Legal

Privacy Policy

Effective date: June 25, 2026  ·  Jurisdiction: Ontario, Canada

1. Who We Are

Merba (“Merba”, “we”, “our”, or “us”) is a business platform operated from Ontario, Canada by Merba Corp. Merba provides scheduling, booking, client management, payments routing, discovery, intelligence, marketing, and related operational tools for independent clinics, salons, trades, mobile service operators, and service businesses.

This policy explains how we handle personal information under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Ontario privacy law, and other privacy rules that may apply depending on how you use Merba. Merba provides privacy and security controls that customers can use as part of PIPEDA, PHIPA, or HIPAA-oriented workflows when the required signed terms, operational controls, and tenant-side obligations are in place. This policy is not legal advice and does not certify any specific customer's use of Merba.

2. Our Role

Merba processes some information for our own business operations, such as account registration, security, billing for Merba subscriptions and credits, support, fraud prevention, and platform improvement. We also process information on behalf of tenant businesses that use Merba to run their own operations.

When a tenant business enters client records, appointment details, chart notes, quotes, invoices, job logs, material serial numbers, photos, attachments, or similar records into Merba, that business remains responsible for its own collection, consent, notices, staff permissions, retention, access, correction, and professional obligations. Merba acts as a service provider supporting that business. If the tenant is a regulated health provider or health information custodian, it must determine and manage its own PHIPA or other health privacy obligations.

For sensitive operational records, Merba's role is deterministic platform processing: authenticated storage, tenant scoping, booking logic, charting workflows, approvals, quotes, invoices, job logs, exports, notifications, and payment-metadata routing. These workflows are not AI decision systems and are kept separate from Merba's intelligence, ad, and media-generation features.

3. Information We Collect

  • Account information, including name, email address, password hash, phone number, session data, verification codes, and security settings.
  • Business information, including business name, address, phone number, website, service list, prices, staff profiles, booking settings, discovery listing details, and uploaded branding.
  • Client and booking information entered by a tenant business or its clients, including names, contact details, appointments, appointment notes, preferences, opt-outs, and booking history.
  • Quote and invoice information, including line items, catalog categories, selectable options, quote acceptance status, deposits, balances, taxes, business or tax numbers, customer-facing notes, terms and conditions, payment status, and document delivery records.
  • Job-log information, including job notes, photos, attachments, service history, material details, serial numbers, warranty-support records, and exported job documents where a tenant business chooses to use those features.
  • Charting information, if a business chooses to use charting, including chart notes, treatment records, linked appointments, approval records, approver names/emails, signatures, and exported chart PDFs.
  • Payment and billing metadata, including Merba subscription status, credit purchases, tenant invoice and quote payment records, connected payment account identifiers, checkout/payment identifiers, refund/dispute metadata, payout metadata, and limited card metadata supplied by the payment processor.
  • Communications information, including transactional emails, SMS delivery metadata, support messages, and approval or booking notifications.
  • Intelligence and ad-generation inputs, including business context, website content you ask us to use, service and pricing data, prompts, strategy outputs, generated media, and ad-production job records.
  • Technical and security data, including IP addresses, user agents, rate-limit records, logs, error reports, audit logs, cookies, and device/browser information.

4. Health and Charting Information

Merba can store PHI-capable records when a tenant business uses charting, approval, appointment, invoice, or note fields for health-related services. Merba does not decide whether a record is personal health information under PHIPA; the tenant business must assess its own use case.

Charting records are tenant-scoped and access-controlled through authenticated memberships, plan gates, and role/permission checks. Chart notes are stored in Merba's database and transmitted over TLS. Chart PDFs are generated through authenticated routes. Merba maintains privacy audit logs for selected chart and client-profile access, creation, update, deletion, and denied attempts, with audit metadata designed not to duplicate note content, signatures, or contact details.

Merba does not intentionally route chart notes, chart approvals, chart PDFs, clinical records, client notes, payment card details, or broad client lists into ad creation, market intelligence, or ad AI prompts. Host provider calls use a sensitive-data boundary that blocks high-confidence PHI-labeled payloads before they reach AI providers. Because user-entered free text can contain sensitive information, customers should not type health information into ad, marketing, or public prompt fields.

5. How We Use Information

  • To provide, secure, support, and improve the Merba platform.
  • To authenticate users, enforce tenant membership, and protect accounts.
  • To run scheduling, booking, client, charting, quote, invoice, job-log, payment, discovery, and communication features.
  • To route tenant customer payments by invoice/e-transfer or, when the business connects a supported payment processor, by card through its connected payment account, and to process Merba-owned subscriptions, credits, and add-ons through Merba's payment account.
  • To generate ads, market intelligence, and business recommendations when you choose to use those features.
  • To send transactional email and SMS messages, such as booking notices, account notices, reminders, approval requests, and support responses.
  • To detect abuse, troubleshoot failures, maintain audit records, and comply with legal obligations.
  • To use de-identified, aggregated, or derived operational and quality signals to improve Merba's product, taxonomies, prompts, QA systems, and market/category knowledge.

We do not sell personal information. We do not use client records, chart notes, health records, payment card data, or tenant customer contact lists for third-party advertising.

6. AI and Intelligence Features

Merba uses AI and model providers for selected intelligence features, including ad creation, market analysis and generated media. These features use user-directed or user-approved prompts, business context such as service lists, pricing, website content, and public market context. AI is not used to process charting, booking, quote, invoice, job-log, payment, or client-record workflows as sensitive operational records.

Merba does not use personal data, client records, chart notes, health records, payment card data, or chart approvals to train third-party foundation models. Merba may use de-identified, aggregated, or derived operational and quality signals to improve Merba-owned systems. More detail is available in the Intelligence Policy.

7. Service Providers and Cross-Border Processing

Merba relies on service providers for hosting, database storage, object storage, payments, SMS, email, error monitoring, maps, integrations, AI/model processing, generated media, and similar functions. These providers may process information outside Canada, including in the United States, Europe, or other jurisdictions where local authorities may have lawful access rights. We review cross-border processing in light of guidance from the Office of the Privacy Commissioner of Canada.

Current provider names, use cases, and data boundaries are summarized in the Subprocessor Register. Agreement details, security documentation, and region-specific terms are available upon request where appropriate.

8. Retention, Export, and Deletion

We keep personal information for as long as needed to provide the service, maintain security and audit records, resolve disputes, comply with legal obligations, support tax/payment, quote, invoice, warranty, and job-log records, and operate requested features. Retention periods vary by data type.

Account export features do not necessarily include every specialized record in one file. For example, chart-note PDFs, quote PDFs, invoice PDFs, and job exports can be exported through their related workflows and may be separate from general account exports. Retention and deletion handling depends on the record type, legal obligations, backup lifecycle, audit requirements, and tenant-controlled workflows.

You can request access, correction, or deletion by contacting privacy@merba.app. End clients of a tenant business should usually contact that business first, because the business controls the client relationship and may have legal or professional retention duties.

9. Security

Merba uses technical and organizational safeguards for personal information, including:

  • TLS encryption in transit.
  • Password hashing with bcrypt.
  • Secure, HTTP-only session cookies.
  • Tenant membership checks and role/permission checks for workspace routes.
  • Rate limiting and abuse controls for sensitive endpoints.
  • Audit logging for selected sensitive actions, including chart and client-profile access.
  • Private server-side handling for chart PDF exports and authenticated routes for sensitive tenant media.

No electronic system is perfectly secure. If we discover a privacy or security incident, we will investigate, contain it, keep appropriate records, and notify affected businesses, individuals, service providers, or regulators where required. Our breach-response approach is informed by OPC guidance on PIPEDA breach reporting and Ontario IPC guidance for health privacy breaches.

10. Cookies and Analytics

Merba uses cookies and similar technologies required for authentication, security, preferences, and limited analytics or referral measurement. You can manage cookies in your browser, but disabling required cookies can break sign-in and core platform functionality.

If you accept optional cookies, Merba may use Google tag, Google Analytics, or Google Ads conversion measurement to understand how visitors find Merba and whether ads lead to useful actions such as signups, bookings, or purchases. We do not use tenant client records, chart notes, payment card data, or tenant customer contact lists for third-party advertising.

11. Children and Minors

Merba accounts are intended for adults and businesses. Tenant businesses may serve minors in their own operations. Those businesses are responsible for obtaining any required parent, guardian, client, or patient authority before entering information into Merba.

12. Changes to This Policy

We may update this Privacy Policy as Merba evolves. We will provide notice of material changes where required or appropriate. Continued use of Merba after an update means you accept the updated policy.

13. Contractual Privacy Addenda

Regulated or enterprise customers may need additional written terms beyond this Privacy Policy. Merba publishes customer-review versions of the Data Processing Addendum, PHIPA Addendum, and HIPAA Business Associate Agreement. These documents are not effective unless executed or incorporated into a signed agreement.

14. Privacy Law and Guidance References

15. Contact

Merba Corp.

Ontario, Canada

Email: privacy@merba.app

Web: merba.app

    Privacy Policy | Merba