Privacy Policy
Effective Date: 02-July-2025
Last Updated: 02-July-2025
For individuals in the European Economic Area, United Kingdom, and Switzerland, you can read this version of our Privacy Policy
The following Privacy Policy governs the online information collection practices of Foyer Technologies Private Limited ("Company," "Foyer," "Merlin," "we," or "us"). This Privacy Policy outlines the types of information that we gather about you while you are using our websites https://merlin.foyer.work/, https://www.getmerlin.in, browser extensions (Chrome, Edge, Firefox, Safari), mobile applications (iOS and Android), the AI Note Taker app, our API services, and any other related services (collectively, the "Services"), and the ways in which we use this information.
Foyer operates Merlin AI, a comprehensive AI-powered assistant that helps users ("User(s)") access state-of-the-art AI models for various tasks including text generation, conversation, document analysis, image generation, web searching, and more. We also enable users to share their content such as information, files, and folders ("Content") and analyze interactions with their customers, prospects, and third parties ("Viewer(s)"). Viewers are non-registered users who may access content shared by our registered Users.
We process your data in accordance with applicable laws and regulations, following industry best practices for data protection and AI safety. This Privacy Policy is designed to help you understand how we collect, use, share, and protect your information.
1. Purpose and Scope
This Privacy Policy applies to information we collect:
- Through our Services (websites, apps, extensions, APIs)
- When you interact with us on third-party sites
- Through other offline interactions
This policy does NOT apply to:
- Third-party websites linked from our Services
- Information collected by our Users about their own customers
- Services provided by third parties
2. Information We Collect
2.1 Information You Provide Directly
Account Information: When you create an account, we collect your name, email address, and account credentials.
User Content: We collect the content you provide when using our Services, including:
- Text inputs, prompts, and queries you submit
- Documents, images, and files you upload
- Conversation history with our AI models
- Feedback and ratings you provide
Payment Information: When you purchase subscriptions or services, we collect payment details (processed securely through third-party payment processors).
Communications: Information you provide when you contact our support team or participate in surveys.
2.2 Information We Collect Automatically
Usage Information: We collect information about how you interact with our Services, including:
- Features used and actions taken
- Time spent on different parts of the Services
- Frequency and duration of use
- Performance metrics and error reports
Device Information: We collect:
- Device type, operating system, and browser type
- IP address and approximate location
- Device identifiers and advertising IDs
- Network and connection information
Cookies and Similar Technologies: We use cookies, web beacons, and similar technologies to collect information about your browsing activities. See our Cookie Policy below for details.
2.3 Information from Third Parties
OAuth Providers: When you sign in using Google, Apple, or other OAuth providers, we receive basic profile information.
Cloud Storage Services: When you connect cloud storage accounts (e.g., Google Drive, Dropbox), we access only the files you choose to process.
Analytics Providers: We receive aggregated analytics data about Service usage from our analytics partners.
3. How We Use Your Information
We use the information we collect to:
3.1 Provide and Improve Our Services
- Process your requests and provide AI-generated responses
- Personalize your experience and remember your preferences
- Develop, test, and improve our AI models and Services
- Analyze usage patterns to enhance functionality
3.2 Communicate with You
- Send service-related notifications and updates
- Respond to your inquiries and provide customer support
- Send marketing communications (with your consent where required)
- Inform you about new features and offerings
3.3 Ensure Safety and Security
- Detect, prevent, and address fraud, abuse, and security issues
- Monitor and enforce compliance with our Terms of Service
- Protect our users, employees, and the public
3.4 Business Operations
- Process transactions and payments
- Provide customer support
- Conduct business analytics
- Manage our business relationships
3.5 Comply with Legal Obligations
- Respond to legal requests and prevent harm
- Comply with applicable laws and regulations
- Establish, exercise, or defend legal claims
3A. Lawful Bases for Processing
We process your personal data only when permitted under applicable data protection laws. Our processing activities are based on one or more of the following lawful grounds:
Consent
We rely on your freely given, specific, informed, and unambiguous consent to process your data for:
- Sending marketing or promotional communications
- Personalizing advertisements (interest-based advertising)
- Using optional cookies and similar technologies
You may withdraw your consent at any time by adjusting your preferences in account settings or by contacting us.
Performance of a Contract
We process your data to provide the Services you request under our Terms of Service, including:
- Creating and managing your user account
- Providing access to AI models and processing your content (e.g., prompts, files)
- Managing subscriptions and transactions
Legal Obligation
We may process your data to comply with applicable legal obligations, such as:
- Tax and accounting requirements
- Responding to lawful data access requests from regulators or authorities
Legitimate Interests
We process your data when it is necessary for our legitimate business interests, provided those interests are not overridden by your rights and freedoms. This includes:
- Improving and securing our Services
- Detecting and preventing fraud, abuse, or misuse
- Aggregating usage patterns to refine AI models
- Ensuring network and information security
Establishment, Exercise, or Defence of Legal Claims
Where necessary, we may process your data in connection with the exercise or defence of legal claims, including dispute resolution or investigations.
4. How We Share Your Information
We do not sell your personal information. We share information in the following circumstances:
4.1 Service Providers
We share information with third-party service providers who help us operate our Services, including:
- Cloud Hosting and Infrastructure Providers: We use third-party cloud hosting and infrastructure providers to operate and maintain our website and services. These providers store and process data (such as user account data and service-related information) on secure servers located in various regions to ensure availability, scalability, and performance.
- Payment Processors (Stripe): If you make a purchase or subscription, your payment information is processed securely by third-party payment providers. We do not store full credit/debit card details on our servers. These processors handle transactions and ensure compliance with relevant financial regulations.
- Analytics and Monitoring Services: We use analytics and monitoring tools to understand how our website is used, identify performance issues, and improve user experience. These services may collect data such as IP address, browser type, pages visited, and interaction patterns.
- Customer Support Tools (Tawk.to): We use Tawk.to, a live chat and customer support tool, to provide real-time assistance and handle user inquiries directly on our website. When you use the chat feature, Tawk.to may collect your IP address, browser details, and any information you voluntarily provide (e.g., name, email, message).
- Email Service Providers: We use third-party email services to send account-related emails (e.g., password resets, confirmations) and optional newsletters or product updates (with consent). These providers manage email delivery and may collect email engagement data (e.g., opens or clicks).
- jsDelivr (Content Delivery Network - CDN): We use jsDelivr to serve static assets like JavaScript libraries and stylesheets quickly from servers closest to the user. This improves website speed and reliability.
- Twitter (X): Our website includes a link to our profile on Twitter (X). This is a simple outbound link that does not transmit personal data unless you click it. However, if you visit our Twitter page, Twitter may collect data in accordance with its privacy policy. We do not use embedded tweets or Twitter tracking pixels on our site.
- YouTube: We may embed YouTube videos on our website. When you view an embedded YouTube video, Google may collect certain data such as your IP address, device type, and interaction history, even if you are not logged into a Google account.
- Google APIs: We use various Google APIs (e.g., Google Fonts) to enhance functionality and presentation. These APIs may collect technical information such as browser version when assets are loaded.
- Cloudflare: We use Cloudflare, a web infrastructure and security company, to serve content via a global content delivery network (CDN), protect against attacks, and optimize loading speed. Cloudflare may log anonymized IP address, system configuration, and security headers to detect malicious activity.
- Vercel: Our website is hosted on Vercel, a cloud platform that stores and serves our front-end application. When you visit our site, Vercel may log access data (e.g., IP address, browser type, date/time) to maintain performance and detect errors.
4.2 API and Integration Partners
If you connect third-party services, we may share data as necessary to provide integrated functionality.
4.3 Legal Requirements
We may disclose information if required to do so by law or in response to valid legal requests from public authorities.
4.4 Business Transfers
If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.
4.5 Safety and Protection
We may share information to:
- Prevent fraud, abuse, or illegal activities
- Protect our users, employees, and the public
- Enforce our Terms of Service
4.6 Consent
We may share your information with your explicit consent or at your direction. Where we rely on your consent to process personal data, you may withdraw that consent at any time by updating your account settings or contacting us at support@foyer.work or dpo@foyer.work.
4.7 Aggregated or De-identified Information
We may share aggregated or de-identified information that cannot reasonably be used to identify you. Access to your information is limited to authorized employees, contractors, and service providers who require it to perform their duties. All such individuals are subject to strict confidentiality obligations.
5. Data Retention
We retain your information for as long as necessary to:
- Provide our Services to you
- Comply with legal obligations
- Resolve disputes and enforce agreements
- Improve our Services and AI models
Specific retention periods:
- Account Information: Retained until account deletion plus any legally required period
- User Content: Retained for 30 days after deletion request (unless required by law to retain longer)
- Usage Data: Retained for up to 2 years
- Marketing Data: Retained until you unsubscribe
6. Your Rights and Choices
6.1 Access and Portability
You can access, download, or export your information through your account settings.
6.2 Correction
You can update or correct your information through your account settings or by contacting us.
6.3 Deletion
You can request deletion of your account and associated data. Some information may be retained as required by law.
6.4 Communication Preferences
You can opt out of marketing communications through the unsubscribe link in emails or account settings.
6.5 Cookie Choices
You can manage cookie preferences through our cookie consent tool or your browser settings.
6.6 Do Not Track
We do not currently respond to Do Not Track browser signals.
6.7 Account Information
You can update account information through your account settings or by contacting support.
7. Data Security
We implement appropriate technical and organizational measures to protect your information, including:
- Encryption in transit and at rest
- Access controls and authentication
- Regular security assessments
- Employee training on data protection
However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security. In the event of a data breach affecting your personal information, we will notify you and any applicable regulators within the timelines prescribed by law.
8. International Data Transfers
Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for such transfers, including:
- Standard contractual clauses
- Adequacy decisions
- Other mechanisms approved by relevant authorities
9. Sensitive Information
We do not intentionally collect sensitive personal information (e.g., health data, religious beliefs, political opinions). If you provide such information in prompts or content, you do so at your own discretion.
10. Children's Privacy
Our Services are not intended for children under 16 (or applicable age of digital consent in your jurisdiction). We do not knowingly collect information from children. If we learn we have collected information from a child without proper consent, we will delete it promptly. Parents or guardians who believe we may have collected information from their child should contact us immediately.
11. Account Registration and Login
We offer users the ability to register and log in to our platform either by creating a dedicated account or by using a third-party authentication provider such as Google.
11.1 Standard Registration
When registering using the standard form, the following personal data is collected and marked with an asterisk (*) to indicate that it is required for account creation:
- Name* – Used to personalize your account and communications.
- Email Address* – Used for account identification, communication, and password recovery.
- Password* – Used to securely access your account. Passwords are stored in encrypted form and cannot be accessed by us.
These data fields are mandatory in order to create and maintain a secure user account.
11.2 Login via Google (OAuth)
As an alternative, you may choose to log in using your existing Google account. If you do so, we will receive certain information from Google, specifically:
- Your full name
- Email address
- Google profile picture (optional)
This data is used solely for authentication and account creation/login purposes. We do not gain access to your Google password or any other data from your Google account beyond what is explicitly authorized.
11.3 Legal Basis
The legal basis for processing your data during registration or login is:
- Article 6(1)(b) GDPR – processing is necessary for the performance of a contract (i.e., the creation and maintenance of your user account).
- For Google login, the data transfer is also based on your explicit consent under Article 6(1)(a) GDPR, provided through the OAuth flow.
11.4 Data Retention
We retain your registration data for as long as your account remains active. You may request deletion of your account at any time.
12. Data Processing Activities and Legal Bases
Processing Activity | Purpose | Legal Basis | Applicable Region |
---|---|---|---|
Account Registration & User Management | To create, manage, and secure your user account, including enabling log-ins via email or third-party providers (e.g., Google). | Art. 6(1)(b) GDPR — Performance of a contract | EU, UK, Switzerland |
Identity Verification (if applicable) | To verify your identity for security and fraud prevention when creating or managing your account. | Art. 6(1)(c) GDPR — Legal obligation (where required) and Art. 6(1)(f) GDPR — Legitimate Interest | EU, UK, Switzerland |
Service Provision | To deliver the GetMerlin.com services you have requested, including the core AI tools and extensions. | Art. 6(1)(b) GDPR — Performance of a contract | EU, UK, Switzerland |
Email Communications & Notifications | To send you account-related information (e.g., password resets, service updates). | Art. 6(1)(b) GDPR — Performance of a contract | EU, UK, Switzerland |
Marketing Emails & Newsletters | To send you marketing materials, updates, and offers, if you have opted in. | Art. 6(1)(a) GDPR — Consent | EU, UK, Switzerland |
Analytics & Performance Tracking | To analyse usage of our website/app, measure performance, and improve our services (e.g., Google Analytics, Googleapis). | Art. 6(1)(a) GDPR — Consent | EU, UK, Switzerland |
Cookies for Essential Functionality | To store your cookie preferences and keep our site secure and functioning properly. | Art. 6(1)(f) GDPR — Legitimate Interest | EU, UK, Switzerland |
Third-Party Content & Plug-ins | To display embedded content or enable sharing via social plug-ins/buttons (e.g., YouTube, LinkedIn, Twitter, Instagram). | Art. 6(1)(a) GDPR — Consent | EU, UK, Switzerland |
CDN & Security Services | To deliver website content quickly and securely via services like Jsdelivr CDN. | Art. 6(1)(f) GDPR — Legitimate Interest | EU, UK, Switzerland |
Customer Support | To respond to your inquiries and resolve any support tickets you submit. | Art. 6(1)(b) GDPR — Performance of a contract | EU, UK, Switzerland |
Legal & Compliance | To comply with legal obligations, enforce our Terms of Service, or defend our legal rights. | Art. 6(1)(c) GDPR — Legal obligation & Art. 6(1)(f) GDPR — Legitimate Interest | EU, UK, Switzerland |
13. Third-Party Links and Services
Our Services may contain links to third-party websites or integrate with third-party services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing them with personal information.
14. Social Media Links (Twitter/X, LinkedIn, Instagram, YouTube)
Our website includes icons or buttons that link to our official profiles on social media platforms, including:
- X (formerly Twitter)
- LinkedIn
- Instagram
- YouTube
These buttons function solely as external links. When you click on one of these icons, you are redirected to the respective platform. No personal data is transferred to these platforms simply by visiting our website.
Please note that once you are on these external sites, their own privacy policies and terms of service apply. We do not control how these platforms collect or process your personal data.
15. Updates to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes through the Services or by email. The "Effective Date" at the top indicates when this Policy was last revised.
16. AI-Specific Privacy Practices
16.1 Your AI Content
- You retain ownership of your input prompts and any original content you provide
- AI-generated outputs are provided under our Terms of Service
- We do not claim ownership of AI outputs generated for you
- You are responsible for reviewing and using AI outputs appropriately
- AI-generated outputs may sometimes be factually inaccurate or inappropriate. You are solely responsible for verifying AI responses before relying on them for decision-making, especially in sensitive or regulated environments.
- While you retain ownership of your inputs and content, you are solely responsible for ensuring that your use of our AI tools complies with applicable laws and does not infringe third-party rights. We disclaim liability for misuse of AI-generated content.
16.2 AI Safety and Ethics
We are committed to responsible AI development and deployment:
- Regular safety testing and evaluation
- Bias mitigation efforts
- Transparency about AI capabilities and limitations
- User education about responsible AI use
17. Data Processing for Business Users
If you use our Services on behalf of an organization:
- Your organization may have additional policies governing your use
- We may share your information with your organization's administrators
- Your organization is responsible for its own privacy practices
For enterprise customers, we offer Data Processing Agreements (DPAs). Contact dpo@foyer.work to request a DPA.
18. Marketing and Advertising
We may use your information for marketing purposes:
- Direct Marketing: With your consent, we send promotional emails about new features, services, and offers
- Interest-Based Advertising: We may show you targeted ads based on your activity. We may use tracking technologies and behavioral signals (e.g., click history, time spent on content) to deliver personalized ads via platforms such as Google or Facebook. You can opt out of such advertising through Ad Settings and opt-out mechanisms shared in our cookie policy and privacy policies.
- Referral Programs: If you participate, we process data necessary to track referrals
You can opt out of marketing at any time through your account settings or by clicking "unsubscribe" in our emails.
19. Automated Decision Making
We use automated systems for:
- Fraud detection and prevention
- Content moderation
- Service personalization
- Determining service eligibility
You have the right to request human review of significant automated decisions that affect you. If you disagree with our decision on any request, you may appeal by contacting us again at dpo@foyer.work within 30 days of communication of such decision to you.
20. Impact assessment
We conduct privacy and data protection impact assessments where required by law, particularly for high-risk features involving automated decision-making or large-scale processing.
21. Data captured on our mobile apps
We capture the following data across our mobile apps (Merlin AI, Notetaker app, Wallflower):
- Firebase Analytics – Firebase Analytics helps us understand how users interact with our website by collecting information about mouse movements, clicks, and scrolling behavior.
- Facebook events – Facebook events help us measure, optimize, and build audiences for our advertising campaigns. They allow us to track conversions from Facebook ads, optimize ads based on collected data, build targeted audiences for future ads, and remarket to qualified leads who have already taken action on our app.
- TikTok events – TikTok events help us measure, optimize, and build audiences for our advertising campaigns on TikTok.
- Microsoft Clarity – Microsoft Clarity also helps us understand how users interact with our website by collecting information about mouse movements, clicks, and scrolling behavior.
22. Requests and Contact Us
Any request that you may want to share or submit may also be submitted by authorized agents. In such cases, we require signed permission from the data subject.
Contact Us
For questions about this Privacy Policy or our privacy practices:
Data Protection Officer: dpo@foyer.work
Customer Support: support@foyer.work
DPO Phone: Sirsendu Sarkar (+91-8953348922)
Our DPO: Sirsendu Sarkar (+91-8953348922)
EU GDPR Representative:
Rickert Rechtsanwaltsgesellschaft m.b.H.
Colmantstraße 15, 53115 Bonn, Germany
Email: info@rickert.law
Phone: +49 (0)228 74 898 0
UK GDPR Representative:
Rickert Services Ltd UK
PO Box 1487, Peterborough, PE1 9XX
United Kingdom
Email: art-27-rep-foyertech@rickert-services.uk
Mailing Address for DPO: House 721, 6th B Cross Road, Block-3, Koramangala, Bangalore, India 560034
Registered Address and Mailing Address: Foyer Tech Inc, 16192 Coastal Highway, Lewes, DE 19958, United States
Email: support@foyer.work
California
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):
- Right to Know: Request information about categories and specific pieces of personal information collected
- Right to Delete: Request deletion of personal information (subject to exceptions)
- Right to Opt-Out: We do not sell personal information
- Right to Non-Discrimination: Not be discriminated against for exercising privacy rights
To exercise these rights, contact us at support@foyer.work.
Other Jurisdictions
If you are located in other jurisdictions with specific privacy laws, you may have additional rights. Contact us to learn more.
Cookie Policy
This Cookie Policy explains how we use cookies on our websites and applications (the "Services"), the types of cookies we use, and your rights regarding cookie management. You can access our cookie policy from here
End User License Agreement (EULA)
Your use of our applications may be governed by platform-specific End User License Agreements:
- iOS App: Apple Standard EULA
- Android App: Google Play Terms of Service
- Browser Extensions: Respective browser store terms
Procedure for Data Withdrawal via Erasure and Objection
You have the right to request the withdrawal of your data through erasure of your personal data held by us. This means we will delete all personal data pertaining to you from our systems, subject to any legal obligations for data retention.
To initiate a request for data erasure:
- Send an email to support@foyer.work
- CC dpo@foyer.work
- Include "Data Erasure Request" in the subject line
- Provide your account email and any relevant details
We will respond to your request within 30 days and complete the erasure within the timeframes required by applicable law.
You also have the right to object to the processing of your personal data where we rely on legitimate interests or use your data for direct marketing purposes. To exercise this right, contact us at dpo@foyer.work and support@foyer.work.