Privacy Policy

1. Data Controller

The data controller within the meaning of Art. 4(7) GDPR is:

Bluepolicy.ai
Represented by: Jens Schneider
Knütgenstr. 12, 53721 Siegburg, Germany
Phone: +49 178 1482348
Email: beta@bluepolicy.ai
Website: merux.app

2. What Personal Data We Collect

When you register for the MeruX beta program, we collect the following personal data:

• Full name (required) — to identify you as a beta participant
• Email address (required) — for communication about the beta program
• Apple ID email (optional) — to send you a TestFlight invitation for the iOS beta app
• Phone number (optional) — for direct communication if requested
• Role / Persona — whether you are an employee, self-employed, or in HR/Finance
• Wallbox brand (optional) — to understand your charging hardware
• iPhone model (optional) — for app compatibility and testing purposes
• iOS version (optional) — for app compatibility and testing purposes
• GDPR consent timestamp and version — to document your consent
• Registration timestamp — to record when you signed up
• IP address (collected server-side) — for security and fraud prevention

3. Purpose of Processing and Legal Basis

We process your personal data for the following purposes:

a) Beta program registration and access

We process your name, email, role, and device information to register you as a beta participant and provide you with access to the MeruX app.
Legal basis: Consent pursuant to Art. 6(1)(a) GDPR.

b) TestFlight invitation

If you provide your Apple ID email, we share it with Apple Inc. to send you a TestFlight invitation for the iOS beta app.
Legal basis: Consent pursuant to Art. 6(1)(a) GDPR.

c) Communication about the beta program

We use your email address and, if provided, your phone number to contact you about updates, feedback requests, and important information regarding the beta program.
Legal basis: Consent pursuant to Art. 6(1)(a) GDPR.

d) Product improvement

We analyze aggregated and anonymized usage patterns, device information, and feedback to improve the MeruX product.
Legal basis: Legitimate interest pursuant to Art. 6(1)(f) GDPR. Our legitimate interest is the continuous improvement of our product to better serve our users.

e) Security and fraud prevention

We collect your IP address to protect against spam and fraudulent registrations.
Legal basis: Legitimate interest pursuant to Art. 6(1)(f) GDPR. Our legitimate interest is the security of our systems and the integrity of the beta program.

f) Contact form inquiries

When you use our contact form (for investor, fleet management, or wallbox manufacturer inquiries), we collect your name, email address, company name (optional or required depending on inquiry type), and your message. This data is used solely to respond to your inquiry.
We store your inquiry in Azure Table Storage (EU, Germany West Central region) and send you a confirmation email. A notification with your inquiry details is also sent to our team.
Legal basis: Consent pursuant to Art. 6(1)(a) GDPR. Your data is retained for 2 years and deleted upon request at any time via beta@bluepolicy.ai.

4. Data Recipients and Third Parties

We do not sell your personal data. Your data may be shared with the following service providers who process data on our behalf:

• Microsoft Azure (Microsoft Corporation, EU data centers) — We use Azure Communication Services for email delivery (sending from merux@bluepolicy.ai) and Azure Table Storage for storing registration data. Data is processed in the Germany West Central region, ensuring EU data residency. A Data Processing Agreement (DPA) is in place.
• Cloudflare, Inc. (global network, EU data processing) — We use Cloudflare Workers for website hosting and Cloudflare Turnstile for spam protection. Cloudflare processes data in accordance with its DPA and Standard Contractual Clauses.
• Apple Inc. (USA) — If you provide your Apple ID email, it is shared with Apple to send you a TestFlight beta invitation. See Section 5 regarding international data transfers.

We may also disclose your data to law enforcement or regulatory authorities if required by applicable law.

5. International Data Transfers

Your data is primarily stored and processed within the European Union (Germany).

If you provide your Apple ID email for TestFlight invitations, this email address is transferred to Apple Inc. in the United States. This transfer is based on the EU-US Data Privacy Framework (adequacy decision by the European Commission pursuant to Art. 45 GDPR), which ensures an adequate level of data protection for transfers to certified US companies.

Cloudflare may process certain data (such as IP addresses for website delivery) on servers outside the EU. This is covered by Cloudflare's Standard Contractual Clauses and supplementary measures pursuant to Art. 46(2)(c) GDPR.

6. Data Retention

Your beta registration data is retained for the duration of the beta program and for a period of 2 years after the beta program ends. After this retention period, your data will be permanently deleted.

You may request deletion of your data at any time by contacting us at beta@bluepolicy.ai. We will process your request within 30 days.

Certain data may be retained longer if required by law (e.g., tax or commercial law obligations).

7. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

• Right of access (Art. 15 GDPR) — You can request information about what personal data we hold about you.
• Right to rectification (Art. 16 GDPR) — You can request correction of inaccurate or incomplete data.
• Right to erasure (Art. 17 GDPR) — You can request deletion of your personal data ("right to be forgotten").
• Right to restriction of processing (Art. 18 GDPR) — You can request that we restrict the processing of your data.
• Right to data portability (Art. 20 GDPR) — You can request your data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21 GDPR) — You can object to processing based on legitimate interest at any time.
• Right to withdraw consent (Art. 7(3) GDPR) — You can withdraw your consent at any time with effect for the future. The lawfulness of processing based on consent before its withdrawal remains unaffected.
• Right to lodge a complaint — You have the right to lodge a complaint with a supervisory authority (see Section 8).

To exercise any of these rights, please contact us at beta@bluepolicy.ai.

8. Supervisory Authority

If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement.

The competent supervisory authorities for data protection in Germany are the state data protection commissioners (Landesbeauftragte für Datenschutz) of the respective federal states. A list of all supervisory authorities is available at: www.bfdi.bund.de

9. Automated Decision-Making

We do not use automated decision-making or profiling as defined in Art. 22 GDPR.

10. Cookies and Tracking

This website does not use analytics cookies, tracking cookies, or any third-party tracking tools.

We use one functional cookie: NEXT_LOCALE (duration: 1 year) to store your language preference (English or German). This cookie is strictly necessary for functionality and does not track users. It is exempt from consent requirements under GDPR Recital 30 and the ePrivacy Directive Art. 5(3).

We use Cloudflare Turnstile for spam protection on our beta registration form. Turnstile is a privacy-friendly CAPTCHA alternative that does not use tracking cookies, does not collect personal data for advertising purposes, and is designed to be GDPR-compliant. For more information, see Cloudflare's Privacy Policy.

11. Data Security

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Art. 32 GDPR. This includes encryption of data in transit (TLS/HTTPS), secure storage in EU-based data centers, access controls, and regular security reviews.

12. Changes to This Privacy Policy

We may update this privacy policy from time to time to reflect changes in our data processing practices or legal requirements. Significant changes will be communicated to beta participants via email. The current version is always available on this page.