Back to home

Last Updated: June 2026

This Privacy Policy describes how Mera Labs B.V. ("Mera," "Mera News," "we," "us," or "our") processes personal data in connection with the Mera News mobile application and related services.

Mera News is owned and operated by Mera Labs B.V. a company registered in the Netherlands. Mera Labs B.V. is the legal entity responsible for the service and acts as the data controller for personal data processed under this policy.

This policy is intended to explain the service's data-processing model in precise terms. Technical mechanisms such as on-device processing, confidential computing, encryption, and data minimization are described because they determine what data is processed, where processing occurs, and which parties can access it.

1. Data Controller

The data controller for personal data processed under this policy is:

Mera Labs B.V.

Location: Netherlands

Website: mera.news

Privacy contact: privacy@mera.news

Data Protection Officer: dpo@mera.news

Security contact: security@mera.news

General support: support@mera.news

This policy is prepared with reference to the General Data Protection Regulation (EU GDPR), the Dutch Implementation Act (Uitvoeringswet AVG), and applicable EU privacy rules.


2. Summary of the Processing Model

Mera News separates user data into two principal categories:

  1. User facts: personal information, preferences, interests, concerns, reading context, and other information that may identify or characterize an individual user.
  2. User topics: generic topic strings derived from user facts, such as "Amsterdam local news" or "EU technology regulation."

The service is designed so that user facts remain on the user's device at rest. User topics are transmitted to Mera-controlled infrastructure each time the user requests news and are used to retrieve candidate news items. User topics may be transiently cached while a request is processed, but they are never persistently stored. Topic retrieval is stateless and idempotent: the server does not retain a record of which topics a user requested.

AI processing is performed in one of two ways, chosen by the user (subject to device support):

  • On-device processing (local LLM): where the device supports it, the user can run a local LLM provided by Mera directly on the device.
  • Private Cloud Compute (confidential compute): alternatively, the user can use Private Cloud Compute. Data is encrypted on the device, then decrypted and executed only inside an attested, secured isolated environment, and the results are returned to the device. This guarantees that the user input and LLM output are not accessible to anyone except the user.

User facts, user topics, reading history, and generated suggestions are all stored on the user's device, and Mera has no access to them. Mera's servers do not store user facts, user topics, generated suggestions, reading history, notification decisions, or inference outputs.


3. Data Categories

3.1 Account Data

Mera News may collect and store:

  • Email address
  • Password hash and associated authentication data
  • Account creation date
  • Subscription status
  • Billing-related records where applicable

Purpose: account authentication, service access, billing, fraud prevention, and service-related communication.

Retention: until account deletion, except where legal retention obligations apply.

3.2 Device Data

Mera News may collect and store:

  • Device identifier or push notification token
  • App version
  • Operating system version
  • Device capability tier

Purpose: delivery of notifications, selection of the appropriate processing path, technical support, security, and service reliability.

Mera News does not collect device location, contacts, photos, files, or a list of installed applications.

3.3 User Facts

User facts may include:

  • Interests and preferences
  • Personal circumstances voluntarily provided by the user
  • Reading context and feedback
  • User-defined relevance signals
  • Local history used to reduce repetition or improve relevance

User facts are stored on the user's device at rest. They are not stored on Mera servers. Where Private Cloud Compute is used, relevant payloads are encrypted on the device before transmission and decrypted and processed only inside the secured isolated environment described in this policy.

3.4 User Topics

User topics are generic topic strings derived from user facts. Examples include:

  • "Amsterdam local news"
  • "AI regulation Europe"
  • "climate policy updates"

User topics are stored on the user's device, together with user facts, reading history, and generated suggestions, and Mera has no access to this stored data. User topics are transmitted to Mera-controlled infrastructure each time the user requests news. While a request is processed, they may be transiently cached (for example, in MongoDB or in memory), but they are never persistently stored. The server is stateless and idempotent with respect to user topics and does not retain a record of which topics a user requested.

Purpose: retrieval of candidate news items that may be relevant to the user.

Design objective: user topics are intended to be broad search strings rather than detailed personal profiles. They are not intended to identify a specific individual.

3.5 Usage Metadata

Mera News may collect:

  • Timestamps of article-candidate requests
  • Aggregated service performance data
  • Anonymized crash or error logs

Mera News does not collect:

  • Which articles the user opened or read
  • Time spent reading
  • Article-level behavioral history
  • Which articles became notifications
  • The user's reaction to specific articles
  • Inference inputs, outputs, or intermediate results

Retention: request timestamps are deleted after 90 days. Crash logs are deleted after 30 days unless a shorter retention period is technically required or a longer period is necessary for security investigation.


4. System Architecture and Data Flow

4.1 Local Processing

The following processing occurs on the user's device:

  • Storage of user facts
  • Storage of user topics
  • Storage of reading history and local article-state information
  • Generation or use of relevance context
  • Notification decision-making
  • Suggestion storage
  • Decryption of Private Cloud Compute results
  • Native translation where enabled by the operating system

4.2 Topic Generation

Mera News converts user facts into user topics either on-device or through NEAR AI Private Cloud Compute.

The purpose of this step is to convert detailed local context into broader search terms. User topics are transmitted to Mera servers over encrypted connections each time the user requests news and are used for candidate retrieval. They may be transiently cached while a request is processed, but they are never persistently stored. This processing is stateless and idempotent: the server does not retain a record of which topics a user requested.

4.3 Candidate Retrieval

Mera infrastructure uses user topics to retrieve candidate news items. Google Cloud Platform may be used for news sourcing, indexing, candidate generation, and delivery infrastructure.

GCP is used for the news-processing pipeline. User facts are not processed on GCP.

4.4 AI Inference

Mera News uses AI for topic generation, relevance scoring, and suggestion generation. The user can choose between two inference paths:

  • Local LLM: inference is performed on the device using a local LLM provided by Mera.
  • Private Cloud Compute (confidential compute): data is encrypted on the device before transmission, decrypted and executed only inside an attested, secured isolated environment, and the results are returned to the device. This design guarantees that the user input and the LLM output are not accessible to anyone except the user, including Mera and the infrastructure provider.

Mera does not use user data to train, fine-tune, or improve AI models. Mera does not send personal data to general-purpose AI platforms such as OpenAI, Google, or Anthropic for inference.

4.5 Periodic Updates

For users on the Private Cloud Compute path, silent push notifications may trigger periodic background processing. The device prepares an encrypted payload and sends it to the Private Cloud Compute environment, where it is decrypted and processed inside a secured isolated environment. The device then determines which news, if any, should be surfaced.

For users on the local LLM path, processing occurs when the user opens the app or otherwise initiates relevant app activity. No server-side background inference is performed for user facts.

4.6 Suggestions and Notifications

Suggestions and notification decisions are generated and stored on the device. Mera servers do not retain generated suggestions, notification decisions, or reasoning about why a particular article was relevant to a user.


5. Purposes of Processing

Mera News processes data for the following purposes:

5.1 Service Delivery

  • Authenticating users
  • Fetching candidate news items
  • Generating user topics
  • Running relevance and suggestion workflows
  • Delivering notifications
  • Supporting account and device functionality

5.2 Security and Reliability

  • Preventing unauthorized access
  • Detecting abuse or service misuse
  • Maintaining audit logs for backend access
  • Diagnosing crashes and technical failures
  • Maintaining service availability

5.3 Billing

Where paid services are introduced or used, account and payment-related information may be processed for billing, subscription management, tax compliance, and financial recordkeeping.

5.4 Service Improvement

Mera News may use aggregated or anonymized analytics to assess system performance, crash rates, source quality, and broad product reliability.

Mera News does not use analytics to identify individual users or build behavioral advertising profiles.


6. Legal Bases for Processing

Under GDPR Article 6, Mera News processes personal data on the following legal bases:

  • Contract performance (Article 6(1)(b)): account creation, authentication, service delivery, and user-requested functionality.
  • Legitimate interests (Article 6(1)(f)): security, fraud prevention, service reliability, system diagnostics, and aggregated service improvement.
  • Legal obligation (Article 6(1)(c)): retention of billing, tax, and accounting records where legally required.
  • Consent (Article 6(1)(a)): where a specific feature or jurisdiction requires consent.

Where processing is based on consent, the user may withdraw consent at any time. Withdrawal does not affect processing that occurred before withdrawal.


7. Data Not Collected or Stored by Mera Servers

Mera servers do not store:

  • User facts, except for the email address required for authentication
  • Detailed personal interest profiles
  • A record of which user topics a user requested
  • Personal concerns or circumstances
  • Reading history
  • Article-open history
  • Article dismissal history
  • Which articles became notifications
  • Generated suggestions
  • Inference inputs, outputs, or intermediate results
  • Notification-relevance reasoning
  • Native on-device translations
  • Location data
  • Contacts
  • Browsing history outside Mera News
  • Search activity within publisher websites

8. Third-Party Service Providers

Mera News uses third-party service providers only for specific functions described below.

8.1 Payment Processing

Providers: Stripe and/or PayPal

Data shared: email address, payment amount, subscription status, and transaction information required for payment processing

Purpose: payment processing, subscription management, fraud prevention, and financial recordkeeping

Policies: Stripe Privacy Policy | PayPal Privacy Policy

8.2 Private Cloud Compute (Confidential-Compute AI Processing)

Provider: NEAR AI

Function: Private Cloud Compute inference for users who do not use the local LLM

Data shared: encrypted inference payloads and limited network metadata required to deliver the service

Purpose: decrypting and processing encrypted requests only inside an attested, secured isolated environment and returning encrypted results to the user's device, such that user input and LLM output are not accessible to anyone except the user

Policy: NEAR AI Privacy Policy

Mera does not intentionally provide plaintext user facts, reading history, notification decisions, or generated suggestions to NEAR AI.

8.3 Cloud Infrastructure

Provider: Google Cloud Platform

Function: news sourcing, indexing, candidate generation, and delivery infrastructure

Data processed: news data and service infrastructure data

Data not processed: user facts, user topics, or inference payloads

8.4 Push Notification Infrastructure

Providers: Apple Push Notification Service and Firebase Cloud Messaging

Data shared: device token and notification-delivery metadata

Purpose: delivery of silent push notifications or service notifications

Data not shared: article content, user facts, user interests, notification reasoning, or generated suggestions

8.5 News Publishers

When the user opens an article, Mera News may direct the user to the publisher's website in an in-app web view or external browser.

The publisher controls the article page and surrounding website experience. The publisher's own terms, privacy policy, cookie practices, advertising systems, subscriptions, paywalls, and account requirements apply. Mera News does not control or receive data about the user's activity on the publisher's website.


9. Artificial Intelligence and Automated Processing

Mera News uses AI to support:

  • Conversion of user facts into user topics
  • Relevance scoring
  • Suggestion generation
  • Reduction of repetitive or irrelevant recommendations
  • Optional translation only where provided by native Android or iOS functionality

Mera News does not use AI to make decisions that produce legal or similarly significant effects on users within the meaning of GDPR Article 22.

Users may contact privacy@mera.news to request information about AI-related processing or to object where applicable under GDPR.


10. Security Measures

Mera News applies technical and organizational measures intended to protect data against unauthorized access, loss, misuse, alteration, and disclosure.

These measures include:

  • TLS 1.3 for data in transit
  • AES-256 encryption for stored server-side data
  • bcrypt hashing for passwords
  • Encryption of user facts at rest on the user's device
  • Device-side encryption before Private Cloud Compute transmission
  • Access controls for backend systems
  • Audit logging for backend access
  • Security-monitoring procedures
  • Incident-response procedures
  • Third-party security assessments
  • Responsible vulnerability disclosure procedures

No transmission or storage method can provide absolute security. If a security incident creates a notification obligation under GDPR Articles 33 or 34, Mera News will notify the competent supervisory authority and affected individuals where required.


11. Data Retention

Data Type Storage Location Retention Period
Email address Mera servers Until account deletion
Password hash Mera servers Until account deletion
Billing records Mera servers / payment processors 7 years where required by Dutch law
Anonymous user topics Transiently cached on Mera-controlled infrastructure during a request; never persistently stored Not retained; discarded after the request
Request timestamps Mera servers 90 days
Crash logs Mera servers 30 days
User facts User device Until app uninstall, local data deletion, or account-related deletion flow where supported
User topics (device copy) User device Until app uninstall, local data deletion, or account-related deletion flow where supported
Suggestions User device Until app uninstall, local data deletion, or account-related deletion flow where supported
Reading history User device Until app uninstall, local data deletion, or account-related deletion flow where supported
Private Cloud Compute inference data Not retained by Mera; decrypted and processed only in a secured isolated environment Discarded after processing

12. International Data Transfers

Mera News is operated from the Netherlands and is subject to EU data-protection law.

Primary storage for account data is intended to occur in EU data centers. User topics are processed transiently for candidate retrieval and are not persistently stored. Payment processors and other service providers may process data outside the European Economic Area where necessary. In such cases, appropriate safeguards, including standard contractual clauses where applicable, are used.

For Private Cloud Compute, encrypted payloads may be transmitted to NEAR AI infrastructure. Because payloads are encrypted on the device before transmission and are decrypted and processed only inside a secured isolated environment, Mera servers do not receive plaintext user facts through this processing path.


13. Cookies and Similar Technologies

Mera News is primarily a mobile application.

13.1 Mobile Application

The mobile application does not use browser cookies for ordinary app functionality. Local storage is used to store user facts, user topics, preferences, reading history, generated suggestions, session information, and local article state on the user's device.

13.2 Website

The website at mera.news may use:

  • Essential cookies or equivalent technologies required for website operation
  • Privacy-preserving, cookieless analytics for aggregate website traffic analysis

Mera News does not use advertising cookies, social media tracking pixels, or third-party marketing cookies.

Users can manage cookies through browser settings. Disabling essential cookies may affect website functionality.


14. Government and Legal Requests

If legally required by valid legal process, Mera News may provide data that it controls, such as:

  • Account email address
  • Account creation date
  • Subscription and payment records
  • Request timestamps

Mera News cannot provide data it does not possess, including:

  • User facts stored only on the user's device
  • Reading history
  • Generated suggestions
  • Inference logs or results
  • A record of which user topics a user requested
  • Notification decisions
  • Native on-device translations
  • Publisher-site activity

Where legally permitted, Mera News will notify affected users of legal requests. Mera News may challenge requests that appear overbroad, unlawful, or inconsistent with applicable legal standards.


15. User Rights Under GDPR

Users have the following rights under GDPR and applicable Dutch law, subject to statutory conditions and limitations.

15.1 Right of Access

Users may request a copy of personal data processed by Mera News. This may include account information, subscription status, and request timestamps.

Mera News cannot provide user facts, reading history, generated suggestions, or a record of requested user topics, as these either exist only on the user's device or are not stored by Mera.

15.2 Right to Rectification

Users may request correction of inaccurate personal data. Certain data may be corrected directly in app settings.

15.3 Right to Erasure

Users may request deletion of their account and associated personal data. Upon valid request, Mera News will delete:

  • Account information
  • Password hash
  • Device identifiers
  • Associated metadata not subject to legal retention obligations

Billing records may be retained for the legally required period.

15.4 Right to Data Portability

Users may request export of their personal data in a structured, commonly used, machine-readable format, where applicable.

15.5 Right to Restrict Processing

Users may request that Mera News restrict processing in circumstances provided by GDPR.

15.6 Right to Object

Users may object to processing based on legitimate interests. Mera News will assess the objection in accordance with GDPR.

15.7 Rights Related to Automated Decision-Making

Users have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Mera News does not perform such decision-making.

15.8 Right to Withdraw Consent

Where processing is based on consent, users may withdraw consent at any time.

15.9 Right to Lodge a Complaint

Users may lodge a complaint with a supervisory authority. In the Netherlands, the competent authority is the Dutch Data Protection Authority:

Authority: Autoriteit Persoonsgegevens

Website: https://autoriteitpersoonsgegevens.nl

Telephone: +31 (0)70 888 8500

Address: Autoriteit Persoonsgegevens, Postbus 93374, 2509 AJ Den Haag, Netherlands

15.10 Exercising Rights

To exercise rights, contact privacy@mera.news.

Mera News will respond within 30 days where required by GDPR. In complex cases or where multiple requests are received, this period may be extended by up to two additional months. If an extension is required, Mera News will inform the user within the initial 30-day period.

Mera News may request identity verification before processing a rights request. A fee may be charged only where permitted by GDPR, such as for manifestly unfounded or excessive requests.


16. Children's Privacy

Mera News is not directed to individuals under 16 years of age. Mera News does not knowingly collect personal data from children under 16.

If Mera News becomes aware that a child under 16 has provided personal data, reasonable steps will be taken to delete that data. Concerns may be sent to privacy@mera.news.


17. Business Transfers

If Mera Labs B.V. is involved in a merger, acquisition, reorganization, sale of assets, or other business transfer, account data and operational records may be transferred as part of that transaction. Because user topics are not persistently stored, they are not part of any such transfer.

Mera News will provide notice where required by law. User facts stored only on user devices are not part of server-side business-transfer records unless separately provided by the user or otherwise processed in a manner described in an updated policy.


18. Changes to This Policy

Mera News may update this Privacy Policy to reflect changes in the service, data-processing practices, legal requirements, or technical implementation.

Material changes will be communicated through one or more appropriate channels, such as email, in-app notice, or notice on the website. The updated policy will apply from the date stated in the updated version.

Users who do not agree with an updated policy may stop using the service and request account deletion.


19. Contact

For privacy questions or data-rights requests:

Email: privacy@mera.news

For data-protection matters:

Data Protection Officer: dpo@mera.news

For security reports:

Email: security@mera.news

For general support:

Email: support@mera.news

Operator: Mera Labs B.V.

Location: Netherlands