Mercando

Privacy Policy

Version 1.0.0 • Effective Date: April 18, 2026

1. Introduction

Mercando ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our document management and due diligence platform ("Service").

By using our Service, you consent to the data practices described in this policy. If you do not agree with the practices described in this policy, please do not use our Service.

2. Data We Collect

Account Data

When you create an account, we collect:

  • Name (first and last)
  • Email address (business email required)
  • Phone number (optional)
  • Company affiliation
  • Role within your organization

Document Data

When you use the Service, we process:

  • Documents you upload (encrypted)
  • Document metadata (filename, size, type, upload date)
  • Document versions and version history
  • Categories and tags you assign
  • Sharing permissions and access history

Usage Data

We automatically collect:

  • Login timestamps and session duration
  • Actions performed within the Service
  • Features accessed and used
  • Search queries within your documents

Technical Data

We automatically collect:

  • IP address
  • Browser type and version
  • Operating system
  • Device information
  • Time zone setting

3. How We Use Your Data

We use your data for the following purposes:

  • Service Delivery: To provide, maintain, and improve the Service
  • Authentication: To verify your identity and manage your account
  • Security: To detect, prevent, and respond to security incidents
  • Communications: To send service updates, alerts, and support messages
  • Compliance: To comply with legal obligations and regulatory requirements
  • Audit Trail: To maintain records for compliance and due diligence purposes
  • Analytics: To understand how our Service is used and improve it

5. Data Sharing

We may share your data with:

  • Service Providers: Third-party vendors who assist in operating our Service (see Subprocessor List)
  • Your Organization: Administrators within your company may access account information
  • Authorized Parties: Parties you specifically authorize to access shared documents
  • Legal Requirements: When required by law, court order, or government request

We do not sell your personal data to third parties.

6. Data Retention

We retain your data for as long as necessary to provide the Service and comply with our legal obligations.

  • Account Data: Retained while your account is active, plus 30 days after deletion request
  • Documents: Retained according to your organization's settings and applicable retention requirements
  • Shared Documents: Subject to 5-year mandatory retention after access is revoked (Ley Debida Diligencia)
  • Audit Logs: Retained for a minimum of 7 years for compliance purposes

For more details, see our Data Retention Policy.

7. Your Rights

Depending on your location, you may have the following rights:

  • Access: Request a copy of your personal data
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your data (subject to retention requirements)
  • Portability: Receive your data in a structured, machine-readable format
  • Objection: Object to certain types of processing
  • Restriction: Request restriction of processing in certain circumstances
  • Withdraw Consent: Withdraw consent where processing is based on consent

To exercise these rights, contact us at privacy@nimbbo.com or through your account settings.

8. International Data Transfers

Your data may be transferred to and processed in countries other than your own. When we transfer data internationally, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data processing agreements with our subprocessors
  • Technical and organizational security measures

9. Security Measures

We implement comprehensive security measures to protect your data:

  • Encryption: AES-256-GCM for data at rest, TLS 1.3 for data in transit
  • Client-Side Encryption: Optional RSA-4096 end-to-end encryption
  • Access Controls: Role-based access control (RBAC)
  • Multi-Tenant Isolation: Data isolation between organizations
  • Audit Logging: Comprehensive activity logging
  • Regular Assessments: Security audits and vulnerability assessments

For more details, see our Security Policy.

10. Cookies

We use cookies and similar technologies to operate and improve our Service. For detailed information about the cookies we use, please see our Cookie Policy.

11. Children's Privacy

Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

12. Policy Updates

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact:

Mercando - Data Protection

Email: privacy@nimbbo.com

Data Protection Officer:

Email: dpo@nimbbo.com