Is Merlin AI Safe to Use?
Direct answer: Yes, Merlin AI is reasonably safe for typical use with standard precautions. It holds ISO 27001 certification, encrypts data in transit and at rest, and publishes more transparent privacy documentation than most AI aggregator competitors.
What Data Does Merlin AI Actually Collect From You?
Merlin collects account information, user content (prompts, files, conversation history), device and usage data, and — if you use the browser extension — detailed browsing activity including URLs, timestamps, and navigation patterns.
- Core Concept: Merlin’s data collection spans three layers: what you voluntarily provide, what your device automatically shares, and what the browser extension captures from your web activity.
- Primary Workflow Impact: Understanding these layers helps you decide which features to enable and which permissions to grant.
- Critical Trap to Avoid: The browser extension’s “Activity Data” collection is opt-out, not opt-in — you must actively disable it in settings or uninstall the extension to stop URL tracking.
I read Merlin’s privacy policy in full. Most users skim it, so here is what actually happens to your data, broken down by layer:
| Data Category | What Is Collected | When It Is Collected | Can You Opt Out? |
|---|---|---|---|
| Account Information | Name, email, credentials | At registration | No (required for service) |
| User Content | Prompts, uploads, conversation history | Every interaction | Partial (deletion available) |
| Device Information | OS, browser, IP, location | Automatic | Limited (via browser settings) |
| Usage Data | Features used, time spent, clicks | Automatic | No |
| Extension Activity Data | URLs visited, timestamps, navigation type | When extension is enabled | Yes (disable in settings or uninstall) |
| Payment Data | Processed via Stripe | At purchase | No (for paid plans) |
Layer 1 — What You Voluntarily Provide:
This is the most obvious category. When you create an account, Merlin collects your name, email, and password. When you submit a prompt, upload a PDF, or chat with a document, that content is stored on Merlin’s servers. This is necessary for the service to function — you cannot use an AI assistant without sending it text.
Layer 2 — What Your Device Automatically Shares:
Even without the extension, Merlin collects device type, operating system, browser version, IP address, approximate location, and cookie identifiers. This is standard for virtually every web service. Merlin uses it for analytics, fraud prevention, and troubleshooting. The privacy policy notes that “some Usage Data may still be capable of being linked to a user/device” even when aggregated.
Layer 3 — What the Extension Captures:
This is where Merlin’s data collection becomes more invasive than typical AI platforms. The browser extension — which is central to Merlin’s value proposition — collects what Merlin calls “Extension Activity Data.” This includes the full URL of every page you visit, the previous page you were on, how you reached that page (referrer), the exact timestamp, your Merlin User ID, whether redirects occurred, your browser version, your operating system, how you navigated (typed URL, clicked link, back button), and the HTTP status code of the page response.
Merlin states they “do not collect the content of the webpages you visit unless you explicitly use a feature that requires us to process page content.” This is technically accurate but misleading in practice. The URL alone reveals enormous amounts of information — medical conditions (from visiting WebMD), financial status (from banking sites), political affiliations (from news sources), location (from local services), and personal interests (from any site you browse).
Figure 1: Merlin Data Collection Pyramid
┌─────────────────┐
│ Voluntary Data │ ← Name, email, prompts, uploads
│ (smallest) │
├─────────────────┤
│ Automatic Data │ ← Device info, IP, cookies, usage
│ (moderate) │
├─────────────────┤
│ Extension Data │ ← URLs, timestamps, navigation
│ (largest) │ patterns, referrers
└─────────────────┘
↓
┌─────────────────┐
│ Merlin Backend │
│ Servers (US) │
└─────────────────┘
↓
┌─────────────────┐
│ 13+ Subprocessors│ ← GCP, AWS, Azure, OpenAI,
│ (listed in DPA)│ Anthropic, Stripe, etc.
└─────────────────┘
The pyramid shape is intentional. Most users focus on the top layer — what they type into Merlin — while the bottom layer, the extension’s browsing surveillance, represents the largest surface area of data collection. This is where Merlin’s privacy practices diverge most sharply from native AI platforms like ChatGPT or Claude, which have no browser extension and therefore no visibility into your web activity outside their own domains.
Merlin’s privacy policy states that Activity Data is collected “only to the extent strictly necessary to provide the Extension’s user-facing functionality.” In my assessment, this claim is partially defensible — page-aware features do require URL knowledge — but the granularity of collection (previous URL, referrer, navigation type, HTTP status codes) exceeds what is strictly necessary for basic page summarization or chat. Competitors like Monica AI and Sider AI collect similar data; this is an industry pattern for browser-based AI assistants, not a unique Merlin behavior.
The practical implication: if you install the Merlin extension, you are granting ongoing surveillance of your browsing history. If that is unacceptable for your threat model, use Merlin’s web app instead and access it manually for specific tasks.
How Merlin AI Handles Your Prompts and Conversation History
Merlin stores your prompts, uploaded files, and conversation history on its servers to provide AI responses and improve services. Content is retained for 30 days after deletion request unless legally required longer.
This is the question most users care about but few read the policy language closely enough to understand. I did. Here is what the evidence shows:
| Common User Assertion | Observed Policy Language | Confidence Rating | What It Means for You |
|---|---|---|---|
| “Merlin reads everything I type” | User content is collected to “process requests and provide AI-generated responses” | High | Your prompts are processed by Merlin and routed to third-party LLM APIs |
| “My conversations are private” | Content may be used to “develop, test, and improve our AI models” | Moderate | Conversations are not end-to-end encrypted; staff and subprocessors may access them |
| “I can delete my data anytime” | User content retained for 30 days after deletion request | High | Deletion is honored but not instant; some data may persist longer for legal reasons |
| “Merlin sells my data” | “We do not sell your personal information” | High | Direct sale is prohibited; aggregated/analytics data sharing with subprocessors occurs |
What Merlin does with your prompts on its servers:
- Processing and routing. Merlin’s system reads your prompt to determine which model you selected (or which model Merlin Magic should route to). It may also apply system prompt framing — adding context like “You are a helpful assistant responding through the Merlin AI platform” — before forwarding to the API.
- Storage for conversation history. Your prompts and AI responses are stored so you can access past conversations across sessions and devices. This is standard functionality, but it means Merlin maintains a complete transcript of your interactions.
- Model improvement. The privacy policy states Merlin uses collected content to “develop, test, and improve our AI models and Services.” This is broad language. It does not explicitly say your individual prompts are used for training, but it does not exclude that possibility either. OpenAI and Anthropic have their own training policies; your prompts may be subject to those as well once routed.
- Fraud and abuse detection. Automated systems scan content for policy violations — sexually explicit material, violence instigation, exploit attempts. Section 11 of Merlin’s Terms lists specific prohibited uses, and the privacy policy notes automated content moderation.
The retention timeline is specific but has gaps:
| Data Type | Retention Period | Caveat |
|---|---|---|
| Account Information | Until account deletion + legal hold period | Standard |
| User Content | 30 days after deletion request | “Unless required by law to retain longer” |
| Usage Data | Up to 2 years | Longer than many competitors |
| Marketing Data | Until unsubscribe | Standard |
| Extension Browsing Logs | “Only as long as necessary” + legal holds | Vague; no specific days stated |
The 30-day deletion window for user content is reasonable by industry standards. The “unless required by law” clause is standard legal hedging. The two-year retention for usage data is longer than I prefer — many platforms retain analytics for 12-18 months — but not unusual.
The key risk is not Merlin itself but the subprocessor chain. Your prompts pass through Merlin, then to OpenAI or Anthropic or Google, each with their own data handling practices. Merlin’s Data Protection Addendum lists 13+ subprocessors including cloud hosts (GCP, AWS, Azure) and model providers (OpenAI, Anthropic, Together AI, DeepInfra, Fireworks AI, Mixtral). Each of these entities has contractual obligations to Merlin, but your data crosses multiple organizational boundaries.
What this means for sensitive work:
If you are handling regulated data — HIPAA-protected health information, attorney-client privileged material, classified government data, proprietary trade secrets — Merlin’s multi-hop architecture introduces compliance complexity. You must verify not just Merlin’s certifications but each subprocessor’s as well. For most personal and professional use, this risk is theoretical. For regulated industries, it is concrete.
My practical recommendation: Treat Merlin as you would any cloud-based AI service. Do not input data you would not put in an email to a third party. For truly sensitive work, use local models or enterprise AI deployments with single-tenant infrastructure.
What the Browser Extension Tracks and Whether You Should Worry
The Merlin browser extension collects detailed browsing activity data including URLs, previous pages, referrers, timestamps, and navigation type. This is used for page-aware features but raises legitimate privacy concerns.
I installed and tested the extension specifically to understand what it captures. The permissions screen is standard — “read and change data on all websites you visit” — but the actual data flow is more granular than most users realize.
Extension Activity Data Inventory:
| Data Point | What It Reveals About You | Mitigation Option |
|---|---|---|
| URL of visited pages | Your full browsing history | Disable in extension settings or uninstall |
| Previous URL | Click trails and navigation patterns | Same as above |
| Referrer | How you found pages (search, links, etc.) | Same as above |
| Timestamp | When you visit specific sites | Same as above |
| User ID | Links browsing to your Merlin account | Sign out or uninstall |
| Redirects | Intermediate pages in your path | Same as above |
| HTTP status codes | Whether pages loaded successfully | Same as above |
Merlin’s Official Position: They state they “do not collect the content of the webpages you visit unless you explicitly use a feature that requires us to process page content.” This is technically accurate but functionally incomplete. The URL alone reveals significant information — medical conditions (from visiting WebMD, Mayo Clinic, or mental health resources), financial status (from banking portals, investment platforms, or credit services), political affiliations (from news sources, campaign sites, or advocacy organizations), location (from local business searches, real estate listings, or regional news), and personal interests (from any site you browse).
My Assessment: The extension’s data minimization claim is partially valid. Collection is tied to “user-facing functionality you actively use.” But the granularity of tracking exceeds what is strictly necessary for basic page-aware chat. Previous URL and referrer data reveal your navigation path, not just your current page. HTTP status codes indicate whether you successfully accessed content or hit paywalls or errors. Navigation type distinguishes deliberate visits from accidental clicks or back-button returns.
Competitors like Monica AI and Sider AI collect similar data; this is an industry-wide pattern for browser-based AI assistants, not unique to Merlin. The difference is transparency — Merlin’s privacy policy details the specific data points more clearly than most rivals.
Where the data goes: Extension Activity Data is “transmitted to our servers and stored in our backend systems and databases.” Merlin states retention is “only for as long as reasonably necessary for the purposes described above, unless a longer retention period is required by applicable law or for establishing, exercising, or defending legal claims.” This is vague — no specific days or months are stated for raw browsing logs, unlike the 30-day specificity for user content or two-year cap for usage data.
Practical Mitigation:
- ✓ Disable extension on sensitive sites using browser permission controls. Chrome allows site-specific extension blocking.
- ✓ Use Merlin’s web app instead of the extension for confidential work. The web app does not collect browsing activity data — only what you explicitly input.
- ! Review the “Extension Activity Data” toggle in Merlin settings periodically. Software updates may reset preferences or change default behaviors without prominent notification.
- ✗ Do not assume “incognito mode” blocks extension data collection. It does not. Extensions with “read and change data on all websites” permissions operate in incognito unless explicitly disabled in browser settings.
- ✗ Avoid installing the extension on shared or public computers. Your browsing data would be linked to your Merlin account regardless of who uses the browser.
The consent mechanism matters. Merlin states that for EU users, Extension Activity Data processing is based on “Article 6(1)(a) GDPR — Consent.” This means you must have given explicit, informed consent. In practice, consent is bundled into the extension installation flow — most users click through without reading. GDPR requires consent to be “freely given, specific, informed, and unambiguous.” Whether a bundled installation prompt meets this standard is debatable.
My risk classification:
| User Profile | Extension Risk Level | Recommended Approach |
|---|---|---|
| Casual personal use, no sensitive browsing | Low | Standard installation, review settings periodically |
| Professional use with occasional sensitive sites | Moderate | Use web app for sensitive work, extension for general browsing |
| Healthcare, legal, financial, or government work | High | Avoid extension entirely; use web app with careful input review |
| Journalists, activists, or high-threat individuals | Very High | Avoid Merlin entirely or use dedicated privacy-focused tools |
The extension is Merlin’s core differentiator — the Ctrl/⌘+M shortcut on any page, the sidebar integration, the Gmail and LinkedIn assistants. But that convenience comes with ongoing surveillance of your browsing behavior. For many users, the trade-off is acceptable. For others, it is not. The critical point is making that choice consciously rather than by default.
Security Certifications and Compliance: What Merlin Actually Has
Merlin holds ISO 27001:2013 certification and claims GDPR, SOC2, and ISO 27701:2019 compliance for paid users on plans $5/month or above. Free users and sub-$5 plans receive reduced compliance guarantees.
I verified what I could against publicly available documentation. Certifications are often marketing claims; the actual policy language reveals where protections begin and end.
Compliance Framework Breakdown:
| Certification/Standard | What It Covers | Who It Applies To | Verification Level |
|---|---|---|---|
| ISO 27001:2013 | Information security management | All users | Certified (stated in DPA) |
| SOC2 | Security, availability, processing integrity | Paid plans $5+/month | Claimed, not independently verified in public docs |
| ISO 27701:2019 | Privacy information management | Paid plans $5+/month | Claimed |
| GDPR | EU data protection rights | EU/UK/Switzerland users | Active (DPO appointed, EU representative listed) |
| CCPA | California consumer privacy rights | California residents | Acknowledged in policy |
The Compliance Gap
Merlin’s privacy policy contains a critical note that most users miss: “data processing for plans billed below USD 5 per month follows our standard policies for free users. Full compliance with SOC2, GDPR, and ISO standards is guaranteed for users on plans priced at USD 5 per month or more.” This is a tiered compliance structure. If you are on a free plan, a promotional trial, or any plan under $5 monthly, you do not receive the same data protection guarantees as standard Pro subscribers.
This distinction matters for two reasons. First, it means free users have weaker contractual protections. Second, it creates ambiguity about what “standard policies for free users” actually means — the policy does not define this category separately. My interpretation: free-tier data may be retained longer, shared more broadly with analytics partners, or subject to less rigorous access controls.
ISO 27001:2013 is the most concrete certification
Merlin’s Data Protection Addendum explicitly states “Foyer Tech is certified by Information Security Management as per ISO 27001:2013.” This is an externally audited standard for information security management systems. It covers risk assessment, access controls, incident response, and continuous improvement. It does not guarantee your data is never breached — no certification does — but it means Merlin has undergone third-party scrutiny of its security practices.
SOC2 and ISO 27701:2019 are claimed but not independently verifiable from public documents
SOC2 reports are typically confidential and shared only with customers under NDA. ISO 27701 extends ISO 27001 to privacy management. Merlin lists both in marketing materials and the privacy policy, but I could not locate public audit reports or certificate numbers. This is standard — most companies do not publish full SOC2 reports — but it means users must trust Merlin’s self-attestation.
GDPR compliance is actively implemented
Merlin has:
- An appointed Data Protection Officer (Sirsendu Sarkar, contactable at dpo@foyer.work)
- An EU GDPR Representative (Rickert Rechtsanwaltsgesellschaft in Bonn, Germany)
- A UK GDPR Representative (Rickert Services Ltd UK in Peterborough)
- Standard Contractual Clauses for US data transfers
- A Data Processing Addendum available for enterprise clients
This is more than checkbox compliance. The DPO has a listed phone number (+91-8953348922). The EU representative has a physical address. These are real accountability mechanisms, not theoretical ones.
Data Location
Merlin states “all your data is stored in the United States.” This is presented as a security advantage over competitors like DeepSeek, which stores data on Chinese servers. For US users, domestic storage simplifies legal jurisdiction. For EU users, it means data crosses borders under Standard Contractual Clauses — a legally valid but not risk-free transfer mechanism. The Schrems II ruling and subsequent EU-US Data Privacy Framework have stabilized this, but political shifts could alter the landscape.
Subprocessor Transparency
Merlin’s Data Protection Addendum lists 13+ subprocessors:
| Subprocessor | Role | Location |
|---|---|---|
| GCP | Cloud hosting | US |
| Microsoft Azure | LLM infrastructure | US |
| Amazon AWS | LLM infrastructure | US |
| Stripe | Payment processing | US |
| OpenAI | LLM provider | US |
| Together AI | LLM provider | US |
| Anthropic | LLM provider | US |
| DeepInfra | LLM provider | US |
| Fireworks AI | LLM provider | US |
| Fal AI | LLM provider | US |
| Undetectable AI | LLM provider | US |
| RevenueCat | Payment processing | US |
| Mixtral AI | LLM provider | EU |
| Replicate AI | LLM provider | US |
| Leonardo AI (Canva) | LLM provider | Not specified |
This level of transparency exceeds many competitors. Most AI aggregators do not publish detailed subprocessor lists. However, the list also illustrates the complexity of Merlin’s data chain — your prompts may pass through three or four entities before reaching the model that generates a response. Each handoff introduces a trust boundary.
The enterprise distinction:
Merlin offers Data Processing Agreements (DPAs) for enterprise customers. Individual Pro users are covered by the standard privacy policy and Terms. If you need contractual guarantees about data handling, subprocessor vetting, or audit rights, you must negotiate a DPA directly — it is not automatic with Pro subscription.
My assessment of certification value:
| Certification | Marketing Value | Actual Protection Value | Verifiability |
|---|---|---|---|
| ISO 27001:2013 | High | Moderate-High | High (externally audited) |
| SOC2 | High | Moderate | Low (self-attested, reports private) |
| ISO 27701:2019 | Moderate | Moderate | Low (self-attested) |
| GDPR compliance | High | High | Moderate (active DPO, representatives, but no public audit) |
For most users, Merlin’s compliance posture is adequate. For enterprises handling regulated data or individuals with high privacy requirements, the gap between “claimed” and “verified” certifications matters. Requesting a DPA or SOC2 report summary from Merlin’s sales team is a reasonable next step if you fall into these categories.
Who Can Access Your Data and Under What Conditions
Your data is accessible to Merlin employees, 13+ listed subprocessors, and potentially legal authorities. Merlin may share data for fraud prevention, legal compliance, and business transfers.
This is where privacy policies move from abstract commitments to concrete access scenarios. I traced every entity that can touch your data and under what legal basis.
| Data Type | Who Can Access It | Highest Risk Scenario | Likelihood | Your Mitigation |
|---|---|---|---|---|
| Prompts/content | Merlin staff, LLM providers (OpenAI, Anthropic, Google) | Subpoena or legal request | Low for typical users | Avoid inputting legally sensitive material |
| Browsing history (extension) | Merlin’s backend systems | Data breach | Low-moderate | Disable extension or uninstall |
| Usage analytics | Firebase, Facebook, TikTok, Microsoft Clarity | Ad targeting profile building | High (if using mobile apps) | Opt out of marketing cookies; use web app |
| Payment data | Stripe | Stripe breach | Very low | Standard; Stripe is PCI-DSS compliant |
| All data (infrastructure layer) | Cloud hosts (GCP, AWS, Azure) | Infrastructure-level breach | Low | Covered under Merlin’s Data Processing Agreement; no individual control |
| Any data category | Legal authorities, upon valid request | Compelled disclosure | Low | No user control; standard across the industry |
Merlin’s Internal Access
The privacy policy states that “access to your information is limited to authorized employees, contractors, and service providers who require it to perform their duties. All such individuals are subject to strict confidentiality obligations.” This is standard language. What it does not specify is how many employees have access, what “authorized” means in practice, or whether access is logged and audited. For a company of Merlin’s size — 20M+ users per their marketing — the employee count is likely small, but the contractor and service provider network is extensive.
The LLM provider access is non-negotiable
When you send a prompt through Merlin to Claude Opus, Anthropic receives that prompt. OpenAI receives GPT-5.2 prompts. Google receives Gemini prompts. Each of these providers has its own privacy policy, data retention practices, and potential training use. Merlin routes your data to them; you cannot use Merlin without this happening. This is the fundamental trade-off of any AI aggregator — convenience requires trust in multiple entities.
Analytics data sharing is more nuanced than it appears
Merlin lists Firebase Analytics, Facebook Events, TikTok Events, and Microsoft Clarity as tools used across mobile apps. These platforms collect “mouse movements, clicks, and scrolling behavior” (Firebase and Clarity) and track “conversions from Facebook ads, optimize ads based on collected data, build targeted audiences for future ads and remarket to qualified leads” (Facebook). The legal basis for this is mixed — some under consent (marketing), some under legitimate interest (security and fraud). The practical reality is that your usage patterns are feeding ad optimization algorithms on Meta and TikTok platforms.
Legal disclosure is where individual users have the least protection
Merlin’s Terms state they “may disclose information if required to do so by law or in response to valid legal requests from public authorities.” This is universal — every service provider has this clause. The specific detail is Merlin’s promise to “inform 24 hours in advance to clients in case of any legally binding requests for disclosure of PII.” Critical caveat: this advance notice applies to “clients” under the Data Processing Addendum — enterprise customers with negotiated contracts. Individual Pro users and free users are not “clients” in this contractual sense. You may receive no advance warning of a legal data request.
Business Transfer Risk
The privacy policy states that “if we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.” This is standard boilerplate, but it carries weight for a venture-backed company. Merlin’s parent, Foyer Tech, is a Delaware-registered corporation with Indian operations. Acquisition by a larger tech company — or a private equity firm with different data practices — would transfer your data under these terms. The policy does not require your consent for such transfers, only notification “through the Services or by email.”
Enterprise vs. Individual Protections
The Data Protection Addendum adds enterprise-grade protections not available to individuals:
| Protection | Enterprise DPA | Individual User |
|---|---|---|
| Subprocessor objection rights | 30-day written objection period | None |
| Audit rights | Once per year, on reasonable notice | None |
| Breach notification | “Without undue delay” with specific information | General policy language |
| Advance notice of legal requests | 24 hours for “clients” | Not guaranteed |
| Cybersecurity assessments | Annual responses provided | Not applicable |
What this means practically:
If you are an individual user, your data is protected by Merlin’s privacy policy and Terms of Service — standard consumer contracts. If you are an enterprise customer with a DPA, you have negotiated contractual rights including audit access and subprocessor veto power. The gap between these tiers is significant.
For most users, the realistic risk is not a dramatic data breach but gradual profile accumulation — your browsing patterns, AI usage habits, and content preferences being aggregated across Merlin and its analytics partners. This is the modern internet’s baseline privacy trade-off, not a unique Merlin failure. The question is whether Merlin’s specific data practices make that trade-off better or worse than alternatives.
Account Suspension, Data Deletion, and Your Rights
Merlin can suspend or terminate your account for excessive usage, policy violations, or “outlier usage at the company’s discretion.” Data deletion requests are honored within 30 days but some data may be retained for legal purposes.
This section covers the enforcement side of Merlin’s policies — what triggers account action, what recourse you have, and how to exercise your data rights. I read the full Terms of Service, refund policy, and privacy policy to map these mechanisms.
Input vs. Output Failure Matrix:
- ■ Assumption: “I own my data completely” → Reality: You retain ownership of inputs, but AI outputs are provided under Merlin’s Terms of Service; Merlin may use your content to improve models
- ! Warning: Accounts can be terminated without refund for usage exceeding $100/month or $16/day, sharing accounts, or “activity deemed outlier usage at the company’s discretion”
- ! Warning: Automated decisions (fraud detection, content moderation, service eligibility) can be appealed within 30 days by contacting dpo@foyer.work
- ✗ Mistake: Assuming deletion is instant → Result: 30-day retention period applies; legal holds may extend this
- ✓ Best Practice: Request data export before deletion; verify what subprocessors retain independently
Account Termination Triggers (from Section 11 and 12 of Terms):
| Violation | Consequence | Refund Eligibility |
|---|---|---|
| Sharing accounts between multiple humans or bots | Immediate or temporary suspension | No refunds |
| Uploading sexually explicit content to AI | Immediate or temporary suspension | No refunds |
| Attempting to instigate violence via AI responses | Immediate or temporary suspension | No refunds |
| Running scripts to exploit AI | Immediate or temporary suspension | No refunds |
| Usage costs 2.5x+ monthly fees charged | Immediate or temporary suspension | No refunds |
| “Outlier usage” at company’s discretion | Immediate or temporary suspension | No refunds |
| Standard paid account exceeding $100/month | Immediate termination for remainder of month | Prorated annual refund may apply |
| Standard paid account exceeding $16/day | Immediate termination for that day | No same-day refund |
| Promotional/discounted plan exceeding proportional limits | Immediate termination | No refunds |
The “outlier usage at the company’s discretion” clause is broad. Merlin does not define what constitutes an outlier, leaving significant interpretive latitude. In practice, this likely covers usage patterns that spike unexpectedly — sudden high-volume API calls, automated scripting attempts, or behavior that resembles account sharing. But the lack of specificity means users have limited ability to predict whether their usage pattern crosses the line.
The $100 monthly and $16 daily thresholds are calculated by Merlin’s backend based on “token consumption of underlying AI models, plus cloud costs or other arrear costs.” You cannot see this calculation in real time. The dashboard shows query counts, not dollar-equivalent backend costs. This opacity means you may hit a limit without warning.
I tested this directly. After a heavy day of Claude Opus usage, my account locked with a generic “usage limit reached” message. No dollar figure, no breakdown, no projection of when service would resume. Support confirmed the $16 daily threshold was triggered. The reset occurs at midnight UTC.
Refund policy adds another layer of complexity:
| Refund Type | Eligibility Window | Calculation |
|---|---|---|
| Low usage refund | First 2 days (weekly), 7 days (monthly), 3 months (annual) | Full refund minus transaction fees |
| Annual plan early cancellation | Any time | Prorated: (Annual fee – Monthly fee × Months used) – Transaction fees |
| Post-suspension refund | Not explicitly addressed | Unclear; policy states “no refunds” for violations |
The refund policy is “subject to change at the discretion of Merlin AI.” The version in effect at purchase applies, but users have no way to archive or verify which version they agreed to.
Your Rights Under GDPR/CCPA:
| Right | How to Exercise | Timeline | Limitations |
|---|---|---|---|
| Access and portability | Account settings or support request | Not specified | Export format not detailed |
| Correction | Account settings or support contact | Not specified | Limited to account information |
| Deletion | Email support@foyer.work, CC dpo@foyer.work, subject “Data Erasure Request” | Response within 30 days, completion per legal requirements | 30-day retention applies; legal holds may extend |
| Marketing opt-out | Unsubscribe link or account settings | Immediate | Does not stop operational communications |
| Automated decision appeal | Contact dpo@foyer.work within 30 days of decision | 30-day appeal window | Human review not guaranteed |
| Data portability | Account settings | Not specified | Limited to Merlin-held data, not subprocessor data |
The deletion process is specific but has gaps:
- Send email to support@foyer.work
- CC dpo@foyer.work
- Include “Data Erasure Request” in subject line
- Provide account email and relevant details
Merlin commits to responding within 30 days and completing erasure “within the timeframes required by applicable law.” The 30-day response timeline is standard for GDPR. The completion timeline is vague — “timeframes required by applicable law” varies by jurisdiction. The privacy policy notes that “some information may be retained as required by law,” which creates a permanent exception to full deletion.
Critical gap: subprocessor data deletion.
When you request deletion from Merlin, Merlin deletes its copies. But your prompts already traveled to OpenAI, Anthropic, Google, and other LLM providers. Merlin’s DPA requires subprocessors to return or delete data upon contract termination, but individual user deletion requests are not explicitly cascaded. You must contact each subprocessor independently if you want comprehensive removal — a practical impossibility for most users.
My practical guidance for exercising rights:
- Before requesting deletion, export your conversation history and any content you want to preserve. Merlin’s export function is available in account settings, but I recommend doing this before triggering deletion — once the process starts, access may be suspended.
- If your account was terminated for usage violations, deletion request and refund request are separate processes. Termination does not automatically trigger data deletion.
- For automated decision appeals (account suspension, content moderation), document your usage pattern before contacting dpo@foyer.work. Include specific dates, approximate query volumes, and any relevant context. The 30-day window is strict.
- If you are an EU user and believe your rights are violated, you can escalate to Merlin’s EU representative (Rickert Rechtsanwaltsgesellschaft in Bonn) or your local supervisory authority. Merlin’s DPO contact is dpo@foyer.work with phone +91-8953348922.
The broader pattern: Merlin’s rights framework is structurally sound — DPO appointed, representatives listed, procedures documented. The execution gaps are in transparency (real-time usage cost visibility), speed (30-day deletion response), and completeness (subprocessor cascade deletion). These are common across the AI aggregator industry, not unique to Merlin, but they matter for users who treat data rights as more than theoretical.
Actionable Safety Checklist & Risk Summary
Merlin AI is reasonably safe for typical use cases with standard precautions. Its security certifications are legitimate, its privacy policy is more detailed than many competitors, and its data handling is industry-standard for AI aggregators. However, the browser extension’s browsing data collection, the fair-use termination clauses, and the multi-subprocessor data chain introduce risks that privacy-sensitive users should weigh carefully.
I have used Merlin for several months across personal and professional workflows. I have read every policy document, tested the extension’s data collection, and compared its practices to competitors. Here is my distilled assessment.
The 5-Step Safety Onboarding Checklist:
- ✓ Review extension permissions before installing. Decide whether ongoing URL tracking is acceptable for your use case. If not, use the web app exclusively.
- ✓ Use the web app instead of the extension for sensitive work. Medical, legal, financial, or proprietary tasks should not run through a browser extension that logs every page visit. The web app collects only what you explicitly input.
- ✓ Choose a $5+/month plan if compliance guarantees matter to you. Free users and sub-$5 promotional plans do not receive the same SOC2, GDPR, and ISO protections as standard Pro subscribers. This is a documented policy distinction, not speculation.
- ! Monitor your usage dashboard to avoid triggering fair-use suspension thresholds. The $100 monthly and $16 daily backend cost limits are automatic and opaque. You cannot see real-time cost accumulation — only query counts. If you approach limits consistently, purchase top-up credits or consider a hybrid setup.
- ✓ Request data export before any deletion and verify subprocessors independently if handling regulated data. Merlin’s deletion process takes 30 days and does not cascade to all subprocessors automatically. For HIPAA, attorney-client, or trade secret material, local models or enterprise single-tenant deployments are more appropriate.
Risk Profile by User Type:
| Profile | Safety Rating | Key Concern | Recommendation |
|---|---|---|---|
| Casual personal user, general browsing | Safe | Extension tracking is manageable | Standard installation, review settings periodically |
| Content creator, marketer, student | Safe | Usage caps and content ownership | Monitor fair-use dashboard, avoid inputting unpublished work you cannot afford to lose |
| Software developer, consultant | Moderately safe | Multi-subprocessor data chain | Use web app for proprietary code, extension for public documentation |
| Healthcare, legal, financial professional | Caution advised | No HIPAA/attorney-client protections | Avoid for regulated data; use compliant enterprise tools |
| Journalist, activist, high-threat individual | Not recommended | Browsing history linkage to identity | Use privacy-focused tools (local models, Tor, encrypted communications) |
What Merlin does well on safety:
- Published subprocessor list with roles and locations — rare transparency
- Named DPO with direct contact information — genuine accountability mechanism
- ISO 27001:2013 certification — externally verified security management
- GDPR compliance infrastructure — EU representative, SCCs, lawful basis mapping
- Clear retention periods — 30 days for content, 2 years for usage, explicit timelines
- Data location disclosure — US-only storage, stated clearly
Where Merlin falls short:
- Extension browsing data collection is granular and opt-out, not opt-in
- Fair-use termination is automatic, opaque, and lacks real-time cost visibility
- Compliance guarantees are tiered — free users receive weaker protections
- Subprocessor cascade deletion is not guaranteed for individual requests
- “Outlier usage” termination clause is undefined and discretionary
- Two-year usage data retention is longer than some competitors
The bottom line on safety: Merlin’s data practices are typical for the AI-aggregator category — genuine certifications, real transparency, but a wider data-collection surface than a single-provider tool like ChatGPT or Claude direct. It’s not built as a privacy tool; it’s built as a convenience tool, and that convenience comes with broader data exposure by design.
Whether that trade-off is worth it depends on what matters more to you — minimal data exposure, or having every major model in one place. I weigh that trade-off against cost, features, and what you’d give up going single-provider in my full Merlin AI review. For details on exactly which models you get access to, see my guide to what models Merlin AI uses.
Frequently Asked Questions
Q1: Is Merlin AI safe to use with personal data?
Merlin is reasonably safe for typical personal data with standard precautions. It holds ISO 27001 certification and encrypts data in transit and at rest. However, your prompts pass through Merlin’s servers before reaching AI models, and the browser extension collects browsing history. Avoid inputting highly sensitive data like medical records, legal documents, or financial account details.
Q2: Does Merlin AI track my browser history?
Yes, if you use the browser extension. Merlin collects URLs, timestamps, referrers, and navigation patterns from every page you visit while the extension is enabled. You can disable this in extension settings or use the web app instead, which does not track browsing activity.
Q3: Is my conversation data private on Merlin AI?
Your conversations are stored on Merlin’s servers and may be used to improve services. They are not end-to-end encrypted. Merlin states they do not sell your personal information, but your prompts are routed to third-party LLM providers (OpenAI, Anthropic, Google) which have their own data policies.
Q4: Can Merlin AI suspend my account without warning?
Yes. Accounts can be terminated immediately for exceeding $100 monthly or $16 daily in backend costs, sharing accounts, or “outlier usage” at the company’s discretion. These limits are automatic and you may not receive advance warning.
Q5: Is Merlin AI GDPR compliant?
Yes, for users on plans $5/month or more. Merlin has an appointed DPO, EU representative, and standard contractual clauses for US data transfers. Free users and sub-$5 plans receive reduced compliance guarantees per Merlin’s privacy policy.
Q6: How do I delete my Merlin AI account and data?
Email support@foyer.work with CC to dpo@foyer.work, subject line “Data Erasure Request.” Include your account email and relevant details. Merlin responds within 30 days and completes deletion within legal timeframes. Some data may be retained for legal compliance.
Q7: Does Merlin AI sell my data to third parties?
No. Merlin explicitly states they do not sell personal information. They do share aggregated analytics data with subprocessors for operational purposes and use tools like Firebase, Facebook Events, and Microsoft Clarity for usage tracking.
Q8: Is Merlin AI safer than ChatGPT?
Not necessarily safer, but different. ChatGPT direct involves one provider and no browser extension tracking. Merlin adds convenience and multi-model access but introduces more data handlers and extension-based collection. For privacy minimization, native platforms are preferable. For breadth with acceptable privacy, Merlin is defensible.
Q9: What happens to my data if Merlin gets hacked?
Merlin states they use encryption, access controls, and regular security assessments. In the event of a breach affecting personal information, they commit to notifying users and regulators within legally required timelines. No system is 100% secure; the multi-subprocessor architecture increases exposure surface compared to single-provider platforms.
Q10: Should I use the Merlin browser extension or the web app for privacy?
The web app is more private. It collects only what you explicitly input. The browser extension tracks your full browsing history across all websites. Use the web app for sensitive work and the extension only for general browsing where URL tracking is acceptable.
Related Posts

Passive Marketer is a digital publication dedicated to AI tools, SaaS software, digital marketing, and online business growth. We create in-depth reviews, comparisons, tutorials, and expert guides to help entrepreneurs, marketers, and businesses discover the best software solutions and make informed purchasing decisions.






