DataMerge

Privacy Policy

Last Updated: January 27, 2026

At DataMerge, we are committed to protecting the privacy and personal data of individuals whose information we process. This Privacy Policy explains how Poolside Ventures S.L. ("we", "us", "our", "DataMerge"), a company registered in Spain with company number B05370846, collects, uses, discloses, and protects personal data in compliance with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

1. Data Controller Information

Data Controller: Poolside Ventures S.L.
Company Number: B05370846
Email: hello@datamerge.ai
Website: https://www.datamerge.ai

We act as:

  • a data controller for personal data related to operating our website and Services (including account administration, billing, security, marketing, and customer support); and
  • a data processor when we process personal data on behalf of our customers within the Services (as described below and in our DPA).

2. Scope and Applicability

This Privacy Policy applies to:

  • Customer and User Data: Personal information we collect directly from individuals who visit our website, create accounts, or subscribe to our Services.
  • Service Data (Processed on Behalf of Customers): Personal data processed within our Services under a customer's instructions, including professional contact data and related enrichment outputs stored in the customer's account/tenant.
  • Geographic Scope: This Privacy Policy applies to all personal data we process worldwide. As an EU-established company, we apply GDPR protections to all data subjects. California residents have additional rights under CCPA/CPRA, as described in Section 9.

3. Our Roles: Controller vs. Processor

3.1 When We Act as a Data Controller

We act as a data controller when we process personal data for our own business purposes, such as:

  • operating and securing our website and Services;
  • creating and administering customer accounts;
  • billing, payments, invoicing, and tax/accounting compliance;
  • communications with customers and prospects (including support and sales);
  • marketing our Services (subject to applicable consent/opt-out rules);
  • compliance, legal claims, and responding to lawful requests.

3.2 When We Act as a Data Processor (Service Data)

We act as a data processor when we process personal data on behalf of our customers (who act as data controllers) within the Services, such as:

  • processing customer-uploaded data for enrichment;
  • processing queries and workflows initiated by the customer within the Services to generate enrichment outputs; and
  • storing enrichment outputs within the customer's account/tenant so the customer can use, export, and manage the data.

No independent sourcing / no data brokerage. When processing Service Data, DataMerge does not process personal data for its own independent marketing, sales, prospecting, or data brokerage purposes, and processes Service Data only on customer instructions as described in our DPA.

When acting as a data processor, our processing is governed by our Data Processing Agreement (DPA) with the customer.

4. Categories of Personal Data We Process

4.1 Customer and User Personal Data (Data We Collect From You)

When you use our website or Services, we may collect:

  • Account and Registration Data: name, email, phone number, company name, job title, account credentials.
  • Payment and Billing Data: billing address and payment method information (processed through our payment service provider), transaction history, invoices/receipts.
  • Usage and Technical Data: IP address, browser type, device information, API usage data, integration activity, login timestamps, session information, and limited logs of queries/requests (subject to minimization).
  • Communications Data: support inquiries and correspondence, feedback, survey responses, marketing preferences.

4.2 Service Data (Processed Within the Services on Behalf of Customers)

Depending on how customers use the Services, we may process within a customer account/tenant:

  • Professional Contact Data: names, job titles/roles, business email addresses, business phone numbers/mobile phone numbers, professional profile URLs.
  • Company / Organization Data: company name, domain, website, industry, size, location, and related organizational attributes.

Important: Service Data is processed by DataMerge as a processor on behalf of the customer. Customers decide which queries to run, which records to save/export, and how to use the outputs, subject to our Terms of Service and applicable law.

5. Sources of Personal Data

5.1 Data Collected Directly From You

We collect personal data directly from you when you:

  • visit our website and fill out forms;
  • create an account or subscribe to our Services;
  • purchase credits or subscriptions;
  • contact us for support or inquiries; or
  • participate in surveys or provide feedback.

5.2 Service Data Sources (Processed on Behalf of Customers)

Service Data may originate from:

  • customer-provided inputs (e.g., uploaded company/contact lists, identifiers, CRM data); and/or
  • third-party service providers used to support enrichment workflows, where configured and instructed by the customer via the Services.

We require vendors supporting the Services to provide appropriate contractual assurances (including data processing terms) and security measures.

6. Purposes of Processing and Legal Bases (Controller Processing)

This section describes our processing where we act as a controller.

Purpose of Processing Categories of Data Legal Basis (GDPR) Retention Period
Account management & service provision Account data, usage/technical data Contract (Art. 6(1)(b)) Duration of account + 6 months
Payment processing & billing Payment/billing data, transaction records Contract (Art. 6(1)(b)) and Legal obligation (Art. 6(1)(c)) 7 years (tax/accounting)
Customer support Communications data, account data, usage data Contract (Art. 6(1)(b)) and Legitimate interests (Art. 6(1)(f)) 2 years from last interaction
Marketing communications Contact info, preferences Consent where required; Legitimate interests for B2B comms subject to opt-out Until consent withdrawn or 3 years from last engagement
Website analytics & improvement Usage data, cookies Legitimate interests; Consent for non-essential cookies Analytics: 26 months
Security & fraud prevention Technical data, usage data, account data Legitimate interests; legal obligation where applicable Security logs: 1 year; incident records: 3 years
Legal compliance & protection As necessary Legal obligation and Legitimate interests As required by law / limitation periods

6.1 Processing as a Processor (Service Data)

Where we process Service Data as a processor, the customer (controller) determines:

  • the purposes of processing;
  • the categories of data subjects and personal data processed; and
  • the lawful basis and transparency obligations (e.g., notices).

Our obligations and permitted processing for Service Data are described in our DPA with the customer.

7. Data Sharing and Recipients

7.1 Our Customers (Service Data)

Service Data processed within the Services may be made available to the relevant customer (controller) and their authorized users. Customers control how they use, export, and otherwise process Service Data, subject to our Terms and applicable law.

7.2 Service Providers (Processors/Sub-processors)

We engage trusted third-party service providers to support our operations and to deliver the Services, including:

  • payment processing;
  • cloud infrastructure and hosting;
  • email delivery providers for transactional communications;
  • customer support tools;
  • analytics providers; and
  • security and monitoring vendors;

and, where applicable, vendors used to support enrichment workflows.

Where required, these providers process personal data under contractual obligations designed to ensure appropriate safeguards.

7.3 Legal and Regulatory Authorities

We may disclose personal data to law enforcement, regulators, courts, or other public authorities when required by law, court order, or legal process; necessary to establish, exercise, or defend legal rights; or required to comply with regulatory investigations or requests.

7.4 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, personal data may be transferred to a successor entity, subject to the protections outlined in this policy. We will provide notice where required.

7.5 "Sale" / "Sharing" Under CCPA/CPRA

We do not sell personal data in the commercial sense. However, California law defines "sale" and "sharing" broadly. Depending on how customers use the Services, certain disclosures of professional contact information may be considered a "sale" or "sharing" under CCPA/CPRA.

California residents may exercise opt-out rights where applicable (see Section 9.2). We do not sell customer account data, payment information, or website usage data.

8. International Data Transfers

As an EU-established company, we primarily process personal data within the EEA. However, some service providers and customers may be located outside the EU/EEA (including the United States). When we transfer personal data internationally, we implement appropriate safeguards such as adequacy decisions and/or Standard Contractual Clauses (SCCs), and additional measures where needed.

9. Your Privacy Rights

9.1 Rights Under GDPR (EU/EEA/UK Data Subjects)

If you are located in the EU/EEA/UK, you have rights including:

  • access, rectification, erasure, restriction;
  • data portability;
  • objection (including to direct marketing);
  • withdrawal of consent (where applicable); and
  • complaint to a supervisory authority.

Important note on Service Data: Where we process personal data as a processor, we may need to direct certain requests to the relevant customer (controller), but we will provide reasonable assistance as required by our DPA and applicable law.

9.2 Rights Under CCPA/CPRA (California Residents)

California residents may have rights including:

  • right to know/access;
  • right to deletion;
  • right to correct;
  • right to opt-out of sale/sharing;
  • right to limit use/disclosure of sensitive personal information (where applicable);
  • right to non-discrimination.

How to Opt-Out: Email hello@datamerge.ai with subject line "Do Not Sell My Personal Information" or use the contact form at https://www.datamerge.ai/contact.

9.3 How to Exercise Your Rights

Email: hello@datamerge.ai (Subject: "Privacy Rights Request")
Website: https://www.datamerge.ai/contact

We may verify your identity before responding, and may request additional information to confirm you are the data subject or an authorized agent.

10. Data Retention

We retain personal data only as long as necessary for the purposes described and to comply with legal obligations.

For Service Data processed on behalf of customers, retention is governed by our customer contract and DPA, and generally follows the customer's instructions and account settings, subject to legal requirements.

11. Data Security

We implement appropriate technical and organizational measures to protect personal data (GDPR Art. 32), including encryption in transit, access controls, monitoring, and employee training. No system is 100% secure.

12. Data Breach Notification

We maintain an incident response process. Where required:

  • we will notify supervisory authorities within applicable timeframes; and
  • where we act as a processor, we will notify the relevant customer (controller) without undue delay after becoming aware of a breach involving Service Data.

13. Cookies and Tracking Technologies

We use cookies and similar technologies for essential site functionality, analytics, and marketing (where applicable). You can manage cookie preferences via our cookie banner/settings.

14. Contact Information and Privacy Inquiries

Privacy and Data Protection Team
Poolside Ventures S.L.
Email: hello@datamerge.ai
Website: https://www.datamerge.ai
Location: Barcelona, Spain

15. Children's Privacy

Our Services are intended for B2B use and are not directed at children. We do not knowingly collect personal data from children.

16. Changes to This Privacy Policy

We may update this policy from time to time. If we make material changes, we will update the "Last Updated" date and provide notice where required.

17. California "Shine the Light" Law

California residents may request information about disclosures of personal information for direct marketing purposes. Contact hello@datamerge.ai.

18. Nevada Residents

Nevada residents may have opt-out rights regarding certain sales of personal information under Nevada law. We do not currently sell personal information as defined by Nevada law.

19. Additional Information for Specific Jurisdictions

19.1 UK Data Subjects

UK data subjects have equivalent rights under UK GDPR. The supervisory authority is the ICO: https://www.ico.org.uk.

19.2 Swiss Data Subjects

Swiss data subjects may contact the FDPIC: https://www.edoeb.admin.ch.

20. Language

This Privacy Policy is provided in English. In case of conflict with translations, the English version prevails to the extent permitted by applicable law.

DataMerge mascot

Ready to Fetch Some Leads?

Free credits. Premium data. Zero tail-chasing.

Get 20 Free Credits

1 credit = 1 lead. No credit card required.