Privacy Policy
Last updated: July 15, 2026
This Privacy Policy explains how [Legal Name / FOP], operating Mercur collects, uses, shares, and protects personal data when operating Mercur.
Mercur is a developer relay service. Because customers can expose local services and optionally save request logs, customer-controlled traffic may contain personal data or secrets. Customers are responsible for deciding what data they send through Mercur.
1. Personal Data We Collect
- Account data: email address, optional name, customer ID, password hash, account timestamps, and authentication session data.
- Guest data: generated guest customer ID stored in localStorage and a cookie, guest endpoint details, and migration state if you later register.
- Product configuration: proxy server IDs, protocols, startup modes, public/private settings, IP/CIDR whitelist rules, local ports, relay ports, server tokens, agent auth tokens, and route configuration.
- Tunnel and request data: methods, paths, query strings, headers, body previews, content types, source IP addresses, user agents, status codes, latency, timestamps, WebSocket metrics, TCP byte counts, active connection counts, and related runtime metadata.
- Device and usage data: IP address, browser or app information, operating system, log-in events, product interactions, diagnostics, and security events.
- Billing data: plan, subscription status, payment identifiers, invoices, tax data, and payment processor records when paid plans are enabled.
- Marketing and analytics data: cookie identifiers, page views, campaign data, events, and advertising audiences when analytics or marketing tools are enabled with required consent.
- Communications: messages you send to us, support requests, feedback, and related contact details.
2. Cookies and Local Storage
Mercur uses strictly necessary cookies and local storage for authentication, guest mode, security, preferences, and product functionality. Examples include session cookies, guest customer IDs, theme preferences, sidebar state, and cookie preference records.
If enabled, Google Analytics / Google Tag Manager and Meta Pixel may use cookies or similar technologies for analytics, attribution, advertising, retargeting, and campaign measurement. Where required, these tools should load only after consent.
You can manage non-essential categories on the Privacy Preferences page. Browser controls may also block or delete cookies.
3. How We Use Personal Data
- Provide, operate, secure, troubleshoot, and improve Mercur.
- Authenticate users, manage sessions, provision endpoints, connect agents, route traffic, enforce access controls, and display request history.
- Detect abuse, enforce the Terms, investigate security events, and protect users, systems, and the public.
- Process payments, invoices, taxes, billing communications, renewals, cancellations, and plan limits when paid plans are enabled.
- Respond to support requests, send service notices, and communicate product changes.
- Measure product and marketing performance, personalize campaigns, and build advertising audiences where allowed by law and consent choices.
- Comply with legal obligations and defend legal claims.
4. Legal Bases
Where GDPR, UK GDPR, or similar laws apply, we rely on contract necessity to provide Mercur, legitimate interests to secure and improve the service, consent for non-essential cookies and certain marketing, legal obligations for compliance, and, where applicable, vital or public-interest grounds for urgent security or safety issues.
5. Sharing of Personal Data
- Infrastructure and hosting providers that run the application, relay, databases, storage, networking, and monitoring.
- Database and cache providers used for account data, proxy configuration, request logs, metrics, sessions, and runtime state.
- Payment processors and billing providers when paid plans are enabled.
- Analytics and advertising partners, including Google Analytics / Google Tag Manager and Meta Pixel, when enabled and permitted by consent and law.
- Professional advisors, compliance providers, and support vendors where needed to operate the business.
- Authorities, courts, or third parties when required by law, to protect rights and safety, or to enforce our Terms.
- Successors in a merger, acquisition, financing, reorganization, or sale of assets.
6. Customer Traffic and Request Logs
When HTTP logging is enabled, Mercur may store request headers and body previews. These fields are capped and retained for a limited period, but they may still include secrets, tokens, cookies, payload data, or personal data supplied by you or by third parties calling your endpoint.
You should avoid logging sensitive data, redact sensitive data before it reaches Mercur where possible, and disable log modes when you do not need request inspection.
7. Retention
- Account data is retained while your account is active and for a reasonable period after closure where needed for legal, security, billing, backup, or dispute purposes.
- Guest customer cookies are currently set for up to 30 days unless cleared or migrated.
- Authentication sessions are currently configured for up to 30 days.
- HTTP request logs are currently designed to expire after 7 days and are also limited by a maximum item count per server.
- Runtime metrics and transient session state may be stored for shorter operational windows.
- Billing and tax records may be retained for the period required by applicable law.
8. International Transfers
Mercur may process data in countries other than where you live. When required, we use appropriate transfer safeguards such as standard contractual clauses, processor agreements, risk assessments, or other lawful mechanisms.
9. Your Rights
Depending on your location, you may have rights to access, correct, delete, export, restrict, object to processing, withdraw consent, opt out of certain targeted advertising or sale/share activity, and lodge a complaint with a regulator.
To exercise rights, contact [privacy@your-domain.com]. We may need to verify your identity and may refuse requests where allowed by law, such as where disclosure would harm another person, security, legal obligations, or trade secrets.
10. California and Similar US Privacy Rights
If California or similar US state privacy laws apply, you may have rights to know, access, correct, delete, opt out of sale or sharing, limit use of sensitive personal information, and not be discriminated against for exercising rights.
Mercur does not knowingly sell personal information for money. When marketing pixels or advertising tools are enabled, some disclosures to advertising partners may be considered "sharing" or "sale" under broad US privacy definitions. You can manage these choices on the Privacy Preferences page.
11. Children
Mercur is not intended for children under 18. We do not knowingly collect personal data from children.
12. Security
We use reasonable administrative, technical, and organizational measures to protect personal data. No service can guarantee perfect security, especially when users choose to expose local services to the internet.
13. Changes and Contact
We may update this Privacy Policy as Mercur evolves. Material changes will be communicated through an appropriate channel.
Privacy questions and requests may be sent to [privacy@your-domain.com]. Operator: [Legal Name / FOP], operating Mercur, [Legal address].