Privacy & Security Policy
Comprehensive information about how we protect your data and respect your privacy
Last updated
22 August 2025
What Merra Is
Merra provides short, conversational AI interviews that deliver comprehensive candidate assessments. Our platform generates a 0–100 match-fit score with detailed per-area evaluations, plus complete video recordings and transcripts for hiring teams.
Data Protection Roles
Customer (Data Controller)
You determine what data to collect, set retention periods, and establish the lawful basis for processing.
Merra (Data Processor)
We process personal data strictly according to your instructions as outlined in this policy and our Data Processing Addendum (DPA).
Data We Process
Candidate Data
- Name and email address
- Interview video and audio recordings
- Transcripts and evaluations
- Performance scores and assessments
- Device compatibility checks
Customer Users
- Name and email address
- Company information
- Role and permissions
- Administrative actions and audit logs
Operational Data
- System logs and diagnostics
- Security monitoring data
- Usage analytics for service improvement
- Performance and reliability metrics
We never sell personal data and do not use candidate interviews to train our AI models without explicit consent.
Security Measures
- Encryption: TLS in transit and AES-256 equivalent at rest
- Access Control: Least-privilege, role-based access with logged admin actions
- Monitoring: Automated backups with anomaly detection alerts
- Incident Response: Immediate breach notification within regulatory timelines
Data Retention
- Video/audio: 30 days
- Transcripts & scores: up to 12 months
Admins can delete data by candidate, job, or workspace at any time through admin settings.
Human Oversight & Fairness
Merra's outputs are advisory. A human reviewer must Advance or Pass each candidate. We focus analyses on job-related criteria chosen by the Controller.
Sub-processors & Data Location
We use reputable cloud/AI/email providers in UK/EU regions (and, if needed, approved international transfers with safeguards). A current sub-processor list is available on request or at /sub-processors.
Candidate Notice
Before recording, candidates see what's captured, duration, who the controller is, and a link to a Candidate Privacy Notice. Rights requests are handled by the Controller; we support you in responding.
Cookies & Analytics
We use essential cookies for auth and security, and minimal analytics to improve reliability and UX. Manage preferences in Cookie Settings.
Your Rights & Choices (as Controller)
Export or delete data from Admin settings or via support. We provide reasonable assistance with data subject requests, DPIAs, and breach notifications as required by Art. 28 & 32–36 GDPR/UK GDPR.