Merlon
Legal

Privacy Policy

Last updated: 25 May 2026

1. Who we are

Merlon (Merlon) is a European cybersecurity consultancy. For the purposes of the General Data Protection Regulation (GDPR), we act as the data controller for personal data processed through this website and our direct client engagements.

For any privacy-related question or request, contact us at info@merlon-security.eu.

2. What data we collect

We aim to collect as little personal data as possible. In practice we process:

  • Contact data you provide voluntarily (name, email address, organisation, message content) when you reach out to us by email or through the contact page.
  • Engagement data exchanged during a client engagement, governed by the specific contract and non-disclosure agreement in place.
  • Technical data such as IP address, user agent and request timestamps, processed transiently by our hosting providers for the purposes of operating and securing the site.

We do not use advertising cookies, marketing trackers, or third-party analytics that profile visitors.

3. Why we process it

We process personal data on the following legal bases:

  • Performance of a contract (Art. 6(1)(b) GDPR), for delivering services to clients.
  • Legitimate interest (Art. 6(1)(f) GDPR), for responding to inbound enquiries and securing our infrastructure.
  • Legal obligation (Art. 6(1)(c) GDPR), where applicable laws require retention of certain records.

4. Where it is stored

Consistent with our sovereignty principles, personal data processed by Merlon is stored and handled within the European Union. We do not transfer personal data outside the EU or EEA unless explicitly agreed in writing with the data subject or required by law.

5. How long we keep it

Enquiry correspondence is kept for as long as needed to handle the conversation and any follow-up, and then deleted.

For client engagement data, we apply a strict retention period of exactly one year from the end of the engagement, after which the data is deleted. A longer retention period only applies where explicitly required by the relevant contract or by applicable professional or legal obligations.

6. Your rights

Your privacy is something we genuinely care about, not a checkbox. We especially understand and respect the right to be forgotten: if you ask us to erase your personal data, we will do so without hesitation wherever no contractual or legal obligation prevents it.

Under the GDPR you have the right to:

  • Access the personal data we hold about you;
  • Request correction of inaccurate data;
  • Request erasure of your data, where applicable;
  • Object to or restrict certain processing activities;
  • Request data portability;
  • Lodge a complaint with your national data protection authority.

To exercise any of these rights, email info@merlon-security.eu. We aim to acknowledge every request promptly and will do our best to comply as quickly as possible, and in any case within the one-month period required by the GDPR.

7. Cookies

This website does not set tracking or advertising cookies. Only strictly necessary cookies that are required for the site to function may be used.

8. Changes to this policy

We may update this policy from time to time. Material changes will be reflected in the "Last updated" date at the top of this page.