Privacy Policy

Last updated: February 20, 2026

1. Introduction

Merno (“we,” “us,” or “our”) operates the website at merno.ai (the “Website”) and the Merno Chrome browser extension (the “Extension”), collectively referred to as the “Service.”

This Privacy Policy explains what information we collect, how we use it, who we share it with, and your rights regarding your data. By using the Service, you agree to the collection and use of information as described in this policy.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your name, email address, and profile picture (if you sign in with Google). If you sign up with email and password, we store a securely hashed version of your password — we never store passwords in plain text.

2.2 Profile Information

You may optionally provide your job title, company name, and timezone to personalize your experience.

2.3 Achievement Data

The core of Merno is the text you write or capture describing your workplace achievements. This includes:

  • Raw achievement text you type or capture
  • AI-generated narratives based on your text
  • Category and status labels you assign
  • Achievement dates
  • AI-generated review narratives and weekly summaries

2.4 Browser Extension Data

When you use the Merno Chrome Extension to capture an achievement:

  • Selected text — the text you highlight and choose to save
  • Page URL and title — the webpage where the capture occurred, for your reference

The Extension does not read, collect, or transmit any page content beyond what you explicitly select and save. It does not track your browsing history, monitor your activity, or collect data from pages you visit without your action.

2.5 Integration Data

If you connect third-party services (Slack, HubSpot, Salesforce), we collect:

  • OAuth access and refresh tokens (encrypted at rest with AES-256-GCM)
  • Workspace or organization identifiers
  • Specific data from those services (e.g., messages matching achievement keywords from Slack, closed-won deals from HubSpot, closed opportunities from Salesforce) — only data relevant to achievement tracking

Integration data surfaces as “suggested” achievement candidates that require your explicit approval before becoming permanent achievements.

2.6 Billing Information

Payment processing is handled entirely by Stripe. We store your Stripe customer ID and subscription status, but we never store credit card numbers, bank account details, or other payment credentials on our servers.

2.7 Usage and Error Data

We use Sentry for error monitoring to identify and fix bugs. When an error occurs, Sentry may collect:

  • Error details and stack traces
  • Browser type and version
  • Page URL where the error occurred
  • Session replay data (only when an error occurs)

3. How We Use Your Information

We use your information to:

  • Provide, operate, and maintain the Service
  • Generate AI-powered achievement narratives and review summaries
  • Send weekly digest emails and Friday reminder emails (you can opt out in Settings)
  • Process payments and manage subscriptions via Stripe
  • Send team invitations and manage team memberships
  • Monitor and fix errors to improve reliability
  • Send transactional emails (verification, password reset, review notifications)

4. AI Processing

Merno uses Anthropic's Claude API to generate achievement narratives, weekly summaries, and review documents. When we process your achievement text:

  • Your achievement text is sent to Anthropic's API along with your name, job title, and company for context
  • Anthropic does not use API inputs/outputs for model training (per their API privacy policy)
  • Generated narratives are stored in our database alongside your original text

5. Data Sharing

We do not sell your personal information. We share data only with:

  • Anthropic — achievement text for AI narrative generation (see Section 4)
  • Stripe — billing information for payment processing
  • Resend — email addresses for sending transactional and digest emails
  • Sentry — error and performance data for monitoring
  • Supabase — database hosting provider (PostgreSQL)
  • Vercel — application hosting and deployment
  • Inngest — background job processing (email scheduling, integration polling)

If you are part of a team, your manager can see your achievement counts, categories, activity status, individual achievement details (including AI-generated narratives and original text), and review cycle documents. This visibility is designed for performance review workflows such as 1:1 preparation and team activity tracking.

6. Data Security

We implement the following security measures:

  • All data transmitted over HTTPS (TLS encryption in transit)
  • Passwords hashed with bcrypt (12 rounds)
  • OAuth integration tokens encrypted at rest with AES-256-GCM
  • API tokens stored as SHA-256 hashes (original never stored)
  • Row-level data isolation (users can only access their own data)
  • Input sanitization on all user-submitted text
  • Database hosted on Supabase with encryption at rest
  • Session-based authentication with secure, httpOnly cookies

7. Data Retention

We retain your data for as long as your account is active. Specific retention details:

  • Achievements — soft-deleted when you remove them (hidden from view but recoverable); permanently deleted upon account deletion
  • Integration tokens — deleted when you disconnect an integration
  • Email verification tokens — expire after 24 hours
  • Password reset tokens — expire after 1 hour
  • Team invite tokens — expire after 7 days

8. Your Rights

You have the right to:

  • Access — view all your achievement data through the dashboard
  • Edit — modify your achievements and profile information at any time
  • Export — download your data as PDF through the Reviews page
  • Delete — remove individual achievements or request full account deletion
  • Opt out of emails — disable weekly digest and Friday reminder emails in Settings
  • Disconnect integrations — revoke third-party access at any time in Settings

To request full account deletion, contact us at privacy@merno.ai. We will delete all your data within 30 days.

9. Cookies

We use cookies for:

  • Authentication — a session cookie to keep you signed in (essential, cannot be disabled)
  • OAuth state — temporary cookies during third-party login and integration setup (essential)

We do not use advertising cookies, tracking cookies, or third-party analytics cookies.

10. Chrome Extension

The Merno Chrome Extension has specific data practices:

  • activeTab permission — used only when you click the extension icon or use the context menu. It accesses the page title and URL of the current tab only at that moment.
  • Text selection — the content script detects when you select text (10+ characters) to show a capture button. No selected text is stored or transmitted unless you explicitly click “Save to Merno.”
  • Storage — chrome.storage.sync stores your server URL and optional API token locally in your browser profile. This data is not sent to us.
  • Authentication — the Extension primarily uses your existing browser session cookie (zero configuration). An API token is available as an optional fallback for advanced setups.
  • No background collection — the Extension does not run background data collection, track browsing history, or monitor pages you visit.

11. Children's Privacy

Merno is designed for professionals in the workplace. We do not knowingly collect information from children under 16. If we learn we have collected data from a child, we will delete it promptly.

12. International Data Transfers

Your data may be processed in the United States, where our hosting providers (Vercel, Supabase) and service providers (Anthropic, Stripe, Sentry, Resend) operate. By using the Service, you consent to the transfer of your data to the United States.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the “Last updated” date at the top of this page. For significant changes, we may also send you an email notification.

14. Contact Us

If you have questions about this Privacy Policy or your data, contact us at:

privacy@merno.ai