Mercury Privacy Policy
Version 1.0 · Effective date: May 31, 2026
Draft status: This is privacy policy v1, pending review by privacy counsel before public publication. It is written to describe Mercury's actual current data practices. See Revision history.
The short version (plain English)
Mercury is a scam- and phishing-protection app. To protect you, we read and analyze the content of the email in mailboxes you connect, so we can identify scams and phishing. Here is what matters most:
- We use your data only to protect you — to detect scams and phishing, to act on them, and to improve how well we detect them. Nothing else.
- We never sell your data. Not to anyone, ever.
- We never use your data for advertising, and we don't allow anyone else to.
- We never show the content of your messages to a family manager — no matter what visibility level you've granted them.
- You stay in control. You can disconnect a mailbox, revoke a family manager's visibility, or delete your account and data at any time, from inside the app.
The rest of this policy explains the details. We've tried to write it in plain language, because a privacy policy you can't understand isn't really protecting your privacy.
Who we are
Mercury is operated by Oliwka Software. If you have any privacy question or request, contact us at privacy@mercurysecurity.app.
What data we collect
- Account information. Your email address and authentication details, managed through our identity provider (Firebase Authentication). We do not store your password.
- Connected mailbox content. When you connect an email account (for example, Gmail), we access the messages in that mailbox in order to analyze them for scams and phishing. This includes message content — senders, subjects, and message bodies — because scams and phishing cannot be reliably identified from metadata alone.
- SMS classification data. On iPhone, when iOS hands an incoming message from an unknown sender to Mercury's Message Filter, the message may be classified on your device or, for ambiguous cases, sent to our classifier to return a verdict.
- Detection results. When we identify (or clear) a message, we record the result — a timestamp, the channel (email, SMS, or call), the classification, and a confidence score.
- Device and notification data. A push-notification token so we can alert you, and basic technical data needed to operate the service.
- Family-manager relationships. If you invite or accept a family manager, we record the relationship, its status, and the visibility level you've chosen.
How we use your data
We use your data for one purpose: to protect you from scams and phishing, and to get better at it. Specifically:
- Detection. We read and analyze the content of email in your connected mailboxes, and the content of SMS messages routed to us by iOS, to identify scams and phishing.
- Protection. We alert you to threats we find, help you understand them in plain language, and help you act on them.
- Improving detection. Building accurate scam and phishing detection requires studying real examples. During development and ongoing improvement, email content may be retained and reviewed by our team solely to build and improve our detection logic and models. Access is restricted and controlled.
We do not use your data for any other purpose. In particular:
- We do not sell your personal information.
- We do not use your data for advertising, ad targeting, or profiling unrelated to scam protection, and we do not allow third parties to.
- We do not share the content of your messages with family managers, advertisers, data brokers, or any other third party.
Google user data and restricted scopes
When you connect a Gmail account, Mercury requests Google's gmail.readonly scope, which lets us read the content of your mail in order to analyze it for scams and phishing.
Mercury's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Concretely, data obtained from Gmail is used only to provide and improve Mercury's scam- and phishing-detection features as described above. It is not sold, not used for advertising, and not transferred to others except as needed to provide the service, to comply with the law, or as part of a merger or acquisition with comparable protections. Human access to Gmail content is limited to building and improving detection (and where you have given explicit consent, or where required for security or to comply with law).
Microsoft email (forward-looking)
Mercury plans to support Microsoft email accounts via Microsoft Graph. When that launches, mail content accessed through Microsoft Graph will be handled under the same principles described here: used only for detection and protection, never sold, never used for advertising.
SMS classification
On iPhone, iOS — not Mercury — decides which messages from unknown senders to pass to Mercury's Message Filter extension. High-confidence classifications happen on your device. For ambiguous messages, iOS sends the message content to Mercury's classifier over a system-mediated network path to return a verdict. Mercury cannot read your full SMS history; it only ever sees messages iOS routes to it.
Family-manager visibility
Mercury lets you optionally bring in a family manager — a person you trust to help keep an eye out for scams targeting you. This is always your choice and always under your control.
- A visibility relationship exists only after you accept an invite. No one can add themselves.
- You choose the visibility level: summary only, standard, or detailed.
- A family manager never sees the content of your messages, at any visibility level. They see protection activity (such as that a scam was detected), not what your email or texts say.
- You can change the visibility level, pause it, or revoke it at any time from inside your own app — without the family manager being able to prevent it.
Data retention and deletion
We keep your data only as long as needed to provide protection and to improve detection, and then we delete it. You can delete your data at any time:
- Disconnect a mailbox to stop all access to that account.
- Delete your account to remove your personal data, subject to limited records we must keep for legal or security reasons.
- Email us at privacy@mercurysecurity.app to request access, correction, export, or deletion.
When you disconnect a mailbox or delete your account, we revoke the associated access tokens and delete the related stored data.
Your privacy rights
California (CCPA/CPRA). You have the right to know what personal information we collect, to access and delete it, and to correct it. We do not sell or share your personal information for cross-context behavioral advertising — there is nothing to opt out of, because we don't do it. We will not discriminate against you for exercising your rights.
EU/EEA and UK (GDPR). Where applicable, you have rights to access, rectify, erase, restrict, and port your data, and to object to processing. Our lawful basis for processing email content is your consent and the performance of the protection service you've asked us to provide. You may withdraw consent at any time by disconnecting the mailbox or deleting your account.
To exercise any of these rights, contact privacy@mercurysecurity.app.
Children's privacy
Mercury is not intended for, and may not be used by, anyone under 18. We do not knowingly collect data from children.
Cookies, analytics, and advertising
Mercury does not use advertising trackers and does not sell data to ad networks. Any analytics we use are limited to operating and improving the service, never for advertising.
Security
We protect your data with industry-standard measures, including encryption of stored credentials using managed keys, strict internal access controls, and a documented incident-response process. No system is perfectly secure, but protecting your data is core to what Mercury is.
Changes to this policy
We may update this policy as Mercury evolves. Material changes — for example, a change in the email permissions we request or in how we act on detected threats — will be reflected here with a new version number and effective date, and where required, we will ask for your consent again.
Revision history
| Version | Date | Summary |
|---|---|---|
| 1.0 | 2026-05-31 | Initial version. Describes Gmail gmail.readonly content analysis for scam/phishing detection, SMS classification, family-manager visibility, and CCPA/GDPR disclosures. |
Contact
Privacy questions, requests, or concerns: privacy@mercurysecurity.app