Merrie
← Back

Privacy

What we keep, and don't.

Last updated 2026-05-10.

Hello. Merrie is built with a strong stance on privacy: visitors get no surveillance, contributors get the data they put in (and only that), subscribers are sacred. This policy explains how each of those works.

Merrie is in public preview. The data practices below are what we operate by today. If they change as the product matures we'll update this page, increment the version, and ask you to re-acknowledge per our Terms.

If you're just visiting

You don't have an account. You're reading a page, browsing events, maybe RSVPing.

We collect nothing about you beyond the absolute minimum required to serve the page:

  • No analytics. No Google Analytics, no Plausible, no anything.
  • No tracking pixels. Not Facebook's, not anyone's.
  • No cookies, except the one Supabase uses to keep you logged in, and only if you log in.
  • No browser fingerprinting.
  • No "anonymized" behavioral data sold or shared with third parties. We don't have any to sell.

Server logs at our hosting provider record the minimum needed to operate the service (IP, request path, timestamp, user agent for abuse-handling). We don't analyze them, profile you, or share them.

If you've RSVP'd to an event

Anonymous RSVPs are stored without your name or email. Just a count.

If you provided a first name or email when RSVPing (because the event host asked), that's stored on the host's record so they know who's coming. Hosts see your email; the public RSVP list shows only first name and an optional blurb. We don't use your email for anything else.

There's an unsubscribe / data-deletion link at the bottom of any email Merrie sends you on a host's behalf.

If you have a Merrie page (contributor)

To run a contributor account, we store:

  • Account. Email address, login session.
  • Profile. Name, slug, tagline, bio, hero image, avatar, timezone, contact email. Whatever you put in.
  • Events you publish. Title, date, time, venue, description, and so on. All covered by the Commons license in our Terms.
  • Subscribers to your list: email, optional first name, when they subscribed, where (form, import, RSVP), unsubscribe state.
  • Newsletter sends. Which content went out, to whom, when, delivery status.
  • Operational logs. When actions happened. Used to debug and to honor rate limits.

You can export your data, correct it, or delete your account from in-product settings. We don't make you email support.

Subscriber lists are a fiduciary trust

This is the most important section.

A subscriber trusts the contributor they signed up to, not us. We hold their data on the contributor's behalf. The rules are tight:

  • No cross-pollination. Contributor A never sees Contributor B's subscribers. Not in queries, logs, error messages, or any API response. Database row-level security enforces this; application logic is the second wall, not the only one.
  • No platform use. Merrie never emails subscribers for its own purposes. Only the contributor they subscribed to can reach them, through Merrie's send tools.
  • No bulk admin access. There's no "all subscribers" admin view. Deliberately.
  • Unsubscribe is immediate and permanent. HMAC-signed unsubscribe links. One click. No "are you sure."
  • No analytics aggregation across lists. We don't compute stats that span contributors.

If a contributor closes their account, their subscriber list is preserved as exportable for 30 days, then deleted.

If something goes wrong

If we discover unauthorized access to personal information we hold, we'll notify you without unreasonable delay. Pennsylvania's Breach of Personal Information Notification Act (73 P.S. § 2301 et seq.) and comparable laws call this a "breach." Notice goes by email if we have your address, plus an in-product banner. If a breach affects more than 500 Pennsylvania residents we'll also notify the Pennsylvania Attorney General as the law requires.

We don't store the kinds of data (Social Security numbers, driver's license numbers, financial account numbers) that trigger credit-monitoring obligations under the Act. We do hold email addresses, contributor profile data, and contributor-side subscriber lists; those are what we'd be reporting on if anything went wrong.

Our incident-response procedures are operated to be consistent with the notification requirements of the Act.

Who we share data with (subprocessors)

We use a handful of vendors to operate the service. They process data on our behalf, under contracts that bind them to handle it the way we say:

  • Supabase. Database, authentication. US.
  • Cloudflare R2. Image storage for posters, avatars, hero and cover images. US.
  • Resend. Transactional and contributor-sent emails. US.
  • Railway. Application hosting. US.

Every uploaded image is re-encoded through Sharp on our servers. EXIF and GPS metadata are stripped before the image touches R2. Your phone's location stays on your phone.

We don't sell data. We don't share it with advertisers (we don't have any). Law-enforcement requests get answered only when properly served and legally required; we'll tell you when we can.

The data we don't keep

  • Visitor analytics (none).
  • Behavioral profiles (none).
  • Geographic location data from images (stripped on upload).
  • Content of failed or undelivered emails after the operational debug window (~30 days).
  • Anything we don't have a stated reason to keep.

Logs are pruned on rolling windows: rate-limit logs at ~24h. Audit logs of sensitive transitions (suspensions, unsubscribes) are kept longer, with actor IDs hashed via a salted hash so a leaked snapshot can't reconstruct identities.

Your rights

Wherever you are, the rights below apply. If your jurisdiction has a stronger version (GDPR, CCPA, etc.), the stronger version applies and we honor it.

  • Export. Pull your data out, including subscriber list (CSV).
  • Correct. Edit or fix anything you've put in.
  • Delete. Close your account; we delete your private data within 30 days. Public event data already in the Commons stays under CC BY 4.0. You granted that license. It doesn't unwind.
  • Object. Tell us a use bothers you. Email [email protected].
  • Portability. Subscriber-list export is standard CSV. Event data has a public API.
  • Complain. If you think we're not honoring this policy, write to us. You also have the right to complain to your jurisdiction's data-protection authority.

Children

Merrie is not for users under 13. We don't knowingly accept account creation from minors under 13. If you believe we have data on a child under 13, write to [email protected] and we'll delete it.

Changes

If we change this policy materially, we'll notify you (in-product banner; email if you have an account) and update the version above. Smaller corrections (typos, clarifications) won't trigger a notice.

Contact

[email protected] for data questions, deletion requests, or complaints. Real human, single inbox.