Last updated: March 26, 2026
This Privacy Policy describes how Global Entry Alerts ("we," "us," or "our") collects, uses, and shares information when you use haya.merrowa.com (the "Service").
Information you provide directly:
Information collected automatically when you use the Service:
Payment information:
We use Stripe to process payments. We do not store your card number or CVV. We store only your Stripe customer ID and subscription ID so we can manage your subscription and issue refunds.
Authentication tokens:
We use passwordless (magic-link) sign-in via email. Short-lived one-time tokens are stored temporarily and deleted after use or expiry.
| Data | Purpose |
|---|---|
| Email address | Account authentication, appointment alerts, transactional emails (signup confirmation, subscription receipts, pass expiry warnings) |
| Phone number | SMS appointment alerts (only if enabled) |
| Push credentials | Delivering push notifications to your device (only if enabled) |
| Watched locations | Checking the CBP scheduling API for available appointments and sending alerts when slots are found |
| Notification preferences | Filtering alerts to match your schedule |
| Stripe IDs | Managing your subscription, processing refunds, preventing duplicate charges |
We do not use your data for advertising or sell it to third parties.
We share data only with the following service providers, strictly for operating the Service:
| Provider | Purpose | Data shared |
|---|---|---|
| Amazon Web Services (SES) | Sending transactional emails | Email address, alert content |
| Amazon Web Services (SNS) | Sending SMS alerts | Phone number, alert content |
| Stripe | Payment processing | Email address, payment method (handled by Stripe's hosted UI) |
We do not share your data with any other third parties. We do not sell your data.
| Data | Retention |
|---|---|
| Account data (email, preferences, Stripe IDs) | Until you delete your account |
| Watched locations | Until you remove them or delete your account |
| Push notification credentials | Until you disable push notifications or delete your account |
| Magic-link tokens | Deleted automatically after use or after 15 minutes, whichever comes first |
| Appointment slot records | Retained for 7 days for deduplication, then deleted automatically |
We store Cognito authentication tokens in your browser's localStorage to keep you signed in across sessions. No tracking cookies are set. You can clear this data at any time by signing out or clearing your browser's site data.
Depending on where you live, you may have the following rights:
GDPR (EU/EEA residents): The legal basis for processing your data is performance of a contract (providing the alert service you signed up for) and your consent (for optional SMS and push notifications).
CCPA (California residents): We do not sell personal information. You have the right to know what personal information we collect and to request deletion.
To exercise any of these rights, email us at support@merrowa.com.
We use HTTPS for all data in transit. Data at rest is stored in AWS (us-west-2) with encryption enabled. Payment data is handled entirely by Stripe and never passes through our servers. We apply the principle of least privilege to all internal service access.
The Service is not directed at children under 13. We do not knowingly collect personal information from children under 13.
We will notify registered users by email if we make material changes to this policy. The "Last updated" date at the top of this page reflects the most recent revision.
Questions or requests regarding this policy:
support@merrowa.com