Privacy Notice
Mercury Security | Effective: September 2025
Introduction
Mercury Security respects your privacy. This Privacy Notice explains what personal data we collect, how we use it, and what rights you have under applicable laws including the General Data Protection Regulation (GDPR), the EU Artificial Intelligence Act, and related data protection frameworks.
Data We Collect
We collect only the minimum personal data necessary to deliver our services. This may include:
- Contact details (such as name, email, organization, and phone number) when you submit a contact form, book a meeting, or subscribe to research.
- Uploaded files when you use our secure audit upload service. We strongly recommend redacting any unnecessary personal or sensitive information before uploading.
- Usage data such as IP address, browser type, and interaction logs when you access our website.
We do not collect special category data unless you voluntarily submit it as part of audit evidence.
How We Use Data
Personal data is used to:
- Provide requested services (such as audit reviews, research subscriptions, and consultations).
- Communicate with you regarding inquiries, audits, or subscription services.
- Maintain secure access controls and monitor for unauthorized activity.
- Improve our website and services based on aggregate usage statistics.
We do not sell or lease personal data to third parties.
Legal Basis for Processing
Our processing is based on:
- Contractual necessity (to deliver subscribed research and audit services).
- Legitimate interest (to maintain system security and provide customer support).
- Consent (for optional activities such as newsletter subscriptions).
Data Sharing and Hosting
We use vetted third-party hosting providers to store and process limited data. All providers are bound by Data Processing Agreements (DPAs) and must meet international security standards such as ISO/IEC 27001. Hosting regions can be selected to comply with jurisdictional requirements (European Union, 2016; ISO, 2023).
Retention and Deletion
Personal data is retained only as long as necessary for the purpose collected. Logs are typically retained for 12 months unless otherwise required for compliance. Subscribers and audit clients may request deletion at any time. Deletion is confirmed in writing once processed.
Your Rights
Under GDPR and related frameworks, you have the right to:
- Request access to your personal data.
- Request correction of inaccurate or incomplete data.
- Request deletion (“right to be forgotten”).
- Restrict or object to processing in certain circumstances.
- Request data portability.
Requests can be submitted via email to privacy@mercurysecurity.io.
Cookies and Tracking
Mercury Security uses minimal cookies for site functionality and analytics. For details, see our separate Cookie Notice.
Security Measures
We apply encryption in transit and at rest, access controls, and tamper-evident logs to protect your information. While no system can guarantee absolute security, we are committed to continuous monitoring and improvement.
Contact
For privacy inquiries or to exercise your rights, contact:
Mercury Security – Privacy Office
Email: privacy@mercurysecurity.io
Website: https://fairbydesign.org/privacy
References
European Union. (2016). Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation). Official Journal of the European Union. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32016R0679
European Union. (2024). Regulation (EU) 2024/1689 of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (AI Act). Official Journal of the European Union. https://eur-lex.europa.eu
ISO. (2023). ISO/IEC 27001:2022 Information security management systems. International Organization for Standardization.