Privacy Policy

Effective Date: December 19, 2024
Last Updated: December 19, 2024

Introduction

MERU (“we,” “our,” or “us”) is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our inbound email API service (the “Service”).

As an inbound-first email API platform, we specialize in converting emails into structured JSON webhooks. Our SOC 2 Type II compliant architecture ensures we do not store, retain, or access the content of emails processed through our Service—your data privacy is built into our design from day one.

Information We Collect

Information You Provide Directly

  • Account Information: Name, email address, company name, and billing information when you create an account
  • API Credentials: API keys and authentication tokens for service access
  • Webhook Configuration: Webhook URLs and configuration settings for your inbound email addresses
  • Support Communications: Information you provide when contacting our support team
  • Payment Information: Billing details processed securely through our payment processors

Information We Collect Automatically

  • Usage Data: API request logs, response times, and service performance metrics
  • Technical Data: IP addresses, browser information, and device identifiers
  • Website Analytics: Information about your use of our website and documentation
  • Webhook Delivery Data: Success/failure rates, retry attempts, and delivery timestamps

Email Processing Data

Important: We do not store, retain, or access the content, subject lines, or attachments of emails processed through our Service. Our SOC 2 compliant stream-and-purge architecture ensures:

  • Emails are processed in real time and immediately purged after webhook delivery
  • No email content is stored on our servers beyond the brief processing window
  • Only metadata (sender, recipient, timestamp, delivery status) is temporarily logged for service delivery
  • All processing occurs in secure, encrypted environments with reject-unknown at RCPT TO

How We Use Your Information

We use the information we collect to:

  • Provide the Service: Process inbound emails and deliver structured JSON webhook notifications
  • Account Management: Maintain your account, process payments, and provide customer support
  • Address Provisioning: Create and manage unique inbound email addresses via API
  • Service Improvement: Analyze usage patterns to improve our Service performance and reliability
  • Security: Monitor for abuse, fraud, and security threats with HMAC-signed webhooks
  • Legal Compliance: Comply with applicable laws and regulations

Information Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following limited circumstances:

Service Providers

We work with trusted third-party service providers who assist us in operating our Service:

  • Payment Processors: For secure payment processing
  • Infrastructure Providers: For hosting and technical infrastructure (multi-region MX records)
  • Analytics Services: For website and service analytics (anonymized data only)
  • Webhook Delivery Services: For reliable webhook delivery with retry mechanisms

We may disclose your information if required by law or to:

  • Comply with legal processes or government requests
  • Protect our rights, property, or safety
  • Protect the rights, property, or safety of our users or the public

Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.

Data Security

Our SOC 2 Type II compliance ensures we maintain rigorous security standards:

  • Encryption: All data is encrypted in transit and at rest
  • Access Controls: Strict access controls and authentication mechanisms
  • Monitoring: Continuous security monitoring and incident response
  • Regular Audits: Annual SOC 2 audits by independent third parties
  • Data Minimization: We collect only the minimum information necessary to provide our Service
  • Stream-and-Purge: No long-term content storage, immediate purging after webhook delivery
  • HMAC Verification: All webhooks are HMAC-signed with replay protection

Data Retention

  • Account Information: Retained for the duration of your account and as required by law
  • Usage Data: Retained for up to 12 months for service improvement and security purposes
  • Email Content: Not retained - processed and immediately purged per our SOC 2 stream-and-purge architecture
  • Webhook Delivery Logs: Retained for up to 30 days for delivery verification and debugging
  • Support Communications: Retained for up to 3 years for customer service purposes

Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal information:

  • Access: Request access to your personal information
  • Correction: Request correction of inaccurate information
  • Deletion: Request deletion of your personal information
  • Portability: Request a copy of your data in a portable format
  • Opt-out: Opt out of certain data processing activities

To exercise these rights, please contact us at privacy@meruhook.com.

International Data Transfers

Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for such transfers, including:

  • Standard contractual clauses approved by relevant authorities
  • Adequacy decisions by relevant data protection authorities
  • Other appropriate safeguards as required by applicable law

Children’s Privacy

Our Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the updated policy on our website
  • Sending an email notification to your registered email address
  • Providing notice through our Service

Your continued use of the Service after any changes constitutes acceptance of the updated Privacy Policy.

Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

Email: privacy@meruhook.com
Address: MERU, [Your Business Address]
Data Protection Officer: dpo@meruhook.com


California Consumer Privacy Act (CCPA) Notice

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

Categories of Personal Information We Collect

Category | Examples | Purpose
Identifiers | Name, email, IP address | Service provision, communication
Commercial Information | Billing information, transaction history | Payment processing, account management
Internet Activity | Website usage, API requests | Service improvement, security
Professional Information | Company name, job title | Account management, support

Your CCPA Rights

  • Right to Know: Request information about personal information we collect, use, and disclose
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: Opt out of the sale of personal information (we do not sell personal information)
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights

Exercising Your Rights

To exercise your CCPA rights, please contact us at privacy@meruhook.com or call [Your Phone Number]. We will respond to your request within 45 days.

Authorized Agent

You may designate an authorized agent to make requests on your behalf. The agent must provide proof of authorization, and we may verify the agent’s identity.


European Union General Data Protection Regulation (GDPR) Notice

If you are in the European Union, you have additional rights under the GDPR:

We process your personal information based on:

  • Contract: To provide our Service under our Terms of Service
  • Legitimate Interest: To improve our Service and ensure security
  • Consent: Where you have provided explicit consent
  • Legal Obligation: To comply with applicable laws

Your GDPR Rights

  • Right of Access: Request access to your personal information
  • Right to Rectification: Request correction of inaccurate information
  • Right to Erasure: Request deletion of your personal information
  • Right to Restrict Processing: Request limitation of processing
  • Right to Data Portability: Request transfer of your data
  • Right to Object: Object to processing based on legitimate interests

Data Protection Officer

Our Data Protection Officer can be reached at dpo@meruhook.com.

Supervisory Authority

You have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not complied with the GDPR.