Data Handling
How data is collected, stored, protected, backed up, and ultimately deleted — the full lifecycle of personal and operational information on the Merion platform.
Data lifecycle overview
Personal information on the Merion platform passes through five stages:
- Collection — from creditor clients (at onboarding and case referral) and from debtors (via portal, phone, or correspondence).
- Use — to manage and pursue the specific debt account to resolution.
- Storage — in Merion's hosted database, encrypted at field level for PII.
- Retention — held for the minimum required period (see below).
- Deletion / de-identification — after the retention period, data is deleted or de-identified so it can no longer be attributed to an individual.
Encryption at rest
Debtor personally identifiable information (PII) — specifically phone numbers and physical addresses — is encrypted at the field level using AES-256-GCM (Advanced Encryption Standard, 256-bit key, Galois/Counter Mode). GCM provides both confidentiality and authenticity: a tampered ciphertext will fail decryption rather than silently returning incorrect data.
Encryption keys are stored separately from the data they protect. Keys are rotated on a scheduled basis; historical ciphertexts are re-encrypted following key rotation. Access to encryption keys is logged and restricted to automated service accounts; no human operator has direct key access in production.
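The tamper-rejection and post-rotation re-encryption behaviour described above, as an added example in Node.js that is not Merion's code. The in-memory keyring, the key IDs `k1`/`k2`, the `keyId.iv.tag.ciphertext` stored form and the binding of each ciphertext to its tenant, record and field through AAD are assumptions made for illustration; the AAD binding goes beyond what the page states.

```javascript
// Added example: field-level AES-256-GCM with a key ID to support rotation.
const crypto = require('crypto');

// Constructed demo keyring (assumption); real keys live in a separate key store.
const keyring = {
  active: 'k2',
  keys: { k1: crypto.randomBytes(32), k2: crypto.randomBytes(32) },
};

// AAD ties a ciphertext to its tenant, record and column, so a value copied
// into another row or field fails authentication instead of decrypting.
const aadFor = (ctx) => Buffer.from(`${ctx.tenant}|${ctx.recordId}|${ctx.field}`);

function encryptField(plaintext, ctx, keyId = keyring.active) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', keyring.keys[keyId], iv);
  cipher.setAAD(aadFor(ctx));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const parts = [iv, cipher.getAuthTag(), ct].map((b) => b.toString('base64'));
  return [keyId, ...parts].join('.'); // stored form: keyId.iv.tag.ciphertext
}

function decryptField(stored, ctx) {
  const [keyId, iv, tag, ct] = stored.split('.');
  const key = keyring.keys[keyId];
  if (!key) throw new Error(`unknown key id ${keyId}`);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(iv, 'base64'));
  decipher.setAAD(aadFor(ctx));
  decipher.setAuthTag(Buffer.from(tag, 'base64'));
  // final() throws if the ciphertext, tag, nonce or AAD was altered.
  const pt = Buffer.concat([decipher.update(Buffer.from(ct, 'base64')), decipher.final()]);
  return pt.toString('utf8');
}

// After rotation: re-encrypt any value still held under a retired key.
function reencryptIfStale(stored, ctx) {
  if (stored.startsWith(`${keyring.active}.`)) return stored;
  return encryptField(decryptField(stored, ctx), ctx);
}

// Returns true when decryption is rejected, i.e. tampering was detected.
function rejects(stored, ctx) {
  try { decryptField(stored, ctx); return false; } catch { return true; }
}
```

A retired key can only be removed from the keyring once every stored value has passed through `reencryptIfStale`, because older ciphertexts name the key they were written under.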
Operational data that is not PII (case reference numbers, status flags, amounts, timestamps) is stored unencrypted for query performance, but is subject to the same access-control and multi-tenant isolation controls as encrypted fields.
Encryption in transit
All data in transit is protected by TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) with a max-age of 31,536,000 seconds (one year) is enforced on all public-facing endpoints. Internal service-to-service traffic is also encrypted; no plaintext HTTP channels exist in the production environment.
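One way to check that an endpoint's `Strict-Transport-Security` header meets the max-age stated above, as an added example that is not Merion's code. The function names and result shape are assumptions; parsing follows the directive rules of RFC 6797 (case-insensitive names, optional quoted values, no repeated directives).

```javascript
// Added example: verify an HSTS header value against the stated one-year policy.
const REQUIRED_MAX_AGE = 31536000; // seconds, the value stated on this page

function parseHsts(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const item = part.trim();
    if (item === '') continue; // tolerate a trailing ';'
    const eq = item.indexOf('=');
    const name = (eq === -1 ? item : item.slice(0, eq)).trim().toLowerCase();
    let value = eq === -1 ? null : item.slice(eq + 1).trim();
    if (value !== null && /^".*"$/.test(value)) value = value.slice(1, -1);
    // RFC 6797: a directive must not appear more than once in a header.
    if (directives.has(name)) throw new Error(`duplicate directive: ${name}`);
    directives.set(name, value);
  }
  return directives;
}

function checkHsts(headerValue) {
  if (typeof headerValue !== 'string') return { ok: false, reason: 'header missing' };
  let d;
  try {
    d = parseHsts(headerValue);
  } catch (e) {
    return { ok: false, reason: e.message };
  }
  const raw = d.get('max-age');
  if (raw == null || !/^\d+$/.test(raw)) {
    return { ok: false, reason: 'max-age missing or not numeric' };
  }
  const maxAge = Number(raw);
  if (maxAge < REQUIRED_MAX_AGE) {
    return { ok: false, reason: `max-age ${maxAge} below ${REQUIRED_MAX_AGE}` };
  }
  return { ok: true, maxAge, includeSubDomains: d.has('includesubdomains') };
}
```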
Backups
The production database is backed up automatically on a scheduled basis:
- Daily snapshots are taken at low-traffic periods and retained for 30 days.
- Weekly snapshots are retained for 90 days.
- Monthly snapshots are retained for 12 months.
Backups are encrypted using the same key management approach as production data. Backup restoration is tested periodically to confirm recoverability. Backups are stored in a separate geographic region from the primary database.
Retention schedule
Merion retains personal information for the minimum period necessary for the purposes described, and not less than:
- Active case data: Retained for the life of the case plus 7 years after final resolution.
- Payment records: 7 years from the date of the transaction (taxation and financial reporting obligations).
- Audit log entries: 7 years minimum; append-only (cannot be deleted through the application).
- Correspondence: 7 years from the last action on the account.
- Creditor account data: Life of the client relationship plus 7 years after disengagement.
- System logs (access, error): 90 days rolling; after 90 days, logs are deleted unless a specific incident requires preservation.
After the relevant retention period, data is permanently deleted from all storage systems including backups (backups age out and are not specially retained beyond their scheduled retention window).
Data minimisation
Merion collects only the data needed to pursue the specific debt account. We do not collect demographic data, employment status, or social media information unless directly relevant to the account and provided voluntarily by the debtor. Creditors are asked to submit only the data needed to establish the debt — not the full customer record.
Data breach response
In the event of a data breach (actual or suspected), Merion's incident response procedure is:
- Detection — Sentry alerts, anomaly detection, or staff report trigger an incident. The on-call engineer is notified within minutes.
- Containment — Affected systems are isolated. Access is revoked where necessary. The scope and nature of the breach are assessed.
- Assessment — The type of data involved, the number of individuals affected, and the likely harm are assessed within 30 days.
- Notification — If the breach meets the threshold for an Eligible Data Breach under the Notifiable Data Breaches (NDB) scheme (Part IIIC of the Privacy Act), the OAIC is notified and affected individuals are contacted as soon as practicable.
- Remediation — Root cause is identified. Controls are updated to prevent recurrence. A post-incident review is conducted.
To report a suspected breach or security issue, see Responsible Disclosure.
Right to deletion
Where a deletion request is received and there is no ongoing legal or regulatory obligation to retain the data, Merion will delete or de-identify the relevant personal information within 30 days of confirming the request. Note that where an active debt account exists, deletion cannot be completed until the account is resolved, as the data is necessary for the legitimate purpose of pursuing the debt.
To submit a data deletion request, email [email protected] with the subject line "Data Deletion Request".