Privacy Policy
Effective Date: April 28, 2026
I. Introduction
Mergeroom Inc. (“Mergeroom,” “we,” “us,” or “our”) provides an AI-native virtual data room (“VDR”) for independent M&A advisors running sell-side mandates. This Privacy Policy describes how we collect, use, and handle information when you visit mergeroom.ai, sign up for early access, create an advisor account once the product launches, or otherwise interact with our services.
We do not sell or share personal information with third parties for their own marketing purposes. Mergeroom is a paid-subscription B2B service; we have no advertising business and no public directory of contacts.
If you want to access, correct, delete, or export information we hold about you, email us at contact@mergeroom.ai. We will respond within 30 calendar days.
II. How We Collect Information
Mergeroom collects information that you provide directly to us and information that is automatically collected when you use our site or services.
A. What Types of Information Does Mergeroom Collect and Process?
Waitlist Information. When you submit the early-access form on mergeroom.ai, we collect:
- Email address (required)
- Name (optional)
- Organization or firm (optional)
- The referral source of your visit (e.g., a utm_source parameter if present)
User Account Information (when the VDR product launches and you create an advisor account):
- Name and email address
- Firm or organization name and role
- Authentication credentials (managed by our auth provider, Clerk)
- Billing and payment information (processed by a future payment processor; we will not store credit card numbers)
Customer Content (post-launch). Advisors using the Mergeroom VDR will upload deal documents, buyer lists, and related transaction materials (“Customer Content”). Customer Content is the property of the advisor’s firm and the underlying deal parties, and is governed by a separate Data Processing Addendum (DPA) provided at the time of contracting.
Website Visitor Data. When you visit our site, our hosting provider’s servers automatically record standard server-log information, including IP address, browser type, pages viewed, and time and date of visit. We use minimal cookies described in Section V.
B. How Does Mergeroom Collect Information?
Information Submitted Through Our Site or Services. All personal information held by Mergeroom is submitted directly by you through our waitlist form, account signup, contact email, or use of the VDR. We do not collect personal information from public sources, third-party data brokers, or social-media scraping.
Automatically Collected Information. Limited information is collected via standard server logs and the cookies described in Section V.
C. How Does Mergeroom Handle Customer Information?
For advisors who become paying customers of the Mergeroom VDR (post-launch), we collect:
- Personal contact information regarding users of the services (“User Information”), including name, email, firm, and role
- Billing and payment information (processed securely by our future payment processor — we do not store credit card numbers)
- Usage logs and activity data, including logins, actions taken, timestamps, IP address, and other usage data (“Usage Data”)
- User-generated content, including data rooms, document uploads, buyer-list activity, and notes created through use of the VDR (“Customer Content”)
Use of Customer Information. We use Customer Information to provide and operate the VDR, respond to inquiries, complete transactions, provide customer support, send administrative information, and improve and personalize the service. We may use Customer Information to contact customers about service updates, security notices, and (with appropriate opt-out) general product news. We use Usage Data to test, develop, and improve the VDR.
We will not disclose Customer Information or Customer Content to any third party except (i) to subprocessors strictly necessary to operate the service (listed in Section IV), (ii) at the documented direction of the customer, (iii) in response to a bona fide legal dispute or valid compulsory legal process, or (iv) as otherwise required by law.
Mergeroom employs commercially reasonable security and back-up procedures to protect Customer Information. However, in the unlikely event there is a loss or corruption of Customer Information, Mergeroom is not responsible or liable for such loss except as expressly set forth in the customer’s signed agreement with us.
III. How We Use Information
We use collected information for the following purposes:
- Provide, maintain, personalize, and improve the site and services
- Send you information about early access to the Mergeroom VDR and updates about our development
- Process customer transactions and manage subscriptions (post-launch)
- Send technical notices, updates, security alerts, and administrative messages
- Respond to comments, questions, feedback, and support requests
- Create and authenticate user accounts
- Monitor and analyze trends, usage, and activities related to the site and services
- Detect, investigate, and prevent fraud, abuse, and other illegal activity
- Protect the rights and property of Mergeroom, our customers, and others
- Respond to requests from individuals exercising rights under applicable privacy law
- Comply with our contractual and legal obligations, resolve disputes, and enforce our agreements
- As required by law, regulation, or other governmental authority
IV. How We Share Information
Mergeroom does not sell or share personal information with third parties for those parties’ own marketing purposes. We share information only as described below.
Service Providers (Subprocessors)
Mergeroom relies on a small number of subprocessors to operate the site and services. These providers process personal information only as directed by us and are bound by contractual confidentiality and data-protection obligations:
- Clerk — user authentication, session management, and waitlist storage
- Vercel — site hosting, edge runtime, and content delivery
- Email delivery providers — transactional email (account verification, password resets, service notices). Today these emails are sent via Clerk; we may engage an additional email-delivery provider as we grow.
- Error and performance monitoring — we may engage an error-monitoring service to capture exception data necessary to keep the site reliable.
We will update this Section IV when we engage additional subprocessors.
Disclosures for Legal Reasons
We may disclose collected information to a third party if we believe in good faith that such disclosure is necessary or desirable: (i) to comply with lawful requests, subpoenas, search warrants, or court orders; (ii) to address a violation of law; (iii) to protect the rights, property, or safety of Mergeroom, its users, or the public; or (iv) to allow Mergeroom to exercise its legal rights or respond to a legal claim.
Business Transfers
In the event of a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our business, information may be transferred to the successor entity, subject to terms substantially similar to this Policy.
Aggregated or De-Identified Information
We may share aggregated or de-identified information that cannot reasonably be used to identify an individual.
With Your Consent
We may share information with your explicit consent.
V. Cookies and Tracking Technologies
A “cookie” is a small text file that a website places on your device. Mergeroom currently uses cookies and similar technologies sparingly:
- Essential cookies. Required for the site to function, including authentication and session management via Clerk. These cannot be disabled if you wish to sign in.
- Functional storage. Browser localStorage may be used to remember your preferences (e.g., display settings). localStorage is not transmitted to our servers.
We do not currently use third-party analytics, advertising, or remarketing cookies on the marketing site. If we add analytics in the future, we will update this Policy, surface a cookie banner, and provide an opt-out before any non-essential tracking is loaded.
Global Privacy Control
There is no single industry standard for “Do Not Track” (DNT) browser signals, and we do not currently respond to DNT. We recognize and honor Global Privacy Control (GPC) signals to the extent applicable; given that Mergeroom does not sell or share personal information for advertising purposes, GPC has no operational effect on our processing today.
VI. Your Rights and Choices
You have rights regarding the personal information we hold about you. The mechanisms below apply to all individuals regardless of state of residence, even where state law would not otherwise grant the right.
A. Available Rights
You may:
- Access — request a copy of the information we hold about you
- Correct — request correction of inaccurate or outdated information
- Delete — request deletion of your information
- Port — receive your data in a portable, machine-readable format
- Opt out of marketing emails — unsubscribe via the link in any email
B. How to Submit a Request
Email contact@mergeroom.ai with the request type in the subject line (e.g., “Access Request” or “Deletion Request”). We may take reasonable steps to verify your identity before processing the request — typically by responding from the email address on file or asking you to confirm a code sent to that address.
C. Response Timelines
- We respond substantively within 30 calendar days of receipt of a verifiable request.
- If a request is unusually complex, we may extend the response window by an additional 30 days and notify you in writing of the extension.
D. Authorized Agents and Appeals
You may designate an authorized agent to submit a request on your behalf, subject to identity verification. If we deny a request in whole or in part, you may appeal by emailing contact@mergeroom.ai with the subject line “Privacy Request Appeal.” We will respond to appeals within 30 days.
E. Non-Discrimination
We will not discriminate against you for exercising any of your privacy rights. We will not deny you services, charge you different prices, or provide a different level of service because you exercised a right under this Policy. We do not offer financial incentives for the collection, sale, retention, or deletion of personal information.
F. Categories of Personal Information
The following table describes the categories of personal information we have collected in the preceding 12 months:
| Category | Collected | Sources | Business Purpose | Sold or Shared |
|---|---|---|---|---|
| Identifiers (name, email, organization) | Yes | Directly from you (waitlist or account signup) | Provide and improve services; communicate about early access and product updates | No |
| Internet or electronic network activity (IP address, browser type, pages viewed) | Yes (site visitors only) | Automatically collected via server logs and essential cookies | Site reliability, security, fraud prevention | No |
| Approximate geolocation (derived from IP) | Yes (site visitors only) | Automatically collected via server logs | Security, fraud prevention | No |
| Commercial information (subscription, billing, transaction history) | Will be collected once paid plans launch | Directly from customer | Process purchases, manage subscriptions, support customers | No |
| Customer Content (deal documents, buyer lists, notes) | Will be collected post-launch | Directly from advisor customers | Provide the VDR service to that customer; governed by separate DPA | No |
We do not collect “sensitive personal information” as defined under applicable state privacy laws.
We have not sold or shared any category of personal information in the preceding 12 months.
To the extent any state consumer privacy law applies — including the California Consumer Privacy Act (CCPA/CPRA) — we honor the rights described above for all individuals regardless of state of residence.
VII. Data Retention
We retain personal information only for as long as necessary for the purposes described in this Policy.
- Waitlist Information. Retained until you request deletion, or until 12 months after the Mergeroom VDR’s general availability, whichever comes first.
- User Account Data (post-launch). Retained for the duration of an active account. After account deletion, retained for 30 days, then permanently deleted, except where longer retention is required to comply with legal obligations.
- Customer Content (post-launch). Retained per the customer’s signed agreement and Data Processing Addendum.
- Server logs. Retained for up to 90 days for security, abuse prevention, and operational diagnostics.
- Records required by law. Tax records, contractual records, and similar materials are retained for the period required by applicable law.
After the applicable retention period ends, we delete the personal information or render it permanently de-identified.
VIII. General
Data Security. Mergeroom uses encryption in transit and at rest, access controls, and authentication measures provided by Clerk and Vercel to protect personal information. We follow generally accepted industry standards. However, no method of internet transmission or electronic storage is 100% secure, and we cannot guarantee absolute security.
Children’s Privacy. Our site and services are directed to professional users — independent M&A advisors and their counterparties — and are not intended for individuals under the age of 16. We do not knowingly collect personal information from individuals under 16. If we learn that we have inadvertently collected such information, we will delete it promptly. If you believe we may have collected information from someone under 16, contact us at contact@mergeroom.ai.
Information for Individuals Outside the U.S. Mergeroom is a U.S. company headquartered in Delaware. Personal information we collect is stored and processed in the United States (and, in limited cases, in regions used by Clerk and Vercel). If you use our site or services from outside the United States, you understand that your information may be transferred to and processed in the U.S., where the laws regarding personal information may differ from the laws of your jurisdiction.
Links to Other Sites. Our site may contain links to third-party sites we do not own or control. We are not responsible for the privacy practices of those sites. This Policy applies only to information collected by Mergeroom.
Changes to This Policy. We may modify this Policy from time to time. If we make material changes, we will notify registered users and waitlist subscribers by email and update the effective date at the top of this page. Continued use of the site or services after the effective date of an update constitutes acceptance of the updated Policy.
IX. Contact Us
If you have questions or concerns about this Privacy Policy or your personal information, contact us:
- Email: contact@mergeroom.ai
- Mailing address: Mergeroom Inc., Delaware, United States