1. Overview
This Privacy Policy explains what personal information Mereor collects, how we use and share it, your rights, and how to contact us. It applies to mymereor.com and the Mereor application (the "Service").
2. Notice at Collection (California)
At or before collection, we tell you the categories of personal information we collect, the purposes for use, whether we sell or share personal information, and how long we keep it. See the tables below. We do not "sell" personal information for money and we do not "share" personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA.
3. Categories of Personal Information We Collect
Mereor collects a limited set of personal information necessary to provide the Service. This includes identifiers such as your name, email address, account ID, and IP address, together with customer-record and contact information including business name, mailing address, and phone number where you choose to provide it. We collect commercial information about the invoices you issue, the products or services you describe on those invoices, and the payment status of each invoice.
We also collect internet and network activity information generated through your use of the Service, including log data, device and browser details, the pages you view, and the features you interact with. We derive approximate geolocation information from your IP address and the U.S. state you select in your settings. We collect professional and business information such as your client lists, contract templates, and the business profile you maintain within the Service, and we generate limited inferences from usage patterns solely for the purpose of improving features. We do not engage in profiling that produces legal or similarly significant effects.
Sensitive personal information collected by Mereor is limited to account credentials, which we store only as password hashes, and we do not use sensitive personal information for any purpose beyond providing the Service. When you connect Stripe, we receive limited information from Stripe including account status, connected-account identifiers, and payout or payment status; we do not receive or store full payment card numbers.
4. Sources of Information
We collect information directly from you (signup, settings, invoices you create); automatically from your device (logs, cookies); and from service providers (Stripe, email/auth providers).
5. Business and Commercial Purposes for Use
We use personal information to provide and operate the Service, which includes creating and sending invoices, calculating totals, and storing the records you generate. We use it to authenticate users, secure accounts, and prevent fraud and abuse, and to send transactional emails such as receipts, invoice deliveries, and account notices. We also use personal information to send service announcements and, where consent is required, product updates. In addition, we process personal information to comply with legal obligations and respond to lawful requests, and to debug, audit, improve existing features, and develop new functionality.
We do not use personal information for cross-context behavioral advertising, and we do not use it to make automated decisions that produce legal or similarly significant effects without human review.
7. Retention
We keep account, invoice, and financial records while your account is active and for a reasonable period afterward to comply with tax, accounting, audit, fraud-prevention, and legal-defense obligations (typically up to 7 years for financial records). Server logs are retained for up to 12 months. On account deletion, we delete or de-identify personal information within 30 days except where retention is required by law or necessary for legal claims.
8. Security
We use TLS for data in transit, encryption at rest for our database, hashed passwords, role-based access controls, the principle of least privilege, audit logging, and periodic reviews. No system is perfectly secure; we cannot guarantee absolute security.
9. Data Breach Notification
If a security incident affects your personal information in a manner requiring notice under applicable U.S. state breach-notification laws (e.g., Cal. Civ. Code § 1798.82, N.Y. Gen. Bus. Law § 899-aa, and similar laws in all 50 states), we will notify affected users without unreasonable delay, by email and/or in-app notice, with the information required by law.
10. Your California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the right to: (a) know the categories and specific pieces of personal information we have collected; (b) delete your personal information; (c) correct inaccurate personal information; (d) opt out of the sale or sharing of personal information (we do not sell or share); (e) limit use of sensitive personal information (we do not use it beyond providing the Service); (f) data portability; and (g) be free from retaliation for exercising your rights.
Submit a request by emailing support@mymereor.com or via our "Do Not Sell or Share My Personal Information" page. We will verify your identity using account-based authentication. We respond within 45 days (extendable by 45 days). You may use an authorized agent. We do not discriminate against you for exercising your rights.
11. Virginia, Colorado, Connecticut, Utah, Texas, and Other State Rights
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon, Montana, Iowa, Indiana, Tennessee, Delaware, New Jersey, New Hampshire, Maryland, Minnesota, Rhode Island, and other states with comprehensive privacy laws have rights to access, correct, delete, and obtain a portable copy of personal data, and to opt out of targeted advertising, sale of personal data, and certain profiling. We do not engage in targeted advertising, do not sell personal data, and do not profile in ways that produce legal or similarly significant effects.
Submit requests to support@mymereor.com. We respond within the timeframe required by your state law (generally 45 days). You may appeal a denial by replying to our response email; we will respond to appeals within 60 days (or as required).
13. Children's Privacy (COPPA)
The Service is not directed to and is not intended for children under 13. We do not knowingly collect personal information from children under 13. If we learn we have collected such information, we will delete it. The Service is also not intended for users under 18; users must be 18 or older to create an account.
14. U.S.-Based Service
Mereor is intended for U.S.-based freelancers and our infrastructure is operated in the United States. By using the Service, you understand your information is processed in the U.S.
15. "Do Not Track" Signals
Our Service does not respond differently to browser "Do Not Track" signals because there is no industry consensus on how to interpret them. We honor Global Privacy Control as described above.
16. Changes
We will notify you of material changes by email or in-app notice at least 14 days before they take effect (or longer where required). Continued use constitutes acceptance.
17. Contact
Privacy requests: support@mymereor.com (Subject: "Privacy Request"). Mailing address available on request.
