General Data Protection Regulation (GDPR)

Last update: March 31, 2023

At Merge, data protection is a top priority–and has been from the beginning. In order to support customers that collect and process the personal data of EU citizens, Merge has implemented a wide array of controls and procedures to comply with the obligations of a data processor under the GDPR. For more information please visit 

Individual in charge of GDPR compliance

Gil Feig, CTO

Data Protection Officer

Gil Feig, CTO

Purpose of Processing

To enable our API integration service (the “Service”). For more details, see our Privacy Policy under Types of Uses of Information & Personal Information (

Lawful Basis of Processing and Consent for End Customer data

Consent: Via End Customer’s acceptance of End Customer Terms during account linking process. The End Customer can withdraw its consent by unlinking their account with Merge customer’s Service.

Contract: Via contracts with Customers which give Merge permission to process personal data for the purpose of providing the Service  to Customers. 

For more information, see the Merge Data Protection Agreement is available on our website (

Withdrawal of consent (or opt out)

For Customers, withdrawal of consent or opting out after initial consent/opt-in will be available via termination of their agreement with us. 

For End Customers who have linked an account with Merge through a Customer Application, withdrawal of consent may be accomplished by unlinking their account on the Service where they originally linked it.

For visitors to the service, opting out can be done by emailing

Cookie Policy

Please reference the Cookies section under our Privacy Policy (

Deletion Policy

Deletion of data for Customers is available when terminating their agreement with us. Individual linked accounts can be deleted by Customers on behalf of End Customers who have linked an account at any time via the Merge API. 

Data Deletion on the website ( for visitors can be done by contacting


Data Access / Modification / Portability

Customers can access, modify and download their data directly from the dashboard. Visitors can request a copy or update of their data by emailing

Security Controls

We maintain ISO 27001 and SOC 2 Type 2 certification alongside industry best practices to keep data secure. More information about our security practices is available at

Notification of Data Breach

Merge’s data breach notification process is outlined within its Incident Response Policy, and made available via our Trust Center at