Privacy Policy

How Dench collects, uses, shares, and protects information, including US data residency and your privacy rights.

Effective June 27, 2026

1. Scope and Who We Are

This Privacy Policy explains how Merse Originals, Inc., a Delaware corporation doing business as "Dench" ("Dench," "we," "us," or "our") handles personal information. Dench is a customer relationship management (CRM) and agent workspace platform, the second brain for a company's people, customers, and operations. We are headquartered in California, United States and incorporated in Delaware.

This Policy applies to dench.com, our web and desktop applications, sign-in flows, hosted APIs and gateway, managed cloud workspaces and sandboxes, billing, support, and other services we operate under the Dench brand (collectively, the "Services").

If you use the open-source or self-hosted version of our software on infrastructure you control, much of your workspace data can stay on your own systems. Section 14 explains how this Policy applies in that case. This Policy, the Terms of Service, and (for customers who sign one) our Data Processing Addendum work together.

2. Our Two Roles: Controller and Processor

Privacy law treats us differently depending on whose data is involved, so it helps to separate two roles:

  • Dench as a processor / service provider. For the CRM records, contacts, files, messages, prompts, and other content that a customer organization puts into the Services ("Customer Data"), the customer is the controller and decides what to collect and why. We process Customer Data only to provide the Services, on the customer's instructions, as described in our Data Processing Addendum. If you are an individual whose information appears in a customer's workspace, please direct privacy requests to that organization.
  • Dench as a controller. For the account, billing, usage, device, support, and website-visitor data we collect to run and improve our business, we act as the controller. The rest of this Policy focuses on that controller role.

3. Information We Collect

Account and organization details

When you create an account or set up an organization, we collect information such as your name, email address, profile image, organization name and slug, membership role, invitation details, onboarding state, and current organization selection.

Sign-in and verification data

We support Google sign-in and email one-time-password sign-in. Depending on the method you choose, we may receive basic Google profile information, your email address, verification codes, sign-in timestamps, session identifiers, device identifiers for desktop linking, OAuth state or pending sign-in records, and authentication cookies or tokens. Email sign-in codes expire after about 10 minutes, and session lifetimes can last up to about 90 days depending on activity and configuration.

Billing and subscription data

If you purchase a paid plan or use metered AI features, payment processing is handled by Stripe. We do not store full card numbers on our servers. We do store subscription and billing metadata such as Stripe customer and subscription IDs, plan or tier, subscription status, quantities, billing period dates, credit grants, usage totals, and spend-limit settings.

Customer Data you put into the Services

When you use the Services, you and your team submit CRM records, contacts, companies, tasks, notes, files, emails, messages, and other workspace content. We process this Customer Data on your behalf to provide the Services. You decide what to include, so please avoid submitting information you do not have the rights or a lawful basis to process.

AI inputs, outputs, and usage metadata

When you use AI or agent features, we process prompts, uploaded context, tool results, model responses, model and provider selection, request IDs, token counts, latency, estimated cost, billed amounts, error details, workspace and organization identifiers, and related operational metadata.

Usage, analytics, and device data

We collect product analytics and operational data about how the Services are used, including page views, page-leave events, clicks, navigation flows, referrers, device and browser characteristics, organization context, and service performance. We use PostHog for browser and server-side analytics, and some areas enable session replay. Depending on the page and configuration, replay or autocapture may record on-screen activity and some information entered into the app, and not every input is guaranteed to be masked automatically.

Cloud infrastructure data

If you use a managed cloud workspace or sandbox, we process infrastructure data such as sandbox subdomains, compute instance identifiers, network routing identifiers, storage volume identifiers, IP addresses, storage archive paths, provisioning state, stop or delete schedules, and backup or snapshot metadata. We may also store organization logos or similar uploaded assets.

Communications and support

We collect information from emails, support requests, onboarding reminders, budget alerts, invitations, and other communications you send to us or that we send to you.

4. How We Use Information

  • To create and secure accounts, organizations, sessions, and managed access.
  • To operate the CRM, hosted APIs, cloud workspaces, AI routing, billing, credits, and subscription lifecycle.
  • To send sign-in codes, transactional emails, receipts, support replies, reminders, and service notices.
  • To measure usage, prevent abuse, investigate incidents, enforce limits, and improve reliability and product quality.
  • To personalize the Services for your organization, including settings, roles, and current workspace context.
  • To comply with legal obligations and protect the rights, safety, and security of Dench, our users, and third parties.

Where the GDPR or similar laws apply to our controller processing, we rely on these legal bases: performance of a contract (to provide the Services you request), legitimate interests (to secure, operate, and improve the Services and prevent abuse), consent (for example, certain analytics or marketing where required), and compliance with legal obligations.

5. AI, Machine Learning, and Model Providers

The Services include AI-assisted features, hosted model routing, and agentic automation. To generate responses and take actions, we send the relevant prompts, context, tool results, and related data to AI model providers, currently Anthropic, OpenAI, and models hosted through Amazon Bedrock.

We may use aggregated and de-identified usage data (information that does not identify you or your organization) to monitor, debug, secure, and improve the Services. AI output can be inaccurate or incomplete, so you should review it before relying on it. The Terms of Service describe responsibility for AI output and agent actions in more detail.

6. How We Share Information and Subprocessors

We do not sell your personal information, and we do not "share" it for cross-context behavioral advertising as those terms are defined under California law. We disclose information only as needed to run the Services, comply with law, or complete a business transaction.

We use vetted third-party providers (subprocessors) for hosting, AI inference, billing, email, analytics, sign-in, integrations, and messaging. Each is bound by data protection terms no less protective than ours. The current list, with each provider's purpose, location, and transfer mechanism, is maintained on our Subprocessors page.

We may also disclose information to professional advisors, and to an acquirer or successor in connection with a merger, acquisition, financing, or sale of assets, and to regulators or authorities where required by law or to protect rights, safety, and security. Your use of third-party integrations you connect is also subject to those providers' own terms and privacy practices.

7. Data Residency and International Transfers

The hosted Services run in the United States (AWS US East, Northern Virginia / us-east-1). Customer Data at rest is stored in the United States, and our subprocessors that handle Customer Data are based in the United States.

If you access the Services from outside the United States, your information will be transferred to and processed in the United States, which may have different data protection rules than your home country. Where we transfer personal data that is protected by the laws of the European Economic Area, the United Kingdom, or Switzerland, we rely on recognized transfer mechanisms such as the EU, UK, and Swiss Standard Contractual Clauses, and applicable Data Privacy Framework certifications, as further described in our Data Processing Addendum.

8. Cookies and Similar Technologies

We use cookies and browser storage to keep you signed in, remember state, measure product usage, and improve the Services. These include authentication cookies or tokens, analytics cookies and storage (PostHog), session storage for onboarding and setup, and local storage for certain UI preferences.

You can control cookies and storage through your browser or device settings, and we honor recognized opt-out signals such as Global Privacy Control where required. Some parts of the Services may not work correctly if you block essential cookies. For details, see our Cookie Policy.

9. Data Retention

We keep information for as long as needed to provide the Services, maintain security and billing records, resolve disputes, and meet legal obligations. Account, organization, authentication, and billing records are retained while your account is active and for a reasonable period afterward. Analytics and operational logs are retained for debugging, abuse prevention, financial reconciliation, and product improvement.

For managed cloud workspaces, our current operational lifecycle may include stopping a canceled workspace, retaining the stopped environment for roughly 7 days, and retaining final recovery snapshots for up to roughly 90 days before final deletion. We may adjust these windows as the Services evolve or where law, security, or disaster recovery requires it. You are responsible for exporting any data you want to keep before cancellation or termination.

10. Security

We use administrative, technical, and organizational safeguards designed to protect the Services, including encryption of data in transit and at rest, cloud secret management for sensitive configuration, and encrypted storage of organization gateway secrets. You can read more on our security page.

No system is perfectly secure, and we cannot guarantee absolute security. You are responsible for protecting your devices, credentials, recovery email accounts, and API keys. If you believe your account or a key has been compromised, contact security@dench.com.

11. Your Rights (EU, UK, and Switzerland)

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have rights over personal data we hold about you as a controller, subject to conditions and exceptions in applicable law:

  • Access to, and a copy of, your personal data.
  • Correction of inaccurate or incomplete data.
  • Erasure of your data in certain circumstances.
  • Restriction of, or objection to, certain processing.
  • Data portability.
  • Withdrawal of consent at any time, where processing is based on consent.
  • The right to lodge a complaint with your local supervisory authority.

To exercise these rights, contact privacy@dench.com. Where the data is Customer Data we process on behalf of an organization, we will refer your request to that organization.

12. Your US State Privacy Rights

Depending on your state of residence (for example California, Virginia, Colorado, Connecticut, Utah, Texas, and other states with comprehensive privacy laws), you may have rights to know or access the personal information we collect, to correct it, to delete it, to obtain a portable copy, and to opt out of targeted advertising, the sale of personal information, or certain profiling.

We do not sell personal information, and we do not share it for cross-context behavioral advertising. We do not use or disclose sensitive personal information for purposes that would require an opt-out right under the California Consumer Privacy Act, as amended by the California Privacy Rights Act.

To exercise your rights, email privacy@dench.com. You may use an authorized agent where permitted by law. We will not discriminate against you for exercising your rights, and we will verify your identity before acting on a request. If we deny a request, you may appeal by replying to our response.

13. Children

The Services are not directed to children under 13, and we do not knowingly collect personal information from them. You may not use the Services if you are not old enough to consent to the processing of your personal data under applicable law.

14. Self-Hosted and Open-Source Software

Parts of our software are available under open-source licenses and can be run on infrastructure you control. When you self-host, data stored solely on your own systems is under your control, and this Policy does not apply to that data except to the extent you also use Dench-hosted features such as accounts, billing, hosted AI routing, or managed cloud. The open-source license governs your rights in the code itself.

15. Creator Program

When you apply to the Dench Creator Program at dench.com/creators, we collect your name, email address, social media handle, chosen platform, post URL, optional follower count, IP address, and user agent. We use this to review your application, contact you about its status, and detect duplicate or abusive submissions.

Bank account information needed to send your payment is not stored in our application database. After approval, you provide it via email to creators@dench.com, and we use it solely to issue a one-time bank transfer. We delete that email after payment is complete and retain application records (excluding bank information) for record-keeping, payment audit, and one-payout-per-person enforcement.

16. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will update the effective date above and may provide additional notice through the Services or by email. Your continued use of the Services after an update means you accept the revised Policy.

17. How to Contact Us

For privacy questions, data requests, or to discuss enterprise privacy terms, contact us at privacy@dench.com.

Merse Originals, Inc. (doing business as Dench)
1065 Southwest 8th Street #1796, Miami, Florida 33130, United States