SaaS Privacy Policy
This policy describes how information is handled in Mercury's enforcement-intelligence platform, including account data, customer case data, collected public-web evidence, audit outputs, and service telemetry.
Effective date: June 15, 2026
1. Roles and Scope
This policy applies to authorized users of the hosted platform, APIs, reports, and related services and support services (the Services) provided by Mercury Forensics LLC, doing business as Mercury Forensics (Mercury, we, us, or our). For account administration, billing, security, and our own business operations, Mercury generally acts as a business or controller. For personal data a customer submits to the Services or directs Mercury to process, Mercury acts as the customer's service provider, contractor, or processor as described in the Data Processing Agreement (DPA).
2. Data Processed by the Services
Account and organization data
- User names, work contact details, organization, role, permissions, and authentication records.
- Subscription, procurement, support, training, and customer-success information.
Customer data
- Target domains, URLs, merchant names, case labels, notes, watchlists, queries, and customer-uploaded files.
- Instructions, configurations, jurisdiction selections, report preferences, and workflow activity.
- Personal data contained in materials submitted by a customer or its authorized users.
Public-web evidence and intelligence
- Publicly accessible storefront content, product listings, claims, policies, license disclosures, pricing, and checkout signals.
- Public business contact information, domain and platform signals, payment indicators, and publicly available regulatory records.
- Screenshots, timestamps, source URLs, extracted text, classifications, risk scores, and report findings generated from that material.
Usage and technical data
- Login events, IP addresses, device information, feature usage, audit history, and administrative actions.
- Performance, error, security, and diagnostic logs.
3. Purposes of Processing
Mercury processes data to:
- Authenticate users and provide, support, and secure the Services.
- Discover, crawl, preserve, classify, compare, and report on relevant online storefront activity.
- Map findings to regulatory requirements and support authorized compliance and enforcement workflows.
- Generate evidence files, alerts, analytics, exports, and AI-assisted summaries requested by users.
- Prevent misuse, investigate incidents, maintain audit logs, and enforce contractual limits.
- Improve reliability and functionality using aggregated, de-identified, or otherwise lawfully processed data.
- Meet legal obligations and respond to valid legal process.
4. AI-Assisted Features
Certain features may use machine-learning or large-language-model services to classify content, summarize evidence, identify patterns, or help users query audit results. Outputs may be incomplete or inaccurate and require qualified human review. Mercury does not treat an automated output as a final legal, licensing, enforcement, credit, employment, or other high-impact determination. Customers must not submit unnecessary sensitive personal data to AI-assisted features.
5. Customer Responsibilities
Customers determine the targets and purposes of their use and are responsible for:
- Providing all required notices and obtaining any permissions or lawful basis needed for Customer Data.
- Limiting access to authorized personnel and maintaining accurate user permissions.
- Using the Services and reports only for lawful, authorized compliance, investigative, research, or enforcement purposes.
- Applying human review and independent judgment before taking action based on a finding.
- Avoiding submission of regulated or highly sensitive data unless expressly authorized in writing.
6. Disclosures and Subprocessors
Mercury may use subprocessors for cloud hosting, storage, database services, authentication, communications, security, support, and AI-assisted functionality. They may process data only to provide contracted services to Mercury and are subject to confidentiality and data-protection obligations. We may also disclose data when directed by the customer, required by law, or necessary to protect the Services and the rights or safety of others. Mercury does not sell Customer Data or use it for cross-context behavioral advertising.
7. Retention, Export, and Deletion
Customer Data is retained for the subscription term and any documented retention period selected by the customer or required for security, backup, dispute resolution, or law. Subject to the customer agreement, customers may export supported data during the term. Following termination, Mercury will delete or return Customer Personal Data in accordance with the DPA, except for legally required records and data in protected backups that is isolated from ordinary use until deletion through the backup cycle.
8. Security
Mercury maintains safeguards designed for the nature of the Services and data, including access controls, least-privilege permissions, logging, encryption in transit, protected cloud storage, vulnerability and dependency management, backup controls, and incident-response procedures. Customers remain responsible for securing their credentials, endpoints, exports, and downstream systems.
9. Rights Requests
Users may request access to or correction of their account information through their administrator or by contacting Mercury. If a request concerns Customer Data controlled by a Mercury customer, the request should be directed to that customer. Mercury will assist the customer as required by contract and applicable law.
10. Contact and Updates
Send privacy or security questions to info@mercuryforensics.com. We may update this policy as the Services, our providers, or applicable requirements change. Material changes will be communicated through the Services, by email, or by another reasonable method. Written correspondence may be mailed to Mercury Forensics LLC, 30 N Gould St, Ste R, Sheridan, WY 82801, USA.