This Privacy Policy describes how personal data is collected, used, processed, stored, and protected in connection with the use of the Mersaly platform (mersaly.app). It applies both to business customers using the platform (“Customers”) and to end users who interact with those businesses through WhatsApp (“End Users”).
Mersaly operates through the official WhatsApp Business API.
We collect and process different types of data in connection with the use of the Mersaly platform:
Customer Data: Includes account registration details such as name, email address, and encrypted password, as well as company information, billing details, and usage data such as access logs and IP addresses.
End User Data: Includes phone numbers, names (as provided or uploaded by the Customer), message content, delivery status information, opt-in and opt-out records, as well as segmentation and tagging data created by the Customer.
Automatically Collected Data: Includes cookies, device and browser information, IP addresses, and website usage data such as page views and interactions.
Mersaly processes personal data for the following purposes: enabling message delivery and tracking through the WhatsApp Business API, managing and reporting on marketing campaigns, administering and maintaining customer accounts, and providing access to platform features and services. Data is also processed for analyzing platform performance, improving system functionality, and enhancing user experience.
In addition, data may be processed to provide customer support, respond to inquiries, and resolve technical or operational issues. Mersaly also processes data to ensure the security and integrity of the platform, prevent fraud and unauthorized access, and comply with applicable legal and regulatory obligations.
Where applicable, Mersaly complies with international data protection laws, including the General Data Protection Regulation (GDPR) for users located in the European Economic Area (EEA), and the Personal Data Protection Law (KVKK) for users located in Turkey. The applicability of these laws depends on the location of the data subject.
Mersaly implements industry-standard security measures to protect personal data. All sensitive data is encrypted at the field level using AES-256-GCM encryption. Each tenant is assigned a unique encryption key through an envelope encryption model to ensure data isolation and enhanced security. In addition, HMAC-SHA256 blind indexing is used to allow secure search functionality over encrypted data without exposing its contents. Data transmitted between systems is protected using TLS 1.3 encryption.
Mersaly retains data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy. Retention periods are defined as follows: customer account data is retained for the duration of the active account plus 30 days after termination, end user data is retained according to the customer’s configuration or default retention period of 12 months, message content is stored for up to 90 days, system logs are retained for 12 months, and backups are retained for up to 30 days before being securely deleted.
Mersaly does not sell or share personal data with third parties for their own marketing purposes without explicit user consent. However, personal data may be shared with the following categories of recipients where necessary for the operation of the service:
Meta (WhatsApp): Phone numbers and message content are processed through the WhatsApp Business API for message delivery and communication services.
Infrastructure Providers: Data may be shared with third-party hosting providers, cloud infrastructure services, and content delivery networks (CDNs) that support the operation, security, and performance of the platform.
Legal and Regulatory Authorities: Personal data may be disclosed if required by law, court order, or valid request from competent governmental or regulatory authorities.
Mersaly uses cookies and similar tracking technologies to ensure proper functioning of the platform and to improve user experience.
Essential Cookies: These cookies are strictly necessary for the operation of the platform and cannot be disabled as they enable core functionality such as authentication and security.
Analytics Cookies: These cookies collect anonymized usage data to help us understand how the platform is used and to improve performance and features. Users may choose to disable these cookies.
Preference Cookies: These cookies store user settings such as language selection and interface preferences to provide a more personalized experience.
Mersaly does not use third-party advertising cookies.
Where applicable under data protection laws such as the GDPR and KVKK, users have certain rights regarding their personal data, including the right to be informed, the right of access, the right to rectification, the right to erasure (right to be forgotten), the right to restrict processing, the right to data portability, and the right to object to processing.
Users may exercise any of these rights by contacting Mersaly at info@mersaly.app. All requests will be reviewed and responded to within thirty (30) days, unless a longer period is required by applicable law.
End User consent (opt-in) is required before sending any WhatsApp messages. Consent must be freely given, specific, informed, and unambiguous. The use of pre-checked boxes or any form of implied consent is strictly prohibited.
When collecting consent, the business name must be clearly presented, along with a clear description of the types of messages to be sent and their expected frequency. All messages sent through the platform must clearly identify the sending business and include a simple and accessible opt-out mechanism allowing users to unsubscribe at any time.
The Mersaly platform is not intended for use by individuals under the age of 18. Mersaly does not knowingly collect, process, or store personal data from children. If we become aware that personal data of a child has been collected inadvertently, we will take appropriate steps to delete such data in accordance with applicable laws
Mersaly may update or modify this Privacy Policy from time to time as necessary to reflect changes in legal, technical, or operational requirements. In the event of material or significant changes, users will be notified in advance via email and/or through in-platform notifications. Continued use of the platform after such updates take effect constitutes acceptance of the revised Privacy Policy.