Copyright © 2015-2026. Merit Incentives. All rights reserved.
Last updated: February 2026

Privacy Policy

Data Collection Policy

Version Effective Date: 28.01.2026

01

Introduction

This Platform Privacy Policy (the “Policy” or “Privacy Policy”) explains how Merit, including its direct or indirect subsidiaries, Affiliates, and related entities worldwide (collectively, “Merit”, “we”, “us”, or “our”), collects, uses, discloses, retains, and otherwise processes Personal Data in connection with your access (regardless of where such access to the Platform is from) to and use of the Merit Super Platform and the products offered therein (collectively the “Platform”). This Policy should be read together with the Data Processing Agreement (“DPA”), which contractually governs Merit’s processing of Personal Data carried out on behalf of you acting as a Data Controller.

The Platform is a unified, modular, software-as-a-service (SaaS) environment that enables you to configure, operate, and manage loyalty, rewards, engagement, and related programs and products through a single integrated interface. The Platform is designed as an interconnected system in which tools, modules, services, and functionalities operate together and may share data as necessary to deliver the Platform’s features and the products offered via the Platform.

This Policy is provided for transparency and informational purposes only.

Data might include, but is not limited to, Personal Data processed:

  • at the Platform infrastructure level (such as account creation and administration, user authentication, access control, role and permission management, platform security, audit logging, KYB verification, subscription administration, credit card payment details and billing); and

  • within any products, tools, services, modules, or functionalities made available through, embedded in, or operated as part of the Platform.

This Policy is intended to provide transparent, high-level information regarding:

  • the categories of Personal Data processed;

  • the purposes and legal bases for such processing;

  • the safeguards implemented to protect Personal Data; and

  • the rights available to Data Subjects under applicable law.

This Policy is drafted in accordance with applicable data protection and privacy laws, including the Saudi Personal Data Protection Law (PDPL) and, where applicable, the EU General Data Protection Regulation (GDPR), and reflects Merit’s commitment to processing Personal Data in a lawful, fair, transparent, secure, and accountable manner.

02

Definitions

“MERIT / WE / US / OUR” - Mylist Saudi Arabia For Trading Services LLC, including its direct or indirect subsidiaries, Affiliates, and related entities worldwide, responsible for operating the Platform and processing Personal Data as described in this Privacy Policy.

“PLATFORM / MERIT SUPER PLATFORM” - The unified, modular, software-as-a-service (SaaS) environment operated by Merit, enabling you to access, manage, and use loyalty, rewards, engagement, and other programs and Services.

“POLICY / PRIVACY POLICY” - This document (Platform Privacy Policy) that governs the collection, use, disclosure, retention, and processing of Personal Data through the Platform and the Products made available therein.

“PERSONAL DATA” - Any information relating to an identified or identifiable natural person, including end-users, employees, administrators, or your representatives, as processed through the Platform or the Products made available therein.

“DATA CONTROLLER” - The entity that determines the purposes and means of processing Personal Data. In this context, Merit or you may act as the Data Controller depending on the service or Product.

“DATA PROCESSOR” - The entity that processes Personal Data on behalf of a Data Controller, strictly following the Controller’s documented instructions. Merit acts as a Data Processor when processing Personal Data for you.

“JOINT CONTROLLERS” - When Merit and you jointly determine the purposes and means of processing Personal Data, both Merit and you are considered Joint Controllers with responsibilities allocated according to applicable law.

“DATA SUBJECT” - Any identified or identifiable natural person whose Personal Data is processed through the Platform, including end-users, employees, or loyalty program participants.

“PDPL” - Saudi Personal Data Protection Law, governing the collection, use, and processing of Personal Data in the Kingdom of Saudi Arabia.

“GDPR” - General Data Protection Regulation, EU regulation governing the processing of Personal Data of EU/EEA residents.

“KYB / KNOW YOUR BUSINESS” - Regulatory and compliance procedures to verify business identity and conduct, used for Account verification and risk management.

“B2B / B2B2C”

  • B2B: Business-to-business transactions.

  • B2B2C: Business-to-business-to-consumer transactions, where Personal Data of end-users may also be processed.

“DPA” - Data Processing Agreement, a contractual agreement governing the processing of Personal Data between Merit and you.

“SENSITIVE DATA / SENSITIVE PERSONAL DATA” - Special category Personal Data, including data subject to enhanced legal or regulatory safeguards, processed only when strictly necessary and compliant with applicable laws.

“STANDARD CONTRACTUAL CLAUSES / SCCs” - Legal mechanisms approved by the European Commission for lawful international transfers of Personal Data under GDPR.

“DPO” - Data Protection Officer, the contact point for privacy inquiries or rights requests related to the Platform or Policy (email: dpo@meritincentives.com).

03

Who We Are and Our Role

  1. Data Controller - Platform and Service Access

    For the purposes of applicable data protection laws, including the Saudi Personal Data Protection Law (PDPL) and, where applicable, the EU General Data Protection Regulation (GDPR), Mylist Saudi Arabia For Trading Services LLC acts as the Data Controller in respect of Personal Data processed in connection with:

    • registration for, access to, and use of the Platform;

    • creation, administration, and management of business accounts;

    • user authentication, authorization, and access control;

    • role, permission, and entitlement management;

    • Know Your Business (KYB) verification and compliance screening;

    • platform security, monitoring, logging, and audit functions; and

    • subscription management, payments, billing, and commercial administration.

    Controller details:

    Mylist Saudi Arabia For Trading Services LLC
    A company duly incorporated under the laws of the Kingdom of Saudi Arabia
    Registered Address: Saud Ibn Abdullah Ibn Jalawi Road, Al Qairawan, Building 2359, First Floor, Office Number 7, Riyadh, Kingdom of Saudi Arabia

    Contact:

    dpo@meritincentives.com

04

Categories of Personal Data Processed

Merit processes only those categories of Personal Data that are necessary, relevant, and proportionate to operate, secure, deliver, and administer the Platform and the services, products, tools, and functionalities made available through it, in accordance with this Privacy Policy, the DPA and applicable data protection laws.

The Platform is a business-to-business (B2B) platform that may support business-to-business-to-consumer (B2B2C) use cases. Accordingly, Merit processes Personal Data relating to:

  • Your authorised users and representatives; and

  • where applicable, end users or loyalty program participants, whose Personal Data is provided to or generated within the Platform by you in connection with your use of the Platform.

The categories of Personal Data that may be processed include, but are not strictly limited to, the following:

  1. Account, Identity, and Business Contact Data

    Personal Data processed in connection with the registration for, access to, and administration of Platform accounts and user access, including:

    • legal business name, commercial registration details, and other registered entity information;

    • corporate documentation and information submitted for Know Your Business (KYB), sanctions screening, or compliance verification;

    • names, job titles, and business contact details of administrators and other authorised users or representatives;

    • business email addresses, telephone numbers, and associated professional contact identifiers;

    • assigned user roles, permissions, access scopes, and entitlements; and

    • login credentials, authentication factors, and authentication-related metadata (such as login timestamps, access status, and session identifiers).

    Information relating solely to legal entities does not constitute Personal Data. However, where such information relates to an identified or identifiable natural person (such as a director, signatory, authorised user, end user or company representative), it constitutes Personal Data and is processed in accordance with this Privacy Policy and the DPA.

  2. Your Data and End-User Data (B2B2C Use Cases)

    Depending on the services, products, or modules subscribed to by you, the Platform may process Personal Data uploaded to, generated through, or otherwise made available via the Platform by you, which may include Personal Data relating to:

05

Purposes of Processing and Legal Bases

Merit processes Personal Data both at the Platform level and within individual products offered through the Platform. This processing is carried out in accordance with applicable laws, including the Saudi Personal Data Protection Law (PDPL) and, where applicable, the EU General Data Protection Regulation (GDPR).

  • Platform-level processing: Merit acts as the Data Controller for Personal Data collected and processed to operate, secure, and administer the Platform itself, including account administration, authentication, role management, KYB verification, subscription management, and Platform security.

  • Product-level processing: Depending on the product or service, Merit may act as a Data Controller, joint controller, or Data Processor in respect of Personal Data processed within the product. Where Merit acts as a processor, it processes Personal Data solely on the documented instructions received from you, and you remain the controller of that data.

The table below summarises the main purposes of processing and the corresponding legal bases under PDPL and, where applicable, GDPR:

| Purpose | Platform vs Product | Legal Basis (PDPL / GDPR) | Notes |
| --- | --- | --- | --- |
| Account registration, authentication, and access management | Platform / Product | Performance of a contract | Necessary to provide you and your authorised users access to the Platform and subscribed products/services. For products, includes end-users who register for services. |
| Role, permission, and entitlement administration | Platform / Product | Performance of service | Required to assign and manage user roles, permissions, and entitlements in accordance with contractual obligations. |
| Know Your Business (KYB) verification and regulatory screening | Platform | Legal obligation | Mandatory under applicable regulatory and compliance requirements; processed only to the extent strictly necessary. |

Where processing requires explicit consent (e.g., optional notifications, marketing communications, or other non-essential processing), Merit obtains freely given, specific, informed, and unambiguous consent from the relevant Data Subject.

Data Subjects may withdraw consent by contacting Merit at dpo@meritincentives.com at any time without affecting the lawfulness of processing carried out prior to withdrawal.

06

Data Sharing and Disclosure

Merit is committed to limiting disclosures of Personal Data to the minimum necessary to fulfil the purposes described in this Policy, in accordance with the principles of data minimization and purpose limitation.

All disclosures of Personal Data, whether at the Platform level or within products, are conducted under strict safeguards:

  • International Transfers: Any transfer of Personal Data outside the Kingdom of Saudi Arabia is conducted in compliance with the PDPL transfer requirements, including obtaining any necessary approvals. Where GDPR applies, transfers are safeguarded using Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms.

  • Third-Party Processors and Affiliates: Personal Data processed by third-party processors, sub-processors, or Merit group companies is subject to the same security, retention, and access controls as data processed directly by Merit.

  • No Sale of Data: Merit does not sell Personal Data to third parties under any circumstances.

Merit may disclose Personal Data under the following circumstances, strictly limited to the purposes outlined in this Policy or the DPA:

  1. Merit Group Companies / Affiliates

    • Personal Data may be shared with Merit affiliates or group companies when operationally necessary to provide, maintain, or support the Platform and its products/services.
    • Access is restricted to authorized personnel on a need-to-know basis, and all recipients are bound by confidentiality and security obligations.
    • All Merit affiliates and group companies that access Personal Data are contractually bound to comply with the terms of the DPA, including confidentiality, security, and lawful processing obligations.
  2. Authorized Service Providers / Processors

    • Merit may engage third-party service providers to perform Platform- or product-related functions, including hosting, cloud infrastructure, identity verification, security monitoring, billing, customer support, or other operational services.

    • All processors and sub-processors are bound by written data processing agreements (DPAs) that require them to:

      1. Process Personal Data only on documented instructions from Merit;

      2. Maintain confidentiality and implement appropriate technical and organizational security measures;

      3. Comply with all applicable data protection laws, including PDPL and GDPR where relevant;

      4. Ensure any sub-processors are similarly contractually bound.

  3. Regulatory Authorities, Courts, and Law Enforcement

07

International Data Transfers

Merit may transfer Personal Data outside the Kingdom of Saudi Arabia (KSA) only when necessary to operate, provide, maintain, or support the Platform and the products/services offered through it, including for hosting, cloud services, technical support, identity verification, or other operational purposes. All such transfers are conducted in strict compliance with Saudi PDPL, its Implementing Regulations, and, where applicable, the GDPR.

  1. Transfers under Saudi PDPL

    Transfers of Personal Data outside the KSA are conducted only where:

    • Permitted under the Saudi Personal Data Protection Law (PDPL) and its Implementing Regulations;

    • Appropriate safeguards, approvals, and protections are in place to ensure that Data is processed lawfully, securely, and only for the intended purpose;

    • Merit may require contractual assurances, data transfer agreements, or approvals from relevant Saudi authorities to satisfy legal requirements.

    These rules apply to both Platform-level administrative data and Product-level end-user data processed on behalf of you or for B2B2C services.

  2. Transfers under GDPR (where applicable)

    For Personal Data of EU/EEA Data Subjects processed by the Platform or within products:

    • Transfers to countries outside the EU/EEA are safeguarded through one or more of the following lawful mechanisms:

      1. Adequacy decisions issued by the European Commission;

      2. Standard Contractual Clauses (SCCs) approved by the European Commission;

      3. Other lawful transfer mechanisms recognized under GDPR, such as binding corporate rules or explicit consent where strictly necessary.

08

Data Retention

Merit retains Personal Data processed through the Platform and the products made available via the Platform only for as long as necessary to:

  • Fulfil the purposes described in this Privacy Policy;

  • Provide and support the services and products subscribed to;

  • Comply with applicable legal, regulatory, or contractual obligations;

  • Enforce or defend legal or contractual rights.

Retention practices are designed to comply with Saudi PDPL, its Implementing Regulations, and, where applicable, the GDPR, while minimizing storage of Personal Data and safeguarding its security and confidentiality.

  1. Retention Periods by Data Category

    | Data Category | Retention Period | Justification |
    | --- | --- | --- |
    | Account and Identity Data (e.g., business contact info, administrator names, login credentials) | Duration of your contractual relationship with Merit + 2 years | To allow for administrative closure, dispute resolution, and regulatory recordkeeping. |
    | Your-Provided / End-User Data (e.g., loyalty program participants, reward recipients, employee data, or other participants within products) | Duration necessary to provide the contracted Product/service, unless otherwise required by law | Ensures the delivery of services, proper functioning of products, and compliance with contractual obligations. Merit processes this data on behalf of you in accordance with your documented instructions. |
    | Operational, Security, and Audit Data (e.g., login logs, system events, configuration changes) | | |
09

Artificial Intelligence and Automated Features

The Platform may include artificial intelligence (AI)–enabled or automated features designed to assist you in identifying, configuring, or selecting products, services, or functionalities based on Platform usage, interactions, and other relevant data. These features analyse inputs, behavioural patterns, and historical data to generate recommendations, insights, or alerts intended solely to support your decision-making.

  1. Principles of AI Processing

    Human Oversight: AI-enabled processing is designed to supplement, not replace, human decision-making. Automated outputs are informational only and do not produce legal, regulatory, or similarly significant effects without explicit human review.

    Inputs used for AI processing are limited to Personal Data strictly necessary to generate relevant insights and comply with applicable laws. AI processing is conducted under appropriate technical and organisational measures, including:

    • Ensuring accuracy, reliability, and auditability of outputs;
    • Preventing unauthorized access, modification, or misuse of data;
    • Implementing appropriate security controls for processing Personal Data in accordance with PDPL and GDPR.

    Where AI processing involves Personal Data, Merit ensures that such processing is lawful, fair, and transparent, in accordance with PDPL, GDPR (where applicable), and this Privacy Policy.

10

Advertising, Promotional Content and Recommendations

The Platform may display advertising, promotional content, product recommendations or sponsored content, including in relation to Merit’s own products and services or those of third parties (collectively, “Promotional Content”).

Promotional Content may be displayed based on contextual factors such as Platform functionality, product categories, usage patterns, or general Platform interactions. Promotional Content is displayed for purposes of operating, improving and commercialising the Platform, including informing business users about relevant products, services or offerings available through the Platform.

Where applicable, the display or prioritisation of Promotional Content may involve the processing of Personal Data, as further described in this Privacy Policy.

Merit does not sell Personal Data to third parties. Any processing of Personal Data in connection with Promotional Content is carried out in accordance with applicable data protection laws, including the Saudi Personal Data Protection Law (PDPL) and, where applicable, the GDPR, and is limited to what is necessary for the purposes described in this Privacy Policy.

Where required by applicable law, Merit will provide appropriate transparency, controls, or choices in relation to the display of Promotional Content, including mechanisms to object to or limit certain forms of processing.

Promotional Content is presented for informational or commercial purposes only and does not constitute an endorsement, guarantee, or representation by Merit of any third-party products or services. Promotional Content and any related recommendations do not produce legal effects or similarly significant impacts and are not used to make binding or automated decisions.

11

Information Security

Merit implements comprehensive technical, organizational, and administrative measures designed to protect all Personal Data processed through the Platform and the products made available via the Platform, including data relating to both client organisations or Platform customers and end users. These measures ensure the confidentiality, integrity, availability, and resilience of Personal Data and are designed to protect against unauthorized access, disclosure, alteration, loss, or destruction.

  1. Security Measures

    Merit’s security program includes, but is not limited to, the following:

    1. Access Control:

      • Role-based access and least-privilege principles for Platform administrators and product users, where applicable;
      • Strong authentication mechanisms, including multi-factor authentication for privileged accounts where supported.
    2. Data Protection:

      • Encryption of Personal Data at rest and in transit, where appropriate;
      • Secure storage and processing practices for sensitive or regulatory-required data;
      • Anonymisation or aggregation of end-user data where supported by the relevant product and use case, particularly in B2B2C operations.
    3. Monitoring and Logging:

      • Monitoring of systems and networks to detect anomalous or unauthorized activity;
      • Generation and review of audit logs, system events, and security alerts;
      • Logging of administrative and configuration changes to support accountability and compliance purposes.
12

Data Subject Rights

Merit respects the rights of Data Subjects under applicable data protection laws, including the Saudi Personal Data Protection Law (PDPL) and, where relevant, the EU General Data Protection Regulation (GDPR). These rights allow Data Subjects to exercise control over their Personal Data processed at the Platform and the products and services offered via the Platform.

  1. Rights under Saudi PDPL. Subject to applicable limitations under the PDPL, Data Subjects may have the right to:

    • Be informed about the collection and processing of their Personal Data;
    • Access their Personal Data;
    • Request correction, amendment, or updating of inaccurate or incomplete Personal Data;
    • Request destruction of Personal Data, where legally permissible;
    • Object to processing where the processing is not legally required.
  2. Rights under GDPR (where applicable). Where GDPR applies, Data Subjects may also have the right to:

    • Access, rectification, and erasure of their Personal Data;
    • Restriction or objection to the processing of Personal Data;
    • Data portability for Personal Data provided to Merit;
    • Withdraw consent at any time where processing is based on consent;
    • Lodge a complaint with a competent supervisory authority.
  3. Exercising Rights

    • Requests to exercise any of the above rights may be submitted to dpo@meritincentives.com.
    • Merit will verify the identity of the requester to protect Personal Data and prevent unauthorized disclosures.
13

Cookies and Similar Technologies

The Platform and the products made available through it may use cookies, web beacons, server logs, and other similar tracking technologies (collectively, “Cookies”) to operate, secure, and improve the Platform and its products. These technologies may automatically collect technical, usage, and analytics data about your device, location, browsing behavior, interactions, and patterns. Merit may also combine this information with other Personal Data you provide or that is collected in the course of using the Platform or products.

  1. Types of Cookies

    Merit uses the following categories of cookies:

    Strictly Necessary Cookies:

    • Essential for authentication, access control, and the security of the Platform and its products.
    • Enable core functionalities such as login sessions, user role management, subscription management, and product-specific operations.
    • These Cookies are necessary for the performance of the contract with you and do not require consent.

    Performance / Analytics Cookies:

    • Collect anonymized or pseudonymized information about how the Platform or products are used, including page views, navigation patterns, and technical performance.
    • Help Merit identify opportunities for improving system performance, usability, and reliability.
    • May require consent where mandated by applicable law; such consent is obtained through appropriate mechanisms where required.

    Functionality Cookies:

    • Retain user or administrator preferences, such as account identifiers, selected settings, or configuration choices, to enhance usability and efficiency across the Platform and products.

    Targeting / Advertising Cookies:

14

Third-Party Services and Integrations

The Platform may integrate with or provide access to third-party services, applications, or tools (“Third-Party Services”) to enhance Platform functionality, support business operations, or enable features within the products offered through the Platform.

  1. Responsibility and Compliance

    • Third-Party Services process Personal Data independently in accordance with their own privacy policies, terms of service, and applicable legal obligations.
    • Merit is not responsible for the privacy practices, security measures, or data processing activities of Third-Party Services.
    • Data Subjects are encouraged to review the privacy notices and terms of any Third-Party Service accessed through the Platform or its products.
  2. Platform-Level Safeguards

    • Where Merit shares Platform-level Personal Data with Third-Party Services (e.g., cloud hosting, security monitoring, identity verification, billing, payments, analytics, or technical support), such processing is subject to contractual safeguards, DPAs, and security obligations in accordance with PDPL, GDPR (where applicable), and industry best practices.

    • Agreements with Third-Party Service providers require them to:

      1. Process Personal Data only on documented instructions from Merit;

      2. Maintain confidentiality and implement appropriate technical and organizational security measures;

      3. Comply with all applicable data protection laws;

      4. Restrict access to authorized personnel on a need-to-know basis.

15

Changes to This Policy

Merit may update this Platform Privacy Policy from time to time to reflect:

  • Changes in applicable laws, regulations, or regulatory guidance;
  • Updates or enhancements to the Platform, products, services, or business operations;
  • Expansion into new jurisdictions or territories; or
  • Other legitimate operational or compliance reasons.
  1. Material Changes

    • Material changes to this Policy, including changes that may significantly affect the rights of Data Subjects or the processing of their Personal Data, will be clearly communicated to you and, when applicable, end users through the Platform or via other appropriate communication channels.

    • Merit may provide a notice period for material changes where required by law or good practice.

  2. Review and Version Control

    • The Policy will include a Version Effective Date to ensure transparency and clarity.

    • Data Subjects are encouraged to periodically review the Policy and the DPA to remain informed of how their Personal Data is processed.

  3. Non-Material Updates

    • Non-material updates, such as minor clarifications, formatting changes, or editorial corrections, may be implemented without prior notice but will be reflected in the updated Version Effective Date of the Policy on the Platform.
16

Contact Information

For privacy inquiries or rights requests related to this Policy:

Email:

dpo@meritincentives.com

In these contexts, Merit determines the purposes and means of processing and is responsible for ensuring that Personal Data is processed in compliance with applicable data protection laws.

  • Processing in Connection with Subscribed Services and Products

    The Platform enables corporate customers like you to subscribe to and use different services, products, tools, and functional modules through a single unified environment. Depending on the nature of the subscribed service or product and the specific processing activity, Merit’s role under applicable data protection laws may vary.

    Accordingly:

    • Where Merit determines the purposes and means of processing Personal Data in connection with a service or functionality, Merit acts as a Data Controller.

    • Where Merit processes Personal Data strictly on documented instructions from you, and you determine the purposes and means of processing (for example, where you upload, manage, or operate Personal Data relating to your own end users, employees, or loyalty program users), Merit acts as a Data Processor on behalf of you.

    • Where Merit and you jointly determine the purposes and means of processing in relation to a specific service or functionality, Merit and you act as Joint Controllers, and both Merit’s and your respective responsibilities are allocated in accordance with applicable law.

    All such processing activities are governed by this Privacy Policy, together with the DPA.

    • loyalty program members, points balance, reward recipients, or participants;

    • end customers, users, or beneficiaries of programs operated by you;

    • your employees, contractors, or agents; and

    • transactional, engagement, or activity data generated through your-defined program rules, APIs, integrations, or your-configured workflows.

    In respect of such Personal Data, Merit acts as a Data Processor or service provider (as applicable) and processes the data on behalf of and in accordance with the documented instructions received from you, and you remain the Data Controller, unless otherwise expressly agreed in writing. Merit does not act as Data Controller for your end-users unless expressly agreed in writing in a separate document.

  • Operational, Security, and Audit Data

    Data generated or collected to ensure the security, integrity, availability, performance, and auditability of the Platform and its services.

    Such Data constitutes Personal Data only to the extent that it relates to an identified or identifiable natural person, and may include, where applicable:

    • user activity records associated with named or identifiable user accounts;

    • access logs, login events, and session information linked to individual users;

    • role, permission, entitlement, and configuration changes attributable to specific users; and

    • system-generated logs, audit trails, or security alerts that include user-identifiable information (such as user IDs or IP addresses).

    Aggregated, anonymised, or purely technical data that cannot reasonably be linked to an identifiable individual does not constitute Personal Data and falls outside the scope of applicable data protection laws.

  • Commercial, Subscription, and Billing Data

    Personal Data processed for subscription management, billing, and commercial administration of the Platform, including:

    • subscribed services, products, plans, and service entitlements;

    • invoicing information, payment status, transaction references, and billing contacts; and

    • contractual usage limits, thresholds, consumption metrics, and entitlement records.

    Payment transactions are processed through certified third-party payment service providers. Merit does not store full payment card numbers or sensitive authentication data.

  • Sensitive Personal Data

    The Platform is not designed or intended to process sensitive or special category Personal Data, as defined under applicable data protection laws (including GDPR and the Saudi PDPL).

    Where the processing of such data is strictly required by applicable law (including, where relevant, regulatory or KYB obligations), such processing shall:

    • be limited to what is legally required;

    • be subject to enhanced technical and organisational safeguards; and

    • be carried out in compliance with all additional conditions and protections mandated by applicable data protection laws.

    Platform and product security, auditability, and integrity | Platform / Product | Legitimate interests (as per the GDPR) / Legal obligation | Processed to prevent, detect, and mitigate security incidents, maintain system integrity, and comply with legal obligations including security measures necessary for Merit to operate the Platform securely and to support your-configured audit and monitoring features where applicable.
    Subscription administration and billing | Platform / Product | Performance of a contract | Necessary to manage subscription plans, billing, invoicing, and contractual entitlements.
    Your engagement, loyalty, and product-related interactions | Product only | Performance of a contract / legitimate interest (as per the GDPR) | Applicable where Merit processes end-user or loyalty program or app member data in B2B2C products. Processing is carried out on your behalf in accordance with your program configuration and documented instructions.
    Incident detection, prevention, and remediation | Platform / Product | Legitimate interests (as per the GDPR) | Includes detection of technical issues, security breaches, or system misuse to maintain safe and reliable operations.
    Communications and support interactions | Platform / Product | Legitimate interest (as per the GDPR) | Includes handling of customer support requests, correspondence, or issue resolution for both administrative customers and end-users of products and services where such interactions are initiated by or routed through your-configured support channels.
  • Personal Data may be disclosed to comply with legal obligations, regulatory requirements, or lawful requests from competent authorities, including courts, government regulators, or law enforcement agencies.
  • Such disclosures are limited to the minimum Personal Data necessary to comply with the obligation or request.
  • Customers (Product-level processing / B2B2C)

    • For Product-level services where Merit acts as a processor, Personal Data of end-users (e.g., loyalty program members, reward recipients) may be shared with you in accordance with your instructions.
    • Merit will not use or disclose such data for any purpose other than providing the product or service, unless required by law.
  • All international transfers under GDPR are documented, monitored, and subject to ongoing compliance checks.

  • As required by law
    Ensures system integrity, auditability, and security incident investigation.
    Commercial and Billing Data (e.g., invoices, subscription history, payment records) | Duration of contract + 3 years | Retained to comply with tax, accounting, and contractual obligations.
    KYB / Regulatory Verification Data | Duration of relationship + 5 years (or as legally required) | Meets regulatory compliance and risk-management requirements.
    Sensitive Data (if processed under regulatory obligations) | Retained only as strictly necessary | Processed with enhanced security and access restrictions.

    Merit regularly reviews retention periods to ensure Personal Data is not kept longer than necessary.

  • Data Deletion and Anonymization

    • Upon expiry of the applicable retention period or termination of your business relationship with Merit, Personal Data is deleted, anonymized, or aggregated in accordance with applicable law, contractual requirements, and Merit’s internal data management practices.
    • Where deletion or anonymization is not immediately feasible due to technical, legal, or operational constraints, Personal Data is securely restricted from further processing and access until deletion or anonymization is completed.
  • Legal and Regulatory Exceptions

    • In some cases, legal, regulatory, or contractual requirements may necessitate longer retention periods. Merit ensures that such data is securely stored and access is strictly limited to authorized personnel.
  • Minimization and Review

    • Merit periodically reviews stored Personal Data to ensure it is relevant, up-to-date, and limited to what is necessary for the intended purpose.
    • Retention policies are regularly updated to reflect changes in law, regulation, and Platform operations.
  • Incident Management:

    • Processes to support the detection, assessment, and remediation of security incidents or data breaches;
    • Notification to affected Data Subjects and competent authorities as required by law (PDPL, GDPR).
  • Vendor and Third-Party Oversight:

    • Security and data protection requirements are imposed on third-party processors and service providers where applicable;
    • Written agreements requiring compliance with PDPL, GDPR, and contractual security obligations.
  • Operational Resilience:

    • Security testing activities, including vulnerability assessments and penetration testing, are conducted periodically where appropriate;
    • Business continuity and disaster recovery measures are implemented to support availability and integrity of data and services.
  • Governance and Continuous Improvement

    • Merit reviews and updates security measures regularly to address evolving threats and vulnerabilities.
    • Staff receive training on data protection and security best practices, and access to Personal Data is restricted to those with a legitimate operational need.
    • Security measures are designed to align with industry standards and best practices.
  • Response timeline: Merit will acknowledge receipt of requests promptly and, where required by law, respond within 30 days (or extended periods permitted by law, if necessary).
  • Merit may require additional information to process requests, particularly where records are extensive or verification is needed.
  • Limitations and Exceptions

    • Certain requests may be limited by legal obligations, contractual requirements, or legitimate interests (e.g., security logs, regulatory KYB data, or billing records).
    • Merit will communicate any refusal, limitation, or partial fulfillment of a request, including the reasons and applicable legal basis, in accordance with PDPL/GDPR.
  • May collect information about user interactions with the Platform or products to deliver relevant, personalized content or communications.
  • Any personal data shared with third parties for advertising or targeting purposes is pseudonymized or anonymized wherever possible.
  • Web Beacons and Log Files

    • Web Beacons / Pixel Tags: Pages of the Platform, products, or emails may include small electronic files (“Web Beacons”) that allow Merit to collect statistics on usage, email openings, content popularity, and system performance.
    • Log Files: Merit may collect system logs or audit trails that include user activity, accessed content, timestamps, and technical identifiers to ensure security, reliability, and regulatory compliance.
  • Third-Party Cookies and Data Sources

    • The Platform and products may integrate with third-party services (e.g., analytics, payment providers, delivery or loyalty services) that use cookies or similar technologies.
    • Merit does not control, and is not responsible for, third-party cookies, and encourages you to review the privacy notices or policies of such third parties.
    • Personal Data collected from third parties or publicly available sources (e.g., technical, identity, contact, financial, or transaction data) is processed in accordance with this Privacy Policy, the DPA and applicable laws.
  • Managing Cookies

    • You can manage, block, or delete cookies via browser settings or Platform-provided controls (if applicable).
    • Disabling essential cookies may limit Platform or product functionality.
    • Merit provides mechanisms to withdraw consent for non-essential cookies at any time without affecting prior lawful processing.
  • Product-Level Data and Integrations
    • For Product-level features, including B2B2C services (e.g., loyalty programs, engagement tools, reward delivery), Third-Party Services may process end-user Personal Data on your behalf.

    • In such cases, Merit ensures that:

      1. Data processing is conducted only on the documented instructions received from you, while you act as the Data Controller;

      2. Appropriate agreements and safeguards are in place with the third party to protect end-user Personal Data;

      3. Access, retention, and security controls align with PDPL, GDPR (where applicable), and this Privacy Policy.

  • Transparency to Users

    • Merit will provide clear information regarding the nature of Platform-level data shared with Third-Party Services, and, where feasible, guidance on Product-level integrations, to allow Data Subjects to make informed decisions about their data.