Meerakl Privacy Policy
Effective date: 10 April 2026
Last updated: 22 April 2026
We are Zoluna Technology Limited (“Meerakl”), a company incorporated under the laws of Nigeria with its primary address at 7, Alhaji Towobola, Bolaji Quarters, Oluyole, Ibadan. For any access request, questions, or inquiries about how we use your (personal) data and our privacy practices, please contact us at support@meerakl.com.
1. Overview
Meerakl (“Meerakl”, “we”, “us”, “our”) is a social-commerce client relationship management (CRM) product operated by Zoluna Ltd (“Zoluna”), a private company incorporated under the laws of the Federal Republic of Nigeria. Zoluna is the data controller for information processed to run the Meerakl platform. Zoluna is a data processor (or sub-processor) for information that our customers upload or receive through Meerakl about their own end-customers — see Section 4 (“Two roles”).
2. Scope of Privacy
This policy covers personal data processed through:
- the Meerakl web application at meerakl.com and its subdomains;
- the Meerakl marketing website and any landing, help, or documentation pages we operate;
- the Meerakl mobile and installable progressive-web-app experiences;
- Meerakl’s public APIs, webhooks, email notifications, and customer-support channels.
It does not cover third-party sites or services linked from Meerakl, nor messages you exchange with end-customers on messaging networks (WhatsApp, Instagram, etc.) once they leave our platform — those networks have their own privacy notices.
3. International Data Transfers & Territorial reach
Meerakl is designed primarily for small and medium businesses in Nigeria but enjoys a wider and global adoption across several other global markets. As such, we may need to transfer your data to help us provide you with our services and better serve you. Personal data may be transferred to countries which may not have the same data protection laws as your country, but whenever we have to transfer or transmit your data internationally, we will take reasonable caution to ensure your data is handled securely in compliance with the Data Protections Legislation.
Because some of our sub-processors are based outside Nigeria and, as applicable, outside the EEA/UK/other home jurisdictions, your personal data may be transferred to and processed in countries with different data-protection rules.
4. Two roles: platform data and seller’s customer data
Meerakl processes personal data in two distinct capacities. It is important to understand which one applies to you.
4.1 When we are the controller
We are the controller of personal data you give us about yourself or your business when you sign up for Meerakl and run your business on it such as:
- Your name, email address, and login credentials
- Your business name, country, timezone, and profile information
- The billing information (plan tier, payment history with our subscription payment provider)
- The usage, support, and audit logs we generate as you use Meerakl
4.2 When we are the processor
Meerakl allows businesses to connect messaging channels (WhatsApp Cloud API, Instagram) and a payment gateway (Paystack) to manage conversations, orders, and marketing with their own end-customers. When a Meerakl customer (the “Seller”) connects these channels, Meerakl processes the end-customer’s personal data on the Seller’s behalf and on their documented instructions. In that processing, the Seller is the controller, and Zoluna is the processor (or sub-processor).
If you are an end-customer of a business that uses Meerakl and you want to understand how your data is handled, please contact that business directly — they decide what data to collect, why, and for how long to retain it. We will support them in responding to you.
Our processing of Seller-customer data on behalf of Sellers is further governed by our Privacy Notice (available on request from support@meerakl.com).
5. Personal data we process
5.1 Data we collect from you (Seller/platform user)
| Category | Examples | Source |
|---|---|---|
| Identity and contact data | name, email, phone number, country | you, at sign-up and in profile settings |
| Authentication data | hashed password, session tokens, email-verification state, password-reset tokens | you, generated by Supabase Auth |
| Business data | business name, logo, Paystack public key, encrypted Paystack secret key, bank name, bank code, account number, account name, WhatsApp phone-number ID, Instagram account ID, channel connection status | you |
| Billing data | current plan, subscription history, accrued message-cost credits, Paystack subscription reference | generated by Meerakl and our subscription provider |
| Usage and technical data | pages visited, features used, device and browser details, IP address, timestamps, crash and error reports | generated automatically as you use Meerakl |
| Support and feedback data | feedback submissions, screenshots you attach, support-ticket correspondence | you |
| Audit and security data | admin actions, login events, webhook events, rate-limit events | generated automatically |
5.2 Data we process on behalf of Sellers (about their end-customers)
| Category | Examples |
|---|---|
| End-customer contact data | name, phone number, email, tags, notes, profile picture where provided by the channel |
| Messages | inbound and outbound messages on WhatsApp or Instagram, timestamps, delivery/read status, attachments, template variables |
| Orders and payments | order line items, quantities, prices, payment method, payment status, Paystack transaction references, bank-transfer confirmations |
| Derived data | RFM recency/frequency/monetary scores, lifecycle stage (new/active/at-risk/churning/churned), pipeline stage |
| Automation and broadcast data | automation rule triggers, broadcast recipient lists, personalization variables, scheduled-send timings |
5.3 Data we do not intentionally collect
Meerakl is not designed for sensitive personal data as defined under the NDPA, GDPR, or other applicable laws (e.g., health, religious belief, ethnic origin, political opinion, sexual orientation, genetic or biometric data). Sellers must not upload such data unless they have a lawful basis and a specific written agreement with us.
Meerakl services are not directed at persons under the age of eighteen (18), and we do not knowingly or directly collect data from individuals who fall within this category. When you have any belief that Meerakl has mistakenly or unknowingly collected information from a minor, please contact us to enable us to investigate and restrict such data collection.
6. How we collect personal data
- Directly from you when you sign up, connect a channel, save bank details, send feedback, or contact support.
- Automatically when you use Meerakl (cookies, device and log data, crash reports).
- From third parties you authorize — Meta (WhatsApp Cloud API and Instagram Graph API) when you connect those channels, and Paystack when you connect your Paystack account or complete a subscription payment.
7. Why we process your data, and our lawful bases
| Purpose | Lawful basis (NDPA / GDPR) |
|---|---|
| Create and operate your Meerakl account | Performance of a contract |
| Provide, maintain, and improve the Meerakl platform | Performance of a contract; legitimate interests |
| Process subscription payments and apply credits | Performance of a contract; compliance with legal obligations (tax, accounting) |
| Send transactional email (verification, password reset, billing receipts, product notifications) | Performance of a contract |
| Send product and marketing email (only where you have opted in, or where legally permitted on a soft opt-in basis to existing customers) | Consent; legitimate interests |
| Provide customer support and resolve disputes | Performance of a contract; legitimate interests |
| Monitor security, detect fraud and abuse, and enforce our Terms | Legitimate interests; compliance with legal obligations |
| Generate aggregated, non-identifying analytics about how Meerakl is used | Legitimate interests |
| Comply with legal and regulatory obligations, including lawful requests from public authorities | Compliance with legal obligations |
For processing that relies on legitimate interests, we have balanced those interests against your privacy rights and concluded that our processing is reasonable and proportionate. You can object at any time — see Section 12.
For processing Seller-customer data on behalf of Sellers, the lawful basis is the Seller’s, not ours. We rely on the Seller’s representation that they have a lawful basis to instruct us to process that data.
8. Sub-processors we use
We carefully select service providers to help us run Meerakl. Each acts under a written contract that requires them to apply appropriate safeguards. Current sub-processors:
| Sub-processor | Purpose | Location of processing |
|---|---|---|
| Supabase, Inc. | Managed Postgres database, authentication, real-time messaging, file storage | United States (with EU region options) |
| Vercel, Inc. | Web hosting, edge network, serverless functions | United States and global edge regions |
| Meta Platforms, Inc. (WhatsApp Cloud API, Instagram Graph API) | Messaging delivery and inbound webhooks on the channels you connect | Global |
| Paystack Payments Limited | Subscription billing (Zoluna's Paystack account) and, separately, Seller's own payment collection ("Bring Your Own Paystack") | Nigeria, South Africa (see Paystack's privacy notice) |
| Resend, Inc. | Transactional email delivery | United States / EU |
| Functional Software, Inc. (Sentry) | Application error and performance monitoring | United States |
We update this list as sub-processors change. You can request the current list at any time from support@meerakl.com.
9. How long we keep personal data
We retain personal data only for as long as we need it to provide the Meerakl service, meet a legal obligation, or resolve a dispute.
| Data category | Retention period |
|---|---|
| Account and profile data | For the life of your account, then deleted within 90 days of account closure (unless we must keep it longer for legal or accounting reasons) |
| Messages, orders, and customer records (Seller-customer data) | Controlled by the Seller; by default we retain as long as the Seller's account is active |
| Billing records and invoices | At least 6 years after the end of the financial year to which they relate, in line with Nigerian tax and companies legislation |
| Audit and security logs | Up to 24 months |
| Error reports (Sentry) | Up to 90 days |
| Backups | Up to 30 days on a rolling basis |
| Marketing email preferences | Until you withdraw consent or request deletion |
After the applicable retention period we either delete the data or irreversibly anonymise it so that it can no longer be linked to you.
10. How we secure personal data
Security controls we operate include:
- Transport security: all traffic to and from Meerakl is encrypted with TLS.
- At-rest encryption: databases and storage managed by our sub-processors are encrypted at rest. Seller’s Paystack secret keys are additionally encrypted by Meerakl before they are written to the database, using AES-256-GCM, and are never logged in plaintext.
- Access control: multi-factor authentication, principle of least privilege, and Row-Level Security on every multi-tenant table in our Postgres database so that one Seller cannot read another Seller’s data.
- Webhook integrity: inbound webhooks from Meta and Paystack are verified with shared secrets or HMAC signatures before we act on them.
- Secret management: production secrets are stored in our hosting provider’s secret store and rotated periodically.
- Monitoring: we log administrative actions, monitor for anomalies, and maintain an error-reporting pipeline.
- Data-breach response: if we become aware of a personal-data breach that is likely to result in risk to your rights and freedoms, we will notify the NDPC (and other competent authorities as applicable) without undue delay and, where required, no later than 72 hours after becoming aware of it, and we will notify affected individuals as required by law.
No system is perfectly secure. You are responsible for keeping your Meerakl login credentials confidential and for any activity that happens under your account.
11. Your rights
Depending on where you live, you may have the following rights over your personal data:
- Right of access — ask for a copy of the personal data we hold about you.
- Right to rectification — ask us to correct inaccurate or incomplete data.
- Right to erasure (“right to be forgotten”) — ask us to delete your data, subject to legal-retention carve-outs. See the Data Deletion page for self-service, Meta-initiated, and email-based erasure flows.
- Right to restrict processing — ask us to pause processing while a dispute is resolved.
- Right to object — object to processing based on legitimate interests, including direct marketing.
- Right to data portability — receive your data in a commonly used machine-readable format and transfer it to another controller.
- Right to withdraw consent — where we rely on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
- Right not to be subject to purely automated decision-making — Meerakl’s customer RFM scoring and lifecycle classification are informational aids and are not used to make decisions that produce legal or similarly significant effects on anyone.
- Right to lodge a complaint with a supervisory authority (see Section 14).
To exercise any of these rights, email support@meerakl.com from the email address on your account or attach proof of identity. We respond within 30 days (extendable by up to 60 days where the request is complex), in line with Section 38(3) of the NDPA and equivalent provisions in the other named laws.
If you are an end-customer of a Seller and you want to exercise rights over messages, orders, or profile data held inside that Seller’s Meerakl workspace, please contact the Seller directly — they are the controller. We will cooperate with them in responding to you.
12. Cookies and similar technologies
Meerakl uses a small number of cookies and comparable technologies:
| Cookie/Storage | Purpose | Type |
|---|---|---|
| Supabase auth session | Keeps you signed in | Strictly necessary |
| Theme preference | Remembers dark or light mode | Functional |
| PWA install and onboarding flags | Prevents repeat prompts | Functional |
| Sentry session identifiers | Ties errors to a session to help debugging | Functional / strictly necessary for service stability |
We do not use third-party advertising cookies or cross-site tracking on the logged-in Meerakl app. If we introduce analytics cookies on the public marketing site, we will first obtain consent through a cookie banner, as required under applicable law.
13. Complaints
If you believe we have not handled your personal data properly, we would like you to tell us first so we can try to resolve the issue. You can contact us at support@meerakl.com.
14. Minors
Meerakl services are not directed at persons under the age of eighteen (18), and we do not knowingly or directly collect data from individuals who fall within this category. When you have any belief that Meerakl has mistakenly or unknowingly collected information from a minor, please contact us to enable us to investigate and restrict such data collection.
16. Changes to this policy
We may update this policy from time to time. When we make material changes, we will:
- update the Effective date at the top of this document;
- notify you by email or by an in-product notice before the change takes effect;
- where the change requires your consent, ask for it.
If you continue to use Meerakl after a change takes effect, you accept the revised policy. If you do not agree, you may close your account before it takes effect.
17. Contact
For any question about this policy or about how we handle your personal data: