Last updated: March 2026
In the course of delivering our services, Merkle Labs may handle client IT infrastructure data (system configurations, network architecture, software inventories), business metrics and performance data relevant to our engagement, and business contact information of client personnel. We only access data that is directly necessary for delivering the agreed-upon services.
All client data is stored using encrypted, cloud-hosted infrastructure with strict access controls. Data is segmented per client to prevent any cross-contamination. Access is limited to authorised Merkle Labs personnel who require it to perform their duties.
Client data is retained for the duration of the active engagement plus 90 days after the conclusion of services. After this retention period, all client data is permanently deleted from our systems. Clients may request early deletion of their data at any time during or after the engagement.
Client data is never sold to third parties. Sharing is strictly limited to essential service providers who assist in delivering our services, and only under binding confidentiality agreements. We will always inform clients before sharing any data with a third-party provider.
We employ encryption at rest and in transit for all client data. Our infrastructure undergoes regular security audits and penetration testing. Access controls are enforced using the principle of least privilege, and all access is logged and monitored.
You have the right to access all data we hold about you and your organisation, export your data in a standard format, and request complete deletion of your data at any time. We will fulfil all data requests within a reasonable timeframe.
For questions about this Data Policy or to exercise your data rights, please contact Merkle Labs at dion@merklelabs.xyz.