What are the institutional and regulatory implications of this document?

REGULATORY LANDSCAPE: Mercury's privacy policy engages the Gramm-Leach-Bliley Act (GLBA), which imposes specific financial privacy notice and opt-out requirements on financial institutions and their data sharing with non-affiliated third parties. The California Consumer Privacy Act (CCPA) as amended by CPRA applies to California-resident users and beneficial owners of Mercury accounts, granting rights to access, delete, correct, and opt out of sale or sharing of personal information. The FTC ho…

How does Mercury's Mercury Privacy Policy affect users?

Mercury's policy establishes data collection and sharing practices that apply to business account holders, authorized users, and beneficial owners associated with an account. The policy authorizes collection and processing of transaction records, account activity, device identifiers, and derived characteristics, with permitted disclosure to service providers, affiliates, and business partners for analytics and marketing purposes. Individuals seeking to exercise data access, deletion, or sharing…

How often is Mercury's Mercury Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Mercury updates this document?

Yes. Monitor subscribers ($19/month) can add Mercury to their watchlist and receive same-day email alerts whenever this document or any other Mercury document changes.

CA-D-000530

Mercury Privacy Policy

Mercury

Last change detected June 12, 2026 Privacy policy

SHA-256: 4317b21ebc59365d9cc… 2 versions captured 1 change documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Mercury ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

7 Total

0 High severity

4 Medium severity

3 Low severity

Summary

Mercury's privacy policy establishes the terms under which the company collects, uses, and shares financial and operational data from business account holders and associated individuals through its banking, lending, and expense management products. The policy authorizes Mercury to collect transaction history, account balances, device information, and behavioral patterns, and permits sharing this data with third-party service providers, affiliates, and business partners for purposes including analytics and marketing. California residents are entitled to submit requests to access, delete, or opt out of certain data sharing categories through Mercury's privacy portal.

Technical / Legal Breakdown

This document is Mercury's Privacy Policy governing the collection, use, sharing, and retention of personal information for users of Mercury's business banking platform, operating under applicable U.S. federal and state privacy law frameworks. The policy states that Mercury collects a broad range of personal and financial data including identity information, transaction data, device and usage data, and inferred characteristics, and the terms authorize sharing this information with affiliated entities, service providers, financial partners, and in some cases third parties for marketing and analytics purposes. Notably, the policy asserts the right to collect and use inferred data and behavioral signals for product improvement and marketing, and reserves broad discretion to share data with 'business partners' beyond core service delivery, though applicable law including CCPA and Gramm-Leach-Bliley Act provisions may constrain how some of these rights apply in practice. California residents are granted specific opt-out and deletion rights under CCPA, and the policy acknowledges GLBA applicability given Mercury's financial services context, which creates a layered regulatory compliance obligation spanning FTC enforcement, CFPB oversight, and state-level consumer protection regimes. Material compliance considerations include ensuring that consent mechanisms, data retention schedules, and third-party data sharing arrangements are consistent with GLBA financial privacy requirements and CCPA's expanded rights framework, particularly given Mercury's role as a banking-adjacent platform serving business customers.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Start Compliance free trial

1 important change detected

2 versions captured · Last updated: June 2026

June 12, 2026

low

What changed Mercury's privacy policy cookie table was updated on June 12, 2026 to add one new cookie entry and reorder existing entries. A Google Analytics cookie pattern (^_dc_gtm_UA-.*) was added to the Analytics category, and the tcm cookie entry was moved in the list. This represents a minor technical clarification of tracked cookies rather than a substantive change to Mercury's data practices.

Why this matters The updated privacy policy adds an additional Google Analytics cookie pattern to the list of disclosed tracking mechanisms. This cookie (matching the pattern ^_dc_gtm_UA-.*) is categorized as Analytics. The change does not alter Mercury's data collection practices or user rights; it refines the transparency disclosures already available in the policy.

View full change record →

Recent Provision Changes Jun 12, 2026

7 provisions unchanged.

View full change record →

Medium — 4 provisions

Collection of Financial and Identity Data Compare →

Mercury collects your full identity information and detailed financial data including Social Security numbers, account numbers, transaction history, and balances when you open and use an account.

Added May 8, 2026 Standard Seen across 284 platforms
Third-Party and Affiliate Data Sharing Compare →

Mercury can share your personal and financial information with affiliated companies, service providers, and business partners, including for marketing purposes that may benefit those third parties.

Added May 11, 2026 Standard Seen across 252 platforms
Collection of Beneficial Owner and Authorized User Data Compare →

When a business opens a Mercury account, personal information about the business's owners and other authorized individuals is also collected and processed, even if those individuals are not the primary account applicant.

Added May 11, 2026 Standard Seen across 284 platforms
Use of Data for Marketing and Product Development Compare →

Mercury can use your personal and financial data to send you marketing messages including from partners, and to improve and develop new products by analyzing how you use the platform.

Added May 11, 2026 Standard Seen across 284 platforms

Low — 3 provisions

Behavioral and Inferred Data Collection Compare →

Mercury tracks how you use its platform, including which features you click on and what actions you take, and uses that data to draw inferences about your preferences and characteristics.

Added May 11, 2026 Standard Seen across 284 platforms
California Consumer Privacy Act Rights Compare →

California residents can ask Mercury what data it holds about them, request that data be deleted, and opt out of having their data sold or shared with third parties for advertising, without facing retaliation for doing so.

Added May 11, 2026 Standard Seen across 284 platforms
Data Retention Policy Compare →

Mercury keeps your data for as long as it needs to in order to run its services and meet legal requirements, using a risk-based assessment to determine how long each type of data is held.

Added May 11, 2026 Standard Seen across 284 platforms