Updated on 4th January, 2024
Purpose and scope
This Privacy Notice by Merlin Fit Limited, “Merlin” (together with our affiliates, “Merlin”, “MerlinFit”, “we”, or “us”) describes how we treat the information that we collect from you in connection with our websites (collectively the “Site”), through which our services are accessed, our mobile application (the “App”), when you interact with us via our customer support service, e-mail communications and social media channels and any other Merlin products, services or digital platforms that link to this Privacy Notice (together with the Site, Merlin, and App, the “Merlin Services” or “Services”), the kinds of information we will collect, how that information is used, with whom we share it and how you can opt-out of a use or correct or change such information.
This Privacy Notice supplements and forms part of the Terms of Service (the “Terms”). All individuals whose responsibilities include the Processing of personal information on behalf of Merlin are expected to protect that data by adherence to this Privacy Notice. This Privacy Notice does not apply to the personal information of Merlin employees processed in the employment context, but employees who elect to use the services will be treated as users in accordance with this Privacy Notice with respect to personal information processed as users of our service.
At MerlinFit, we take your online safety and privacy very seriously and understand that, particularly in the Health and Fitness sector, the data you share is sensitive and needs to be protected by those to whom you have entrusted it. We understand and share the concerns of our Users since ultimately we aim to build a community through our Platform and therefore, through this Policy, wish to help you make an informed decision. Kindly read this Policy in its entirety before proceeding further. All data that is provided to us by you, our Users, remains protected and is collected in compliance with the applicable laws of the United Kingdom.
The information we collect and how it is used
The data and information we will be collecting and processing during your usage of our Services include:
- Information you provide. When you register/sign up in the mobile application, our platform will collect your name, email address, phone number, gender, age, login details, and password. You acknowledge that your User Profile information may be personal to you, and by creating a Merlin account and providing such information through the use of our Services, you allow others, including Merlin, to identify you and therefore you may not be anonymous.
- Location tracking permissions will be required and necessary in order to provide our MerlinFit App services and access to our MerlinFit Platform via our devices. Various operations necessitate these elements to ensure a smooth and seamless user experience. Internet usage permissions are also required and primarily used for application error log collection, application version update detection, and user data management, and are necessary permissions. Location tracking, Internet usage and access features are low-powered features that shall run in the background even when the MerlinFit App is closed and not in use. Your permission preferences may affect and/or restrict your access to and experience of our MerlinFit App.
- The MerlinFit app requires access to your device’s camera during exercise sessions to determine your pose and form.
- We refrain from collecting or transferring any images or videos from your device to our servers. Our system solely receives keypoint data, for example, the positions of wrists, ankles, knees, hips, shoulders, and elbows.
- Fitness and performance data. When you use the Services, we will collect your fitness performance history (including workout history, such as hours spent on working out, calories burnt, days spent on working out and times of working out), and Merlin Achievements.
- Automatic data collection. We collect certain information automatically through our Services or other methods of web analysis, such as your IP Address, cookie identifiers, mobile carrier, MAC address, IMEI, and other device identifiers that are automatically assigned to your computer or device when you access the Internet, browser type and language, geolocation information, hardware type, operating system, Internet service provider, pages that you visit before and after using the Services, the date and time of your visit, the amount of time you spend on each page, information about the links you click and pages you view within the Services, and other actions taken through use of the Services such as preferences.
- We also collect information from mobile devices for a better user experience, although these features are completely optional: Location (GPS): Location data helps to target the user to our nearest servers to provide the best speed of services.
Disclosure of your information
We may also share your information with our current and future affiliated companies and business partners, and if we are involved in a merger, asset sale or other business reorganization, we may also share or transfer your personal and non-personal information to our successors-in-interest.
We may engage trusted third-party service providers to perform functions and provide services to us, such as hosting and maintaining our servers and the website, database storage and management, email management, storage marketing, and customer service. We will likely share your personal information, and possibly some non-personal information, with these third parties to enable them to perform these services for us and you.
We may share portions of our log file data, including IP addresses, for analytics purposes with third parties such as web analytics partners, application developers, and ad networks. If your IP address is shared, it may be used to estimate general location and other technographics such as connection speed, whether you have visited the website/app in a shared location, and the type of device used to visit the website/app.
We may also disclose personal and non-personal information about you to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate in order to respond to claims, legal process (including subpoenas), to protect our rights and interests or those of a third party, the safety of the public or any person, to prevent or stop any illegal, unethical, or legally actionable activity, or to otherwise comply with applicable court orders, laws, rules and regulations.
How we use your email address
By submitting your email address on this website/app, you agree to receive emails from us. You can cancel your participation in any of these email lists at any time by clicking on the opt-out link or other unsubscribe option that is included in the respective email. We only send emails to people who have authorized us to contact them directly. We do not send unsolicited commercial emails, because we hate spam as much as you do.
How long we keep your information
We retain your information only for the duration necessary to provide MerlinFit services and fulfil the purposes outlined in our policy. After account deletion or when retention is no longer required, we either remove or depersonalise the information, adhering to our policies.
Users can request the deletion of their account and their data will be erased. Once a user has submitted a request for account deletion, we will store user data for 30 days in our database and then we will erase it. If a user logs in again within 30 days, the account will be re-activated and all the services will be restored.
To delete an account, users navigate through the following flow:
Profile (Top right corner) > Settings > Account > Delete Account.
How we protect your information
We implement a variety of security measures to maintain the safety of your personal information when you submit or access your personal information. We offer the use of a secure server. We cannot, however, ensure or warrant the absolute security of any information you transmit to Merlin or guarantee that your information on the Service may not be accessed, disclosed, altered, or destroyed by a breach of any of our physical, technical, or managerial safeguards.
We employ various precautions to ensure the security of your information, utilizing physical, electronic, and managerial procedures to safeguard against unauthorized access, maintain data security, and appropriately utilize your information. Our commercially reasonable safeguards, adjusted based on the sensitivity of personal information, aim to prevent unauthorized use, disclosure, or access. While we strive for security, it’s essential to acknowledge that the internet cannot be guaranteed to be entirely secure, and we cannot warrant the security of the information you provide. We don’t accept liability for unintentional disclosure. By using our services, you consent to electronic communication on security, privacy, and administrative issues. In the event of a security breach, we may attempt to notify you electronically, and you may have a legal right to receive this notice in writing. Deleting your MerlinFit account may not immediately eliminate all associated content due to caching, backups, or accessible public activity stored on our servers.
Could my information be transferred to other countries?
Information collected via our website/app, through direct interactions with you, or from the use of our help services may be transferred from time to time to our offices, personnel, or third parties, located throughout the world, and may be viewed and hosted anywhere in the world, including countries that may not have laws of general applicability regulating the use and transfer of such data. To the fullest extent allowed by applicable law, by using any of the above, you voluntarily consent to the transfer and hosting of such information.
Our servers are located in safe countries, such as Japan (Tokyo). For more information, refer to the AWS Security Policy.
Opt-out, update or correct your information
General: You have the right to object and opt out of certain uses and disclosures of your Personal Information. Where you have consented to Merlin’s Processing of your Personal Information or Sensitive Personal Information, you may withdraw that consent at any time and opt out of further Processing by emailing our Support team at email@example.com.
Mobile devices: We may occasionally send you push notifications through the App with updates, achievements and other notices that may be of interest to you. You may at any time opt out from receiving these types of communication by changing the settings on your device. We will also collect location-based information if you use the App. You can opt out of this collection by changing the settings on your device.
In order to safeguard your privacy and security, we may employ reasonable measures, such as requesting a unique password, to confirm your identity before providing access to your profile or allowing corrections. It is your responsibility to ensure the confidentiality of your unique password and account information at all times.
Upon receipt of your request, personal information stored in actively used databases and other easily searchable media will be promptly updated, corrected, changed, or deleted, as applicable, to the extent reasonably and technically feasible.
Sale of business
For inquiries about our privacy practices, this Privacy Notice, or to file a complaint with the appropriate authority, please contact Merlin Fit via email at firstname.lastname@example.org or the address provided below:
Attn: Legal Department
Merlin Fit Limited,
1104 Crawford House,
70 Queen’s Road Central,
Central, Hong Kong.
General Data Protection Regulation (GDPR)
What is GDPR?
It is an EU-wide privacy and data protection law that regulates how EU residents’ data is protected by companies and enhances the control the EU residents have over their personal data. It is a comprehensive data protection and privacy regulation implemented by the European Union (EU) to strengthen and unify data protection for individuals within the EU.
The primary objectives of the GDPR include giving individuals greater control over their personal data and simplifying the regulatory environment for international businesses by unifying data protection regulations within the EU. It applies to organisations, both within and outside the EU, that process the personal data of EU residents. The GDPR introduces stringent requirements for obtaining consent, transparent data processing practices, and the notification of data breaches, among other provisions, to ensure the privacy and security of individuals’ personal information.
Legal basis for processing personal data under GDPR
We will process Personal Data, considering Your consent for processing Personal Data for one or more specific purposes.
In any case, the Company will gladly help to clarify the specific purpose that applies to the processing, and in particular, whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.
Individual data subject’s rights – Data access, portability and deletion
We are aware that if you are working with EU customers, you need to be able to provide them with the ability to access, update, retrieve and remove personal data. We got you! We’ve been set up as self-service from the start and have always given you access to your data and your customers’ data. Our customer support team is here for you to answer any questions you might have about working with the API.
Request access to your personal data. The right to access, update or delete the information we have on you. Whenever made possible, you can access, update or request the deletion of your personal data directly within your account settings section. If you are unable to perform these actions yourself, please contact Us to assist you.
Request correction of the personal data that we hold about you. You have the right to have any incomplete or inaccurate information we hold about you corrected.
Object to processing of your personal data. This right exists where we are relying on a legitimate interest as the legal basis for our processing and there is something about your particular situation, which makes you want to object to our processing of your personal data on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
Request the transfer of your personal data. We will provide to you, or to a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Please note that this right only applies to automated information that you initially provided consent for us to use or where we used the information to perform a contract with You.
Withdraw your consent. You have the right to withdraw Your consent to use your Personal Data. If You withdraw your consent, we may not be able to provide you with access to certain specific functionalities of the service.
Exercising your GDPR data protection rights
You may exercise your rights of access, rectification, cancellation and opposition by contacting us. Please note that we may ask you to verify your identity before responding to such requests. If you make a request, we will try our best to respond to you as soon as possible.
You have the right to complain to a Data Protection Authority about our collection and use of your Personal Data. For more information, if you are in the European Economic Area (EEA), please contact your local data protection authority in the EEA.