Effective Date: 4/29/2026 | Last Updated: 4/29/2026
Merritt Companies ("Merritt," "we," "us," or "our") is committed to protecting the privacy of individuals who visit our websites, submit information through our contact forms, or otherwise engage with our services. This Privacy Policy covers the following websites operated by Merritt Companies and its subsidiaries:
This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data across these sites in compliance with applicable privacy laws, including the Maryland Online Data Privacy Act ("MODPA"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), the European Union General Data Protection Regulation ("GDPR"), and the CAN-SPAM Act.
Merritt Companies is headquartered at 2066 Lord Baltimore Drive, Baltimore, MD 21244. Merritt Properties, LLC is a Maryland limited liability company. Merritt Construction Services is an affiliate operating under the Merritt Companies family of businesses.
1. Information We Collect
Information You Provide Directly
Category
Data Elements
Source
Contact Information
Name, email address, phone number, company name, message content
Contact form submissions
Newsletter Subscription
Email address, name (if provided), communication preferences
Newsletter sign-up forms
Business Inquiries
Project details, service preferences, budget information
RFP or inquiry forms
Information Collected Automatically
Category
Data Elements
Technology
Device & Browser Data
IP address, browser type and version, operating system, device type, screen resolution
Server logs, Cloudflare, Google Analytics 4 (GA4)
Usage Data
Pages visited, time on page, click paths, referring URL, entry/exit pages
Google Analytics 4 (GA4)
Location Data
Approximate geographic location (city/region level, derived from IP address)
Google Analytics 4 (GA4)
Cookie Identifiers
Session IDs, analytics identifiers, preference cookies
Cookies, local storage
Information from Third-Party Sources
We may receive information from third-party sources, including:
Apollo.io: We use Apollo.io's B2B intent data platform, which may identify the company associated with your IP address when you visit our Site. This data is used to understand the types of businesses that visit our Site and is not used to identify specific individuals.
LinkedIn Insight Tag: LinkedIn may provide us with aggregated demographic and company-level data about our Site visitors based on their LinkedIn profile information.
AdRoll: AdRoll may provide audience segment and engagement data to assist with our advertising campaigns.
We use the personal data we collect for the following purposes:
Responding to inquiries: To reply to your contact form submissions and business inquiries.
Providing services: To deliver the commercial real estate leasing, property management, and related real estate services you request.
Marketing communications: To send newsletters, promotional content, and service updates (with your consent or where permitted by law).
Website improvement: To analyze site usage, identify trends, and improve user experience through analytics data.
Advertising and retargeting: With your consent, to serve relevant advertisements on third-party platforms and measure ad campaign performance. These activities only occur when you have provided consent through our cookie banner, and you may opt out at any time.
Legal compliance: To comply with applicable laws, regulations, and legal processes.
Security: To detect, prevent, and respond to fraud, unauthorized access, or other security incidents.
Our Site uses cookies and similar tracking technologies. A cookie is a small data file stored on your device when you visit a website. We use the following categories of cookies:
Cookie Type
Service(s)
Purpose
Duration
Strictly Necessary
Drupal CMS, Cloudflare, Google Tag Manager
Essential for the Site to function, including session management, security, load balancing, and bot protection. These cookies cannot be disabled. Google Tag Manager is used to manage tracking scripts across the site. It loads without storing any personal data — your privacy choices determine what, if anything, is tracked.
Session / up to 1 year
Analytics & Performance
Google Analytics 4 (GA4)
Help us understand how visitors interact with the Site, including page views, session duration, traffic sources, and user behavior. Data is collected pseudonymously.
Used to deliver relevant advertisements, retarget past visitors, track conversions, and measure campaign performance. AdRoll additionally syncs with partner ad networks (including Outbrain, Taboola, Index Exchange, Rubicon, PubMatic, OpenX, AppNexus, Eyeota, Bombora, Experian, LiveRamp, Criteo, BidSwitch, Tapad, and TripleLift) for audience matching. Apollo.io identifies visiting companies for B2B outreach purposes. HubSpot is used to manage contact form submissions, track visitor engagement, and power our email marketing — including scripts. These cookies are only set with your consent where required by law.
Enable enhanced features on our Site. YouTube cookies are set when you interact with embedded video players. AddToAny enables social content sharing. Typography fonts are delivered via a third-party CDN. These services may set their own cookies when activated.
Session / up to 1 year
You can manage your cookie preferences at any time by clicking the "Cookie Settings" link in the footer of our Site or by adjusting your browser settings.
Some pages on our Site may contain embedded content from third-party services not listed above, such as virtual property tours, construction progress cameras, or other media provided by external platforms. These services may set their own cookies independently. We recommend reviewing the privacy policies of those services for details on their data practices.
We honor the Global Privacy Control (GPC) signal and other universal opt-out preference signals. When we detect such a signal from your browser, we will treat it as a valid opt-out request for the sale of personal data and targeted advertising, as required under MODPA, CCPA/CPRA, and other applicable laws.
If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data under the following legal bases:
Consent: For newsletter subscriptions, marketing emails, and non-essential cookies. You may withdraw consent at any time.
Legitimate Interests: For responding to business inquiries, improving our website, and ensuring site security, where these interests are not overridden by your data protection rights.
Contractual Necessity: To fulfill our obligations when you engage us for services.
Legal Obligation: To comply with applicable EU or member state law.
We do not sell your personal data. We do not share your personal data with third parties for their own independent marketing purposes.
When you provide consent through our cookie banner, we may share certain data (such as cookie identifiers and site interaction data) with advertising platforms for retargeting and audience creation purposes. Under some state laws (including CCPA/CPRA), this sharing for targeted advertising may constitute a "sale" or "sharing" of personal information. You may opt out of this at any time through our cookie settings, by contacting us, or via a Global Privacy Control signal.
We share personal data only with the following categories of service providers who process data on our behalf under written agreements:
Service Provider
Purpose
Data Shared
Google Analytics 4 / Google Tag Manager
Website traffic analysis, reporting, and centralized script management
IP address (anonymized where required), usage data, device and browser information, page interaction data
Google Ads
Conversion tracking and remarketing to past visitors
Cookie identifiers, conversion events, IP address
HubSpot
Contact form management, email marketing, and visitor engagement tracking
Email address, name, phone number, company name, message content, form submissions, site interaction data
Facebook (Meta) Pixel
Retargeting and audience creation on Facebook and Instagram platforms
Cookie identifiers, page view events, IP address (hashed)
LinkedIn Insight Tag
Campaign performance measurement and retargeting on LinkedIn
Cookie identifiers, page view events, IP address
AdRoll
Display retargeting across the web; AdRoll syncs with partner ad networks for audience matching
Cookie identifiers, browsing behavior on our Site, IP address
Apollo.io
Identifying the companies of anonymous website visitors for B2B sales and marketing outreach
IP address, company-level firmographic data (not individual PII)
YouTube (Google LLC)
Embedded video playback on our Site
IP address, browser information, video interaction data (when a video is played)
Cloudflare
Content delivery, DDoS protection, and bot mitigation
IP address, server logs, request metadata
AddToAny
Enable visitors to share our content on social media platforms
Page URL and title; individual sharing actions handled by the destination platform
We may also disclose personal data when required by law, to respond to legal process, to protect our rights, or in connection with a merger, acquisition, or sale of assets (in which case you will be notified).
We retain personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Specifically:
Contact form submissions: Retained for up to 3 years from last interaction, unless an ongoing business relationship exists.
Newsletter subscriber data: Retained until you unsubscribe or request deletion.
Analytics data: Retained in accordance with our analytics platform's data retention settings (typically up to 26 months).
Business records: Retained as required for legal, tax, or audit purposes.
When personal data is no longer needed, we securely delete or anonymize it.
Depending on your location, you may have some or all of the following rights regarding your personal data:
Right to Know / Access: Request confirmation of whether we process your personal data and obtain a copy of it.
Right to Correct: Request correction of inaccurate personal data.
Right to Delete: Request deletion of your personal data, subject to legal exceptions.
Right to Portability: Receive your personal data in a portable, commonly used format.
Right to Opt Out: Opt out of the sale of personal data, targeted advertising, or profiling.
Right to Restrict Processing: Request that we limit how we use your data.
Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
Right to Non-Discrimination: Exercise your rights without receiving discriminatory treatment.
To exercise any of these rights, please contact us at [email protected]. We will respond to verifiable requests within 45 days (or 30 days for GDPR requests). If we need additional time, we will notify you of the extension and the reason.
Appeals Process
If we deny your privacy rights request, you have the right to appeal. To submit an appeal, email [email protected] with the subject line "Privacy Rights Appeal." We will respond to your appeal within 60 days. If your appeal is denied, we will provide you with information on how to contact the applicable regulatory authority, including the Maryland Attorney General's Consumer Protection Division or other supervisory authority.
8. Maryland Online Data Privacy Act (MODPA) Rights
If you are a Maryland resident, the Maryland Online Data Privacy Act (effective October 1, 2025; enforcement begins April 1, 2026) provides you with specific privacy rights. Under MODPA, you have the right to:
Confirm whether we are processing your personal data.
Access the personal data we have collected about you.
Correct inaccuracies in your personal data.
Obtain a copy of your personal data in a portable, readily usable format.
Obtain a list of the categories of third parties to which we have disclosed your personal data.
Opt out of the processing of your personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.
MODPA Sensitive Data Protections: Under MODPA, we do not collect, process, or share "sensitive data" (as defined by Maryland law) unless strictly necessary to provide a product or service you have specifically requested. We do not sell sensitive personal data under any circumstances.
How to Exercise MODPA Rights
Submit your request by emailing [email protected]. We will verify your identity and respond within 45 days. You may also designate an authorized agent to submit requests on your behalf. If we deny your request, you may appeal the decision, and we will provide instructions for contacting the Maryland Attorney General's Consumer Protection Division.
Universal Opt-Out Mechanism
We recognize and honor universal opt-out preference signals (such as Global Privacy Control) as valid opt-out requests under MODPA. When detected, we will cease processing your data for targeted advertising and any sale of personal data.
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, provides you with additional rights regarding your personal information.
Your CCPA/CPRA Rights
Right to Know: Request the categories and specific pieces of personal information we have collected, the sources, purposes of collection, and categories of third parties with whom we share it.
Right to Delete: Request deletion of your personal information.
Right to Correct: Request correction of inaccurate personal information.
Right to Opt Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising.
Right to Limit Use of Sensitive Personal Information: Request that we limit the use of sensitive personal information to only what is necessary.
Right to Non-Discrimination: We will not discriminate against you for exercising your rights.
Categories of Personal Information Collected (Past 12 Months)
Professional/Employment Information (company name, role — via inquiry forms)
Yes
No
No
To submit a request, email [email protected] or call (410) 247-0700. We will verify your identity before processing your request and respond within 45 days.
If you are located in the EEA or UK, you have additional rights under the GDPR, including:
Right to Lodge a Complaint: You may file a complaint with your local data protection supervisory authority.
Right to Restrict Processing: You may request that we restrict the processing of your personal data under certain conditions.
Right to Object: You may object to the processing of your personal data based on our legitimate interests.
Right to Data Portability: You may request that we transfer your data to another controller in a structured, commonly used format.
Automated Decision-Making: You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or significant effects. We do not currently engage in such automated decision-making.
For GDPR requests, we will respond within 30 days. Contact us at [email protected].
We honor universal opt-out preference signals, including the Global Privacy Control (GPC). When we detect a GPC or similar signal from your browser or device, we will:
Treat the signal as a valid request to opt out of the sale of personal data (as applicable under MODPA and CCPA/CPRA).
Cease targeted advertising based on your personal data.
Apply the opt-out to the browser or device from which the signal is sent.
You can also manually opt out by contacting us at [email protected] or by clicking the "Do Not Sell or Share My Personal Information" link on our Site.
We comply with the CAN-SPAM Act of 2003. When we send you commercial emails, we will:
Clearly identify the message as an advertisement or solicitation when applicable.
Include our valid physical mailing address in every email.
Provide a clear and conspicuous unsubscribe mechanism in every commercial email.
Process unsubscribe requests within 10 business days.
Not use deceptive subject lines or misleading header information.
To unsubscribe from our marketing emails, click the "Unsubscribe" link at the bottom of any email or contact privacymerritt-companies.com. Please note that even after unsubscribing from marketing emails, you may continue to receive transactional emails related to active service engagements.
We do not intentionally collect sensitive personal data, which may include (depending on jurisdiction) racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health data, sex life or sexual orientation, citizenship or immigration status, social security or government ID numbers, financial account information, precise geolocation, or personal data of children.
In compliance with the Maryland Online Data Privacy Act, we do not collect, process, or share sensitive data unless strictly necessary to provide a specific product or service you have requested, and we do not sell sensitive personal data under any circumstances.
If we inadvertently collect sensitive data, we will promptly delete it unless legally required to retain it.
In accordance with the Maryland Online Data Privacy Act and other applicable privacy laws, we conduct Data Protection Assessments for processing activities that present a heightened risk of harm to consumers. These assessments evaluate the benefits and risks of processing activities, including those involving targeted advertising, the sale of personal data, profiling, sensitive data processing, and any use of algorithms that may produce legal or similarly significant effects on consumers.
Our Data Protection Assessments are maintained internally and may be made available to the Maryland Attorney General's Office upon request, as required by MODPA.
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit (TLS/SSL), access controls, regular security assessments, and employee training on data protection. However, no method of electronic transmission or storage is completely secure, and we cannot guarantee absolute security.
In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the applicable regulatory authorities as required by law.
Merritt Properties, LLC is based in the United States. If you are visiting our Site from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where our servers and central database operate.
For personal data transferred from the EEA or UK, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission, or other lawful transfer mechanisms, to ensure that your data is afforded an adequate level of protection consistent with GDPR requirements.
Our Site and services are not directed to individuals under the age of 16 (or under the age of 13 in jurisdictions where COPPA applies). We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without parental consent, we will take immediate steps to delete that information. If you believe we have collected information from a child, please contact us at [email protected].
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last Updated" date at the top of this page and, where required by law, provide additional notice (such as a banner on our Site or an email notification). We encourage you to review this policy periodically.
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about how your data is handled, please contact us:
For Maryland residents: If you are unsatisfied with our response to your privacy request, you may contact the Maryland Attorney General's Consumer Protection Division at www.marylandattorneygeneral.gov.