Privacy Policy

Updated on 4th January, 2024

Purpose and scope

This Privacy Notice by Merlin Fit Limited, “Merlin Physio” (together with our affiliates, “Merlin”, “Physio” “we”, or “us”) describes how we treat the information that we collect from you in connection with our websites (collectively the “Site”), through which our services are accessed, our mobile application (the “App”), when you interact with us via our customer support service,  e-mail communications and social media channels and any other Merlin products, services or digital platforms that link to this Privacy Notice (together with the Site, Merlin, and App, the “Merlin Services” or “Services”), the kinds of information we will collect, how that information is used, with whom we share it and how you can opt-out of a use or correct or change such information.

This Privacy Notice supplements and forms part of Terms of Service (the “Terms”). All individuals whose responsibilities include the Processing of personal information on behalf of Merlin are expected to protect that data by adherence to this Privacy Notice. This Privacy Notice does not apply to personal information of Merlin employees processed in the employment context, but employees who elect to use the services will be treated as users in accordance with this Privacy Notice with respect to personal information processed as users of our service.

At Merlin Physio, we take your online safety and privacy very seriously and understand that particularly in the Health and Fitness sector, the data you share is sensitive and needs to be protected by those to whom you have entrusted it. We understand and share the concern of our Users since ultimately we aim to build a community through our Platform and therefore, through this Policy wish to help you make an informed decision. Kindly read this Policy in its entirety before proceeding further. All data that is provided to us by you, our Users remains protected and is collected in compliance with the applicable laws of the United Kingdom.

This Privacy Policy applies to our website, and its associated subdomains (collectively, our “Service”) alongside our application, Merlin. By accessing or using our service, you signify that you have read, understood, and agree to our collection, storage, use, and disclosure of your personal information as described in this privacy policy and our Terms of Service.

The information we collect and how it is used

The data and information we will be collecting and processing during your usage of our Services include:

  • Information you provide when you register/sign-up in a mobile application our platform will collect  your name, email address, phone number, login details, password. You acknowledge that your User Profile information may be personal to you, and by creating a Merlin account and providing such information through the use of our Services, you allow others, including Merlin, to identify you and therefore you may not be anonymous.
  • Location tracking permissions which will be required and necessary in order to provide our Merlin Physio App services. Various operations necessitate these elements to ensure a smooth and seamless user experience. Internet usage permissions are also required and primarily used for application error log collection, application version update detection, user data management, and are necessary permissions. Location tracking, Internet usage and access features are low powered features that shall run in the background even when the Merlin Physio App is closed and not in use. Your permission preferences may affect and/or restrict your access to and experience of our Merlin Physio App.
  • The Merlin Physio app seeks your permission to access the camera during exercise sessions to enhance functionality and provide a comprehensive user experience.
  • We refrain from collecting or transferring any images or videos from your device to our servers. Our system solely receives keypoint data, encompassing the positions of wrists, ankles, knees, hips, shoulders, and elbows.
  • Fitness And Performance Data. When you use the Services, we will collect your fitness performance history (including workout history, such as hours spent on working out, calories burnt out, days spent on working out and times of working out), Merlin Achievements.
  • Automatic Data Collection. We collect certain information automatically through our Services or other methods of web analysis, such as your IP Address, cookie identifiers, mobile carrier, MAC address, IMEI, and other device identifiers that are automatically assigned to your computer or device when you access the Internet, browser type and language, geo-location information, hardware type, operating system, Internet service provider, pages that you visit before and after using the Services, the date and time of your visit, the amount of time you spend on each page, information about the links you click and pages you view within the Services, and other actions taken through use of the Services such as preferences. We also collect information from mobile devices for a better user experience, although these features are completely optional:
  • Location (GPS). Location data helps to target the user to our nearest servers to provide the best speed of services.

By accepting the Privacy Policy, you agree to share your data like your email address, mobile number, your exercise and reports with your Physio. This is required to provide your Physio to review and help to heal your injury in a better way.

Disclosure of your information

We may also share your information with our current and future affiliated companies and business partners, and if we are involved in merger, asset sale or other business reorganization, we may also share or transfer your personal and non-personal information to our successors-in-interest.

We may engage trusted third party service providers to perform functions and provide services to us, such as hosting and maintaining our servers and the website, database storage and management, email management, storage marketing, customer service. We will likely share your personal information, and possibly some non-personal information, with these third parties to enable them to perform these services for us and for you.

We may share portions of our log file data, including IP addresses, for analytics purposes with third parties such as web analytics partners, application developers, and ad networks. If your IP address is shared, it may be used to estimate general location and other technographics such as connection speed, whether you have visited the website/app in a shared location, and type of the device used to visit the website/app.

We may also disclose personal and non-personal information about you to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate in order to respond to claims, legal process (including subpoenas), to protect our rights and interests or those of a third party, the safety of the public or any person, to prevent or stop any illegal, unethical, or legally actionable activity, or to otherwise comply with applicable court orders, laws, rules and regulations.

How we use your email address

By submitting your email address on this website/app, you agree to receive emails from us. You can cancel your participation in any of these email lists at any time by clicking on the opt-out link or other unsubscribe option that is included in the respective email. We only send emails to people who have authorized us to contact them directly. We do not send unsolicited commercial emails, because we hate spam as much as you do.

How long we keep your information

We retain your information only for the duration necessary to provide Merlin Physio services and fulfill the purposes outlined in our policy. After account deletion or when retention is no longer required, we either remove or depersonalise the information, adhering to our policies.

Users can request the deletion of their account and their data will be erased. Once a user has submitted a request for account deletion, we will store users’ data for 30 days in our database and then we will erase it. If a user re-logins within 30 days, the account will be re-activated and all the services will be restored.

Here is the flow to navigate user for account deletion:
Profile (Top right corner) > Settings > Account > Delete Account.

How we protect your information

We implement a variety of security measures to maintain the safety of your personal information when you submit or access your personal information. We offer the use of a secure server. We cannot, however, ensure or warrant the absolute security of any information you transmit to Merlin or guarantee that your information on the Service may not be accessed, disclosed, altered, or destroyed by a breach of any of our physical, technical, or managerial safeguards.

We employ various precautions to ensure the security of your information, utilizing physical, electronic, and managerial procedures to safeguard against unauthorized access, maintain data security, and appropriately utilize your information. Our commercially reasonable safeguards, adjusted based on the sensitivity of personal information, aim to prevent unauthorized use, disclosure, or access. While we strive for security, it’s essential to acknowledge that the internet cannot be guaranteed to be entirely secure, and we cannot warrant the security of information you provide. We don’t accept liability for unintentional disclosure. By using our services, you consent to electronic communication on security, privacy, and administrative issues. In the event of a security breach, we may attempt to notify you electronically, and you may have a legal right to receive this notice in writing. Deleting your Merlin Physio account may not immediately eliminate all associated content due to caching, backups, or accessible public activity stored on our servers.

Could my information be transferred to other countries?

Information collected via our website/app, through direct interactions with you, or from use of our help services may be transferred from time to time to our offices or personnel, or to third parties, located throughout the world, and may be viewed and hosted anywhere in the world, including countries that may not have laws of general applicability regulating the use and transfer of such data. To the fullest extent allowed by applicable law, by using any of the above, you voluntarily consent to transfer and hosting of such information.

Our servers are located in safe countries like Tokyo, Japan. For more information refer to AWS Security Policy.

Opt out, update or correct your information

General: You have the right to object and opt-out of certain uses and disclosures of your Personal Information. Where you have consented to Merlin’s Processing of your Personal Information or Sensitive Personal Information, you may withdraw that consent at any time and opt-out to further Processing by emailing our Support team at support@merlinphysio.com.

Mobile devices: We may occasionally send you push notifications through the App with updates, achievements and other notices that may be of interest to you. You may at any time opt-out from receiving these types of communication by changing the settings on your device. We will also collect location-based information if you use the App. You will opt-out of this collection by changing the settings on your device.

Personnel: You may contact us in order to (1) update or correct your information, (2) change your preferences with respect to communications and other information you receive from us, or (3) receive a record of the information we have relating to you. Such updates, corrections, changes and deletions will have no effect on other information that we maintain, or information that we have provided to third parties in accordance with this Privacy Policy prior to such update, correction, change or deletion.

Customers: Customers possess the right to request limitations on specific uses and disclosures of personally identifiable information. You may contact us to (1) amend or rectify your personally identifiable information, (2) modify your communication preferences and other information received from us, or (3) erase the personally identifiable information stored about you in our systems by cancelling your account. These updates, corrections, changes, and deletions will not impact other information we retain or information shared with third parties as per this Privacy Policy before such modifications.

In order to safeguard your privacy and security, we may employ reasonable measures, such as requesting a unique password, to confirm your identity before providing access to your profile or allowing corrections. It is your responsibility to ensure the confidentiality of your unique password and account information at all times.

Upon receipt of your request, personal information stored in actively used databases and other easily searchable media will be promptly updated, corrected, changed, or deleted, as applicable, to the extent reasonably and technically feasible.

Sale of business

This provision also applies if we cease operations, file for bankruptcy, reorganization, or a similar proceeding. The transfer is contingent upon the third party’s agreement to abide by the terms outlined in this Privacy Policy.

Governing law

This privacy policy is bound by the laws of the United Kingdom, irrespective of conflict of laws provisions.

Your consent

Our Privacy Policy has been updated to enhance transparency regarding data collection and usage when you visit our site or use our mobile app. By engaging with our website/app, creating an account, you express consent and agreement to the terms outlined in our Privacy Policy.

For inquiries about our privacy practices, this Privacy Notice, or to file a complaint with the appropriate authority, please contact Merlin via email at support@merlinphysio.com or at the address provided below:

Attn: Legal Department
Merlin Fit Limited,
1104 Crawford House,
70 Queen’s Road Central,
Central, Hong Kong.

Changes to our Privacy Policy

Our services and policies may undergo modifications, and corresponding adjustments to this privacy policy will be made to align with these changes accurately. Except where legally mandated, we commit to informing you, typically through our Service, in advance of any alterations to this privacy policy. This ensures you have the opportunity to review the changes before they become effective. By continuing to use the service following updates, you implicitly accept the revised privacy policy. If you do not wish to agree to the current or any updated privacy policy, you have the option to delete your account.

Tracking technologies


General DataProtection Regulation (GDPR)

We will be collecting and using information from you if you are from theEuropean Economic Area (EEA), and in this section of our Privacy Policy we are going to explain exactly how and why is this data collected, and how we maintain this data under protection from being replicated or used in the wrong way.

  • What is GDPR?

It is an EU-wide privacy and data protection law that regulates how EU residents’ data is protected by companies and enhances the control the EU residents have over their personal data. It is a comprehensive data protection and privacy regulation implemented by the European Union (EU) to strengthen and unify data protection for individuals within the EU.

The primary objectives of the GDPR include giving individuals greater control over their personal data and simplifying the regulatory environment for international businesses by unifying data protection regulations within the EU. It applies to organisations, both within and outside the EU, that process the personal data of EU residents. The GDPR introduces stringent requirements for obtaining consent, transparent data processing practices, and the notification of data breaches, among other provisions, to ensure the privacy and security of individuals’ personal information.

  • Legal basis for processing personal data under GDPR

We will process Personal Data, considering Your consent for processing Personal Data for one or more specific purposes.

In any case, the Company will gladly help to clarify the specific purpose that applies to the processing, and in particular whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.

  • Individual data subject’s rights – Data access, portability and deletion

We are committed to helping our customers meet the data subject rights requirements of GDPR. Merlin physio processes or stores all personal data in fully vetted, DPA compliant vendors. We do store all conversation and personal data for up to 30 days unless your account is deleted. In which case, we dispose of all data in accordance with our Terms of Service and Privacy Policy, but we will not hold it longer than 30 days.

We are aware that if you are working with EU customers, you need to be able to provide them with the ability to access, update, retrieve and remove personal data. We got you! We’ve been set up as self service from the start and have always given you access to your data and your customers data. Our customer support team is here for you to answer any questions you might have about working with the API.

Request access to your personal data. The right to access, update or delete the information We have on You. Whenever made possible, you can access, update or request deletion of your personal data directly within your account settings section. If you are unable to perform these actions yourself, please contact Us to assist you.

Request correction of the personal data that we hold about you. You have the right to have any incomplete or inaccurate information We hold about You corrected.

Object to processing of your personal data. This right exists where We are relying on a legitimate interest as the legal basis for Our processing and there is something about Your particular situation, which makes You want to object to our processing of Your Personal Data on this ground. You also have the right to object where We are processing Your Personal Data for direct marketing purposes.

Request the transfer of your personal data. We will provide to You, or to a third-party You have chosen, Your Personal Data in a structured, commonly used, machine-readable format. Please note that this right only applies to automated information which You initially provided consent for Us to use or where We used the information to perform a contract with You.

Withdraw your consent. You have the right to withdraw Your consent on using your Personal Data. If You withdraw Your consent, We may not be able to provide You with access to certain specific functionalities of the Service.

  • Exercising your GDPR Data Protection Rights

You may exercise your rights of access, rectification, cancellation and opposition by contacting Us. Please note that we may ask You to verify Your identity before responding to such requests. If You make a request, We will try our best to respond to You as soon as possible.

You have the right to complain to a Data Protection Authority about Our collection and use of your personal data. For more information, if You are in the European Economic Area (EEA), please contact Your local data protection authority in the EEA.

/END