Privacy Policy

Last updated: May 2026.

1. Controller

The controller responsible for the processing of personal data on mergeshot.com within the meaning of Art. 4 (7) GDPR is:
4vor4 UG (haftungsbeschränkt)
Bromberger Straße 20
25474 Ellerbek, Germany
Email: hello@mergeshot.com

We are not legally required to appoint a Data Protection Officer. For any data protection request, please contact us at the email above.

2. Scope

This policy covers the public marketing pages at mergeshot.com and the MergeShot product (account sign-up, photo upload, AI merging, and result download). Where certain processing only applies to one of these (for example, photo uploads only happen inside the product), we say so explicitly.

3. Data we process

3.1 When you visit the website

• Server & access logs. Our hosting provider (Vercel Inc.) automatically processes technical data such as IP address, user agent, referring page, and timestamp to deliver the site, prevent abuse, and enforce rate limits. These logs are rotated and not used to build profiles of individual users.
• Anonymous usage analytics. We use Vercel Web Analytics, which is cookie-less and does not use persistent identifiers or fingerprinting. It records aggregated page views, referrers, and basic device categories without identifying individual visitors.

3.2 When you join the waitlist

• Email address, the CTA / page section you came from, and a timestamp. This information is sent through a private webhook to a Discord channel that we use as a notification inbox for the founding team.

3.3 When you create an account, use the product, or purchase a paid plan

• Account data — email address, sign-in provider (e.g. Google account or email magic link), and an internal user ID. Authentication is provided by Firebase Authentication.
• Uploaded photos that you submit to MergeShot in order to receive a merged result. Photos are stored in Firebase Storage in a per-user folder and are automatically deleted within 24 hours of upload by a scheduled clean-up job.
• Request metadata — request ID, timestamps, status (pending / processing / complete / rejected), the merge options you chose, and your daily/monthly usage counters used for fair-use limits and abuse prevention.
• Generated result images produced by the AI merging step. These are kept in Firebase Storage in your per-user folder for up to 30 days after the merge completes and are then automatically deleted by a scheduled clean-up job. You can also delete your account at any time to wipe them immediately (see Section 11).
• Billing and subscription data (only if you purchase a paid plan) — purchase confirmation, plan name, renewal status, and any support correspondence about your subscription. Card numbers and similar payment instruments are not processed or stored by us; they are handled by our payment provider (see Section 6).

We do not knowingly collect special categories of personal data (Art. 9 GDPR). Group photos may, however, contain identifiable people. Please make sure you have the right to upload them — see our Terms of Service.

4. Purposes and legal bases

• Operating the website and the product — Art. 6 (1)(b) GDPR (performance of a contract or pre-contractual steps) for account creation, photo merging, and delivering results; Art. 6 (1)(f) GDPR (legitimate interest in providing a functional, secure service) for hosting, logs, and abuse prevention.
• Waitlist signups — Art. 6 (1)(b) GDPR (pre-contractual steps: notifying you when MergeShot launches) and Art. 6 (1)(a) GDPR (consent), which you can withdraw at any time by emailing us.
• Anonymous analytics — Art. 6 (1)(f) GDPR (legitimate interest in understanding aggregate usage to improve the product). Because the analytics are cookie-less and do not process personal identifiers, no consent banner is required.
• Fair-use enforcement and abuse prevention — Art. 6 (1)(f) GDPR (legitimate interest in protecting the service from misuse and controlling AI inference costs).

5. Retention

• Uploaded photos are automatically deleted from our storage within 24 hours of upload by a scheduled clean-up job.
• Result images are stored for 30 days after the merge completes, then automatically deleted by the same scheduled clean-up job. Deleting your account also wipes any remaining results immediately.
• Account data and usage counters are kept for as long as your account exists. You can request deletion at any time.
• Waitlist data (email + source + timestamp) is kept until we have sent the launch notification and you have either responded or asked to be removed.
• Billing and invoice data for paid plans is retained for the period required by German tax and commercial law (currently up to 10 years under §147 AO and §257 HGB). It is retained by us only to the extent legally required; the primary billing record is held by our Merchant of Record (see Section 6).
• Server logs are kept for a short period for security and rate-limiting purposes and then rotated.

6. Recipients and processors

We use a small number of carefully selected service providers (“processors” under Art. 28 GDPR) to run the service. We have data processing agreements with each of them. The categories of recipients and the specific providers we currently use are:

• Hosting and CDN of the website / API. Vercel Inc., San Francisco, USA. Processes server logs and delivers the website. Data may be processed in the EU and US under EU Standard Contractual Clauses.
• Authentication, application database, file storage and serverless backend. Google Ireland Ltd. / Google LLC (Firebase Authentication, Cloud Firestore, Cloud Storage for Firebase, and Cloud Functions for Firebase). EU data centres are used by default; transfers to the US are covered by EU Standard Contractual Clauses and the EU-US Data Privacy Framework.
• AI inference for image validation and merging. To produce your merged photo we send your uploaded images and a short text prompt to one or more cloud-based AI inference providers based in the EU and/or the US (with US transfers covered by EU Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework). We work with established large cloud providers and select them based on output quality, EU compliance, and privacy practices. We only work with providers whose API terms forbid using customer content to train their general-purpose models. AI providers may briefly retain inputs for service operation and abuse prevention before deletion in accordance with their own retention policies. The current list of AI inference providers used for your merges is available on request from hello@mergeshot.com.
• Payment processing and billing (only if you purchase a paid plan). Lemon Squeezy LLC, USA, acts as our Merchant of Record. Lemon Squeezy receives the data necessary to process your purchase (e.g. email address, billing address, country, IP address, and payment-instrument data handled by their own payment processors), to issue invoices, and to handle VAT/sales-tax obligations. Transfers to the US are covered by EU Standard Contractual Clauses. We do not see or store your full payment-instrument data.
• Internal notification of waitlist signups. Discord, Inc., San Francisco, USA. Receives waitlist submissions (email, CTA source, timestamp) via a private webhook so the founding team is notified in real time. Transfers to the US are covered by EU Standard Contractual Clauses.
• Web fonts. The Inter typeface is self-hosted by Next.js at build time; no runtime requests to Google Fonts are made from your browser.

Beyond these processors we do not sell or share your personal data. Data is only disclosed to public authorities where we are legally required to do so.

7. International data transfers

Some of our processors are based in the United States or process data there. In those cases, we rely on the European Commission's Standard Contractual Clauses (Art. 46 (2)(c) GDPR) and, where applicable, the EU-US Data Privacy Framework as the legal mechanism for the transfer. We choose providers that offer EU data residency where reasonably possible.

8. AI processing details

When you upload photos to MergeShot, the following happens:

1. Your photos are stored in Firebase Storage under your user ID.
2. Our backend sends your photos plus a fixed instruction prompt to one or more AI inference providers (see Section 6) for two steps: a similarity check and the actual image merge.
3. The provider returns a merged image, which we store as your result.
4. Your original uploads are deleted from our storage within 24 hours by a scheduled job. The merged result is kept in your account for up to 30 days, then deleted by the same job.

We choose AI providers whose API terms forbid the use of customer content for training their general-purpose models. AI providers may briefly retain inputs for service operation and abuse prevention before deletion in accordance with their own retention policies. We do not send your photos to any third party other than the AI inference providers and the infrastructure providers listed above.

Outputs are produced by AI and may contain artefacts or inaccuracies. They are clearly identifiable as AI-generated where required, in line with the EU AI Act (Regulation (EU) 2024/1689).

9. Cookies and similar technologies

MergeShot does not set tracking or marketing cookies. Strictly necessary cookies are used only to keep you signed in and to protect against CSRF. Vercel Web Analytics is cookie-less. Because only essential cookies are used, no cookie consent banner is required (§25 (2) Nr. 2 TTDSG / Art. 6 (1)(f) GDPR). If we ever introduce non-essential cookies or third-party tracking, we will ask for your consent first.

10. Your rights under GDPR

You have the right to:

• Access the personal data we hold about you (Art. 15 GDPR).
• Have inaccurate data corrected (Art. 16 GDPR).
• Have your data deleted (Art. 17 GDPR), subject to retention obligations.
• Restrict processing of your data (Art. 18 GDPR).
• Receive your data in a portable format (Art. 20 GDPR).
• Object to processing based on legitimate interest (Art. 21 GDPR).
• Withdraw any consent you have given, with effect for the future (Art. 7 (3) GDPR).
• Lodge a complaint with the competent data protection authority. For us, that is the Independent State Centre for Data Protection Schleswig-Holstein (Unabhängiges Landeszentrum für Datenschutz, ULD), Holstenstraße 98, 24103 Kiel, Germany — datenschutzzentrum.de.

11. Children

MergeShot is not directed at children. We do not knowingly process personal data of children under 16. If you believe a child's data has been submitted to us, please contact us and we will delete it.

12. Automated decision-making

We do not use your data for automated decision-making with legal or similarly significant effect within the meaning of Art. 22 GDPR. The AI similarity check decides only whether your photos can be merged technically; it does not produce decisions about you.

13. Changes to this policy

We may update this policy when our processing or our list of processors changes materially. The current version is always published at this URL with the “Last updated” date at the top.

14. Contact

For any privacy request, write to hello@mergeshot.com with the subject line “Data request”. We respond within the statutory deadlines.