← Back to Merlin AI

Privacy Policy

Privacy Policy

Effective date: 2025-08-14

1. Introduction

We care about your privacy. This policy explains what we collect, why, how we use it, and your rights. If you do not agree, do not use the Service.

2. Categories of Data

  • Account data: email, authentication/session identifiers, plan, status.
  • Usage data: message counts, token usage, model selections, timestamps.
  • Content data: chat text, prompts, uploaded files, images you provide.
  • Payment data: obtained via processors (e.g., Stripe). We do not store full card details.
  • Device/technical data: IP, user agent, cookies/local storage identifiers.

3. Purposes of Processing

  • Provide and improve the Service (AI chat, image generation, billing).
  • Security, fraud prevention, abuse detection, and rate limiting.
  • Usage analytics, aggregate reporting, and cost optimization.
  • Compliance with law, enforcement of our Terms, and dispute handling.
  • Customer support and operational communications.

4. Legal Bases

Where applicable (e.g., GDPR/UK GDPR), we rely on: contract performance, legitimate interests (security, product improvement), consent (where required), and compliance with legal obligations.

5. Data Security

  • TLS in transit; hardened infrastructure; access controls and logging.
  • Principle of least privilege for production access.
  • Local-only features (e.g., optional local storage) are device-bound.

6. Retention

We retain data as long as necessary for the purposes described or as required by law. We may retain minimal records for fraud prevention, safety, accounting, and legal compliance.

7. International Transfers

Data may be processed outside your country. Where required, we use appropriate safeguards (e.g., SCCs) to protect personal data in cross-border transfers.

8. Third-Party Processors

We use service providers (e.g., OpenAI, Anthropic, Google, xAI, Replicate, ElevenLabs, Stripe) who process data under their terms. Their privacy terms apply to their processing.

9. Your Rights

  • Access, correction, deletion, restriction, portability (where applicable).
  • Object to processing based on legitimate interests; withdraw consent at any time where processing is based on consent.
  • California residents: CCPA/CPRA rights to know, delete, correct, and opt-out of sale/share of personal information.

10. Children

The Service is not directed to children under 13 (or 16 where applicable). We do not knowingly collect data from children. If you believe a child provided data, contact us to remove it.

11. Do Not Track / Cookies

We may use cookies or local storage for functionality and analytics. Do Not Track signals may not be honored due to industry standards.

12. Contact

For privacy requests, use the in-app contact form or email contact@merlintheai.com. You may have the right to lodge a complaint with your supervisory authority.

13. Changes

We may update this policy. Material changes will be posted here with a new effective date. Continued use after changes constitutes acceptance.