Privacy Policy

1.1 Information We Collect:

• Account Information: Name, email address, and profile picture from OAuth providers (Google, GitHub, etc.)
• Content Data: Your inputs (prompts), AI-generated outputs (responses), conversation history, and timestamps
• Usage Data: Token consumption, model selections, feature usage, and interaction patterns
• Technical Data: IP address, browser type, device information, operating system, and access times
• Location Data: Approximate location (city/region level) derived from your IP address for service optimization, security, and compliance purposes. We do not collect precise GPS location.
• Payment Information: Billing address and payment method details (processed securely by our payment providers)
• Content Reports: When you report AI-generated content as harmful, offensive, inaccurate, or otherwise problematic, we collect the report category, optional details you provide, and a reference to the reported message to improve content safety

1.2 How We Use Your Information:

• To provide, maintain, and improve our services
• To personalize your experience and remember your preferences
• To process transactions and manage subscriptions
• To monitor usage, enforce limits, and prevent abuse
• To communicate with you about service updates, security alerts, and support
• To comply with legal obligations and protect our rights
• To analyze trends and improve our AI services (in anonymized form)
• To review reported content and improve the safety and quality of AI-generated responses

1.3 Data Security: We implement industry-standard security measures including encryption in transit (TLS) and at rest, secure access controls, and regular security audits. However, no method of transmission over the internet is 100% secure.

1.4 Data Sharing: We do not sell your personal data. We share data only with: (a) AI providers to process your requests, who are contractually required to provide the same or equal protection of your data as described in this privacy policy, (b) service providers who assist our operations under equivalent data protection obligations, (c) when required by law, and (d) with your explicit consent.

1.5 Your Privacy Rights: Depending on your location, you may have the following rights regarding your personal data:

• Right to Access: Request a copy of the personal data we hold about you
• Right to Rectification: Request correction of inaccurate personal data
• Right to Erasure: Request deletion of your personal data (subject to legal requirements)
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to processing of your personal data for certain purposes
• Right to Restrict Processing: Request limitation of processing in certain circumstances
• Right to Withdraw Consent: Withdraw consent where processing is based on consent

To exercise any of these rights, please contact us at support@merachat.ai. We will respond to your request within 30 days.

1.6 International Data Transfers: Your data may be transferred to and processed in countries other than your country of residence, including India where our servers are located. We ensure appropriate safeguards are in place for such transfers in compliance with applicable data protection laws.

1.7 Children's Privacy: While our app may be rated for all ages on app stores (e.g., 3+ on Google Play), the use of our AI services requires a minimum age. Our services are not intended for unsupervised use by children. The following age requirements apply:

• Users must be at least 13 years old to use our services (or 16 years old in the European Economic Area, or 18 years old in India under the DPDPA).
• Users under 18 must have parental or legal guardian supervision and consent to use the services.
• We do not knowingly collect personal data from children below the applicable minimum age without parental consent.

If we become aware that we have collected personal data from a child without appropriate consent, we will take steps to delete such information promptly. If you believe a child has provided us with personal data, please contact us immediately.

2.1 Conversation Storage: Your conversations are stored securely in our encrypted database. We retain this data to provide you with conversation history, enable search functionality, and allow data export.

2.2 Data Retention: We retain your data for as long as your account is active or as needed to provide services. Upon account deletion:

• All conversations and messages are permanently deleted within 30 days
• Account information is anonymized or deleted
• Aggregated, anonymized analytics data may be retained for service improvement
• Data required for legal compliance may be retained as necessary

2.3 Data Export: You can export all your conversation data at any time from the Settings page in JSON or Markdown format. We support your right to data portability.

2.4 Cookies and Tracking: We use the following types of cookies and tracking technologies:

• Essential Cookies: Required for authentication, session management, security, and basic functionality. Cannot be disabled.
• Preference Cookies: Remember your settings, preferences, and customizations.
• Analytics Cookies: Help us understand how users interact with our services. We use this data to improve our services.

We do not use third-party advertising or marketing cookies. Most browsers allow you to control cookies through settings. Note that disabling essential cookies may prevent you from using certain features.

2.5 Model Training: By default, your conversations may be used to improve our services. You can opt out of training data usage in your account settings. Even if you opt out, data flagged for safety review may still be used to improve our safety systems.

2.6 Do Not Track: Our services currently do not respond to "Do Not Track" browser signals because there is no industry standard for this feature. We recommend managing cookies through your browser settings.

2.7 Data Retention After Account Termination: After account termination, we may retain certain data as required by law, for legitimate business purposes (such as fraud prevention), or as necessary to fulfill our legal obligations. Aggregated or anonymized data may be retained indefinitely.

3.1 AI Providers: Our service integrates with third-party AI models from providers including OpenAI (GPT models), Anthropic (Claude), Google (Gemini), DeepSeek, xAI (Grok), Inception (Mercury), and others. When you use our service, the following data may be shared with these providers to generate responses:

• Your text prompts and messages
• Relevant conversation history needed for contextual responses
• File attachments or images you include in your messages
• Audio recordings when you use speech-to-text (voice input) features

We do not share your name, email address, account information, or other personal identifiers with AI providers. Before any data is shared with third-party AI providers, we obtain your explicit consent through an in-app disclosure presented on your first use of AI features.

3.2 Third-Party Terms: Your use of AI features may be subject to additional terms from our AI providers. Each provider has their own privacy policy and data handling practices:

• OpenAI Privacy Policy
• Anthropic Privacy Policy
• Google Privacy Policy
• DeepSeek Privacy Policy
• xAI (Grok) Privacy Policy
• Inception (Mercury) Privacy Policy

3.3 Data Minimization: We only share the minimum data necessary with AI providers — specifically your text prompts and relevant conversation context needed to generate responses. We do not share your account information, email address, or metadata with AI providers unless required for the service.

3.4 No Third-Party Sales: We do not sell, rent, or trade your personal information or conversation data to third parties for marketing or advertising purposes.

3.5 Third-Party Data Processing: When you use AI models from third-party providers, your Input may be processed on servers located in various countries including the United States (OpenAI, Anthropic, Google, xAI, Inception), European Union, and China (DeepSeek). Each provider handles data according to their own policies and applicable laws.

3.6 Third-Party Links: Our services may contain links to third-party websites, services, or content. We are not responsible for the privacy practices, content, or availability of these third-party services. Your use of third-party services is at your own risk and subject to their terms.

3.7 Service Integrations: We may offer integrations with third-party services (such as file storage, productivity tools, etc.). When you enable such integrations, you authorize us to access and use data from those services as necessary to provide the integration functionality.

4.1 Our Security Measures: We implement industry-standard security measures to protect your data, including encryption in transit (TLS) and at rest, secure authentication, regular security audits, and access controls. However, no method of transmission over the Internet or electronic storage is 100% secure.

4.2 Your Security Responsibilities: You are responsible for:

• Maintaining the confidentiality of your account credentials
• Using strong, unique passwords and enabling two-factor authentication where available
• Notifying us immediately if you suspect unauthorized access to your account
• Not sharing your account with others
• Logging out from shared or public devices

4.3 Security Vulnerabilities: If you discover a security vulnerability in our services, please report it responsibly to support@merachat.ai. Do not exploit or publicly disclose vulnerabilities before giving us reasonable time to address them.

4.4 Data Breach Notification: In the event of a data breach affecting your personal information, we will notify you and relevant authorities as required by applicable law. Notification will include the nature of the breach, affected data categories, and steps you can take to protect yourself.

Under the General Data Protection Regulation (GDPR), we process your personal data based on the following legal bases:

• Performance of Contract (Article 6(1)(b)): Processing necessary to provide our services, including account creation, conversation processing, and subscription management.
• Legitimate Interest (Article 6(1)(f)): Processing for analytics, service improvement, security, fraud prevention, and abuse detection, where our interests do not override your rights.
• Consent (Article 6(1)(a)): Processing based on your explicit consent, such as optional model training data usage. You may withdraw consent at any time through your account settings.
• Legal Obligation (Article 6(1)(c)): Processing necessary to comply with applicable laws, regulations, or legal proceedings.

5.1 Data Protection Officer: For GDPR-related inquiries, you may contact us at support@merachat.ai. We will respond to your request within 30 days.

5.2 Right to Lodge a Complaint: If you are in the EEA, you have the right to lodge a complaint with your local data protection authority if you believe your data has been processed unlawfully.

MeraChat operates as a Data Fiduciary under the Digital Personal Data Protection Act, 2023 (DPDPA). As a user ("Data Principal"), you have the following rights:

• Right to Access: Obtain a summary of your personal data and processing activities.
• Right to Correction and Erasure: Request correction of inaccurate data or deletion of your personal data.
• Right to Grievance Redressal: Submit complaints regarding data processing to our grievance contact.
• Right to Nominate: Nominate another individual to exercise your rights in case of death or incapacity.

6.1 Consent: We process your personal data based on your consent, which is obtained at the time of account creation. You may withdraw consent at any time by deleting your account or contacting us, though this may affect your ability to use our services.

6.2 Children's Data: Under DPDPA, users under 18 years of age require verifiable parental or legal guardian consent before using our services. We do not knowingly process data of users under 18 in India without such consent.

6.3 Grievance Officer: For any grievances related to your personal data processing, please contact our Grievance Officer at support@merachat.ai. We will acknowledge your grievance within 48 hours and resolve it within 30 days.

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of collection, the business purposes, and the categories of third parties with whom we share it.
• Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
• Right to Correct: You may request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

7.1 Categories of Personal Information Collected: Identifiers (name, email), internet activity (usage data, conversations), geolocation data (approximate, from IP), and commercial information (subscription and payment data).

7.2 No Sale of Personal Information: We have not sold personal information in the preceding 12 months and do not intend to do so.

7.3 How to Exercise Your Rights: To submit a request, email us at support@merachat.ai. We will verify your identity and respond within 45 days. You may also designate an authorized agent to submit requests on your behalf.

If you have questions, concerns, or feedback about our privacy practices, please contact us:

For privacy-related requests under GDPR or other data protection laws, we will respond within 30 days. For urgent security matters, please include "URGENT" in your subject line.

For our full Terms of Service, please visit our Terms of Service page.