Privacy Policy
Last updated: March 30, 2025
This Privacy Policy explains how Mercardo ("we," "us," or "our") collects, uses, stores, and protects the information you provide when using our AI-powered marketing automation platform ("the Service"). By using the Service, you agree to the practices described in this policy.
1. Information We Collect
1.1 Account Information
When you register or sign in, we collect:
- Via Google OAuth: Your name, email address, and profile picture as provided by Google. We do not receive or store your Google password.
- Via Email / Password: Your email address and a bcrypt-hashed (one-way encrypted) version of your password. We never store plain-text passwords.
1.2 Content You Create
When you use the Service to generate marketing content, we collect and store the following data in our database:
- Campaign Prompts: The text descriptions ("Content Vision") you provide to generate images, videos, and reels.
- Business DNA Data: Brand information you submit, including brand name, tagline, tone of voice, core values, color palette, and any reference images you upload for logo recognition.
- Generated Assets: URLs of AI-generated images stored via our cloud providers. We do not claim ownership of any content you create.
- Campaign Metadata: Content type (image, video, reel), aspect ratio, distribution channels selected, review/approval status, and timestamps.
1.3 Third-Party Platform Tokens
To upload content to social platforms on your behalf, we may store OAuth access tokens for:
- YouTube (Google): To upload videos and Shorts to your connected YouTube channel.
- Instagram (Meta): To publish images, videos, and Reels to your connected Instagram Business or Creator account.
These tokens are stored securely and used exclusively to perform uploads you explicitly approve or schedule within the Service.
1.4 Automatically Collected Data
We collect limited technical data to operate and improve the Service:
- Session tokens (JWT) stored securely in HTTP-only cookies
- Server logs including request timestamps and error traces
- Browser and device type for compatibility purposes
We do not use tracking pixels, behavioral advertising cookies, or sell your data.
2. How We Use Your Information
- Authentication: To verify your identity and maintain your session securely.
- AI Content Generation: Your campaign prompts and Business DNA data are sent to Google's Gemini AI API to generate marketing content. These inputs are processed under Google's API terms and are not used to train Google's models.
- Social Publishing: Your approved content is uploaded to the social platforms (YouTube, Instagram) you explicitly connect and authorize.
- Analytics: Aggregated, anonymized statistics about campaign performance are displayed within your personal dashboard.
- Service Improvement: We may review aggregated, de-identified usage patterns to improve the platform.
We do not sell, rent, or share your personal data with advertisers or data brokers.
3. Data Sharing with Third Parties
We share data only with third-party services that are necessary to operate the platform:
| Service | Purpose | Privacy Policy |
|---|---|---|
| Google (OAuth & Gemini AI) | Authentication via Google Sign-In; AI content generation | View → |
| Meta (Instagram API) | Publishing approved content to Instagram | View → |
| YouTube Data API | Uploading approved videos and Shorts to YouTube | View → |
| Prisma + Database Provider | Secure storage of account, session, and campaign data | Internal |
| Resend (Email) | Transactional emails such as email verification | View → |
We contractually require all third-party service providers to protect your data in accordance with applicable privacy laws.
4. Data Retention
- Account Data: Retained for as long as your account is active.
- Campaign Logs: Retained until you use the "Clear Logs" function within the dashboard, or until you delete your account.
- Generated Assets: URLs to generated assets are retained in our database. The underlying media files are stored in our cloud bucket and may be purged after 90 days.
- Social Platform Tokens: Retained until you revoke access or disconnect the platform from your account settings.
5. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate data.
- Erasure: Request deletion of your account and associated data.
- Portability: Request your data in a machine-readable format.
- Revocation: Revoke third-party platform (Google, Meta) permissions at any time through your account settings on those platforms.
To exercise any of these rights, contact us at mail@mercardo.in.
6. Data Security
We implement industry-standard security measures to protect your data, including:
- HTTPS encryption for all data in transit
- bcrypt hashing for all stored passwords
- JWT-based sessions with HTTP-only cookies
- Restricted database access limited to server-side application code
No system is completely secure. If you discover a security vulnerability, please report it immediately to mail@mercardo.in.
7. Children's Privacy
The Service is not directed to individuals under the age of 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, contact us immediately.
8. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email or a prominent notice within the Service. Continued use of the Service after changes constitutes acceptance of the updated policy.
9. Contact Us
For questions, requests, or concerns about this Privacy Policy, please contact us:
Mercardo
Email: mail@mercardo.in
© 2026 Mercardo. All rights reserved.