Privacy Notice

Mercury Security | Effective: September 2025

Introduction

Mercury Security respects your privacy. This Privacy Notice explains what personal data we collect, how we use it, and what rights you have under applicable laws including the General Data Protection Regulation (GDPR), the EU Artificial Intelligence Act, and related data protection frameworks.

Data We Collect

We collect only the minimum personal data necessary to deliver our services. This may include:

  • Contact details (such as name, email, organization, and phone number) when you submit a contact form, book a meeting, or subscribe to research.
  • Uploaded files when you use our secure audit upload service. We strongly recommend redacting any unnecessary personal or sensitive information before uploading.
  • Usage data such as IP address, browser type, and interaction logs when you access our website.

We do not collect special category data unless you voluntarily submit it as part of audit evidence.

How We Use Data

Personal data is used to:

  • Provide requested services (such as audit reviews, research subscriptions, and consultations).
  • Communicate with you regarding inquiries, audits, or subscription services.
  • Maintain secure access controls and monitor for unauthorized activity.
  • Improve our website and services based on aggregate usage statistics.

We do not sell or lease personal data to third parties.

Legal Basis for Processing

Our processing is based on:

  • Contractual necessity (to deliver subscribed research and audit services).
  • Legitimate interest (to maintain system security and provide customer support).
  • Consent (for optional activities such as newsletter subscriptions).

Data Sharing and Hosting

We use vetted third-party hosting providers to store and process limited data. All providers are bound by Data Processing Agreements (DPAs) and must meet international security standards such as ISO/IEC 27001. Hosting regions can be selected to comply with jurisdictional requirements (European Union, 2016; ISO, 2023).

Retention and Deletion

Personal data is retained only as long as necessary for the purpose collected. Logs are typically retained for 12 months unless otherwise required for compliance. Subscribers and audit clients may request deletion at any time. Deletion is confirmed in writing once processed.

Your Rights

Under GDPR and related frameworks, you have the right to:

  • Request access to your personal data.
  • Request correction of inaccurate or incomplete data.
  • Request deletion (“right to be forgotten”).
  • Restrict or object to processing in certain circumstances.
  • Request data portability.

Requests can be submitted via email to privacy@mercurysecurity.io.

Cookies and Tracking

Mercury Security uses minimal cookies for site functionality and analytics. For details, see our separate Cookie Notice.

Security Measures

We apply encryption in transit and at rest, access controls, and tamper-evident logs to protect your information. While no system can guarantee absolute security, we are committed to continuous monitoring and improvement.

Contact

For privacy inquiries or to exercise your rights, contact:

Mercury Security – Privacy Office
Email: privacy@mercurysecurity.io
Website: https://mercurysecurity.io/privacy

References

European Union. (2016). Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation). Official Journal of the European Union. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32016R0679

European Union. (2024). Regulation (EU) 2024/1689 of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (AI Act). Official Journal of the European Union. https://eur-lex.europa.eu

ISO. (2023). ISO/IEC 27001:2022 Information security management systems. International Organization for Standardization.
