Launch promo — $100/mo off every plan + FREE setupuntil July 31
MeraFix

Privacy Policy

Last updated: May 13, 2026

MeraFlow LLC ("we," "our," or "us") operates the MeraFix platform and the website at merafix.com (collectively, the "Service"). This Privacy Policy explains what information we collect, how we use it, who we share it with, and the choices you have. It applies to visitors to our public website, business owners who subscribe to MeraFix ("customers" — typically appliance repair shops), and end consumers whose information our customers process through MeraFix ("end users" — typically the homeowners those shops serve).

Read this Policy together with our Terms of Service, our AI Disclosure, and our Cookie Policy.

1. Quick summary

  • We do not sell your personal information.
  • We do not use your data or your end users' data to train third-party AI foundation models. We do use AI vendors (Vapi, OpenAI, Google) to operate features you turn on — they process the data only to provide that feature, not to train.
  • If you call our AI sales line, the call is recorded and transcribed for service operation, fraud detection, and product improvement. We will route you to a human if you request that.
  • You can request access, correction, deletion, or export of your data at any time by emailing [email protected].
  • We are based in the United States. Data is stored in the United States.

2. Roles — who is the controller of what data?

MeraFix is a multi-tenant software-as-a-service platform. The same Service plays two different roles for two different relationships:

  • For our customers (the repair shops who subscribe): we are the controller of the data relating to your business account — billing details, login credentials, preferences, support communications. This Policy explains how we handle that data.
  • For end users (the homeowners and businesses your shop serves): when our customer enters or imports your information into MeraFix, our customer is the controller of that information and we act as a processoron their behalf. The customer's own privacy notice, not this Policy, primarily governs how that information is used. Our processing is contractually limited by our agreements with the customer.

3. Information we collect

3.1 Information you give us directly

  • Account information: name, work email, phone, business name, role, and what plan you choose.
  • Billing information: handled by our payment processor (Stripe). We receive only the last four digits of the card and a token — never the full PAN, CVV, or full account number.
  • Customer-supplied data: for our customers using MeraFix as a CRM, anything they enter about their own end users — names, addresses, phone numbers, appliance details, service history, photos, signatures, payment references.
  • Communications: what you write to us via contact form, waitlist, email, or phone.
  • Lead-capture forms: if you submit your email or business name on our website to join the waitlist or request a demo, we save it together with the source page, the time, and any UTM parameters from the link you arrived through.

3.2 Information collected automatically when you use the Service

  • Usage data: pages viewed, features clicked, approximate session duration, error logs.
  • Device and connection: browser, operating system, screen size, language, IP address, approximate location derived from IP.
  • Cookies and similar: see Section 9 and our Cookie Policy.
  • Click identifiers: if you arrive via a Google Ads, Meta, or similar ad-network click, we may store the click identifier (for example, GCLID, fbclid) to attribute conversions for ourselves and, when applicable, for our customer whose ad you clicked.

3.3 Information from AI phone calls

When you call a phone number operated by MeraFix or by one of our customers using our AI Phone feature, the call is connected to an AI voice assistant. During and after the call we collect:

  • Audio recording of the entire call.
  • Real-time transcript generated by an automated speech-to-text service.
  • Caller telephone number as delivered by the carrier (caller ID).
  • Anything the caller says in response to AI prompts — name, address, appliance issue, payment-method preference, etc.
  • Call metadata — start time, end time, duration, language detected, end reason, cost.

See our AI Disclosure for the full notice we provide at the start of every AI call, including how callers in two-party-consent states can refuse recording or request a human.

4. How we use information

  • To provide, operate, and maintain the Service, including answering AI calls and routing them to the right place.
  • To bill subscribers and reconcile usage-based charges (for example, AI minutes).
  • To authenticate accounts, prevent fraud, detect abuse, and enforce our Acceptable Use Policy.
  • To respond to support questions and other communications you send us.
  • To improve the Service — measuring conversion funnels, debugging errors, evaluating quality of AI responses, and prioritizing features.
  • To send you transactional messages (booking confirmations, invoices, receipts, security alerts) and, with your consent or where permitted by law, product updates. You can opt out of marketing email at any time.
  • To comply with applicable law, regulatory requests, and legal process.

5. AI processing — what we do and do not do

We use third-party artificial-intelligence services to operate features you turn on. Specifically:

  • Voice answering and conversation uses Vapi, which in turn uses OpenAI's language models, Deepgram's transcription, and ElevenLabs' speech synthesis as sub-processors.
  • Landing-page copy generation and translation uses Google's Gemini model.

We send these vendors only the inputs needed to perform the requested task (call audio for transcription; shop name, brands serviced, and similar facts for content generation). We do not authorize them to retain that input for model training. Your prompts and outputs are not used to improve any third-party model under our agreements with these vendors.

We may use anonymized, aggregated data — call counts, average call duration, common request types — to improve our own product. This aggregated data does not identify you or any individual.

6. How we share information

We do not sell personal information. We share it only in these circumstances:

6.1 Sub-processors

The following companies process information on our behalf to operate parts of the Service. Each is bound by contract to use the information only for the purpose listed.

VendorPurposeLocation
Stripe, Inc.Payments, subscription billingUnited States
Vapi, Inc.AI voice phone platform (call orchestration, recording, transcription)United States
OpenAI, L.L.C.Large language model inference for AI calls (sub-processor of Vapi)United States
Deepgram, Inc.Speech-to-text transcription (sub-processor of Vapi)United States
ElevenLabs, Inc.Text-to-speech voice synthesis (sub-processor of Vapi)United States
Twilio Inc.SMS messaging (when enabled)United States
Resend Inc.Transactional email deliveryUnited States
Google LLCGemini language model (content generation for landing pages, translation)United States
Cloudflare, Inc.Content delivery, DDoS protection, DNSUnited States
The Constant Company, LLC (Vultr)Hosting infrastructure (servers, databases, backups)United States (Atlanta, GA)
Umami (self-hosted)Privacy-first web analytics — aggregated page views and sessions; no cookies, no third-party data sharingSelf-hosted on operator infrastructure (United States)

We update this list when sub-processors change. Customers will be notified of material additions at least 30 days in advance where reasonably practicable.

6.2 Customers' integrations

When you, or a customer of ours, authorizes a third-party integration (for example, Google Ads, Google Calendar, an SMS gateway), we exchange data with that third party on the authorizing party's behalf. The third party's own privacy policy then also applies.

6.3 Required disclosures

We may share information when required to do so by law, by valid legal process, or where we believe in good faith that disclosure is necessary to protect our rights, the safety of our users, or the integrity of our Service.

6.4 Business transfers

If MeraFlow LLC is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify affected users and provide reasonable choices where practicable.

6.5 With your consent

For any other purpose, only with your explicit consent.

6.6 Mobile opt-in & SMS data

Mobile opt-in information and SMS consent — including a phone number and the fact that consent to receive text messages was given — are not shared with, rented to, or sold to any third parties or affiliates for their marketing or promotional purposes.Where text messages are sent, the mobile number is shared only with the SMS carrier and messaging platform that deliver those messages on our (or our customer's) behalf, and only as needed to send them. Message frequency varies; message and data rates may apply; reply STOP to opt out and HELP for help.

7. Data retention

We keep information only as long as we need it for the purposes described, plus a reasonable period to satisfy legal obligations and resolve disputes. Specific defaults:

  • Account records — for the life of the account plus 12 months.
  • Customer-supplied tenant data (the data your shop puts into our CRM) — kept while your subscription is active. After cancellation we retain it for 60 days to allow export, then purge unless you request earlier deletion.
  • AI call audio recordings — 90 days, then deleted. Customers may request shorter retention by contacting [email protected].
  • AI call transcripts and metadata — 12 months.
  • Billing and tax records — 7 years (US federal tax recordkeeping).
  • Activity and security logs — 12 months.
  • Database backups — rolling 30 days.
  • Lead-capture submissions — until you ask us to delete them.

8. Security

We use technical and organizational measures including TLS encryption in transit, encryption at rest for backups and secrets, role-based access control, multi-factor authentication on administrative accounts, audit logging, and regular review of access and permissions. We segregate customer data using row-level security so that one tenant cannot read another tenant's rows. Despite these efforts, no system is perfectly secure; we cannot guarantee absolute security.

If we become aware of a security breach involving your personal information, we will notify affected parties and applicable authorities consistent with applicable law (and in any event without unreasonable delay).

To protect our forms (such as contact, waitlist, and booking) against spam and automated abuse, our website uses Cloudflare Turnstile. Turnstile runs in the background and may process device and interaction signals to distinguish humans from bots. Your use of Turnstile is subject to the Cloudflare Privacy Policy and the Cloudflare Turnstile Privacy Addendum.

9. Cookies and similar technologies

We use a small number of cookies for essential functions (authentication, session, CSRF protection) and, where applicable, for product analytics. We do not currently run third-party advertising trackers on the public website. See our Cookie Policy for the full list and any controls available to you.

For platform analytics we run Umami, a privacy-first analytics tool self-hosted on our own infrastructure. Umami records aggregate page views and sessions without setting cookies, without collecting personally identifying information, and without sharing data with third parties. Visitors are not tracked across sessions or across sites.

10. Your rights

Depending on the state of residence, individuals in the United States may have rights including the right to:

  • Know what personal information we collect, where we got it, and how we use it.
  • Access a copy of the personal information we hold.
  • Correct inaccuracies in that information.
  • Delete personal information we hold, subject to limited legal exceptions.
  • Opt out of the "sale" or "sharing" of personal information for cross-context behavioral advertising. We do not sell personal information; you may still submit a request and we will confirm.
  • Limit use of sensitive personal information where applicable.
  • Appeal a denial of a privacy request.
  • Non-discrimination for exercising any of these rights.

These rights are recognized in varying form under the privacy laws of the following states: California (CCPA / CPRA); Virginia (VCDPA); Colorado (CPA); Connecticut (CTDPA); Utah (UCPA); Texas (TDPSA); Oregon (OCPA); Montana (MTCDPA); Iowa (ICDPA); Tennessee (TIPA); Indiana (ICDPA); New Hampshire (NHCDPA); Delaware (DPDPA); New Jersey (NJDPA). Other states may provide additional rights. We honor verifiable requests regardless of which state law applies.

To exercise any right, email [email protected]. We may need to verify your identity before fulfilling certain requests. We will respond within 45 days of a verifiable request and may extend once by an additional 45 days where reasonably necessary, with notice to you.

If your personal information is held by a customer of ours (you used a repair shop's booking form, you spoke with a shop's AI assistant, etc.), please contact that shop directly. We will assist them in fulfilling your request.

11. Recorded calls and two-party consent states

Calls to our AI sales line and to our customers' AI assistants are recorded. The AI introduces itself as an AI at the start of every call and discloses that the call may be recorded. Callers located in two-party-consent states — California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Montana, Nevada, New Hampshire, Pennsylvania, Washington — may at any time ask the AI to stop recording or transfer to a human; the AI will end the call without further recording or attempt to transfer. See the full AI Disclosure.

12. Children

The Service is intended for use by businesses and the adults who run them. It is not directed at children under 16. We do not knowingly collect personal information from children. If we learn we have collected information from a child without verified parental consent, we will delete it.

13. International users

The Service is operated from and hosted in the United States. We do not actively offer the Service to residents of the European Economic Area, the United Kingdom, or other jurisdictions outside the United States. If you access the Service from outside the United States, you understand and agree that your information will be transferred to and processed in the United States.

14. Third-party links

The Service may contain links to third-party websites. We are not responsible for the practices of those sites. Please review their privacy policies before providing information to them.

15. Changes to this Policy

We may update this Policy from time to time. When we do, we will post the revised version at this URL and update the "Last updated" date. Material changes will be communicated by email to active customers at least 30 days before they take effect, except where a shorter notice period is required by law or to address a security risk.

16. Contact

For privacy questions or to exercise any right under this Policy: