Europe Privacy Policy

Effective Date: 20-Jan-2026
Last Updated: 20-Jan-2026

For individuals outside the European Economic Area, United Kingdom, and Switzerland, you can read this version of our Privacy Policy.

We at Foyer Tech Inc (together with our affiliates, "Foyer," "Merlin," "we," "our" or "us") respect your privacy and are strongly committed to keeping secure any information we obtain from you or about you. This Privacy Policy describes our practices with respect to Personal Data that we collect from or about you when you use our websites https://merlin.foyer.work/, https://www.getmerlin.in, browser extensions (Chrome, Edge, Firefox, Safari), mobile applications (iOS and Android), the AI Note Taker app, our API services, and any other related services (collectively, "Services").

1. Data Controller

If you live in the UK, European Economic Area (EEA) or Switzerland, Foyer Tech Inc, with its registered office at 16192 Coastal Highway, Lewes, DE 19958, United States, is the controller and is responsible for the processing of your Personal Data as described in this Privacy Policy.

EU GDPR Representative

Company: Rickert Rechtsanwaltsgesellschaft m.b.H.
Address: Colmantstraße 15, 53115 Bonn, Germany
Email: [email protected]
Phone: +49 (0)228 74 898 0

UK GDPR Representative

Company: Rickert Services Ltd UK
Address: PO Box 1487, Peterborough, PE1 9XX, United Kingdom
Email: [email protected]

2. Personal Data We Collect

We collect personal data relating to you ("Personal Data") as follows:

Personal Data You Provide: We collect Personal Data if you create an account to use our Services or communicate with us as follows:

Personal Data We Receive from Your Use of the Services: When you visit, use, or interact with the Services, we receive the following information about your visit, use, or interactions ("Technical Information"):

2.3 Information from Third Parties

OAuth Providers: When you sign in using Google, Apple, or other OAuth providers, we receive basic profile information.

Cloud Storage Services: When you connect cloud storage accounts (e.g., Google Drive, Dropbox), we access only the files you choose to process.

Analytics Providers: We receive aggregated analytics data about Service usage from our analytics partners.

2.4 Usage data

A. Browsing without providing account details You may browse the Platform without creating an account or directly providing your name, email address, phone number, or other similar details. In such cases, we will collect information that your device and browser automatically share when you visit or use the Platform, such as device identifiers, cookie identifiers, IP address, browser type, language, time zone, operating system, referring/exit pages, and usage/activity data (“Usage Data”).

If you choose to register, place an order, submit a request, subscribe, post reviews/feedback, or otherwise use features that require details, you will provide certain information (and you may no longer be able to use the Platform in an anonymous or pseudonymous manner for those features). Wherever practicable, we indicate which fields are mandatory and which are optional. You may choose not to provide optional information; however, you may not be able to use certain services/features that require it.

B. Usage data, analytics, and internal research We may automatically collect and analyse Usage Data about how you interact with the Platform (for example, pages viewed, clicks, searches, time spent, purchase journey steps, error logs, and performance metrics). We use this to:

Where feasible, we analyse such information in aggregated form to understand broad patterns. Aggregation reduces the ability to identify individuals, but some Usage Data (such as IP address or cookie identifiers) may still be capable of being linked to a user/device.

C. User-generated content (reviews, feedback, forums) If you choose to post messages, reviews, comments, feedback, or other content on the Platform (including in message boards, chat rooms, public review areas, or similar features), we will collect and store the information you submit.

We retain such information as reasonably necessary to provide customer support, respond to queries, enforce our terms, resolve disputes, comply with law, and improve the Platform.

2.5 Merlin Extension – Browsing Activity Data If you install the Merlin browser extension and grant the required permissions, the extension collects browsing activity data for pages you visit while the extension is installed and enabled (“Browsing Activity Data”). This may include:

Storage: Browsing Activity Data is transmitted to our servers and stored in our backend systems and databases.

We do not collect the content of the webpages you visit unless you explicitly use a feature that requires us to process page content (and we will disclose that separately). We do not require you to provide this information to merely browse the internet, but the Extension cannot provide certain features and functionality unless Extension Activity Data is collected and processed. You may disable or remove the Extension at any time through your browser settings, which will stop further collection by the Extension. We retain Extension Activity Data only for as long as reasonably necessary for the purposes described above, unless a longer retention period is required by applicable law or for establishing, exercising, or defending legal claims.

User-Facing Feature & Data Minimisation (Extension Activity Data). We collect and process Extension Activity Data only to the extent strictly necessary to provide the Extension’s user-facing functionality that you actively use on the page you are viewing (for example, enabling page-aware features and requested actions within the Extension). We do not collect Extension Activity Data for unrelated background profiling or any purpose that is not directly connected to delivering the Extension’s user-facing features. Where feasible, we limit collection to the minimum data required for the selected feature and apply technical and organisational controls to reduce the scope, volume, and retention of such data. Merlin collects the URLs of pages you visit while the Extension is enabled to power page-aware features you use. You can turn this off anytime in Settings or by uninstalling the Extension.

2.6. Links to Third-Party Sites

The Platform may contain links to third-party websites/apps/platforms (“Third-Party Sites”). Third-Party Sites may collect information about you (including through cookies or similar technologies) and may have their own privacy practices. We do not control and are not responsible for the privacy practices, security, or content of Third-Party Sites. We recommend reviewing the relevant third party’s privacy policy before sharing information with them.

We may also use third-party service providers (for example, analytics, fraud prevention, hosting, customer support, advertising delivery/measurement) who process information on our behalf under contractual obligations.

3. How We Use Your Personal Data

We use the information we collect to:

3.1 Provide and Improve Our Services

3.2 Communicate with You

3.3 Ensure Safety and Security

3.4 Business Operations

We may also aggregate or de-identify Data so that it no longer identifies you and use this information for the purposes described above, such as to analyze the way our Services are being used, to improve and add features to them, and to conduct research. We will maintain and use de-identified information in de-identified form and not attempt to reidentify the information, unless required by law.

3.6 Use of Merlin Extension Browsing Activity Data

We use Activity Data to:

We will limit collection and use of Activity Data to what is necessary for the stated, specific purposes and in line with applicable law.

3.7 Sharing and Transfers of Extension Data

We may share Activity Data with our vetted service providers (data processors) only to the extent necessary to provide or improve Merlin’s services, comply with law, or protect against fraud/abuse, under contractual confidentiality and security obligations. We do not sell Activity Data and do not transfer it to data brokers or use it for personalized advertising.

Where required under applicable law, we process Activity Data based on your consent, which must be free, specific, informed, unconditional and unambiguous and limited to what is necessary for the specified purpose. You can withdraw consent at any time by disabling the relevant extension setting, signing out, or uninstalling the extension (as applicable). Withdrawal will not affect processing already carried out prior to withdrawal, but we will stop processing going forward unless required by law.

4. Your Rights

You have the following statutory rights in relation to your Personal Data:

You have the following rights to object:

You can exercise some of these rights through your Merlin account. If you are unable to exercise your rights through your account, please submit your request to [email protected].

We hope that we are able to address any questions or concerns you may have. If you have any unresolved complaints with us or our Data Protection Officer, you can reach out to the Irish Data Protection Commission as our lead supervisory authority, or your local supervisory authority. For any unresolved complaints relating to the UK you can reach out to the Information Commissioner's Office and for Switzerland, to the Federal Data Protection and Information Commissioner.

A note about accuracy: Services like Merlin generate responses by reading a user’s request and, in response, predicting the words most likely to appear next. In some cases, the words most likely to appear next may not be the most factually accurate. For this reason, you should not rely on the factual accuracy of output from our partner's models which you are using. Please feel free to reach out to us on [email protected] in case of any requests.

5. Data Transfers

Merlin processes your Personal Data on servers located outside of the EEA, Switzerland and the UK for the purposes described in this Privacy Policy. This includes processing and storing your Personal Data in our facilities and servers in the United States. While data protection law varies by country and these countries may not offer the same level of data protection as your home country, we apply the protections described in this policy to your Personal Data regardless of where it is processed. When transferring Personal Data outside of the EEA, Switzerland or the UK, we rely on the following transfer mechanisms to comply with applicable data protection law:

For more information or to obtain a copy of the appropriate safeguards we have in place when transferring Personal Data, please contact us at [email protected].

6. Retention

We'll retain your Personal Data for only as long as we need in order to provide our Services to you, or for other legitimate business purposes such as resolving disputes, safety and security reasons, or complying with our legal obligations. How long we retain Personal Data will depend on a number of factors, such as:

7. Security

We implement commercially reasonable technical, administrative, and organizational measures designed to protect Personal Data from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. However, no Internet or email transmission is ever fully secure or error free. Therefore, you should take special care in deciding what information you provide to the Services. In addition, we are not responsible for circumvention of any privacy settings or security measures contained on the Service, or third-party websites.

8.1

Purpose of processingType of Personal Data processed, depending on the processing activityLegal basis, depending on the process activity
To provide, analyze, and maintain our ServicesAccount Information
User Content
Communication Information
Other Information You Provide
Log Data
Usage Data
Device Information
Location Information
Cookies and Similar Technologies
Where necessary to perform a contract with you, such as processing a user's prompts to provide a response.
To communicate with you, including to send you information about our Services and eventsAccount Information
Communication Information
Social Media Information
Other Information You Provide
Log Data
Usage Data
Device Information
Cookies and Similar Technologies
Where necessary to perform a contract with you, such as processing your contact information to send you a technical announcement about the Services.

Your consent when we ask for it to process your Personal Data for a specific purpose that we communicate to you, such as processing your contact information to send you certain forms of marketing communications.
To prevent fraud, illegal activity, or misuses of our Services, and to protect the security of our systems and ServicesAccount Information
User Content
Communication Information
Social Media Information
Other Information You Provide
Data We Receive From Other Sources
Log Data
Usage Data
Device Information
Cookies and Similar Technologies
Where necessary to comply with a legal obligation.

Where we are not under a specific legal obligation, where necessary for our legitimate interests and those of third parties, including in protecting our Services from abuse, fraud, or security risks, such as processing data from security partners to protect against fraud, abuse and security threats in our Services.
To comply with legal obligations and to protect the rights, privacy, safety, or property of our users, Merlin, or third partiesAccount Information
User Content
Communication Information
Social Media Information
Other Information You Provide
Data We Receive From Other Sources
Log Data
Usage Data
Device Information
Cookies and Similar Technologies
Where necessary to comply with a legal obligation, such as retaining transaction information to comply with record-keeping obligations.

Where we are not under a specific legal obligation, where necessary for our legitimate interests and those of third parties and broader society, including in protecting our or our affiliates', users', or third parties' rights, safety, and property, such as analyzing log data to identify fraud and abuse in our Services.

8.2

Processing ActivityPurposeLegal BasisApplicable Region
Account Registration & User ManagementTo create, manage, and secure your user account, including enabling log-ins via email or third-party providers (e.g., Google).Art. 6(1)(b) GDPR — Performance of a contractEU, UK, Switzerland
Identity Verification (if applicable)To verify your identity for security and fraud prevention when creating or managing your account.Art. 6(1)(c) GDPR — Legal obligation (where required) and Art. 6(1)(f) GDPR — Legitimate InterestEU, UK, Switzerland
Service ProvisionTo deliver the GetMerlin.com services you have requested, including the core AI tools and extensions.Art. 6(1)(b) GDPR — Performance of a contractEU, UK, Switzerland
Email Communications & NotificationsTo send you account-related information (e.g., password resets, service updates).Art. 6(1)(b) GDPR — Performance of a contractEU, UK, Switzerland
Marketing Emails & NewslettersTo send you marketing materials, updates, and offers, if you have opted in.Art. 6(1)(a) GDPR — ConsentEU, UK, Switzerland
Analytics & Performance TrackingTo analyse usage of our website/app, measure performance, and improve our services (e.g., Google Analytics, Googleapis).Art. 6(1)(a) GDPR — ConsentEU, UK, Switzerland
Cookies for Essential FunctionalityTo store your cookie preferences and keep our site secure and functioning properly.Art. 6(1)(f) GDPR — Legitimate InterestEU, UK, Switzerland
Third-Party Content & Plug-insTo display embedded content or enable sharing via social plug-ins/buttons (e.g., YouTube, LinkedIn, Twitter, Instagram).Art. 6(1)(a) GDPR — ConsentEU, UK, Switzerland
CDN & Security ServicesTo deliver website content quickly and securely via services like Jsdelivr CDN.Art. 6(1)(f) GDPR — Legitimate InterestEU, UK, Switzerland
Customer SupportTo respond to your inquiries and resolve any support tickets you submit.Art. 6(1)(b) GDPR — Performance of a contractEU, UK, Switzerland
Legal & ComplianceTo comply with legal obligations, enforce our Terms of Service, or defend our legal rights.Art. 6(1)(c) GDPR — Legal obligation & Art. 6(1)(f) GDPR — Legitimate InterestEU, UK, Switzerland
Merlin Browser Extension – Browsing Activity Data ProcessingTo provide and operate Extension user-facing functionality (page-aware features), maintain security and prevent abuse/fraud, troubleshoot errors, and improve Extension performance (including diagnostics such as redirects and HTTP status codes).Art. 6(1)(a) GDPR — Consent (for collection/processing of browsing activity data such as URLs) and Art. 6(1)(f) GDPR — Legitimate Interest (limited to security, fraud prevention, and essential service integrity logs, where applicable).EU, UK, Switzerland

9. Disclosure of Personal Data

We may disclose your Personal Data in the following circumstances:

10. Children

Our Services are not directed to, or intended for, children under 14. We do not knowingly collect Personal Data from children under 14. If you have reason to believe that a child under 14 has provided Personal Data to Merlin through the Services, please email us at [email protected]. We will investigate any notification and, if appropriate, delete the Personal Data from our systems. Users under 18 must have permission from their parent or guardian to use our Services.

11. Account Registration and Login

We offer users the ability to register and log in to our platform either by creating a dedicated account or by using a third-party authentication provider such as Google.

11.1 Standard Registration

When registering using the standard form, the following personal data is collected and marked with an asterisk (*) to indicate that it is required for account creation:

These data fields are mandatory in order to create and maintain a secure user account.

11.2 Login via Google (OAuth)

As an alternative, you may choose to log in using your existing Google account. If you do so, we will receive certain information from Google, specifically:

This data is used solely for authentication and account creation/login purposes. We do not gain access to your Google password or any other data from your Google account beyond what is explicitly authorized.

11.3 Legal Basis

The legal basis for processing your data during registration or login is:

11.4 Data Retention

We retain your registration data for as long as your account remains active. You may request deletion of your account at any time.

12. Data captured on our mobile apps

We capture the following data across our mobile apps (Merlin AI, Notetaker app, Wallflower)

  1. Firebase analytics – Firebase Analytics help us understand how users interact with our website by collecting information about mouse movements, clicks, and scrolling behavior.
  2. Facebook events – Facebook events helps us measure, optimize, and build audiences for our advertising campaigns. It allows us to track conversions from Facebook ads, Optimize ads based on collected data, build targeted audiences for future ads and remarket to qualified leads who have already taken action on our app.
  3. TikTok events – Tiktok events help us measure, optimize and build audiences for our advertising campaigns on tiktok.
  4. Microsoft Clarity - Microsoft Clarity also help us understand how users interact with our website by collecting information about mouse movements, clicks, and scrolling behavior.

Our website includes icons or buttons that link to our official profiles on social media platforms, including:

X (formerly Twitter)

LinkedIn

Instagram

Youtube

These buttons function solely as external links. When you click on one of these icons, you are redirected to the respective platform. No personal data is transferred to these platforms simply by visiting our website.

Please note that once you are on these external sites, their own privacy policies and terms of service apply. We do not control how these platforms collect or process your personal data.

14. Changes to the Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will publish an updated version and effective date on this page, unless another type of notice is required by applicable law.

15. How to Contact Us

Please contact [email protected] if you have any questions or concerns not already addressed in this Privacy Policy. Alternatively, you can write to us at [email protected] or the address above under Section 1 (Data Controller).

You can contact our Data Protection Officer at [email protected] in matters related to Personal Data processing.

Data Protection Officer:
Name: Sirsendu Sarkar
Email: [email protected]
Phone: +91-8953348922

EU Representative:
Rickert Rechtsanwaltsgesellschaft m.b.H.
Colmantstraße 15, 53115 Bonn, Germany
Email: [email protected]
Phone: +49 (0)228 74 898 0

UK Representative:
Rickert Services Ltd UK
PO Box 1487, Peterborough, PE1 9XX, United Kingdom
Email: [email protected]


Procedure for Data Withdrawal via Erasure and Objection

You have the right to request the withdrawal of your data through erasure of your personal data held by us. This means we will delete all personal data pertaining to you from our systems, subject to any legal obligations for data retention.

To initiate a request for data erasure:

  1. Send an email to [email protected]
  2. CC [email protected]
  3. Include "Data Erasure Request" in the subject line
  4. Provide your account email and any relevant details

We will respond to your request within 30 days and complete the erasure within the timeframes required by applicable law.

You also have the right to object to the processing of your personal data where we rely on legitimate interests or use your data for direct marketing purposes. To exercise this right, contact us at [email protected] and [email protected]