Privacy Policy
Effective date: April 8, 2026 · Jurisdiction: Ontario, Canada
1. Who We Are
Merba (“Merba”, “we”, “our”, or “us”) is a scheduling platform for independent service providers, operated from Ontario, Canada. We are small, we are careful with your data, and we want you to know exactly what happens with it. Our platform is accessible at merba.app and is managed by Visually Affirmed (www.visuallyaffirmed.ca).
This Privacy Policy governs how we collect, use, disclose, and protect personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable Ontario privacy law.
2. Information We Collect
2.1 Account & Business Information
- Name, email address, and password (hashed and never stored in plain text)
- Business name, address, phone number, and timezone
- Profile images uploaded voluntarily
2.2 Client Data (Stored on Your Behalf)
When you use Merba to manage your business, you may enter personal information about your own clients (names, contact details, appointment history). You are the data controller for this information. We act as a data processor on your behalf and will not use your clients' data for any purpose other than providing the service to you.
2.3 Usage & Technical Data
- IP addresses and browser/device information (collected by our hosting infrastructure)
- Actions taken within the platform (for support and debugging purposes)
- Session tokens stored in secure, HTTP-only cookies
2.4 Payment Information
We do not store credit card numbers or payment instrument details. All payment processing is handled by Stripe, Inc., a PCI-DSS compliant payment processor. We receive only non-sensitive billing metadata (subscription status, last-four digits, expiry).
2.5 Chain Booking Data (Merba Discovery)
When you use Merba Discovery to book services across multiple businesses (“chain bookings”), we collect and process:
- Your name, email address, and phone number (provided during checkout)
- A one-way hash (SHA-256) of your phone number, stored in our trust record system for fraud prevention
- A fingerprint of your payment card (last four digits and expiry), used solely to detect duplicate or fraudulent bookings
- A one-time verification code (OTP) sent to your phone via SMS — the code is stored temporarily in our database and deleted after verification or expiry
Your name and phone number are shared with each business in your chain booking so they can confirm your appointment and contact you if needed. By completing a chain booking, you consent to this limited sharing.
Inter-Business Privacy
When multiple businesses participate in a chain booking, each business can only see its own appointment details, deposit amount, and the customer's contact information. Businesses cannot see:
- The names or identities of other businesses in the chain
- Appointment times, services, or pricing at other businesses
- Payment amounts received by other businesses
- The customer's full itinerary or order of stops
Businesses are informed only that the customer is part of a multi-stop booking and which stop number they represent (e.g., “stop 2 of 4”). This protects competitive information between service providers while enabling the coordination necessary for a seamless customer experience.
2.6 Subscription and Usage Data
We store your subscription plan tier (Free, Sole Proprietor, or Team) and billing status. For businesses on the Free tier, we track aggregate discovery view counts (how many customers viewed your business listing on the Merba map each week). These counts are anonymized — we do not store which individual customers viewed your business. View counts are reset weekly and are used solely to provide you with business insights.
2.7 Ad Generation Data
When you use Merba’s video ad generation service, we collect and process:
- Website content: If you provide a website URL, we scrape publicly available text, headings, images, brand colours, and font information from that site. This data is used solely to generate your requested ads and is not stored beyond the duration of the generation process.
- Conversation content: Messages you exchange with the ad creation assistant (business description, preferences, creative direction) are processed to generate your creative brief. These are not stored after your ad job completes.
- Email address: Used for ad delivery, free-tier tracking, and order records.
- Generated videos: Rendered video files are stored in Vercel Blob storage and remain accessible via your account. You may delete them at any time.
- AI processing: Your creative brief and business context are sent to Anthropic (Claude) for ad design and copy generation. Anthropic does not retain prompt data for training. See Anthropic’s Privacy Policy.
You are solely responsible for the accuracy and legality of content provided for ad generation. Merba does not review or endorse generated ad content.
2.7.1 AI Processing and Data Handling
When you use the ad generation service, your inputs are processed through multiple AI systems to produce your advertisements:
- Website scraping: If you provide a URL, we extract publicly available text, images, metadata, and brand elements using automated tools. This data is processed in-memory and transmitted to our AI provider for brief generation. Scraped content is not stored in our database beyond the active generation session.
- Market research: Your business category and location are used to generate market intelligence via AI inference. This research is produced by machine learning models and may include industry statistics, competitive analysis, and consumer behaviour inferences. These outputs are not independently verified and are used solely to inform creative direction.
- AI model processing: Your creative brief, business information, scraped website content, and conversational inputs are transmitted to Anthropic PBC (“Claude”) for processing. Per Anthropic’s commercial API terms, prompt data submitted through the API is not used to train their models. See Anthropic’s Privacy Policy for details.
- Output storage: Rendered video files are stored in cloud storage (Vercel Blob) and remain accessible through your account. Creative briefs and intermediate AI outputs (scene compositions, quality scores) are stored as part of your ad job record for support and quality improvement purposes.
By using the ad generation service, you consent to the collection, processing, and transmission of your inputs as described above, including the transmission of scraped website content and business information to third-party AI providers located in the United States.
For complete details on how our AI systems handle data, see our AI Policy.
3. Health Information
If a business uses Merba’s charting system to store clinical notes, treatment records, or health-related information about their clients (“Chart Notes”), the following applies:
3.1 Storage and Encryption
Chart Notes are stored with database-level encryption at rest and are transmitted using TLS encryption in transit. This means Chart Notes are encrypted both when stored in our database and when transmitted between your device and our servers.
3.2 Access Controls
Chart Notes are only accessible to authorized staff members at the business that created them. Access is enforced through role-based access controls within the Merba platform. No other business on Merba can access another business’s Chart Notes.
3.3 AI Exclusion
No AI system — including Merba’s ad generation service, market intelligence features, or any third-party AI provider — has access to Chart Notes or clinical data. Chart Notes are never processed by, transmitted to, or used as input for any artificial intelligence or machine learning system.
3.4 Data Export
Chart Notes are included in data export requests. If you request a copy of your business data under Section 7 (Your Rights), Chart Notes will be included in the export.
3.5 Retention and Deletion
Chart Notes follow the same 30-day post-deletion grace period as other business data (see Section 6). Upon account deletion, Chart Notes are permanently deleted after the 30-day grace period. Financial records associated with clinical appointments (invoices, transaction records) are retained for 7 years as required by the Income Tax Act (Canada).
4. How We Use Your Information
- To create and manage your account and business profile
- To provide, operate, and improve the Merba platform
- To send transactional emails (booking confirmations, reminders, account notices) via our email provider
- To process subscription payments and manage billing
- To generate video advertisements using AI when you use the ad creation service
- To respond to support requests and diagnose technical issues
- To comply with legal obligations
We do not sell your personal information. We do not use your data for advertising or share it with third parties for their own marketing purposes.
5. Third-Party Service Providers
We engage the following sub-processors to deliver our service. Each is bound by contractual data protection obligations:
| Provider | Purpose | Location |
|---|---|---|
| Vercel Inc. | Application hosting and deployment | USA (global CDN) |
| Neon Inc. | PostgreSQL database storage | USA (AWS us-east-1) |
| Resend Inc. | Transactional email delivery | USA |
| Stripe Inc. | Payment processing and billing | USA (global) |
| Stripe Connect | Deposit transfers to service providers (chain bookings) | USA (global) |
| Twilio Inc. | SMS notification delivery | USA (global) |
| Anthropic PBC | AI-powered ad design and copy generation (Claude) | USA |
| Vercel Blob | Generated video file storage | USA |
By using Merba, you acknowledge that your data may be processed in the United States. We rely on contractual safeguards (including standard contractual clauses where applicable) to ensure adequate protection.
6. Data Retention
- Active account data is retained for as long as your account remains open.
- Upon account deletion, personal data is removed within 30 days, except where we are required by law to retain it longer (e.g., financial records for 7 years under the Income Tax Act).
- Anonymized and aggregated usage statistics may be retained indefinitely.
6.1 Account Deletion
You can delete your account at any time from Settings in your dashboard. When you delete your account:
- Your business is immediately removed from the Merba map
- All online bookings are stopped
- Your data is permanently deleted after 30 days
- Financial records (transaction history, payment records) are retained for 7 years as required by the Income Tax Act (Canada)
- If you change your mind within 30 days, contact support@merba.app to restore your account
6.2 Client Data When a Salon Owner Deletes Their Account
When a salon owner deletes their account, client booking history associated with that business is also deleted after 30 days. Financial transaction records are anonymized and retained for 7 years as required by the Income Tax Act (Canada).
7. Your Rights (PIPEDA)
Under PIPEDA, you have the right to:
- Access — request a copy of the personal information we hold about you
- Correction — request that inaccurate information be corrected
- Deletion — request deletion of your account and personal data
- Withdrawal of consent — withdraw consent for non-essential data processing (note: withdrawal may prevent us from providing the service)
- Complaint — file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca
To exercise any of these rights, email privacy@merba.app.
8. Security
We implement industry-standard security measures including:
- TLS encryption in transit for all data
- Passwords hashed using bcrypt with a cost factor of 12
- Database access restricted to authenticated application services only
- Session tokens stored in secure, HTTP-only, same-site cookies
No method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we take commercially reasonable steps to protect your information.
9. SMS and Email Communications
When a client books an appointment through a Merba-powered booking page, they may receive transactional SMS and email messages related to that appointment (confirmations, reminders, cancellation notices, and rating requests). These messages are sent on behalf of the service provider whose booking page was used.
Opt-out: Clients may opt out of SMS or email notifications at any time by contacting the service provider directly or by following the unsubscribe link included in email communications. Once opted out, notification preferences are recorded in the system and respected for all future communications from that provider.
SMS messages are delivered via Twilio Inc. (USA). Standard carrier message and data rates may apply. Message frequency varies based on appointment activity.
10. Cookies & Tracking
We use only essential cookies required for authentication and session management. We do not use advertising cookies or third-party tracking cookies.
11. Children’s Privacy
Merba is not directed at individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information, please contact us immediately.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users by email at least 14 days before material changes take effect. Continued use of the platform after that date constitutes acceptance of the updated policy.
13. Contact
For privacy-related inquiries: