Mercure.rocks Privacy Policy
Dunglas Services SAS ("we", "us", "Mercure.rocks") operates the https://mercure.rocks website and the Mercure Cloud service ("Service"). This policy explains what personal data we collect, why we collect it, how long we keep it, and what rights you have over it.
It applies to Mercure Cloud only. The open source Mercure Hub and Mercure Enterprise run on infrastructure you control: we do not collect any data from those deployments.
Last updated: 2026-04-30.
1. Data controller
Dunglas Services SAS, a French société par actions simplifiée, is the data controller for personal data processed through this Service. Contact: contact@mercure.rocks.
We have not appointed a data protection officer because we are not required to under GDPR Article 37. Data-protection requests are handled at the contact address above.
2. What we collect, why, and on what legal basis
| Data | Source | Purpose | Legal basis |
|---|---|---|---|
| Email address | You, via Auth0 sign-up | Account identification, service notifications | Contract (GDPR Art. 6(1)(b)) |
| Auth0 subject identifier | Auth0 | Linking your sign-in to your account | Contract |
| Project metadata (name, plan, configuration) | You | Provisioning and operating your Hub(s) | Contract |
| Billing information (card data is held by Stripe, never by us; we only see masked card metadata, customer ID, invoices) | You via Stripe | Processing payments, issuing invoices, fraud prevention | Contract & legal obligation |
| Server-side technical logs (IP address, request paths, timestamps, user-agent) generated by the API | Your browser | Security, debugging, abuse prevention | Legitimate interest (GDPR Art. 6(1)(f)) |
| Mercure Hub access logs (your tenant Hub's stdout logs) | Your subscribers/publishers | Operating the Service, troubleshooting | Contract |
We do not collect phone numbers, postal addresses, or any special-category data (Art. 9). We do not run advertising or analytics cookies.
3. How long we keep it
| Data | Retention |
|---|---|
| Account record (email, Auth0 link, projects) | Until you delete your account, then immediate erasure from production |
| Encrypted backups containing the database | 31 days from creation, then automatically purged from backup storage |
| Billing records (invoices, Stripe customer link) | 10 years, as required by French commercial law (Code de commerce L.123-22) |
| Mercure Hub logs | Ephemeral; tied to instance lifecycle (typically less than 24 hours), no centralized aggregation |
| API server-side logs | 30 days |
4. Subprocessors
We share personal data with the following processors. All have a Data Processing Agreement in place and process data on our instructions only.
| Subprocessor | Role | Location of processing | Transfer mechanism |
|---|---|---|---|
| DigitalOcean LLC | Primary infrastructure hosting the Service (compute, database, cache) | Amsterdam, Netherlands | EU-based processing, DPA with SCCs |
| Amazon Web Services EMEA SARL | Encrypted nightly backups | Paris, France | EU-based processing, DPA with SCCs |
| Okta, Inc. (Auth0) | Authentication (sign-up, sign-in, session) | EU region tenant | DPA with SCCs for incidental US support access |
| Stripe Payments Europe Ltd | Card payments, invoicing | Ireland (EU) and US for cardholder verification | DPA with SCCs |
We notify you on this page before adding or replacing a subprocessor.
5. International transfers
Mercure Cloud's primary processing happens entirely in the European Union (Netherlands and France). Two subprocessors (Auth0/Okta, Stripe) may transfer data outside the EU for incidental support or fraud prevention. Those transfers are covered by the European Commission's Standard Contractual Clauses signed with each processor. You can request a copy of the SCCs by emailing contact@mercure.rocks.
6. Your rights
Under GDPR you have the right to:
- Access the personal data we hold on you (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data, subject to legal retention obligations such as invoicing (Art. 17)
- Restrict processing (Art. 18)
- Object to processing based on legitimate interest (Art. 21)
- Portability for data you provided under contract (Art. 20)
- Withdraw consent where consent is the legal basis (it is not the basis for any of our core processing today)
The first request is free of charge, and requests are answered within 30 days. Email contact@mercure.rocks. If you are not satisfied with our response, you may lodge a complaint with the French data-protection authority CNIL.
7. Cookies
We use strictly necessary cookies only:
- An Auth0 session cookie, set when you sign in, used to keep you signed in.
- A small set of preference cookies for things like dismissing notices.
We do not use analytics, advertising, social, or tracking cookies. Under the ePrivacy Directive and French law, strictly necessary cookies do not require prior consent, which is why we do not display a cookie banner. You can clear cookies in your browser at any time; some Service features will stop working without the session cookie.
8. Security
We follow modern security practices, including state-of-the-art TLS via Caddy, rootless-compatible container images, a hardened Helm chart with NetworkPolicy and pod-level security, automated dependency and vulnerability scanning, and restricted shell access to production. See our Security Policy for details.
9. Data breach notification
In the event of a personal-data breach likely to result in a risk to your rights and freedoms, we notify the CNIL within 72 hours per GDPR Art. 33, and notify affected users without undue delay per Art. 34.
10. Children
The Service is not directed at children under 16. We do not knowingly collect data from minors.
11. Self-hosted deployments
If you run the open source Mercure Hub or Mercure Enterprise on your own infrastructure, we have no visibility into the data your Hub processes. You are the controller for that deployment and bear the corresponding GDPR obligations.
12. Data Processing Agreement
If you process personal data through Mercure Cloud as part of your own service, you may be the controller and we the processor. We provide a standard Article 28 DPA at /legal/dpa.
13. Changes to this policy
We post material changes here and update the "Last updated" date. For changes that materially affect your rights, we will notify users by email.