Privacy Policy
Last updated: July 12, 2026
MeritForge (“MeritForge,” “we,” “us,” or “our”) is a business-to-business employee recognition platform designed for organizations, teams, and workplaces.
This Privacy Policy explains how we collect, use, store, and protect personal data when you use MeritForge, visit our website, or interact with our services.
MeritForge is based in Spain and is designed with European data protection principles in mind, including the General Data Protection Regulation (GDPR).
1. Who this policy applies to
This policy applies to:
- employees, members, contractors, managers, administrators, and owners who use a MeritForge workspace;
- organization representatives who create, manage, or administer a MeritForge workspace;
- people who contact us for support, sales, or product inquiries;
- visitors to our website or landing pages.
MeritForge is intended for workplace and organizational use. It is not directed to children or intended for personal use by minors outside an organization-provisioned workspace.
2. Our role and your organization’s role
MeritForge is a multi-tenant SaaS platform. This means that organizations create and manage their own workspaces, users, recognition settings, rewards configuration, and internal data.
For most workspace-related personal data, your employer or organization acts as the Data Controller, because it decides why the data is processed and how the workspace is used.
MeritForge acts as a Data Processor for that workspace data, processing it on behalf of the organization and according to its instructions.
In some cases, MeritForge may act as a Data Controller for limited data we process for our own purposes, such as account administration, security, service improvement, website analytics, billing administration, support communications, and legal compliance.
3. Information we collect
We collect only the information needed to provide, secure, support, and improve MeritForge.
Account and identity data
We may collect:
- email address;
- name;
- workspace membership;
- role within the platform, such as Owner, Admin, or Member;
- authentication and login-related information.
Authentication is provided through Supabase Auth. MeritForge uses passwordless authentication methods such as magic links or one-time codes, so we do not store user passwords in our own application database.
Profile and organization data
Depending on how your organization configures MeritForge, we may process:
- job title;
- department, team, group, or organizational unit;
- manager or reporting relationship;
- joined date or work anniversary date;
- profile image;
- organization name, logo, structure, values, and settings.
Profile images, organization logos, and other uploaded media may be stored using Microsoft Azure Storage.
Recognition and activity data
MeritForge processes data generated through recognition activity, including:
- Sparks and peer-to-peer recognition messages;
- Great Hall activity feed content;
- comments and replies;
- forged medal titles and descriptions;
- badge rarity, category, and selected visuals;
- hashtags, company values, and recognition tags;
- XP, Honor, Ingots, Sparks, and other recognition economy events;
- approvals, audit trails, and reward-related history.
This information is used to operate the recognition platform, preserve company continuity, calculate balances and milestones, provide analytics, and support workspace administration.
Integration data
If your organization enables integrations, we may process data needed to operate those integrations.
For example:
- Slack integration data may be used to allow users to send recognition from Slack;
- Tremendous integration data may be used to support reward fulfillment;
- CSV or XLS import data may be used to create or update organization structure, users, departments, teams, joined dates, and manager relationships.
The exact data processed depends on which integrations your organization enables.
Support and communication data
If you contact us, we may collect:
- your name and email address;
- the content of your message;
- support details needed to investigate and respond to your request;
- technical information relevant to solving the issue.
Usage, security, and analytics data
We may collect technical and usage information such as:
- device and browser information;
- IP address;
- approximate location derived from technical data;
- log data;
- session and event data;
- feature usage;
- error reports;
- security events.
At the time of this policy, MeritForge does not rely on third-party advertising tracking. In the future, we may use analytics tools such as Google Analytics or similar platforms to understand product usage and improve the service. Where required, we will use appropriate consent, cookie controls, or opt-out mechanisms.
If analytics are enabled, we may track usage across sessions using unique user or device identifiers to understand product behavior, improve reliability, and measure feature adoption.
4. How we use personal data
We use personal data to:
- create, authenticate, and manage user accounts;
- operate organization workspaces;
- enable recognition, medals, Sparks, comments, rewards, and activity feeds;
- manage organization structure, departments, teams, groups, and manager relationships;
- provide analytics and insights to authorized workspace administrators;
- process approvals, audit trails, and reward history;
- provide integrations requested by the organization;
- generate AI-assisted badge or recognition titles when requested;
- provide support and respond to inquiries;
- secure the platform and prevent abuse;
- monitor performance and fix technical issues;
- comply with legal, accounting, tax, security, and regulatory obligations;
- improve MeritForge’s product and user experience.
5. AI-assisted processing
MeritForge may offer AI-assisted features, such as suggesting badge titles or recognition wording based on an achievement description.
When a user requests an AI-generated suggestion, the relevant text may be sent to an AI service hosted on Microsoft Azure.
We use this processing only to provide the requested generation feature. We do not use customer workspace content to train public or external AI models.
Organizations and users should avoid entering unnecessary sensitive personal data into AI-assisted fields.
6. Rewards and third-party fulfillment
If your organization enables rewards, MeritForge may process reward-related data such as:
- recipient name;
- recipient email address;
- reward value;
- reward milestone or eligibility event;
- reward delivery status.
Where Tremendous or another approved reward provider is enabled by the organization, MeritForge may send the minimum required information to that provider so the reward can be fulfilled.
MeritForge does not collect or store employee bank account details or personal payment card information for reward fulfillment.
7. Legal bases for processing
Where MeritForge acts as a Data Controller, we process personal data under one or more of the following legal bases:
- Contractual necessity, where processing is needed to provide the service;
- Legitimate interests, such as securing the platform, improving the service, preventing abuse, and supporting customers;
- Legal obligation, where we must retain or process data for legal, tax, accounting, security, or regulatory reasons;
- Consent, where required, such as for certain analytics, cookies, or optional marketing communications.
Where MeritForge acts as a Data Processor, the customer organization determines the applicable legal basis for processing workspace data.
8. Data sharing and subprocessors
We do not sell personal data.
We may share personal data with trusted service providers and subprocessors where necessary to provide MeritForge, including:
- Microsoft Azure for hosting, compute, storage, and AI-related services;
- Supabase for database, authentication, and related backend services;
- Tremendous or other approved reward providers, if rewards are enabled;
- communication, support, monitoring, logging, or analytics providers, if used;
- legal, accounting, compliance, or security advisors where necessary.
These providers may only process personal data as needed to provide their services to us or to the customer organization.
9. Data location and international transfers
MeritForge is operated from Spain. Our core application infrastructure and primary database services are intended to be hosted in European regions where available, including Microsoft Azure services in Europe and Supabase database hosting in Europe.
However, some third-party providers, subprocessors, support services, billing providers, reward providers, analytics tools, security services, or operational systems may process limited personal data outside the European Economic Area.
Where personal data is transferred outside the European Economic Area, we rely on appropriate safeguards required by applicable data protection law, such as adequacy decisions, Standard Contractual Clauses, data processing agreements, and additional technical or organizational measures where appropriate.
10. Data retention
We retain personal data only for as long as necessary to provide the service, support the organization workspace, comply with legal obligations, resolve disputes, maintain security, and preserve legitimate business records.
Employee deactivation
When a workspace administrator deactivates an employee account, the employee’s access to that workspace is removed immediately.
Historical recognition activity may be retained while the tenant workspace remains active so that previous recognitions, audit trails, reward history, reporting, and company continuity are preserved.
Where an identity is deleted or anonymized, historical activity may be shown under a generic label such as “Former Employee” instead of exposing the original personal identity.
Workspace deletion
When a tenant workspace is scheduled for deletion, access to that workspace is disabled immediately.
The workspace then enters a deletion-pending period of up to 90 days for recovery, export, support, or administrative review.
After the retention period, authorized backoffice staff may finalize deletion.
On final deletion, tenant-owned personal and workspace data is deleted or anonymized where appropriate. This may include:
- raw Great Hall recognition text;
- comments and replies;
- Slack integration data;
- invitations and access requests;
- notifications;
- product feedback;
- analytics projections;
- organization logos;
- forged medal images;
- public badge or share links;
- direct tenant-owned image URLs.
Public badge links and direct tenant-owned asset URLs may stop working after deletion.
Minimal financial, audit, security, and operational records may be retained where necessary for legal, accounting, tax, fraud prevention, security, or dispute-resolution purposes. Where possible, personal identifiers are minimized, anonymized, or scrubbed.
Backups are not individually rewritten at deletion time. Deleted data ages out according to MeritForge’s normal backup retention cycle.
11. Security
We use technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, alteration, or disclosure.
These measures may include:
- access controls;
- role-based permissions;
- secure cloud infrastructure;
- authentication controls;
- audit logging;
- encryption in transit;
- restricted administrative access;
- monitoring and abuse prevention;
- separation of tenant workspaces.
No system can be guaranteed to be completely secure, but we work to protect the platform using reasonable safeguards appropriate for a B2B SaaS service.
12. Your privacy rights
Depending on your location and applicable law, you may have rights to:
- access your personal data;
- correct inaccurate data;
- request deletion of personal data;
- restrict processing;
- object to certain processing;
- request data portability;
- withdraw consent where processing is based on consent;
- lodge a complaint with a data protection authority.
Because most workspace data is controlled by your employer or organization, some requests may need to be handled by the organization that manages your workspace. If you contact MeritForge directly, we may redirect the request to the relevant organization or assist them in responding, depending on our legal role.
13. Cookies and analytics
MeritForge may use essential cookies or similar technologies required to provide login, security, session management, and core platform functionality.
If we introduce optional analytics, marketing, or tracking cookies, we will provide appropriate notice and consent controls where required by law.
14. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our product, integrations, service providers, legal requirements, or business operations.
When we make material changes, we will update the “Last updated” date and may provide additional notice where appropriate.
15. Contact
For privacy questions, data protection requests, or support with personal data matters, contact us at:
Please note that this email is our privacy contact point. It should not be interpreted as the appointment of a formal Data Protection Officer unless MeritForge expressly states otherwise.