MeRLIN Sourcing Service Privacy Policy


MeRLIN Sourcing’s Service Privacy Policy (“Policy”) describes MeRLIN’s privacy practices for the processing of personal information related to users of MeRLIN’s hosted software applications and related services (collectively, “Solutions”), obtained in connection with the use of the Solutions, where MeRLIN determines the purposes and means of the processing and makes decisions about processing activities.

This Policy does not cover MeRLIN’s personal information processing activities carried out on behalf of our business clients as part of MeRLIN’s services (“Platform”), as such processing is governed by the applicable Data Processing Addendum.

This Policy does not cover any information collected by MeRLIN for marketing purposes, which is governed by our Privacy Policy available at .


This Policy applies to MeRLIN Sourcing B.V. and all of its subsidiaries (which we refer to in this Policy as “MeRLIN” or the “Company”) and all of its directors, officers, employees, and contractors (“MeRLIN Team Members”).

Policy Summary

“Sensitive Personal Information” refers to a smaller subset of Personal Information that is considered more sensitive to the individual, such as race and ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric information, physical or mental health information, or medical insurance data.

  • Information provided by Users
  • Information collected through the operation of our Solutions, including through cookies and similar technology


1. Definitions

Personal Information: Any information that identifies or can be used to identify a User. Common examples of Personal Information include:

Full name
Email address
Digital identity (login name or handle)
Device information

2. Purpose of Processing

Personal data processed by MeRLIN as described in Section 3 (Processing of Personal Information) are collected, accessed, used, and stored (“processed”) by MeRLIN for the purposes of:

  • Allowing Users to access and use the Solutions;
  • Ensuring traceability, auditability, reliability, and accountability of business transactions negotiated and managed through the Solutions; and
  • Ensuring security and avoiding unintended access and/or use of the Solutions.

Additional purposes of processing by MeRLIN include, but are not limited to, legitimate business interests such as:

  • Product development and enhancement, where the processing enables MeRLIN to enhance or modify our Solutions and related support for the benefit of Users, and to better understand how Users interact with our Solutions,
  • Fraud or other crime detection and prevention,
  • Enhancement of our cybersecurity, including improving the security of the Solutions, our network, and other information systems, and
  • General business operations and due diligence,

provided that, in each circumstance, we weigh the necessity of our processing for the purpose against privacy and confidentiality interests, including taking into account Users’ reasonable expectations, the impact of processing, and any safeguards that are or could be put in place. MeRLIN will limit such processing for our legitimate business interest to what is necessary for its purposes.

3. Personal Information processing by MeRLIN acting as Data Controller and as Data Processor

This section describes MeRLIN’s processing of Personal Information about Users and its role in such processing.

In the course of providing services MeRLIN primarily acts as a Data Processor, under the instructions of a MeRLIN Client which acts as a Data Controller, as provided under a Data Processing Addendum.

However, there is a different set of Personal Information processed by MeRLIN as an independent Data Controller.

Regardless of the role in data processing, in the context of service provision, MeRLIN does not request or collect sensitive personal information.

MeRLIN determines the purposes and means of the processing of the below set of Personal Information, and makes decisions about processing activities for the information that Users provide or that MeRLIN collects when they use the Solutions:

  1. Users’ interaction with the Solutions, such as activity logs and/or other information associated with the activity of Users and their devices.
  2. Information Collected Through the Use of MeRLIN Solutions
  3. Provided Users elect to register in the Solutions to be included within MeRLIN’s supplier network of MeRLIN Supplier portal, MeRLIN processes Users’ registration data.

Personal data category: User registration data (Name and Surname; Business email address); Optional fields data (Company, job title, etc.)
Data Subject: Supplier users registering with MeRLIN under the MeRLIN Supplier Terms of Use
Purpose of processing:
  • Allowing Users to access and use the Solutions
  • Storing in as permitted or required to meet MeRLIN’s obligations under applicable law, and in the case, they are required to support the claims management process related to possible legal actions engaged by or against MeRLIN or MeRLIN’s Customers
Legal basis for data processing:
  • Legitimate Interests
  • Performance of a contract to which the data subject is a party
  • Compliance with a legal obligation to which the controller is subject

Personal data category: Solutions interaction information and information Collected Through Cookies and Similar Technology (Application logs; IP addresses; OS information; Browser information; Language preferences; Navigation activities and Clickstream Data; Network data; Communication data)
Data Subject:
  • Authorized users accessing Solutions under a customer’s contractual agreement with MeRLIN
  • MeRLIN’s customers’ business contacts, customer’s suppliers
  • MeRLIN’s customers’ current and potential, customer’s suppliers current and potential
  • Supplier users registering with MeRLIN under the MeRLIN Supplier Terms of Use
Purpose of processing:
  • Product development and enhancement
  • Security enhancement
  • Fraud or other crime detection and prevention
  • General business operations and due diligence
  • Meeting MeRLIN’s obligations under applicable law
  • Support the claims management process related to possible legal actions
Legal basis for data processing:
  • Legitimate Interests
  • Performance of a contract to which the data subject is a party
  • Compliance with a legal obligation to which the controller is subject


Table 1 MeRLIN’s processing as Data Controller

(a) Information Provided by Users

When creating and signing into the Solutions, Users must provide Personal Information about themselves by completing forms for the credentials. This includes Users’ names and email addresses. Additionally, Users may enter Personal Information into the Solutions, such as business contact information or an individual’s role in the User’s organization.

In some instances, Users may elect to provide MeRLIN with location and address information. Users may also provide MeRLIN with Personal Information about themselves when reporting a problem or asking questions about MeRLIN’s Solutions.

The Solutions may offer interactive and social features that permit Users to submit content and communicate with MeRLIN. Users may provide Personal Information to MeRLIN when they post information in these interactive and social features. Please note that postings in these areas of these sites may be publicly accessible or accessible by other Users.

When creating an account to use our Solutions on a mobile device, the application requires certain information such as a User’s name, email address, username, and password. Additionally, when a device syncs with MeRLIN’s application, certain data recorded on that device is transferred from the device to MeRLIN’s Solutions.

Users can choose not to provide certain information to MeRLIN, but as a result, may not be able to take advantage of some features of the Solutions.

(b) Information Collected Through the Use of MeRLIN Sourcing B.V.

MeRLIN collects certain information automatically, such as a User’s operating system version, browser type, and internet service provider. MeRLIN also collects information about Users’ interaction with the Solutions, such as creating or logging into accounts, or opening or interacting with the Solutions on mobile devices. The Solutions automatically collect and store this information in service logs. This also includes:

Web portal use details
Internet protocol address
Cookies and similar technology that uniquely identify a browser
The referring web page
Pages visited

MeRLIN may also collect and process information about a User’s actual location. This information may or may not include Personal Information, but MeRLIN may maintain it or associate it with Personal Information it collects in other ways or receives from third parties.

If granted access to a User’s location, MeRLIN may collect information about their location when they use the Solutions. Location can be determined by IP address and information about things near a device, such as Wi-Fi access points and cell towers. The specificity of the location data collected may depend on several factors, including the device in use (e.g., laptop, smartphone, or tablet) and the type of internet connection (e.g., via cable broadband connection, Wi-Fi).

When using the Solutions via a wireless device, MeRLIN may solicit permission to collect location data. If location services are enabled on our mobile application, MeRLIN may collect location data periodically as someone uses or leaves open our mobile application. MeRLIN may associate such location data with the Personal Information a User provides. Depending on the platform used to access our mobile application (e.g., Apple’s iOS, Google’s Android), Users may be able to control whether location data is collected from MeRLIN within “Settings” or other controls on their wireless device and/or mobile application.

Some features within the Solutions may only function upon confirmation of a User’s location, and therefore, such features will not be available if a User chooses not to provide their location data to MeRLIN.

Additionally, MeRLIN may collect a User’s unique device ID. MeRLIN may use such information for internal purposes and to provide Users with a better experience, such as to troubleshoot Solution problems. MeRLIN may associate device ID with Personal Information Users provide to us. Users may learn more about opting out of any anonymous device ID collection via the privacy settings available within their mobile device.

(c) Information Collected Through Cookies and Similar Technology

MeRLIN uses various technologies to collect and store information when Users visit one of our Solutions, and this may include using cookies or similar technologies to identify a browser or device. The technologies we use for this automatic data collection may include:

Web Beacons
Clickstream Data

Cookies. A cookie is a small file placed on the hard drive of a device. Users may refuse to accept browser cookies by activating the appropriate settings on their browser. However, if this setting is selected, Users may be unable to access certain parts of the Solutions. Unless a browser is adjusted to refuse cookies, the Solutions will issue cookies when a browser accesses our Solutions. Some cookies are required for technical reasons for the Solutions to operate – we refer to these as “essential” or “strictly necessary” cookies. Other cookies could enable us to analyze the performance and use of the Solutions. Other cookies could enable us to target advertising to the interests of our visitors. More specifically, the types of cookies that could be served through the Solutions and their purposes are described below:

“Strictly necessary” cookies must be set to allow us to deliver the Solutions to you and to provide specific services that you request from us.

“Performance” or “Analytics” cookies help us to collect information about how visitors use our Solutions and help us analyze and improve the Solutions. Performance or analytics cookies will remain on your computer after you close your browser.

Web Beacons. Pages in the Solutions or e-mails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit MeRLIN to perform simple analysis. For example, web beacons allow MeRLIN to count Users who have visited certain pages or opened an e-mail.

Clickstream Data. Clickstream data is information collected by the Solutions when Users request certain web pages. Clickstream data may include information such as the page served, the time spent viewing the page, the source of the request, the type of browser making the request, the preceding page viewed, and similar information. Clickstream data permits us to analyze how Users arrive at our Solutions, what type of content or activity is popular, and what type of Users in the aggregate are interested in particular kinds of content or activities in the Solutions.

4. Use and Disclosure of Personal Information

MeRLIN treats Personal Information as confidential, and MeRLIN only accesses Personal Information to provide the Solutions to its Users, fulfill requests related to the Solutions and enhance the use of the Solutions, as described in more detail in Section 2 (Purpose of Processing). MeRLIN does not sell any Personal Information to third parties. MeRLIN will only share Personal Information with third parties in the following circumstances:

When authorized by the User to do so in writing.

When it is reasonably necessary to comply with a legal process, such as a court order, subpoena or search warrant, government investigation, or other legal requirements, including to meet national security or law enforcement requirements.

In the course of any direct or indirect reorganization process, including, but not limited to, mergers, acquisitions, and sales of all or substantially all of our assets — and in such cases, sharing Personal Information would be subject to applicable laws and regulations such as obtaining prior consent where applicable; or

When necessary, for the prevention or detection of crime (subject in each case to applicable law) or to establish or defend a legal claim.

Additionally, Users may register in the Solutions to be included within MeRLIN’s supplier network (“MeRLIN Supplier Network”) under the MeRLIN Supplier Terms of Use. When registering for the MeRLIN Supplier Network, information will be shared with buyers who are Users as well as third-party service providers and vendors.

MeRLIN will only provide Personal Information to third-party service providers and vendors that are authorized by MeRLIN to provide Solutions on MeRLIN’s behalf and for the purposes described in this Policy, and only when agreements are in place that require each third party to protect the privacy and confidentiality of the personal information that is shared and comply with all applicable privacy and data protection laws.

5. MeRLIN’s Legal Basis for Processing Personal Information

MeRLIN processes Users’ Personal Information, based on one or more of the following:

  • Users consent to MeRLIN’s processing of personal information, such as in case of processing of User’s location, or completing “optional” fields when registering in the Solutions.
  • Legitimate interest in the performance of MeRLIN services related to Users, such as a contractual agreement with MeRLIN Clients to use our Solutions;
  • A legitimate business interest exists, including but not limited to the circumstances described in Section 2 (Purpose of Processing) above.

6. Users’ Rights

Users may have certain rights relating to their Personal Information, subject to local data protection laws. MeRLIN aims to provide Users with choices about how MeRLIN uses their Personal Information, whenever possible. We also aim to provide Users with access to their Personal Information. If a User informs MeRLIN that information requires amendment, we strive to provide ways to update it quickly or to delete it – unless we have to keep that information for legitimate business or legal purposes. Subject to applicable law, Users may obtain a copy of Personal Information MeRLIN maintains about them, or they may update or correct inaccuracies in that information by contacting us. To help protect privacy and maintain security, MeRLIN will take steps to verify a User’s identity before granting access to the information.

7. Requesting and Accessing Personal Information

MeRLIN commits to resolving requests and complaints related to privacy and our collection or use of Personal Information. You may submit requests or complaints to

All Users may update or correct information about themselves by making changes to their profile in the Solutions or by submitting a request via email to

You may also communicate with us at:
MeRLIN Sourcing B.V.
Stationsplein 8K NL-6221BT,

You may also contact our Data Protection advisory body activeMind AG for any further information regarding the same via email to

activeMind AG
Kurfürstendamm 56
10707 Berlin, Germany
Tel.: +49 (0)30 / 770 19 10 70

Please note that we may ask Users to verify their identity and request and/or to provide additional information to verify their request before taking further action on their request. We will not use this additional information for anything other than handling these requests. Users may designate an authorized agent to make a request on their behalf in certain circumstances.

MeRLIN may respond to requests by letter, email, telephone, or any other suitable method. If a User completely deletes all such information, then their account may become deactivated. MeRLIN may retain an archived copy of records as required by law, to comply with our legal obligations, to resolve disputes, to enforce our agreements, or for other legitimate business purposes.

In some cases, our ability to uphold these rights for Users may depend upon our obligations to process Personal Information for security, safety, fraud prevention reasons, compliance with regulatory or legal requirements, or because processing is necessary to deliver requested services. Where this is the case, we may inform Users of such dependencies in response to their request.

MeRLIN endeavors to respond to verifiable requests within 30 days of receipt, consistent with applicable laws.

We do not charge a fee to process or respond to a verifiable request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will explain why we made that decision and provide a cost estimate before completing the request.

At this time, MeRLIN does not share Personal Information referenced in this Policy with third parties for their direct marketing purposes.

8. Data Retention

MeRLIN only keeps Personal Information consistent with our legitimate business interests and as permitted and/or required by applicable law, and any timeframes outlined in the applicable contractual agreement with MeRLIN’s Client. We retain Personal Information even after business relationships end if reasonably necessary to comply with our legal obligations (including law enforcement requests), meet regulatory requirements, resolve disputes, maintain security, prevent fraud and abuse, enforce our Terms of Service, or fulfill a request to “unsubscribe” from further messages from us.

9. Specific Jurisdictional Terms

Appendix A to this Policy includes terms specific to certain jurisdictions that may apply to Users. MeRLIN may update the Appendix from time to time, including to address changes in applicable laws without the requirement for notice. Appendix A is incorporated in and constitutes part of this Policy.

10. Questions about this Policy

If you have any questions relating to this Policy, please contact

11. Changes to this Policy

MeRLIN reserves the right to modify any part of this Policy from time to time. The most up-to-date version can be found on this website.

12. Related Policies and Procedures

Appendix A – Specific Jurisdictional Rights

Rights of Residents of the European Economic Area, United Kingdom, and Switzerland.
The European Economic Area’s General Data Protection Regulation (“GDPR”), and corresponding legislation in the United Kingdom and Switzerland, provide European, Swiss, and United Kingdom residents with certain rights in connection with Personal Information Users have shared with MeRLIN. Residents in the European Economic Area may have the following rights:

The right to be informed. Users are entitled to be informed of the use of Personal Data (as defined under GDPR). This Policy provides such information.

The right of access. Users have the right to request a copy of their Personal Data which MeRLIN holds.

The right of correction. Users have the right to request correction or changes of the Personal Data if it is found to be inaccurate or out of date.

The right to withdraw consent. Users have the right to withdraw previously given consent for processing their Personal Data for a specific purpose.

The right to be forgotten. Users have the right to request MeRLIN, at any time, to delete their Personal Data from our servers and to erase their Personal Data when it is no longer necessary for us to retain such data. Note, however, that deletion of Personal Data will likely impact a User’s ability to use our Solutions.

The right to object (opt-out). Users have the right to opt out of certain uses of their Personal Data, at any time.

The right to data portability. Users have the right to a “portable” copy of the Personal Data they have submitted to us. Generally, this means their right to request that we move, copy, or transmit their Personal Data stored on our servers or information technology environment to another service provider’s servers or information technology environment.

The right to refuse to be subjected to automated decision-making, including profiling. Users have the right not to be subject to a decision and insist on human intervention if the decision is based on automated processing and produces a legal effect or a similarly significant effect.

The right to lodge a complaint with a supervisory authority. Users have the right to lodge complaints about our data processing activities by filing a complaint with MeRLIN or with the relevant Supervisory Authority. A list of Supervisory Authorities is available here:

MeRLIN may, directly or indirectly through third parties around the world, process, store, and transfer the information Users provide, including their Personal Information, as described in this Policy. Specifically, the information and Personal Information that we collect may be transferred to, and stored at, a location outside of a User’s jurisdiction. It also may be processed by persons operating outside of a User’s jurisdiction who work for us or one of the organizations outlined in this Policy in connection with the activities outlined in this Policy. When transferring, storing, or processing Users’ Personal Information MeRLIN will take all steps necessary to ensure that Personal Information is treated securely and under this Policy and applicable Data Protection Laws. We have put in place commercially reasonable technical and organizational procedures to safeguard the information and Personal Information we collect on the Solutions. While we strive to use commercially acceptable means to protect your Personal Information, we cannot guarantee its absolute security. If Users are located in the European Economic Area and have questions about their rights, they may also contact the Supervisory Authority of your country of residence (see