MergedClaimed Log in

Privacy Policy

Last updated: 26 May 2026

This policy explains how Blackfortz Capital Ltd (trading as MergedClaimed) handles personal data when you use our website (mergedclaim.com) or our product (app.mergedclaim.com). We're committed to handling your data lawfully, transparently, and only for the purposes set out here.

Who we are

Data Controller: Blackfortz Capital Ltd, a private company limited by shares, registered in England and Wales under company number 16153268. Registered office: Unit F Winston Business Park, Churchill Way, Chapeltown, Sheffield, S35 2PS, United Kingdom.

Contact for data matters: [email protected]

ICO registration: Application submitted. Public registration number will appear here once issued by the Information Commissioner's Office. You can verify our status on the ICO public register.

What we collect, and why

1. Account data

2. Company data (you provide during onboarding)

Lawful basis: contract performance.

3. Engineering metadata (when you install our GitHub App)

Lawful basis: contract performance. We never read source code by default. See our Security & data page.

4. AI conversation data

Messages exchanged between you and the AI claim agent are stored alongside your projects for audit purposes. Lawful basis: contract performance. You can clear the transcript at any time.

5. Billing data (when you subscribe)

We use Stripe as our payment processor. Card data is handled directly by Stripe — we never receive or store it. We store the Stripe customer ID and subscription status.

6. Service logs

Request logs (IP address, user-agent, URLs accessed) are retained for 30 days for security and debugging. Lawful basis: legitimate interests in keeping the service secure.

Who we share data with (sub-processors)

We use the following third parties to deliver the service. Each is contractually bound to process data only on our instructions.

Where data is stored

All data we control is stored on servers physically located in Germany (EU). UK GDPR + EU GDPR apply. Disk-level encryption is enabled at the OS layer; OAuth tokens are additionally encrypted at the application layer using Fernet (AES-128-CBC + HMAC-SHA256).

How long we keep it

Your rights under UK GDPR

You have the right to:

To exercise any of these rights, email [email protected]. We respond within 30 days.

Cookies

We use two essential cookies — see our Cookie Policy for details. No third-party tracking, no advertising cookies.

Changes to this policy

Material changes will be communicated by email at least 30 days before they take effect. Minor wording fixes are updated here without notice.

Contact

Email: [email protected]
Post: Blackfortz Capital Ltd, Unit F Winston Business Park, Churchill Way, Chapeltown, Sheffield, S35 2PS, UK


MergedClaimed is a trading name of Blackfortz Capital Ltd (UK company number 16153268).