Privacy Policy
Last updated: 15 May 2026
Effective date: 1 June 2026
At Merge Digital SL (hereinafter "MERGE", "we" or "us") we take the protection of your personal information very seriously. This Privacy Policy explains what data we collect when you interact with the website https://www.mmerge.io (the "Site"), when you register for or attend our events (MERGE Madrid, MERGE LatAm and any other edition), when you subscribe to our newsletter, when you participate as a speaker, sponsor, partner, press representative or collaborator, and, in general, when you deal with us through any channel.
1. Data Controller
| Company name | Merge Digital SL |
| Tax ID | B-56893787 |
| Registered office | Calle Gaztambide 57, Local 5, 28015 Madrid, Spain |
| Registration | Madrid Commercial Registry |
| Contact email | [email protected] |
| Safety and conduct channel | [email protected] |
| Website | https://www.mmerge.io |
MERGE has not appointed a Data Protection Officer (DPO) as none of the cases set out in Article 37 GDPR apply. For any privacy-related queries please email [email protected] with "Privacy" in the subject line.
2. Applicable legal framework
This Policy is governed primarily by:
- Regulation (EU) 2016/679, of 27 April, the General Data Protection Regulation ("GDPR").
- Spanish Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the Guarantee of Digital Rights ("LOPDGDD").
- Spanish Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce ("LSSI-CE").
- Spanish Organic Law 1/1982, of 5 May, on civil protection of the right to honour, personal and family privacy and one's own image.
- For the processing of data of residents in Brazil and other Latin American countries in connection with MERGE LatAm: Brazilian Law 13.709/2018 (Lei Geral de Proteção de Dados — "LGPD") and any other applicable local rules.
3. Whose data we process
We process personal data of visitors to the Site, newsletter subscribers, ticket buyers and event attendees, speakers, panelists and moderators, sponsors, partners and exhibitors, accredited press and media, candidates in recruitment processes, and professional contacts engaging with MERGE through business channels.
4. Purposes for which we process your data
The following table summarises the processing purposes, categories of data involved and legal basis. If you wish to obtain further detail on any specific purpose you may request it by writing to [email protected].
| Purpose | Categories of data | Legal basis |
|---|---|---|
| Operating and improving the Site | Navigation data: IP, device identifier, browser, pages visited, interaction events | Legitimate interest (Art. 6(1)(f) GDPR). For non-strictly necessary cookies: consent (Art. 6(1)(a) GDPR and Art. 22 LSSI-CE) |
| Ticket purchase and event attendance | Identification and contact data, professional data (job title, company), billing data, payment data processed by the gateway, access control data, accessibility preferences if disclosed | Contract performance (Art. 6(1)(b) GDPR). Compliance with tax and accounting legal obligations (Art. 6(1)(c) GDPR) |
| Management of speakers, panelists and moderators | Identification and contact data, professional biography, photograph, content of the intervention, travel and expense reimbursement data | Performance of the participation agreement (Art. 6(1)(b)). For the broad use of image, voice and intervention: explicit consent (Art. 6(1)(a) GDPR + Spanish Organic Law 1/1982) collected through the Speakers' Image Rights Assignment Addendum |
| Management of sponsors, partners, exhibitors and press | Representative data, commercial data, company identification, billing data | Contract performance (Art. 6(1)(b)). Legitimate interest in managing the commercial relationship (Art. 6(1)(f)). Compliance with legal obligations (Art. 6(1)(c)) |
| Capturing image, voice and video during the event | Image and voice captured in photographs, videos, live streaming, after-movies and graphic materials | General attendees: legitimate interest (Art. 6(1)(f) GDPR and Art. 8(2)(a)/(c) Spanish Organic Law 1/1982), with the right to object as set out in section 8. Speakers, sponsors active at booths and accredited press: explicit consent upon confirming their participation |
| Newsletter and marketing communications | Email, name, optional interests | Explicit consent of the data subject (Art. 6(1)(a) GDPR and Art. 21 LSSI-CE). For prior customers: legitimate interest in similar products (Art. 21(2) LSSI), with a simple unsubscribe option in every communication |
| Handling enquiries and requests | The data the user voluntarily provides | Consent of the data subject when initiating contact (Art. 6(1)(a) GDPR). Legitimate interest (Art. 6(1)(f)) |
| Compliance with legal obligations | Data necessary to respond to requests from authorities, courts and regulators | Compliance with a legal obligation (Art. 6(1)(c) GDPR) |
5. Retention periods
We keep your data only for as long as is strictly necessary for the purposes described and, subsequently, during the applicable statutory limitation periods:
| Category of data | Retention period |
|---|---|
| Navigation data / cookies | As indicated for each category in the Cookies Policy |
| Contractual data (tickets, sponsors, speakers) | Duration of the relationship + statutory limitation periods (10 years commercial and 4 years tax under Spanish law) |
| Event audiovisual materials (photographs, video, after-movies) | Indefinite as a historical and promotional archive, without prejudice to the data subject's right to request removal as set out in section 8 |
| Newsletter | Until the subscriber withdraws consent (one-click in any email) |
| Enquiry handling | 2 years from the last interaction |
| Press data | 4 years from the last edition covered |
Once these periods elapse, data is deleted or anonymised.
6. Recipients of the data
6.1. Processors
To deliver our services we rely on suppliers acting as processors under Article 28 GDPR. As of the date of this Policy the main ones are:
- Google Workspace (Gmail and Drive) — Google Ireland Ltd. — corporate email and file storage.
- Google Analytics 4 — Google Ireland Ltd. — web analytics.
- Google Tag Manager — Google Ireland Ltd. — tag management.
- LinkedIn Insight Tag and LinkedIn Ads Pixel — LinkedIn Ireland Unlimited Company — analytics and advertising.
- Meta Pixel — Meta Platforms Ireland Ltd. — analytics and advertising on Facebook and Instagram.
- TikTok Pixel — TikTok Information Technologies UK Ltd. — analytics and advertising on TikTok.
- X Pixel — X Corp. — analytics and advertising on X (formerly Twitter).
- Typeform — TYPEFORM SL (Spain) — forms and surveys.
- Zoho CRM — Zoho Corporation — commercial relationship management.
- Zoho Email — Zoho Corporation — transactional and marketing email platform.
- Stripe — Stripe Payments Europe Ltd. — ticket payment gateway.
- Holded — Holded Technologies SL (Spain) — invoicing and accounting.
- Meetmaps SL (Tax ID B-66469859, Spain) — Event App platform and event access control.
An up-to-date list is available on request to [email protected].
6.2. Disclosures to third parties
- Sponsors and partners: MERGE shares with sponsors and partners partially anonymised and aggregated information (for example, breakdown by sector and by job title) based on legitimate interest. The disclosure of full identifying data is only made when the attendee expressly consents, for example: (i) by allowing their QR code to be scanned at a booth, (ii) by participating in a sponsored session that clearly states this, (iii) by activating the matchmaking functionality in the Event App, or (iv) by signing up to a specific sponsor draw or promotion.
- Group companies: MERGE may share personal data with companies belonging to the same corporate group as Merge Digital SL, current or future, exclusively for internal administrative purposes (centralised management, support, reporting), always maintaining the same level of data protection described in this Policy.
- Public authorities: when required by law.
- Advisors and auditors of MERGE under a duty of confidentiality.
MERGE does not sell your personal data.
7. International transfers
Some of our processors (in particular those of the Google, LinkedIn, Meta, TikTok, X, Zoho and Stripe groups) may process data in countries located outside the European Economic Area. In such cases MERGE ensures that adequate safeguards under Chapter V GDPR are in place, mainly:
- European Commission adequacy decisions (for example, the United States under the Data Privacy Framework, where applicable).
- Standard Contractual Clauses approved by the European Commission.
- Supplementary technical measures where necessary.
For MERGE LatAm participants, data may partially be processed on infrastructure located in the European Union, which may constitute an international transfer from Brazil. In such case the safeguards set out in Articles 33 to 36 LGPD apply.
You may request a copy of the applicable safeguards by writing to [email protected].
8. Your rights
Under the GDPR and the LOPDGDD you have the right to:
- Access your personal data.
- Rectify inaccurate or incomplete data.
- Erasure of your data where one of the legal grounds applies.
- Restrict the processing.
- Portability of your data in a structured format.
- Object to the processing, including the right to object to receiving marketing communications and to the use of your image captured as an attendee at the event.
- Not be subject to automated decisions producing legal effects on you (MERGE does not carry out any relevant automated decision-making in this sense).
- Withdraw consent at any time, without affecting the lawfulness of prior processing.
To exercise any of these rights, write to [email protected] stating in the subject the right you wish to exercise and attaching, where applicable, a copy of a document evidencing your identity. We will respond within one month, extendable to two months in particularly complex cases.
Right to object to image capture as an attendee. If you do not wish to appear identifiably in event photographs or videos, you may inform the MERGE staff at the time of check-in and we will reasonably endeavour to ensure that the photography and video team does not focus on you. In addition, you may at any later time, even after the event, exercise your right to object and request the removal of specific images by writing to [email protected] with "Image rights" in the subject line.
If you consider that your rights have not been properly addressed, you may file a complaint with:
- Spanish Data Protection Agency (AEPD) — https://www.aepd.es — C/ Jorge Juan, 6, 28001 Madrid.
- For residents in Brazil: National Data Protection Authority (ANPD) — https://www.gov.br/anpd
- For residents in other countries, the corresponding national supervisory authority.
9. Policy regarding minors
MERGE is a professional event aimed exclusively at adults aged 18 and over. Minors are not admitted to the event under any circumstances, nor do we knowingly process personal data of minors. If we detect that we have inadvertently collected data of a minor, we will delete it without delay. If you become aware that a minor has provided us with data, please notify us at [email protected].
10. Data security
MERGE applies technical and organisational measures that are reasonable and proportionate to the risk of the processing under Article 32 GDPR: encryption in transit (TLS), role-based access control, environment segregation, backups, audit logs and internal privacy training. In the event of a personal data breach posing a risk to your rights, we will notify the supervisory authority and, where required, the affected data subjects within the legal time limits.
11. Automated decisions and profiling
MERGE does not make decisions based solely on automated processing that produce significant legal effects on data subjects. We may carry out marketing segmentation (for example, grouping subscribers by interests) without this constituting "profiling" within the meaning of Article 22 GDPR.
12. Cookies
The use of cookies and similar technologies is governed by the Cookies Policy, which forms an integral part of this Privacy Policy.
13. Links to third-party sites
The Site may contain links to sponsor, speaker, partner or media websites. MERGE is not responsible for the privacy practices of those third parties and recommends that you review their respective policies before providing them with data.
14. Changes to this Policy
MERGE may amend this Policy to adapt it to legal, technical or business changes. The date of the last update is shown at the beginning of the document. Where the changes are material, you will be informed by email or prominent notice on the Site at least 30 days prior to their effective date.
15. Contact
Merge Digital SL
Calle Gaztambide 57, Local 5, 28015 Madrid (Spain)
General email: [email protected] (subject: "Privacy")
Specific safety and conduct channel: [email protected]