
Privacy Policy

Last updated: April 19, 2026

Draft — Pending Legal Review. This Privacy Policy is a working draft prepared for internal review. It has not been reviewed or approved by a licensed attorney or a Data Protection Officer and does not constitute legal advice. MergeUi will publish a final, counsel-reviewed version before public launch. Questions: privacy@mergeui.com.

1. Introduction

MergeUi ("we", "us", "our") takes your privacy seriously. This Privacy Policy explains what personal data we collect, how and why we use it, with whom we share it, how long we keep it, and the rights you have under the EU General Data Protection Regulation ("GDPR"), the Korean Personal Information Protection Act ("PIPA"), and other applicable privacy laws.

This Policy applies to mergeui.com and all related services (the "Service"). By using the Service, you acknowledge that you have read this Policy. Where required by law, we will also obtain your explicit consent.

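Summary (translated from Korean): This Privacy Policy explains how MergeUi collects, uses, retains, shares, and destroys users' personal data, and describes users' rights (under the GDPR and the Korean Personal Information Protection Act).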

2. Data Controller

The data controller responsible for your personal data is:

Summary (translated from Korean): The data controller is [COMPANY_NAME], and privacy inquiries are received at privacy@mergeui.com.

3. Personal Data We Collect

| Category | Examples | Source |
|---|---|---|
| Account data | Email address, display name, password hash (if email sign-up), country | You, at sign-up |
| OAuth profile | GitHub or Google user ID, email, display name, profile picture URL | GitHub / Google OAuth |
| Subscription & billing | Plan, subscription status, renewal date, Lemonsqueezy customer ID, invoice history | Lemonsqueezy (we do NOT receive full card numbers) |
| Usage data | Pages visited, features used, download history, template preferences | Your device, our servers |
| Device & log data | IP address, user-agent, browser, OS, approximate location (country/region), timestamps, error logs | Your device, server logs |
| Analytics & cookie data | GA4 client ID, session ID, event data, consent status | Google Analytics 4 (with consent) |
| Marketing data | Newsletter subscription status, email opens/clicks, preferences | Loops (with consent) |
| Support data | Contents of support tickets, feedback submissions | You |

We do not knowingly collect special-category ("sensitive") personal data such as health, religion, or political opinions. Please do not submit such data via support channels.

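Summary (translated from Korean): We collect email address, name, password hash, and country; OAuth profile data (GitHub/Google); Lemonsqueezy payment information (full card numbers are not collected); usage history; device and log data; GA4 cookies; newsletter subscription records; and the contents of inquiries. We do not collect sensitive data.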

4. Purposes and Legal Basis

Under GDPR Article 6, we process your personal data on the following legal bases:

| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Provide and operate the Service (account creation, authentication, download delivery) | Account, OAuth, usage | Art. 6(1)(b) — Performance of contract |
| Process subscriptions, renewals, and refunds | Billing, subscription | Art. 6(1)(b) — Performance of contract |
| Comply with tax, accounting, and legal obligations | Billing, invoices | Art. 6(1)(c) — Legal obligation |
| Prevent fraud, abuse, and secure the Service | Device, log, usage | Art. 6(1)(f) — Legitimate interest |
| Send transactional emails (receipts, password resets, critical announcements) | Account, billing | Art. 6(1)(b) — Performance of contract |
| Send marketing emails (newsletter, product updates) | Email, preferences | Art. 6(1)(a) — Consent (opt-in) |
| Analytics to improve the Service (GA4 with Consent Mode v2) | Cookie, usage | Art. 6(1)(a) — Consent |
| Respond to support requests and feedback | Support data | Art. 6(1)(b)/(f) — Contract / Legitimate interest |

Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing. See Section 9.

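Summary (translated from Korean): Service provision, payment, fulfilment of tax obligations, prevention of fraudulent use, and customer support are based on performance of contract or legitimate interest, while marketing emails and GA4 analytics cookies are processed on the basis of prior consent. For items requiring consent to collection and use under the Korean Personal Information Protection Act, we give separate notice and obtain consent on the sign-up screen.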

5. Data Retention Periods

| Data category | Retention period | Reason |
|---|---|---|
| Account data | Until account deletion + 30 days (technical backup cycle) | Service provision |
| Subscription & billing records (invoices) | 5 years after last transaction | Korean Commercial Act, tax law |
| Consumer-complaint records | 3 years | Korean e-Commerce Consumer Protection Act |
| Access logs (IP, login) | 3 months | Korean Communications Secrets Protection Act |
| Newsletter subscription | Until unsubscribe | Consent-based |
| Analytics (GA4) | 14 months (default GA4 retention) | Analytics improvement |
| Backups | 30 days rolling | Disaster recovery |

After the retention period expires, we will either permanently delete or irreversibly anonymize the data, except where a longer period is required or permitted by law.

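Summary (translated from Korean): Account data is destroyed within 30 days of account withdrawal; payment and tax records are kept for up to 5 years under the e-Commerce Act and the Commercial Act; and access logs are kept for 3 months. Once the retention period has passed, data is destroyed without delay or anonymized so that it cannot be restored.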

6. Third-Party Service Providers (Data Processors)

We share personal data only with the processors listed below, each under a Data Processing Agreement (DPA) that imposes GDPR-compliant obligations. We do not sell your personal data.

| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Lemonsqueezy (Merchant of Record) | Payment processing, subscription management, tax & invoicing | Email, name, billing address, card data (collected directly by Lemonsqueezy) | USA |
| Supabase | Database & authentication hosting | Account, subscription, usage data | Region to be confirmed at provisioning (EU or US) |
| Loops | Transactional and marketing email delivery | Email, name, preferences, event data | USA |
| Google Analytics 4 | Aggregated usage analytics (with consent) | Pseudonymous client ID, page views, events, anonymized IP | Global (Google) |
| GitHub / Google | OAuth authentication | OAuth profile fields listed in Section 3 | USA |
| Hosting / CDN (TBD) | Static site and asset delivery | IP address, user-agent, request metadata | Global |

We may also disclose data when required by law, court order, or government request, or to protect the rights, property, or safety of MergeUi, our users, or others.

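Summary (translated from Korean): We entrust the processing of personal data to third parties to the extent needed for payment (Lemonsqueezy), database hosting (Supabase), email delivery (Loops), analytics (Google Analytics 4), and authentication (GitHub/Google), and we conclude a data processing agreement (DPA) with each provider. We do not sell or provide personal data to third parties except where required by law or necessary to protect rights.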

7. International Data Transfers

Because we operate a global service and several of our processors are located outside Korea and the EEA (primarily in the United States), your personal data may be transferred to and processed in jurisdictions whose data-protection laws may differ from those of your country.

For transfers from the EEA/UK, we rely on:

  • the European Commission's Standard Contractual Clauses (SCCs) as updated in 2021;
  • the EU–US Data Privacy Framework (DPF), where the recipient is certified; and
  • supplementary safeguards such as encryption in transit and at rest.

For transfers from Korea to overseas processors, we obtain the consents required under PIPA Articles 28-8 and 28-9 and disclose the items, country, and duration of transfer in this Policy.

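Summary (translated from Korean): Some processors (such as Lemonsqueezy and Loops) are located in the United States, and EU-to-US transfers follow the SCCs and the EU–US DPF. For transfers from Korea to overseas recipients, we obtain user consent under Articles 28-8 and 28-9 of the Personal Information Protection Act and state the transferred items, country, and period in this Policy.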

8. Cookie Policy

8.1 What cookies we use

| Category | Purpose | Examples | Consent required? |
|---|---|---|---|
| Strictly necessary | Authentication, session, load balancing, security (CSRF) | session cookies, auth tokens | No (exempt under ePrivacy) |
| Functional | Remember preferences (theme, language) | theme preference cookie | No (if strictly functional) |
| Analytics | Understand aggregated usage | _ga, _ga_*, GA4 measurement | Yes |
| Marketing | Currently none; we do not run ad retargeting | | Yes, if added in future |

8.2 Consent Mode v2

We implement Google Consent Mode v2. On first visit, analytics and advertising storage are set to denied by default. Google tags load but do not write analytics cookies until you grant consent via the cookie banner. If you deny analytics cookies, we receive only anonymized, cookieless pings (no client ID, no cross-session tracking).

8.3 Managing your cookie choices

You can change your cookie preferences at any time by clicking "Cookie settings" in the site footer, or by clearing cookies in your browser. Declining non-essential cookies will not affect your ability to use the Service.

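Summary (translated from Korean): Strictly necessary cookies (login, security) are used without consent, and analytics cookies (Google Analytics 4) are activated only with consent. We apply Google Consent Mode v2, so no tracking cookies are issued if consent is refused. Cookie settings can be changed at any time via "Cookie settings" at the bottom of the page.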

9. Your Rights under GDPR

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights:

  • Right of access (Art. 15) — obtain a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — correct inaccurate or incomplete data.
  • Right to erasure / "right to be forgotten" (Art. 17) — request deletion of your data, subject to legal retention obligations.
  • Right to restriction of processing (Art. 18) — limit how we use your data.
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format (JSON/CSV) and transmit it to another controller.
  • Right to object (Art. 21) — object to processing based on legitimate interests or direct marketing.
  • Right to withdraw consent (Art. 7(3)) — withdraw consent for any consent-based processing at any time.
  • Right not to be subject to automated decision-making (Art. 22) — we do not make decisions about you based solely on automated processing that produce legal or similarly significant effects.
  • Right to lodge a complaint — you may lodge a complaint with your local data-protection supervisory authority. A list of EU authorities is available at edpb.europa.eu.

To exercise any right, email privacy@mergeui.com. We will respond within 30 days (extendable by a further 60 days for complex requests, with prior notice). We may need to verify your identity before fulfilling a request.

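Summary (translated from Korean): Residents of the EU, the United Kingdom, and Switzerland may exercise the rights of access, rectification, erasure (the right to be forgotten), restriction of processing, portability, objection, and withdrawal of consent, among others. Requests sent to privacy@mergeui.com are handled within 30 days, which may be extended by up to 60 days in complex cases.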

10. Your Rights under Korean PIPA

If you are located in the Republic of Korea, you (or your legal representative) have the right to:

  • access your personal data (Art. 35);
  • request correction or deletion (Art. 36);
  • request suspension of processing (Art. 37);
  • withdraw consent at any time for consent-based processing.

To exercise these rights, contact privacy@mergeui.com. You may also file a complaint with the Personal Information Protection Commission (PIPC, www.pipc.go.kr, tel. 1833-6972) or the Korea Internet & Security Agency (KISA, privacy.kisa.or.kr, tel. 118).

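Summary (translated from Korean): Users residing in Korea may exercise their rights under Article 35 (access), Article 36 (correction and deletion), and Article 37 (suspension of processing) of the Personal Information Protection Act, as well as the right to withdraw consent, and may file a complaint with the Personal Information Protection Commission (tel. 1833-6972, no area code) or the KISA Personal Information Infringement Report Center (tel. 118, no area code).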

11. Security Measures

We implement reasonable technical and organizational measures designed to protect your personal data, including:

  • TLS 1.2+ encryption for all data in transit;
  • encryption at rest for managed database storage (Supabase);
  • password hashing with modern algorithms (bcrypt/argon2) — plaintext passwords are never stored;
  • principle of least privilege for production access, with logging of administrative actions;
  • regular dependency updates and security reviews;
  • access tokens scoped per session with short expiry and rotation;
  • Data Processing Agreements (DPAs) with all sub-processors.

Despite these measures, no method of transmission or storage is 100% secure. In the event of a personal data breach, we will notify affected users and regulators where required by law (GDPR: within 72 hours; PIPA: as prescribed).

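Summary (translated from Korean): We apply technical and administrative safeguards including TLS 1.2+ encryption in transit, encryption at rest, password hashing, the principle of least privilege, and audit logging. In the event of a breach, we notify the supervisory authority and users within 72 hours as required by law.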

12. Children's Privacy

The Service is not directed to children under the age of 16 (or the age of digital consent in your jurisdiction, if higher). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact privacy@mergeui.com and we will delete the data promptly.

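Summary (translated from Korean): The Service is not directed to children under the age of 16, and we do not collect children's personal data. If a related report is received, we destroy the data immediately.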

13. Privacy Contact and Representative

  • Privacy inquiries: privacy@mergeui.com
  • Data Protection Officer: To be appointed. Contact the privacy email above for DPO correspondence.
  • EU Representative (Art. 27 GDPR): [EU_REPRESENTATIVE_TBD] — to be appointed if required by the scope of processing.
  • UK Representative: [UK_REPRESENTATIVE_TBD] — to be appointed if required.
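  • Korean Chief Privacy Officer (CPO): [CPO_NAME_TBD], privacy@mergeui.com

Summary (translated from Korean): The Chief Privacy Officer (CPO) and EU representative will be designated at the time of business registration and service expansion, and this Policy will be revised accordingly. For inquiries, please contact privacy@mergeui.com.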

14. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or business operations. We will post the updated version with a new "Last updated" date. For material changes, we will provide advance notice by email or a prominent in-product notice at least 30 days before the changes take effect.

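Summary (translated from Korean): If this Policy changes, it is posted with an updated date, and material changes are announced by email or in-service notice 30 days before they take effect.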