Privacy Policy

Effective April 10, 2026

We believe your data is yours. This policy explains what we collect, why, and what we do with it. The short version: as little as possible.

What we collect

Account information

Your email address. That's the only piece of personal information required to use Merrie. We use it to authenticate you (via magic link, not passwords) and to contact you about your account if necessary.

Profile information you choose to share

Your contributor name, tagline, bio, avatar, and any links you add to your profile. This information is public — it appears on your Merrie page.

Content you create

Collections, picks, blurbs, essays, event data, posters, and newsletters. Content you publish is public. Draft content is visible only to you.

Subscriber lists

If you're a curator or group, you may collect email subscribers. Those email addresses belong to you, not to us. We store them securely to deliver newsletters on your behalf. We never share one contributor's subscriber list with another contributor, with advertisers, or with anyone else.

Technical data

Basic server logs (IP addresses, browser type, timestamps) for security and debugging. We retain server logs for no more than 90 days. We don't use this data for tracking, profiling, or advertising.

What we don't collect

  • We don't use third-party analytics or tracking pixels
  • We don't sell or share your data with advertisers
  • We don't build behavioral profiles
  • We don't use cookies for tracking (only for authentication)
  • We don't collect payment information (Merrie is free)

How event data works

Event data — titles, dates, times, locations, descriptions — represents public facts about things happening in the world. When you create or contribute event data through Merrie, it is published to the Neighborhood Commons under a Creative Commons Attribution 4.0 (CC BY 4.0) license. This is permanent and irrevocable by design: event facts are public knowledge, and they remain public knowledge.

This means other applications and services can use event data you contribute, with attribution. A local event app might display an event you posted, crediting your group or contributor page.

Your editorial content — blurbs, essays, commentary, posters — is a different category entirely. It is not included in the open data layer and is not released under an open license. Editorial content is displayed on Merrie and may appear in partner applications (like the Fiber app) that consume the Merrie content API, but it remains under your control and our service license — not the Commons.

How your content surfaces in other apps

Merrie is part of a broader ecosystem. Content you publish may appear in:

  • The Fiber app — your editorial picks and event data may surface in personalized feeds, direct messages to Fiber users who follow you, and neighborhood discovery features
  • Third-party applications — developers can build on the Neighborhood Commons data standard; your event data (under CC BY 4.0) is part of that shared layer
  • Search engines — your public Merrie page is indexable

We're building toward a world where event data flows freely and community voices reach people wherever they are. Your participation in Merrie is a contribution to that vision.

Image handling

When you upload images (posters, avatars, cover photos), we re-encode them through a server-side pipeline that strips all metadata — including EXIF data, GPS coordinates, camera information, and any embedded content. The processed image is stored on Cloudflare R2. We do not retain the original upload.

Service providers

We use a small number of third-party services to operate Merrie. Each handles only the data necessary for its function:

  • Supabase — database and authentication
  • Cloudflare — image storage and delivery
  • Resend — newsletter and transactional email delivery

We do not share your data with any other third parties.

Data storage and security

Account and content data is stored in Supabase (PostgreSQL) with row-level security. Images are stored on Cloudflare R2. All data is transmitted over HTTPS. We use industry-standard security practices, but no system is perfectly secure.

Data breach notification

If we confirm a breach that affects your personal data or subscriber data, we will notify affected accounts within 72 hours of confirmation. The notification will describe what happened, what data was involved, and what steps we're taking.

Government and law enforcement requests

If we receive a government or law enforcement request for your data, we will notify you before complying unless we are legally prohibited from doing so. We will challenge requests that are overly broad, and we will never voluntarily provide bulk access to user data.

Your rights

You can:

  • Export your data — your subscriber list, profile, collections, and editorial content are exportable from your workspace. We will never lock your data inside Merrie. See our Anti-Lock-In Pledge in the Terms of Service
  • Delete your account — email us at [email protected] and we'll complete removal of your account and associated data within 30 days. Event data already published to the Neighborhood Commons under CC BY 4.0 cannot be recalled — event facts are public by design and remain so permanently
  • Update your information — edit your profile, content, and subscriber list at any time through your workspace

Children

Merrie is not directed at children under 13. We do not knowingly collect information from children under 13. If you believe a child has created an account, contact us and we'll remove it promptly.

Changes to this policy

We may update this policy. If we make material changes, we'll notify you by email at least 14 days before they take effect. Continued use after changes means you accept them.

Contact

Questions about privacy? Email us at [email protected].