1. Introduction
This Privacy Policy explains how Merritt Performance, Inc. ("Merritt," "we," "us," or "our") collects, uses, and shares information when you visit our website at https://www.merritt.app (the "Site") or use our performance management software (collectively, the "Services").
We are a Delaware corporation with offices at 131 Continental Dr, Suite 305, Newark, DE 19713. If you have questions about this policy, contact us at darla@merritt.app.
2. Information we collect
From website visitors:
- Contact information submitted through forms (name, email, company, role)
- Any messages or information you choose to send us
From product users:
- Account information (name, email, role, company)
- Authentication credentials (passwords are encrypted at the field level — see our Security page for details)
- Profile and team information you provide
Customer content:
- Performance feedback, goals, role expectations, 1:1 notes, reviews, and other content submitted through the Services
- Customer content is owned by the customer organization that submits it
Automatically collected:
- IP address, browser type, device information, operating system
- Pages visited, time spent, referring URL
- Usage patterns and product interaction data
3. Cookies and tracking technologies
We and our service providers use cookies and similar technologies to operate the Site and Services. These fall into the following categories:
- Strictly necessary cookies: Required for the Site and Services to function, including authentication and security.
- Functional cookies: Remember your preferences and settings.
- Analytics cookies: Help us understand how visitors use the Site and Services so we can improve them. We use Rudderstack for product analytics.
- Error monitoring: We use Sentry to detect and diagnose application errors.
You can control cookies through your browser settings. Disabling certain cookies may affect the functionality of the Services.
4. How we use information
We use the information we collect to:
- Provide, operate, and maintain the Services
- Improve, personalize, and expand the Services
- Communicate with you, including responding to inquiries, providing customer support, and sending product updates
- Process transactions and send related information
- Detect, prevent, and address technical issues and security concerns
- Develop new products, services, features, and functionality
- Comply with legal obligations
We do not sell personal information.
5. AI and machine learning
The Services include features powered by artificial intelligence and machine learning. Here's how we use information in connection with AI/ML:
What we send to LLM providers:
- We use OpenAI as our LLM provider.
- Customer content — including feedback, goals, role expectations, and feedback drafts — is sent to OpenAI when generating review drafts or providing feedback coaching suggestions.
- Data sharing settings with OpenAI are disabled, meaning OpenAI does not use this data to train their models.
Our own model improvement:
- We may use de-identified customer content to improve our AI features.
- Customers can opt out of having their organization's data used for model improvement by contacting us at amber@merritt.app.
Important: AI-generated content may be inaccurate. AI features are intended to assist managers, not replace their judgment. Managers remain responsible for decisions about their teams.
Customers with a separate written agreement with us are also subject to the AI and machine learning terms in that agreement.
6. How we share information
Sub-Processors
We share information with third-party service providers ("sub-processors") who help us operate the Services. Each sub-processor only has access to the information necessary to perform its function and is bound by contractual obligations to handle that information consistent with this policy.
| Sub-processor | Purpose | Data accessed | Region |
|---|---|---|---|
| Google Cloud Platform | Cloud hosting and infrastructure | All application data (encrypted) | US (us-east4) |
| Google Cloud SQL | Managed database | All application data (encrypted) | US (us-east4) |
| OpenAI | AI/ML features (review drafts, feedback coaching) | Customer content sent in prompts; data sharing disabled | US |
| Mailjet | Transactional email delivery | Email content (may include performance data) | US |
| Sentry | Application error monitoring | Anonymized error data | US |
| Rudderstack | Product analytics | Usage data; minimal personalized data | US |
| Stripe | Payment processing | Billing information (company name, address, billing contact) | US |
| Google Workspace (Gmail) | Customer communications | Email correspondence | US |
We may update this list as our service providers change. Material changes will be reflected in updates to this policy.
Other disclosures
We may also share information:
- With your consent or at your direction
- To comply with applicable law, legal process, or government requests
- To protect the rights, property, or safety of Merritt, our customers, or others
- In connection with a merger, acquisition, financing, or sale of all or a portion of our business
- With professional advisors (lawyers, accountants, auditors) who are bound by confidentiality obligations
7. Data retention and deletion
We retain personal information for as long as necessary to provide the Services and for the purposes described in this policy. For customers with a paid subscription, we retain customer content for the duration of the subscription.
Upon termination of your subscription or upon your written request, we will delete customer content within 60 days, including from backups. Aggregated or de-identified data may be retained beyond this period.
To request deletion of your personal information, contact us at amber@merritt.app.
8. Your rights and choices
Depending on your location, you may have certain rights regarding your personal information, including:
- Access: Request a copy of the personal information we hold about you
- Correction: Request that we correct inaccurate or incomplete information
- Deletion: Request that we delete your personal information, subject to certain exceptions
- Portability: Request a copy of your information in a structured, machine-readable format
- Objection: Object to certain processing activities
- Restriction: Request that we restrict the processing of your information
- Withdrawal of consent: Where we rely on your consent, you may withdraw it at any time
To exercise any of these rights, contact us at amber@merritt.app. We will respond to verifiable requests in accordance with applicable law.
California residents
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to know what personal information we collect, the right to delete that information, the right to correct inaccurate information, and the right to opt out of the sale or sharing of personal information.
We do not sell personal information. To exercise your California rights, contact us at amber@merritt.app.
European residents
If you are in the European Economic Area, United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and similar laws give you the rights listed above. The legal basis for our processing depends on the context — typically your consent, performance of a contract, legitimate interest, or legal obligation.
You have the right to lodge a complaint with your local data protection authority.
For customers submitting personal data governed by GDPR through the Services, a Data Processing Agreement (DPA) is available upon request. Contact us at amber@merritt.app.
Note for customers
When you submit data about your employees or other individuals through the Services, you are the data controller for that information, and we act as a data processor. Individuals whose data you submit should direct privacy requests to you in the first instance.
9. International data transfers
The Services are hosted in the United States (Google Cloud Platform, us-east4 region). If you access the Services from outside the United States, your information will be transferred to and processed in the United States, which may have different data protection laws than your country of residence. By using the Services, you consent to this transfer.
10. Children's privacy
The Services are intended for users who are at least 18 years old. We do not knowingly collect personal information from anyone under 18. If you believe we have collected information from a child under 18, please contact us and we will delete it.
11. Security
We implement reasonable technical and organizational measures designed to protect personal information from unauthorized access, disclosure, alteration, or destruction. For details about our security practices, see our Security page.
12. Third-party links
The Services may contain links to third-party websites or services. This Privacy Policy does not apply to those third parties, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you visit.
13. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this policy. If we make material changes, we will notify you by email or by posting a prominent notice on the Site.
14. Contact us
If you have questions about this Privacy Policy or our privacy practices, please contact us at:
Merritt Performance, Inc.
131 Continental Dr, Suite 305
Newark, DE 19713
United States
Email: darla@merritt.app
