Privacy Policy — Merge
Effective Date: May 2026
Last Updated: May 2026
1. Introduction
Merge ("we", "us", "our") is an AI-powered video generation app that lets you create motion-controlled videos using your photos and reference videos. This Privacy Policy explains what personal information we collect, how we use it, and your rights regarding your data.
By using Merge, you agree to the practices described in this policy.
2. Information We Collect
2.1 Account Information
When you sign in with Apple, we receive:
- Your Apple-provided user ID (a stable, anonymized identifier — not your Apple ID email unless you choose to share it)
- Your name (first time only, if you share it with the app)
- Your email address (only if you choose to share it — Apple may relay it through a private address)
We do not receive your Apple ID password or any payment information from Apple.
2.2 Profile Information
Information you voluntarily provide:
- Display name and username
- Bio text
- Profile photo (avatar)
2.3 Content You Create
- Character photos: The images you select as your character source. These are sent to our third-party AI generation provider as base64-encoded data within a secure API call and are not stored on our servers. The provider may retain them temporarily per their own retention policy.
- Reference motion videos: Videos you select as motion references. These are temporarily uploaded to Supabase Storage (under
temp/) and automatically deleted once the AI provider has accepted the generation task (within seconds). - Generated videos: AI-generated videos. If you choose to publish a video, it is stored in Supabase Storage and appears in the public feed. If you choose to save privately, the video is saved only to your device.
2.4 Usage and Analytics
We use Mixpanel to collect anonymous usage analytics, including:
- Feature interactions (e.g., generation started, published, liked)
- App performance events
- Funnel and retention data
Mixpanel data is associated with your Supabase user ID (not your name or email) unless you explicitly provide an email.
2.5 Purchase and Subscription Data
We use RevenueCat to process in-app purchases. RevenueCat receives:
- Your Apple App Account Token (anonymous purchase identifier)
- Product IDs and transaction IDs from Apple
- Your Supabase user ID (to match purchases to your account)
We never see or store your full credit card or billing details — all payment processing is handled by Apple.
2.6 Technical Data
Automatically collected when you use the app:
- Device type and iOS version
- App version
- Crash and error reports (via Supabase error logging)
- API request logs (IP address, timestamp, endpoint — retained for 30 days)
3. How We Use Your Information
| Purpose | Legal Basis |
|---|---|
| Creating and managing your account | Contract performance |
| Generating AI videos | Contract performance |
| Showing your content in the public feed (if published) | Contract performance / Consent |
| Processing credit purchases and subscriptions | Contract performance |
| Detecting and preventing abuse (rate limiting, fraud) | Legitimate interest |
| Analytics to improve the app | Legitimate interest |
| Responding to support requests | Legitimate interest |
| Legal compliance | Legal obligation |
4. Information We Share
We share data only as necessary to operate the service:
| Recipient | What is shared | Why |
|---|---|---|
| AI generation provider | Character photo (base64), reference video URL, generation prompt | AI video generation |
| Supabase (supabase.com) | All database content, authentication, file storage | Backend infrastructure |
| RevenueCat (revenuecat.com) | User ID, product purchases | Subscription and credit management |
| Mixpanel (mixpanel.com) | Anonymous usage events | Analytics |
| Google Cloud Run | API request data | Backend hosting |
We do not sell your personal information to any third party.
We may disclose information if required by law, court order, or to protect the rights and safety of our users.
5. Data Retention
| Data | Retention Period |
|---|---|
| Account and profile data | Until account deletion |
| Published videos | Until you delete or unpublish them |
| Generation task records | 30 days (Provider CDN links expire; records are then purged) |
| Credit transaction ledger | 7 years (financial record requirement) |
| API request logs | 30 days |
| Analytics data (Mixpanel) | 2 years |
| Temp reference videos in storage | Deleted within seconds of the AI provider accepting the task |
6. Your Rights
You have the following rights regarding your personal data:
- Access: Request a copy of the data we hold about you.
- Correction: Request correction of inaccurate profile information (via the app's Edit Profile screen).
- Deletion: Delete your account and all associated data at any time via Settings → Delete Account in the app. This permanently removes your auth account, profile, posts, credits, and storage files.
- Data portability: Request an export of your data.
- Withdraw consent: Disable analytics tracking by opting out of Mixpanel data collection (contact us).
To exercise any of these rights, contact us at: themistech@hotmail.com (or the contact email provided in your App Store listing).
7. Children's Privacy
Merge is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact us immediately and we will delete it.
8. International Data Transfers
Our infrastructure providers (Supabase, Google Cloud, our AI generation provider, RevenueCat, Mixpanel) may process data in countries outside your own. Where required, we rely on Standard Contractual Clauses or equivalent mechanisms to ensure adequate protection.
9. Security
We protect your data using industry-standard security practices:
- HTTPS/TLS for all data in transit
- Supabase Row Level Security (RLS) ensuring users can only access their own data
- API keys and secrets stored in Google Secret Manager (never in source code)
- Supabase JWT authentication on all backend API calls
- Google Cloud Armor (WAF and DDoS protection)
Despite our best efforts, no method of transmission over the internet is 100% secure.
10. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes via an in-app notice or by updating the "Last Updated" date above. Continued use of the app after changes constitutes acceptance of the updated policy.
11. Contact Us
If you have questions, concerns, or requests related to this Privacy Policy, please contact us:
Email: themistech@hotmail.com
App: Merge — available on the Apple App Store
This Privacy Policy was drafted for the Merge iOS app. It covers data processing as of the Effective Date above.