
Privacy policy

Last updated: April 23, 2026

Note for English readers: This page is a translation of our German privacy policy. The German version is legally authoritative. All legal references (DSGVO, BDSG, DDG) are German data protection laws implementing the EU GDPR.

Protecting your personal data is important to us. We process your data exclusively on the basis of the statutory provisions (GDPR, BDSG, DDG). In this policy we inform you transparently about which data we process for which purpose.

In short: We do not set any first-party cookies and use no tracking or analytics tools on this website. External functions (appointment booking, AI chatbot, contact-form security check) are loaded only after your active click, not automatically on page load. Data is processed only when you actively contact us, book an appointment, or use our chatbot. Our booking runs on a self-hosted Cal.com instance on our own infrastructure in Germany, not on a third-party scheduler. We do not share data with third parties except the processors listed below for technical provision.

1. Controller

The controller in the sense of the GDPR is:

Dr.-Ing. Sven Rost
merlon.ai
Markt 14
01683 Nossen
Germany
Phone: +49 162 9422518
Email: contact@merlon.ai

A data protection officer is not legally required and has not been appointed.

2. Your rights

You have the following rights regarding the personal data we hold about you:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object to processing (Art. 21 GDPR)
  • Right to withdraw consent (Art. 7 para. 3 GDPR)

To exercise your rights, an informal message to contact@merlon.ai is sufficient. You also have the right to lodge a complaint with a data-protection supervisory authority about our processing of your personal data (Art. 77 GDPR). The competent authority is the Saxon Data Protection and Transparency Commissioner (Sächsische Datenschutz- und Transparenzbeauftragte, Devrientstraße 1, 01067 Dresden, Germany).

3. Provision of the website and server logs

When you visit our website, technically necessary data is automatically captured in log files by our hosting provider. This includes: truncated IP address, date and time, URL requested, referrer, user agent.

Purpose: Ensuring technical provision, security and stability of the website.
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest).
Retention: Log data is deleted or anonymized after a maximum of 14 days.

4. Contacting us

4.1 Contact form

If you send us a message via the contact form, we process the data you provide (name, email address, optionally organization, message) to handle your inquiry.

Legal basis: Art. 6 para. 1 lit. b GDPR (pre-contractual measures) or Art. 6 para. 1 lit. f GDPR (legitimate interest in answering inquiries).
Retention: Data is deleted as soon as the purpose no longer applies and no statutory retention obligations (e.g. § 147 of the German Fiscal Code: six years) preclude deletion.

4.2 Email and phone

If you contact us by email or phone, the information you provide is processed to handle your inquiry. The legal basis and retention correspond to section 4.1.

4.3 Checklist request (lead magnet)

On the page /en/checkliste (or /checkliste in German) you can request our two-page checklist on AI for regulated professions as a PDF via email. The checklist content covers German law (§ 203 StGB, GDPR, German professional codes); both the English and German editions address the same German-law scope. In doing so we process your email address and your profession (tax advisor / attorney / physician / other).

Purpose: one-time delivery of the requested checklist to the email address you provided, and internal traceability and qualification of the request (which profession, which country, at what time) for potential subsequent personal outreach by us.
Legal basis: Art. 6 para. 1 lit. a GDPR (consent given by actively ticking the consent checkbox) together with Art. 6 para. 1 lit. b GDPR (performance of a pre-contractual measure you requested), and — for the internal lead qualification — Art. 6 para. 1 lit. f GDPR (legitimate interest in traceability of our own marketing activities).
Recipients / processors: Email delivery is technically handled by Resend (see section 6); the internal notification copy is stored in our mailbox at Mailbox.org (see section 5). In addition, we store your email address, profession, language, approximate location (country/city derived from IP geolocation — the IP address itself is not stored), user-agent and timestamp in an internal database at Cloudflare D1 (EU-West region, see section 8). Your data is not added to any newsletter system and is not shared with third parties.
Retention: The records in the D1 database are retained for up to 24 months and then deleted, unless you reach out to us beyond the checklist request. The email copies in the mailbox follow the general mail retention (section 5).
Withdrawal / deletion: You can withdraw your consent at any time — informally by replying to the email you received or by writing to contact@merlon.ai. We will then delete both the mail copy and the D1 record.

No newsletter, no automated follow-ups: Requesting the checklist does not subscribe you to any newsletter or automated follow-up communication. Any subsequent personal outreach by us (e.g. pointing out a fitting service) happens manually and only in justified individual cases.

5. Email hosting (Mailbox.org)

Our email mailboxes (including contact@merlon.ai) are hosted by the German provider Mailbox.org. All emails addressed to us are received, stored and processed on Mailbox.org servers in Germany. Automated confirmation and appointment emails from our scheduling system (see section 9) are also sent via Mailbox.org. Mailbox.org encrypts data at rest and the transport path to other mail servers according to the state of the art (TLS, PGP/S-MIME support).

Processor: Heinlein Support GmbH, Schwedter Straße 8/9a, 10119 Berlin, Germany. Data processing takes place exclusively within the European Union.
Legal basis: Art. 6 para. 1 lit. b GDPR (handling of inquiries) or Art. 6 para. 1 lit. f GDPR (legitimate interest in reliable, GDPR-compliant email infrastructure).
DPA: A data-processing agreement pursuant to Art. 28 GDPR was requested and will be in place before going into productive operation.
More information: mailbox.org/datenschutz.

6. Automated email delivery (Resend)

For the automated delivery of emails from the contact form (section 4.1) and for sending the requested checklist PDF (section 4.3) we use the service Resend. The data you provide in the respective form is transmitted to Resend and delivered from there either to our Mailbox.org inbox or to the email address you provided.

Processor: Resend, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA. Data transfer to the USA takes place on the basis of the EU Standard Contractual Clauses (Art. 46 para. 2 lit. c GDPR) as well as supplementary technical protective measures. A DPA pursuant to Art. 28 GDPR has been concluded.
Legal basis: Art. 6 para. 1 lit. f GDPR (efficient and reliable email delivery from the contact form).
More information: resend.com/legal/privacy-policy.

7. AI chatbot (Anthropic)

This website offers an AI chatbot that answers questions about merlon.ai's services, pricing and process. The associated script is not loaded on page load — it is loaded only after you actively click the chat button in the bottom right corner.

As soon as you open the chat and send a message, the text of your message and the existing conversation history are transmitted via our own Cloudflare Worker to the AI provider Anthropic and processed there by a language model (Claude). merlon.ai itself does not persistently store the conversation history; it exists only transiently in your browser window until you close the chat or leave the page.

Processor: Anthropic, PBC, 548 Market Street PMB 90375, San Francisco, CA 94104, USA. Data transfer to the USA takes place on the basis of the EU Standard Contractual Clauses (Art. 46 para. 2 lit. c GDPR). Anthropic is not currently certified under the EU-U.S. Data Privacy Framework. A DPA pursuant to Art. 28 GDPR is concluded as part of Anthropic's terms (Data Processing Addendum).
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in an immediately available information offer for website visitors).
Retention at Anthropic: According to the provider, chat content is retained for up to 30 days for abuse detection and then deleted. The provider states that the data is not used to train the models.
More information: anthropic.com/legal/privacy.

Important note: The chatbot is intended solely to answer questions about merlon.ai. It is not suitable for transmitting confidential client, patient, or customer data. For follow-ups with personal references or a binding inquiry, please use our contact form or contact@merlon.ai.

8. Hosting and content delivery (Cloudflare)

This website is delivered on the infrastructure of Cloudflare. Cloudflare distributes content over a global network and provides protection mechanisms against attacks (DDoS, bots). In doing so Cloudflare processes technically necessary connection data — in particular IP address, browser type, requested content and timestamps.

Processor: Cloudflare Germany GmbH, Rosental 7, c/o Mindspace, 80331 Munich (German branch) and Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA. Data transfer to the USA takes place on the basis of the EU Standard Contractual Clauses (Art. 46 para. 2 lit. c GDPR) and the EU-U.S. Data Privacy Framework. A DPA pursuant to Art. 28 GDPR has been concluded.
Legal basis: Art. 6 para. 1 lit. f GDPR (secure and performant provision of the website).
More information: cloudflare.com/privacypolicy.

Bot protection (Cloudflare Turnstile): To protect our contact form from automated spam submissions we use Cloudflare Turnstile — a privacy-friendly alternative to classical CAPTCHAs. The associated script is not loaded on page load — it is loaded only when you actively use the contact form (first cursor focus on a form field). Turnstile analyzes anonymous telemetry and behavior signals (browser fingerprint, IP address, interaction patterns) to distinguish humans from bots. No cookies are set for tracking or marketing purposes; according to the provider, personal data is not used for any purpose other than bot defense.
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in defending against automated attacks on our contact form).
More information: cloudflare.com/turnstile.

Database (Cloudflare D1): The lead data collected via the checklist request (section 4.3) is stored in Cloudflare D1 — a serverless SQL database by Cloudflare. We store: email address, profession, language of the request, country and city (derived from IP geolocation at the time of the request, not the IP address itself), user-agent and timestamp. The database runs in the EU-West region (Europe); no third-country transfer occurs for this data. The DPA with Cloudflare (see section 8, first paragraph) also covers D1.
Legal basis: Art. 6 para. 1 lit. a and lit. b GDPR (consent and pre-contractual measure) together with Art. 6 para. 1 lit. f GDPR (legitimate interest in lead qualification).
Retention: up to 24 months, see section 4.3.

9. Appointment booking (self-hosted Cal.com)

For online booking of an introductory call we operate our own instance of the open-source software Cal.com under the subdomain cal.merlon.ai. This is not the hosted service of Cal.com Inc. — the software runs on our own server infrastructure at Hetzner (see section 10).

The booking widget is only loaded on our website when you actively click the "Book a call" button. Before that, no connection to the booking infrastructure takes place. As soon as you open the widget, technically necessary session cookies are set on cal.merlon.ai to represent the booking process. These cookies are not used for tracking or marketing and do not leave our infrastructure.

As part of the booking we process the data you provide (name, email address, optionally phone number, selected appointment, optionally a short message). This data is processed exclusively for the purpose of appointment coordination and stored until you revoke your consent or until the end of the statutory retention period.

Legal basis: Art. 6 para. 1 lit. b GDPR (pre-contractual measures) or Art. 6 para. 1 lit. f GDPR (legitimate interest in efficient appointment coordination).
Processor: No third-party provider — the software runs on a dedicated server at Hetzner Online GmbH in Germany (see section 10).

10. Server infrastructure (Hetzner)

Our application servers — in particular the appointment-booking instance described in section 9 — run at Hetzner Online GmbH in the Falkenstein data center, Saxony. In this context Hetzner processes technically necessary connection data (IP address, timestamps) to provide the server infrastructure.

Processor: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. Data processing takes place exclusively within the European Union.
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in reliable, GDPR-compliant server infrastructure).
DPA: A separate data-processing agreement pursuant to Art. 28 GDPR has been concluded with Hetzner; the technical and organizational measures pursuant to Art. 32 GDPR are included as an annex.
More information: hetzner.com/rechtliches/datenschutz.

11. No cookies, no tracking

We use no first-party cookies, web-analytics tools, pixel tracking or social-media widgets on this website. No external third-party scripts are loaded. A cookie banner is therefore not required.

Only exception: If you actively click "Book a call", we load our self-hosted scheduling widget, which sets technically necessary session cookies on cal.merlon.ai (see section 9). These cookies serve only the booking process, not tracking.

Server-side page view counter: For internal reach and funnel measurement we keep aggregated daily counters on our server (date, path, visit count), with no link to your IP address, browser attributes, session ID or cookies. No personal data are stored; individual visitors cannot be re-identified. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in measuring the effectiveness of our own website).

12. SSL/TLS encryption

For security reasons this website uses SSL/TLS encryption. You can recognize an encrypted connection by the fact that the browser's address bar changes from "http://" to "https://". With encryption active, the data you transmit to us cannot be read by third parties.

13. Changes to this privacy policy

We reserve the right to adapt this privacy policy so that it always complies with current legal requirements or to reflect changes to our services. The new privacy policy will then apply to your next visit.
