settings → Permissions.
• To comply with legal obligations — tax, accounting, law-enforcement requests. Legal basis: Art. 6(1)(c) legal obligation.

We do NOT sell your personal data. We do NOT profile individual users for targeted advertising. We do NOT share your content or personal information with advertisers.

3. Who We Share Information With

We share personal data only with the following categories of recipients, each under a written data processing agreement:

• Google Ireland Limited (Firebase Analytics, Crashlytics, Firebase Cloud Messaging). Only when you have opted in to "Share analytics with Google" in Settings → Permissions (Crashlytics is always on for operational stability and is limited to crash stack traces, no personal content).
• Cloud infrastructure providers hosting our servers (under EU-based contractual data processing agreements).
• Law-enforcement authorities, strictly where legally required.

We do NOT share personal data with advertisers, data brokers, or any third party for marketing purposes.

4. How We Protect Your Data

We apply the following technical and organisational measures:

• TLS 1.3 in transit for all API calls.
• Argon2 password hashing (industry standard).
• Pseudonymisation at rest — your IP address is hashed with a rotating server secret before it enters the audit log, and your user ID on telemetry rows is replaced with a pseudonym hash.
• Access controls, rate limiting, and security audits.
• Encrypted storage on the device for your session tokens (Android Keystore + AES-256-GCM).

No system is 100% secure. If we become aware of a personal-data breach that is likely to result in a high risk to your rights, we will notify you without undue delay as required by Art. 34 GDPR.

5. Your Rights Under GDPR

You have the following rights, exercisable free of charge:

• Right of access (Art. 15) — request a copy of your data. Available in-app via Settings → Notifications → "Request data export".
• Right to rectification (Art. 16) — correct inaccurate data via Settings → Account.
• Right to erasure (Art. 17) — delete your account via Settings → Account → Delete account.
• Right to object (Art. 21) — object to processing based on legitimate interest. For our first-party Product Improvement Telemetry, use Settings → Permissions → "Help improve the app" to turn it off. The opt-out takes effect immediately on your device and is synced to our servers.
• Right to portability (Art. 20) — the same data export download is structured JSON, machine-readable.
• Right to withdraw consent (Art. 7(3)) — for Firebase Analytics, toggle Settings → Permissions → "Share analytics with Google" off.
• Right to lodge a complaint — with the Romanian Data Protection Authority (ANSPDCP, www.dataprotection.ro) or your local DPA.

To exercise any right that isn't available in-app, email dpo@merg.ro. We respond within 30 days of receipt as required by Art. 12 GDPR.

6. How Long We Keep Your Data

We keep each category of data only for as long as necessary:

• Account data — for as long as your account exists. On deletion we remove your personal data within 30 days, except where law requires us to keep it longer (e.g. invoicing records for 10 years under Romanian tax law).
• Security audit log — up to 180 days, then deleted.
• Product improvement telemetry — up to 60 days in pseudonymised form, then deleted. Individual rows cannot be re-identified to you after the hash secret rotates.
• Firebase Analytics data — governed by Google's Firebase data retention policy (14 months by default).
• Backups — rolling 30-day window for operational recovery; not used for active data access.

7. Children's Privacy

Our service is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately.

For users between 13 and 18 years of age, we recommend parental guidance and supervision when using our service.

8. International Data Transfers

Your information may be transferred to and maintained on servers located outside of your state, province, country, or other governmental jurisdiction where data protection laws may differ.

When we transfer information internationally, we ensure appropriate safeguards are in place to protect your information in accordance with this Privacy Policy and applicable data protection laws.

9. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date at the top of this policy.

We will also notify you via email or through a prominent notice in our application before any material changes take effect. You are advised to review this Privacy Policy periodically for any changes.

10. Contact Us

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us:

• Email: privacy@merg.ro
• Data Protection Officer: dpo@merg.ro
• Privacy Policy: https://merg.ro/privacy
• Address: Uranus 19, Brasov, Romania
• Phone: +40729108329

Hosts and businesses are subject to an additional privacy policy available at https://merg.ro/privacy/hosts.

We will respond to your inquiry within 30 days of receipt.