← Back

Privacy Policy

How we collect, use and protect personal data. This page describes your rights and our responsibilities.

Effective date / last updated: 8 December 2025

Language:RU/EN

Controller, DPO and representatives

Controller: MergeCrew [S.L./S.L.U., reg. number, address] (“MergeCrew”). Data protection / privacy contact / DPO: privacy@mergecrew.com. Where required, we will appoint EU/UK representatives; their details will be published on this page.

Scope

This Policy applies to all MergeCrew websites, applications and APIs and describes how we process personal data of candidates, companies and their representatives when they use our services.

Categories and sources of data

Categories:

  • Identification and contact data (name, avatar, email, phone, language, country/region, time zone);
  • Profile / professional data (skills, experience, education, rates, availability, preferences);
  • Company data (legal name, details, domains, job titles of representatives);
  • Content (jobs/tasks, portfolio, messages/attachments, reviews and ratings, feedback);
  • Technical data (IP address, device/browser identifiers, cookie/SDK identifiers, event logs, diagnostics);
  • Location data (approximate location from IP / GPS where enabled);
  • Payments/escrow (provider tokens, amounts, statuses; full card details stored with provider, not with us);
  • Verification (KYC/AML: ID document/selfie with provider, screening results, sanctions lists, PEP checks);
  • Derived signals (Match Index, anti-fraud scores, behavioural metrics, recommendations);
  • Referrals/endorsements (references, skills confirmations).

Sources: you (directly), automatic means (cookies/SDKs), providers (KYC/payment/anti-fraud), business customers (under contract), public profiles.

Purposes and legal bases (GDPR/LQPD)

PurposeLegal basisExamples
Providing the ServicePerformance of a contractRegistration, matching, chat, escrow, payouts
Security and complianceLegitimate interest / legal obligationAnti-fraud, KYC/AML, logs, moderation
Analytics and improvementsLegitimate interestUsage metrics, UX research, A/B testing
Marketing (email / in-app)Consent or legitimate interest with opt-outNewsletters, recommendations
Legal obligationsLegal obligationTax, sanctions, accounting

We do not intentionally request special categories of data (e.g. health). If you choose to disclose such data in your profile or chats, you can remove it at any time.

Recipients and sub-processors

Data may be shared with other users as part of matching and conversations, and with our providers (hosting, analytics, communications, payments/escrow, KYC/AML, anti-fraud). A list of sub-processors is published at /legal/subprocessors and kept up to date.

International transfers

Data may be transferred outside your country. Andorra benefits from an adequacy status for the EU; for other locations we rely on Standard Contractual Clauses and additional safeguards. Details of transfers and data centre locations are described in the DPA.

Retention periods

  • Account/profile — until deletion + 12 months (for claims and bookkeeping);
  • Deals/payments — 6–10 years (as required by local law);
  • Security logs — 12–24 months;
  • KYC/AML — 5–10 years (if required by law);
  • Cookies/SDKs — see Cookie Policy.

Data subject rights

You have rights of access, rectification, erasure, restriction, portability and objection; and the right to withdraw consent where we rely on it. You may also lodge a complaint with the APDA or your local supervisory authority. Contact us via account settings or privacy@mergecrew.com. We normally respond within 30 days (extendable by 60 days for complex requests).

Profiling and automated decisions

We use algorithms to rank matches and detect fraud. Decisions that may significantly affect your rights (e.g. de-listing) involve human review. You may request an explanation of the main logic and a human review of such decisions.

Marketing, GPC and Do-Not-Track

We respect Global Privacy Control signals for categories requiring consent, and provide preference centres for cookies and emails. You can opt out of marketing communications via the unsubscribe link in emails or in settings.

Security and incidents

We use TLS, at-rest encryption by cloud providers, access control (RBAC/MFA), logging and data minimisation. In case of a breach likely to result in a risk to rights and freedoms, we will notify the supervisory authority within 72 hours and users where required.

Children

The Service is not directed to individuals under 18. If we become aware of children’s data being processed, we will take steps to delete it.

Regional add-ons (EEA/UK/US/BR/CA)

  • EEA/UK/CH: you have the right to lodge a complaint with your local supervisory authority. Details of EU/UK representatives will be published when appointed.
  • US (CCPA/CPRA): California residents have additional rights. We do not “sell” or “share” personal identifiers for cross-context behavioural advertising in the EEA/UK without your consent; in the US we honour applicable industry opt-out mechanisms where relevant.
  • BR (LGPD): contact information for the local representative (encarregado) will be published.
  • CA (PIPEDA): additional rights of access and correction; complaints can be filed with the Office of the Privacy Commissioner of Canada.

Changes and contacts

We may update this Policy from time to time and, where required, request your consent to material changes. Contact: privacy@mergecrew.com.