Merion
Frequently Asked Questions
Common questions about how Merion protects data, handles personal information, and meets its regulatory obligations.
- Is my data encrypted?
- Yes. Debtor personally identifiable information (PII) — specifically phone numbers and physical addresses — is encrypted at the field level using AES-256-GCM before being written to storage. All data in transit is protected by TLS 1.2 or higher with HSTS enforced.
- Who can see my account information?
- Only you and authorised Merion staff can access your account. If you are a creditor client, you can see only cases you have referred — not those of other clients. If you are a debtor, you can see only accounts that relate to you. Multi-tenant isolation is enforced at the database query layer, not just the UI.
- Does Merion sell my personal information?
- No. Merion does not sell personal information to third parties under any circumstances. Personal information is used only for the purpose of managing and recovering the specific debt account, and for regulatory compliance.
- Where is my data stored?
- Merion's application data is hosted on Hostinger's managed infrastructure. Cloudflare provides DNS, CDN, and WAF services globally. Some sub-processors — including Stripe, Anthropic, OpenAI, and Sentry — are located in the United States. See the Sub-Processors page for details.
- Which regulations does Merion comply with?
- Merion operates under the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth), the ACCC/ASIC Debt collection guideline, and ASIC RG 96. It is not required to hold a Commercial Agent Licence in QLD, VIC, NSW or ACT as it does not engage in field-agent activities.
- How do I make a privacy request?
- Email [email protected] with the subject line 'Privacy Request'. Include your full name, the account or case reference number (if known), and a description of what you are requesting (access, correction, or deletion). We respond within 30 days.
- What happens if there is a data breach?
- Merion follows the Notifiable Data Breaches (NDB) scheme under the Privacy Act. If a breach meets the eligible data breach threshold, we notify the OAIC and affected individuals as soon as practicable. See the Data Handling page for our full breach response procedure.
- How do I log in to the debtor portal?
- Debtor portal access is passwordless. You need your case reference number (from your letter), access to your registered email for a magic link, and access to your registered phone for an SMS OTP. You do not create a password.
- Is Stripe PCI compliant?
- Yes. Stripe is a PCI DSS Level 1 certified service provider — the highest level of PCI compliance. Merion's platform does not store, process, or transmit raw card data. Card credentials are tokenised by Stripe's hosted elements before reaching Merion's servers.
- What authentication does the client portal use?
- The client portal uses Merion's self-hosted OIDC SSO at auth.merion.com.au, using ES256 (ECDSA with P-256/SHA-256) token signatures and PKCE S256 for the authorisation code flow. Credential-based login is supported; multi-factor authentication is available.
- How do I report a security vulnerability?
- Email [email protected] with 'Security' in the subject line. Include a description of the vulnerability, affected URLs or endpoints, and reproduction steps. Do not include real personal data in your report. See the Responsible Disclosure page for full details, scope, and safe-harbour terms.
- Which AI providers does Merion use?
- Anthropic (Claude) and OpenAI (GPT) are engaged for optional AI features only. These features are not used in standard collection workflows. When AI processing is used, text is submitted without embedding raw PII where this can be avoided. Merion does not make automated decisions about individual debtors using AI without human review.
- How long does Merion keep my data?
- Active case data is retained for the life of the case plus 7 years after final resolution. Payment records are kept for 7 years. Audit log entries are retained for a minimum of 7 years and are append-only. After the relevant retention period, data is permanently deleted or de-identified.
- Is Merion licensed to collect debts?
- Merion is not required to hold a Commercial Agent Licence in Queensland, Victoria, New South Wales, or the Australian Capital Territory, as it does not engage in field-agent activities. Its operations comply with all relevant state and federal regulations.
- How do I make a complaint?
- Contact us at [email protected] with 'Complaint' in the subject line. We acknowledge within one business day and aim to resolve within 10 business days. If unresolved, you may escalate to the ACCC, ASIC, or OAIC depending on the nature of the complaint. See merion.com.au/complaints/ for the full process.
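The field-level AES-256-GCM encryption described in the "Is my data encrypted?" answer, as an added Go example that is not Merion's code: the storage layout (nonce || ciphertext || tag), the function names, and the choice to bind the record id and column name in as additional authenticated data are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Assumed storage layout (not Merion's actual scheme): nonce || ciphertext || GCM tag.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 { // insist on AES-256; a 16-byte key would silently give AES-128
		return nil, fmt.Errorf("AES-256-GCM needs a 32-byte key, got %d", len(key))
	}
	block, _ := aes.NewCipher(key) // cannot fail: key length already checked
	return cipher.NewGCM(block)
}

// Record id and column name ride along as additional authenticated data, so a ciphertext
// copied into another record or column fails to decrypt instead of leaking a value.
func aad(recordID, field string) []byte { return []byte(recordID + "\x00" + field) }

// EncryptField seals one PII value (e.g. a phone number) before it is written to storage.
func EncryptField(key []byte, recordID, field, plaintext string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random 96-bit nonce per write
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(plaintext), aad(recordID, field)), nil
}

// DecryptField reverses EncryptField; tampering or a wrong recordID/field yields an error.
func DecryptField(key []byte, recordID, field string, sealed []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return "", fmt.Errorf("ciphertext too short")
	}
	pt, err := gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad(recordID, field))
	return string(pt), err // pt is nil (so "") whenever err is non-nil
}
```

Because the associated data differs per record and column, a ciphertext lifted from one debtor's phone field and written into another's is rejected at decryption time rather than returned as that debtor's number.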
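The PKCE S256 exchange named in the client-portal authentication answer, as an added Go example that is not Merion's implementation: the client derives code_challenge from a random code_verifier, and the authorisation server recomputes and compares it at the token endpoint. The function names and the length bounds are this example's own; the derivation follows RFC 7636.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

// NewCodeVerifier returns a high-entropy code_verifier for the PKCE flow (RFC 7636):
// 32 random bytes, base64url-encoded without padding, giving 43 unreserved characters.
func NewCodeVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// CodeChallengeS256 is what the client sends on the authorization request:
// BASE64URL-ENCODE(SHA256(ASCII(code_verifier))), with code_challenge_method=S256.
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyS256 is the authorization server's check at the token endpoint: it recomputes
// the challenge from the verifier presented with the authorization code and compares it
// to the challenge stored with that code. A stolen code is useless without the verifier.
func VerifyS256(storedChallenge, presentedVerifier string) error {
	if n := len(presentedVerifier); n < 43 || n > 128 {
		return fmt.Errorf("code_verifier length %d outside RFC 7636 bounds", n)
	}
	got := CodeChallengeS256(presentedVerifier)
	if subtle.ConstantTimeCompare([]byte(got), []byte(storedChallenge)) != 1 {
		return fmt.Errorf("code_verifier does not match code_challenge")
	}
	return nil
}

func main() {
	verifier, _ := NewCodeVerifier()         // kept client-side, never sent in the front channel
	challenge := CodeChallengeS256(verifier) // sent with the authorization request
	other, _ := NewCodeVerifier()            // what an attacker holding only the code could guess
	fmt.Println("right verifier:", VerifyS256(challenge, verifier))
	fmt.Println("wrong verifier:", VerifyS256(challenge, other))
}
```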
Still have a question?
If your question is not answered here, email [email protected]. For security vulnerability reports, see Responsible Disclosure. For privacy requests, see Privacy. For complaints, see merion.com.au/complaints/.