Privacy Policy
Version 1.0 · Last updated 30 June 2026
This policy explains what personal data MerliQ collects, why, how we look after it, and the rights you have over it. It applies to everyone who uses MerliQ. We are committed to handling your data lawfully under the UK GDPR and the Data Protection Act 2018, and — for users in the European Economic Area — the EU GDPR.
1. Who we are
MerliQ (“we”, “us”, “our”) is an educational and medical-literature tool for clinicians. For the purposes of UK and EU data-protection law, MerliQ is the data controller for the personal data described below. You can reach us at merliq.app@gmail.com for any privacy question or to exercise your rights.
MerliQ is currently in private beta. This policy will be reviewed and expanded before public release, including confirmation of our registered controller details and, where required, an EU representative under Article 27.
2. The data we collect
- Account data — your email address, and (if you sign in with Google or Notion) the identifier and basic profile your provider shares. We never see your provider password.
- Your preferences — clinical level, the specialties and topics you follow, and your session settings.
- Content you create — notes you write, papers you save to your library, and your quiz answers and progress.
- Your own AI key (optional) — if you add a Google Gemini API key, we store it encrypted so the AI features can run on your own quota.
- Usage and technical data — pages viewed, feature use, performance timings, and standard server logs (such as IP address and browser type), collected to keep the service working and to improve it.
We do not ask for, or want, any patient-identifiable information. Please see section 6.
3. How and why we use your data
- To provide your account and the core service (signing you in, saving your library, running your daily session).
- To personalise what we surface to you, based on the specialties and topics you choose to follow.
- To power the AI features — curating literature, generating quizzes, and processing text you submit — by sending the necessary content to a large-language-model provider (see section 5).
- To understand how MerliQ is used, fix problems, and improve it. For this we use usage data in a pseudonymised form (keyed to an internal account identifier, never to your name), and we do not single out or read individual users’ notes.
- To keep the service and your account secure (for example, fraud and abuse prevention).
4. Our lawful bases
Under Article 6 of the UK and EU GDPR we rely on:
- Performance of a contract — to create your account and deliver the features you ask for.
- Legitimate interests — to secure, maintain, analyse and improve MerliQ. We have considered your rights and interests and limit this to what is necessary and proportionate; you can object at any time (section 9).
- Consent — if we ever rely on consent (for example, for any optional, non-essential processing), you can withdraw it at any time without affecting earlier processing.
We do not knowingly process special-category (health) data about you, and you should not provide health data about anyone else (section 6).
5. Who we share data with (our processors)
We do not sell your data. We share it only with the service providers that help us run MerliQ, each acting as our processor under contract:
- Supabase — database, authentication and file hosting.
- Vercel — application hosting and privacy-conscious usage analytics.
- Google (Gemini API) — the large-language model that powers curation, quizzes, and processing of text you submit. Content needed for a feature is sent to Google to generate the result. If you supply your own Gemini key, the calls run under your own Google account and terms.
- Cloudflare Turnstile — bot/abuse protection on sign-in and sign-up.
- NCBI / PubMed — searched for medical literature using your topic terms only; no personal data about you is sent.
Each provider has its own privacy policy. We will keep an up-to-date list of processors available on request, and will update this section as our providers change.
6. AI features and your notes — important
MerliQ uses AI. Text you enter — including notes and anything you ask us to summarise or quiz you on — may be sent to a large-language-model provider (Google Gemini, or your own key) to generate a response. Because of this:
- Do not enter patient-identifiable information (names, dates of birth, NHS numbers, or any detail that could identify a real patient) anywhere in MerliQ.
- Treat your notes as study notes about conditions and evidence, not about specific patients.
- Your optional Gemini API key is stored encrypted at rest on our servers and used only to make calls on your behalf. We are honest about this: it is encrypted, not “never stored”.
7. Storage, security and retention
- Data is stored on our providers’ infrastructure, with database hosting in the EU region where available.
- We apply appropriate technical and organisational measures, including encryption in transit, encryption of your AI key at rest, and access controls so that each user can only reach their own data.
- We keep your personal data for as long as your account is active. When you delete your account, we delete your account data and the private content you created (see section 9). Aggregated or fully de-identified statistics that can no longer identify you may be retained.
8. International data transfers
Some of our processors (for example Google and Vercel) may process data outside the UK or the European Economic Area. Where that happens, we rely on an appropriate safeguard recognised under UK and EU law — such as the UK International Data Transfer Agreement / Addendum or the EU Standard Contractual Clauses, together with an adequacy decision where one applies — so that your data keeps an equivalent level of protection.
9. Your rights
Under the UK and EU GDPR you have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected;
- erase your data — you can delete your account at any time in Settings, which removes your account and the private content you created;
- restrict or object to certain processing, including processing based on legitimate interests;
- data portability — receive your data in a structured, machine-readable form;
- withdraw consent where we relied on it.
To exercise any of these, contact merliq.app@gmail.com. If you are unhappy with how we handle your data, you can complain to the UK Information Commissioner’s Office (ico.org.uk), or, if you are in the EEA, to your local data-protection supervisory authority.
10. Cookies and similar technologies
We use a small number of cookies that are strictly necessary to sign you in and keep your session secure. We also use privacy-conscious analytics to measure use and performance. We do not use advertising or cross-site tracking cookies. You can control cookies through your browser settings.
11. Children
MerliQ is intended for qualified clinicians and clinicians in training. It is not intended for, or directed at, children.
12. Changes to this policy
We may update this policy as MerliQ develops. We will change the version and date at the top, and for significant changes we will take reasonable steps to let you know.
Questions? Contact us at merliq.app@gmail.com.