Այլ երկրներում:GEGeorgiaTRTürkiyeRSSerbiaAEUAECYCyprus

Privacy policy

Privacy policy covering data we collect, how we use it, retention, and your rights under GDPR, UAE PDPL, Cyprus PDPL, KVKK, and CCPA.

Important. This is a sample / template policy. The binding policy for a specific engagement is the one referenced in the signed Master Services Agreement.

1. Who we are

merch.am ("we", "us") is a B2B corporate-merchandise sourcing and production service operating across Armenia, Cyprus, Georgia, Serbia, Turkey, and the UAE. We process personal data both as Controller (for our own business contacts) and as Processor (for client recipient lists and fulfillment data).

2. Personal data we collect

  • Business contact data — name, work email, phone, company, role, country
  • Account data — username, hashed password, MFA settings, API key fingerprints
  • Recipient fulfillment data — name, address, phone, optional personalization fields (T-shirt size, dietary preferences) — provided by clients to enable kit delivery
  • Usage data — pages visited, IP address, device, browser, language, referrer
  • Communications — emails, support tickets, call recordings (where notice given)
  • Payment data — invoice information, billing addresses, banking details (for B2B remittance)

3. Why we process it (legal bases)

  • Contract performance — to deliver services we have agreed with you
  • Legal obligation — tax records, customs documentation, sanctions screening
  • Legitimate interest — securing our systems, preventing fraud, improving services
  • Consent — marketing communications, optional analytics cookies

4. How long we keep it

CategoryRetention
Active client contact dataDuration of engagement + 7 years
Recipient fulfillment dataOrder completion + 12 months (then deleted, unless extended in DPA)
Tax / accounting records7-10 years per local law
Marketing prospect dataUntil consent withdrawn or 24 months idle
Web analytics26 months
Security logs13 months

5. Sharing

We share personal data only with: (a) our suppliers and logistics partners as needed to fulfill orders, under contractual data-protection commitments; (b) professional advisors (lawyers, auditors, accountants) under confidentiality; (c) authorities when legally required; (d) potential acquirers under NDA (in event of corporate transaction). We do not sell personal data.

6. International transfers

Data may be transferred between our 6 served countries and to sub-processors elsewhere. EU-to-third-country transfers rely on Standard Contractual Clauses (SCCs) plus a transfer impact assessment where required. UAE-to-EU transfers rely on the UAE PDPL adequacy framework or contractual safeguards.

7. Your rights

Depending on your jurisdiction, you have rights to: access your data, rectify inaccurate data, erase data, restrict processing, object to processing, data portability, withdraw consent, and lodge a complaint with a supervisory authority.

  • EU / EEA — GDPR rights; complaint to the local DPA
  • UAE — UAE PDPL rights; complaint to the UAE Data Office
  • Cyprus — GDPR + Cyprus PDPL; complaint to the Cyprus Office of the Commissioner for Personal Data Protection
  • Turkey — KVKK rights; complaint to KVKK
  • California — CCPA / CPRA rights; right to know, delete, opt out of sale (we don't sell)
  • Serbia — Serbia LPDP; complaint to the Commissioner
  • Georgia — Georgia PDP Law; complaint to the Personal Data Protection Service
  • Armenia — Armenia PDP Law; complaint to the Personal Data Protection Agency

Submit requests to privacy@merch.am. We respond within the statutory window (typically 30 days, extendable to 90 in complex cases).

8. Security

We follow industry-standard security practices: TLS 1.2+ in transit, AES-256 at rest for sensitive stores, MFA for all employee access, role-based access control, audit logging, regular vulnerability scanning, and annual penetration testing. We are pursuing ISO 27001 certification by Q4 2026.

9. Children

Our services are B2B; we do not knowingly process data of persons under 16. If you believe we have done so in error, contact us and we will delete promptly.

10. Changes

We may update this policy. Material changes are communicated to active clients by email at least 30 days before effective date.

11. Contact

Data Protection contact: privacy@merch.am. For EU representations, an EU representative is appointed where required by Article 27 GDPR.