Privacy Policy
Introduction
This Privacy Policy explains how Merge ("the App"), operated by Merge Labs Ltd ("we," "us," or "our"), collects, uses, shares, and protects your information. This policy applies to anyone who downloads, installs, or uses our Apps across iOS, Android, watchOS, and Wear OS, which are provided as a commercial service.
The Apps primarily use Bluetooth to connect your phone and watch. In Merge for your Apple Watch, when Bluetooth is unavailable or unstable, we may use an internet relay and push notification services to deliver notifications and calls.
By using the Apps, you consent to the practices described in this Privacy Policy. If you do not agree with this policy, please do not use the Apps.
Information
Information that is kept solely on your devices
We prioritize your privacy and data integrity. Most content data is kept solely on your devices, and we do not access it. When internet relay is used in our Apple Watch app, message and notification content is encrypted end-to-end between your devices and we cannot access plaintext content. We protect relay metadata with encryption in transit and at rest where applicable.
- Bluetooth Connection: The App uses Bluetooth to connect to devices and may access Bluetooth identifiers.
- Notification Content: The Apps relay notifications between your phone and watch over Bluetooth or, if needed, via an encrypted relay. We do not access notification content.
- Encryption Keys: Keys for end-to-end encryption are generated and stored on your devices.
- Location Information: Some Android versions require location permission for Bluetooth scanning. If you enable location-based features, the App may use precise location while that feature is active. On Android, if you enable features such as Known Locations for auto-hotspot, the App may also use precise location, background location, and geofence enter/exit events, including while the app is not open, to determine whether hotspot should stay on or turn off at your saved locations. Saved locations are kept on your devices and are not sent to our servers as part of normal operation.
- Health Information: If you enable health or fitness integration, the App syncs health information to Apple Health, Health Connect, or other platform health services where supported. Depending on the features you enable and the data available from your connected watch, this may include activity, workouts, sleep, body measurements, vitals, nutrition, workout routes, and reproductive health records such as menstrual or ovulation-related data.
- Contacts: If you enable contacts sync, the App syncs contact information from your phone to your watch.
- Installed Apps and App Icons: On Android, the App may enumerate installed third-party apps and store package names, app labels, notification-management settings, and cached app icons locally on your devices so your connected watch can display apps, notifications, and related settings. This installed-app inventory is kept on your devices and is not sent to our servers as part of normal operation.
Once your data is synced to Apple Health, Google Contacts, or other platform services, some of it may be sent to their cloud services, as per their policies.
In particular, notification content and relay payloads are designed to remain end-to-end encrypted between your devices, and encryption keys are generated and stored on your devices. Where supported features involve identification data, contacts, or health-related data, that information is generally kept on your devices or handled in encrypted form.
Information We Collect
- Email Address: Before subscribing, you may optionally provide your email address to receive promotional offers from us. Providing your email is entirely voluntary — you may skip this step with no impact on your ability to subscribe or use the Services. By actively submitting your email at this step, you consent to receive such offers. For users in the European Economic Area (EEA), we process this data on the basis of Article 6(1)(a) GDPR (consent). You may withdraw your consent at any time by using the unsubscribe link in any email we send.
- Usage Statistics and Analytics: The App may collect limited usage analytics and aggregate statistics, including through Google Analytics, to improve its functionality and services. These analytics may be associated with device, installation, or app instance identifiers.
- Device Identifiers and Tokens: We collect device identifiers, app instance identifiers, relay tokens, and push notification tokens to maintain pairing and deliver notifications.
- Log Data and Diagnostics: In case of errors or connectivity issues, we may collect data such as IP address, device name, operating system version, app configuration, relay and notification status, timestamps, crash reports, and related diagnostic metadata. Log data is retained for three months.
- App Icon Requests: When you request app icons, our servers may receive app identifiers and your IP address in order to return the icon assets.
- Purchase Information: We may retain information about your past purchases and subscriptions through the App for operational, support, and legal purposes, although subscription transactions are managed by Apple or Google.
- Service Providers: To operate the service, we use a limited number of processors or service providers, including Amazon Web Services (AWS) for hosting and infrastructure, Google Analytics for usage analytics, Google Crashlytics for crash reporting, and Bugstack for diagnostics and troubleshooting workflows. These providers may process limited technical data such as IP address, device or app instance identifiers, push tokens, crash logs, timestamps, and related diagnostic metadata solely on our behalf.
How We Use Your Information
We use the information collected for the following purposes:
- Enhancing Functionality: To improve and optimize your experience, prioritize features, and refine the App's services and functionality.
- Improving the App: To analyze aggregate usage patterns and trends to make enhancements to the App.
- Service Delivery: To pair devices, deliver notifications and calls, and provide relay and push functionality.
- Location-Based Automation: On Android, if you enable Known Locations for auto-hotspot, to detect geofence entry and exit events and determine whether hotspot should stay on or off at your saved locations.
- Local App Lists and Icons: On Android, to build app lists, notification-management settings, and app icon display for your connected watch.
- Security and Abuse Prevention: To protect the service, prevent fraud or misuse, and enforce our policies.
- Subscription Processing: To facilitate subscription sign-up, send transactional messages related to your subscription, and communicate about your account.
- Service Providers: We use a limited number of service providers acting on our behalf to host infrastructure, analyze aggregate usage, monitor crashes, and support troubleshooting.
How We Share Your Information
We do not sell, rent, or disclose your personal data to advertisers, data brokers, or other third parties for their own marketing purposes.
We do use a limited number of service providers that process data on our behalf to operate the Apps. This includes Amazon Web Services (AWS) for cloud hosting and infrastructure, Google Analytics for aggregate usage analytics, Google Crashlytics for crash reporting, and Bugstack for diagnostics and troubleshooting workflows. These providers may process limited technical and diagnostic data such as IP address, device and app instance identifiers, push tokens, crash logs, timestamps, and related metadata solely as necessary to operate, secure, maintain, and improve the service.
We do not share plaintext message content, notification content, or other end-to-end encrypted relay payloads with these providers. We also do not share personal data with third parties for advertising targeting, profiling, or data brokerage.
Service Providers
We currently use service providers such as:
- Amazon Web Services (AWS) for hosting, infrastructure, and encrypted relay operations;
- Google Analytics for aggregate usage analytics;
- Google Crashlytics for crash reporting and reliability monitoring; and
- Bugstack for diagnostics, support, and troubleshooting workflows.
These providers act as processors or service providers on our behalf. They may process only the limited data reasonably necessary to provide their services to us, and they are not authorized to use your data for their own advertising or marketing purposes. We may also disclose information where required by law, regulation, legal process, or to protect the rights, safety, and security of our users or the service.
Permissions and Controls
The Apps may request permissions such as Bluetooth, notifications, background operation or foreground services, internet access, contacts, health data, broad app visibility or installed-app inventory access, and location where required by the OS. On Android, if you enable Known Locations for auto-hotspot, the App may request background location ("Allow all the time") so it can detect geofence entry and exit events while the app is not open. You can manage permissions in your device settings, but some features may not work if permissions are disabled.
Children Under 13
The App does not knowingly collect personal information from children under the age of 13. If we become aware that a child under 13 has provided us with personal information, we will take steps to delete that information.
Data Security
We value your trust in providing us with your information and use commercially acceptable means to protect it. However, no method of transmission or electronic storage is 100% secure, so we cannot guarantee its absolute security. Transaction and log data, if retained, are encrypted.
When relay is used, message and notification content is encrypted end-to-end between your devices and we cannot access plaintext content. We protect relay metadata with encryption in transit and at rest where applicable. Because encryption keys are generated and stored on your devices, we do not have plaintext access to end-to-end encrypted communications.
International Data Processing
We and our service providers may process information in the locations where they operate. By using the Apps, you understand that your information may be processed in countries with different data protection laws than your own.
Links to Other Sites
This App may contain links to other sites. If you click on a third-party link, you will be directed to that site. We strongly advise you to review the Privacy Policy of those websites, as we have no control over and assume no responsibility for their content, privacy policies, or practices.
Data Retention and Deletion
We retain personal and sensitive user data only for as long as necessary to fulfill the purposes for which it was collected. Relay payloads are transient and not stored beyond delivery. Relay metadata and device tokens are retained as needed to provide the service, prevent abuse, or meet legal obligations, and may be removed when you stop using the Apps or deregister your devices. Log data is retained for three months for support and troubleshooting purposes.
Email addresses collected at the optional pre-subscription step are retained until you withdraw your consent by unsubscribing.
Your Rights (GDPR and Similar Laws)
If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction with similar data protection laws, you have the following rights regarding your personal data:
- Access: You may request a copy of the personal data we hold about you.
- Rectification: You may ask us to correct inaccurate or incomplete data.
- Erasure: You may request that we delete your personal data, subject to any legal obligations to retain it.
- Restriction: You may ask us to restrict processing of your data in certain circumstances.
- Portability: Where processing is based on your consent or a contract, you may request your data in a structured, commonly used, machine-readable format.
- Objection: You may object to processing based on our legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds.
- Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at contact@merge.watch. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection supervisory authority.
Changes to This Policy
We may update our Privacy Policy periodically. You are advised to review this page regularly for any changes. We will notify you of updates by posting the new Privacy Policy on this page.
Contact Us
If you have questions or concerns about this Privacy Policy, please contact us at: contact@merge.watch
Effective Date
This Privacy Policy is effective as of 2026-04-21.