MERLYN - PRIVACY POLICY
The Creator-First Meme Social Platform
Effective Date: May 2026 | Last Updated: May 2026
Version 2.0 — NDPA & GAID 2025 Compliant
1. Introduction
Welcome to Merlyn. Merlyn is a mobile-first social media platform built exclusively for meme culture — where creators publish memes, images, and voice-based content, and audiences engage, comment, and build communities around the content they love most.
This Privacy Policy explains how we collect, use, share, and protect information about you when you use the Merlyn app, website, and related services (collectively, the “Services”). It has been prepared in compliance with the Nigeria Data Protection Act 2023 (NDPA) and the General Application and Implementation Directive 2025 (GAID), issued by the Nigeria Data Protection Commission (NDPC).
By creating an account or using Merlyn, you confirm that you have read and understood this Privacy Policy. If you do not agree, please do not use our Services.
⚖️ NDPA Obligation: This policy is governed by the Nigeria Data Protection Act 2023 (NDPA) and the NDPC General Application and Implementation Directive (GAID), effective September 19, 2025. These are the primary data protection laws applicable to Merlyn and its users.
2. Data Controller and Data Protection Officer
Merlyn is the Data Controller responsible for the personal data you provide or that is collected when you use our Services. As a platform processing the personal data of a significant number of Nigerian users, Merlyn is registered with the NDPC as a Data Controller of Major Importance (DCPMI).
2.1 Data Controller Contact
• Name: Merlyn
• Email: merlyncore@gmail.com
• Privacy inquiries: privacymerlynapp@gmail.com
2.2 Data Protection Officer (DPO)
In compliance with the NDPA, Merlyn has appointed a Data Protection Officer (DPO). The DPO is responsible for monitoring compliance with the NDPA and GAID, advising on data protection obligations, and serving as the primary point of contact with the NDPC.
• DPO Contact Email: dpomerlynapp@gmail.com
• You may contact the DPO directly for any data protection concerns, subject access requests, or to report a suspected data breach.
⚖️ NDPA Obligation: Under the NDPA, Data Controllers of Major Importance — those processing data of more than 200 individuals within six months — are required to appoint a DPO and register with the NDPC. Merlyn fulfils both obligations.
3. Information We Collect
We collect information you provide directly, information generated automatically through your use of the platform, and information from third parties. We collect only what is adequate, relevant, and limited to what is necessary for the purposes described in this policy.
3.1 Information You Provide
• Account registration details: name, username, email address, date of birth, and password.
• Profile information: profile photo, bio, and any other details you add to your public profile.
• Content you post: memes, images, voice note posts, voice comments, stickers, and captions.
• Communications: messages, support requests, or feedback you send to us.
• Creator Pay Program information: bank account details, mobile money numbers, or other payout identifiers required to process earnings.
• Identity verification data: where required for Creator Verification badges, we may collect government-issued ID information, which is treated as sensitive personal data under the NDPA.
3.2 Information Collected Automatically
• Usage data: content you view, interact with, like, share, or comment on; search queries; session duration; and navigation patterns.
• Device information: device model, operating system, unique device identifiers, browser type, and mobile network details.
• Log data: IP address, access times, features used, app crashes, and activity logs.
• Location data: approximate location inferred from your IP address. We do not collect precise GPS coordinates unless you explicitly grant permission.
• Camera and microphone access: only when you actively record voice note posts or voice comments. We do not record audio passively in the background.
• Cookies and similar tracking technologies: used to maintain sessions, remember preferences, deliver ads, and measure performance. See Section 7 for full details.
3.3 Information From Third Parties
• If you sign in using a third-party service (such as Google or Apple), we receive your name, email address, and profile photo from that provider, subject to their privacy policies.
• Advertisers and analytics partners may share aggregated or anonymised data with us to help measure ad performance.
4. Lawful Basis for Processing Your Data
Under the NDPA, we are required to process your personal data only when we have a valid legal basis for doing so. The table below sets out the lawful bases we rely on for each category of processing activity.
Processing Activity | Lawful Basis | Details
Account creation & management | Contract | Necessary to provide the Services you signed up for
Personalised content discovery (AI algorithm) | Legitimate Interest | To surface relevant memes and improve your experience
Creator Pay Program payouts | Contract + Legal Obligation | To fulfil earnings agreements and meet tax obligations
In-feed advertising | Consent | You consent to personalised ads during onboarding, with opt-out available
Voice note posts & voice comments | Consent | You grant permission when you record; we do not record passively
Analytics & platform improvement | Legitimate Interest | To fix bugs and improve performance
Security & fraud prevention | Legal Obligation + Legitimate Interest | To protect users and comply with the Cybercrimes Act 2015
Legal compliance & regulatory reporting | Legal Obligation | To comply with NDPA, tax laws, and court orders
⚖️ NDPA Obligation: The NDPA requires every processing activity to have a clearly documented lawful basis. Where we rely on consent, you have the right to withdraw it at any time without affecting the lawfulness of prior processing.
5. How We Use Your Information
5.1 Providing and Improving the Services
• To create and manage your account.
• To surface personalised meme content via our AI-powered discovery engine.
• To enable posting, voice notes, voice comments, sticker purchases, and all core features.
• To process Creator Pay Program payments and track earnings milestones.
• To maintain platform security, detect fraud, and prevent abuse.
• To fix bugs, improve performance, and develop new features.
5.2 Advertising
• To show you in-feed ads, including native meme-style advertisements tailored to your interests and platform behaviour.
• To measure ad performance and provide analytics to advertisers. We do not sell your personal data; we use it to serve ads on behalf of advertisers.
• To facilitate Brand Deal matchmaking, connecting eligible creators with brands based on content category and audience profile. Your data is only shared in this context with your explicit consent.
5.3 Automated Decision-Making and Profiling
Merlyn’s AI discovery engine uses automated profiling to determine what content you see in your feed and, for creators, how content is distributed. This profiling can significantly affect a creator’s reach and earnings.
You have the right to: (a) request a human review of any automated decision that significantly affects you; (b) object to automated profiling; and (c) request an explanation of the logic behind a specific outcome. To exercise these rights, contact dpomerlynapp@gmail.com.
⚖️ NDPA Obligation: Under the NDPA, users have the right to object to automated profiling that significantly affects them. Creators who believe the algorithm has unfairly impacted their earnings may request a manual review.
5.4 Communications
• To send service notifications, security alerts, and account-related updates.
• To send promotional communications about Merlyn Pro, creator opportunities, or platform updates. You may opt out at any time via your account settings or by emailing privacymerlynapp@gmail.com.
6. Cookies and Tracking Technologies
We use cookies and similar technologies (such as device fingerprinting and tracking pixels) on the Merlyn platform. In compliance with Article 19 of the NDPC GAID 2025, we obtain your opt-in consent before deploying any non-essential cookies.
6.1 Categories of Cookies We Use
• Essential cookies: Required for the app to function (login sessions, security tokens). These do not require consent and cannot be turned off.
• Analytics cookies: Help us understand how users interact with the platform (e.g. which screens are visited most). Consent required.
• Advertising cookies: Used to serve relevant in-feed ads and measure their effectiveness. Consent required.
• Preference cookies: Remember your settings and personalisation choices. Consent required.
6.2 Managing Your Cookie Preferences
When you first use the Merlyn app, you will be presented with a cookie consent prompt. You may accept all, reject non-essential cookies, or manage preferences individually. You can change your preferences at any time in Settings > Privacy > Cookie Preferences.
⚖️ NDPA Obligation: Under GAID Article 19, opt-in consent is mandatory for all cookies except essential cookies. Continuing to use the app does not constitute consent to non-essential cookies — you must make an active choice.
7. How We Share Your Information
We do not sell your personal data. We may share your information only in the following limited circumstances, and always with appropriate safeguards in place.
• Service providers: Trusted third-party vendors (cloud hosting, payment processors, analytics, content moderation) who process data solely on our behalf under written Data Processing Agreements (DPAs) that bind them to NDPA standards.
• Advertisers: We share aggregated, anonymised audience insights only. Individual personal data is not shared with advertisers.
• Brand partners: Only with your explicit consent, we may share your creator profile (follower count, content category, engagement rate) with brand partners for deal matchmaking.
• Other users: Your username, profile photo, public posts, voice notes, and follower/following counts are visible to other users by default.
• Legal requirements: We may disclose information where required by Nigerian law, court order, or to protect the safety of our users or the public.
• Business transfers: In the event of a merger, acquisition, or asset sale, user data may transfer. We will give 30 days’ notice and, where required by law, seek your consent.
7.1 Data Processing Agreements with Third Parties
In compliance with the NDPA, every third-party vendor that processes your data on our behalf is bound by a written Data Processing Agreement (DPA). These agreements require vendors to: process data only on our documented instructions; implement appropriate technical and organisational security measures; assist us in responding to data subject rights requests; and delete or return data at the end of the service relationship.
⚖️ NDPA Obligation: The NDPA requires data controllers to execute written DPAs with all data processors. We are responsible for ensuring our vendors comply. If you have concerns about a specific vendor, contact dpo@merlynapp.com.
8. Voice and Audio Data
Merlyn is a voice-enabled platform. We give special attention to audio data because of its personal and potentially sensitive nature.
• Voice note posts and voice comments are stored on our servers and served to other users as part of the platform experience.
• We do not use voice recordings to train speech recognition or AI models without your explicit, separate opt-in consent.
• Audio content is subject to the same content moderation policies as all other content on the platform.
• You may delete your voice content at any time from your profile. Deletion removes the content from public view immediately. Residual copies in encrypted backups are purged within 30 days.
9. Creator Pay Program
If you participate in the Merlyn Creator Pay Program, we collect and process additional information to administer your earnings:
• Payment information: bank account details, mobile money numbers, or other payout identifiers. This information is encrypted and processed exclusively through PCI-compliant payment processor partners.
• Earnings data: view counts, engagement metrics, and milestone achievements that determine your pay calculations.
• Tax information: where required by Nigerian law or the laws of your country of residence, we may collect tax identification numbers and issue earnings statements.
Creator payment data is treated with enhanced security and is never shared with other users or third parties except as necessary to process payouts, comply with tax regulations, or satisfy a lawful legal request.
10. Sticker Marketplace
When you buy or sell sticker packs on Merlyn:
• Transaction data (amount, items, timestamp) is retained for billing and dispute resolution.
• Creator revenue is processed through the Creator Pay Program under the same data handling terms in Section 9.
• Purchase history may be used to personalise sticker recommendations for you.
11. Data Retention
We retain your information only for as long as necessary to fulfil the purposes described in this policy or as required by law. The following retention periods apply:
• Account data: retained until you delete your account, after which personal data is removed within 30 days, except where retention is required by law.
• User-generated content (memes, voice notes, comments): deleted when you remove it or close your account.
• Payment and earnings records: retained for a minimum of 7 years to comply with Nigerian financial regulations.
• Log and analytics data: retained for up to 12 months in identifiable form, then aggregated or deleted.
• Cookie consent records: retained for 2 years as evidence of your consent choices.
12. Your Data Rights Under the NDPA
The Nigeria Data Protection Act 2023 grants you the following rights in relation to your personal data. To exercise any of these rights, contact us at privacymerlynapp@gmail.com or dpomerlynapp@gmail.com. We will respond to verified requests within 30 days.
• Right of Access: Request a copy of the personal data we hold about you and information about how we use it.
• Right to Rectification: Request correction of inaccurate or incomplete personal data.
• Right to Erasure (“Right to be Forgotten”): Request deletion of your personal data where it is no longer necessary for the purpose it was collected, or where you withdraw consent.
• Right to Data Portability: Request your personal data in a structured, machine-readable format so you can transfer it to another service.
• Right to Object: Object to processing based on legitimate interest, including direct marketing and algorithmic profiling.
• Right to Object to Automated Decision-Making: Request human review of any automated decision (including algorithmic content ranking) that significantly affects you.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect processing already carried out.
• Right to Lodge a Complaint: If you are unsatisfied with our response to any request, you have the right to lodge a complaint directly with the NDPC (see Section 16).
⚖️ NDPA Obligation: These rights are granted to you under Sections 34–40 of the Nigeria Data Protection Act 2023. Exercising them is free of charge. We may verify your identity before processing a request.
13. Children’s Privacy
Under the Nigeria Child Rights Act 2003, a child is defined as any person under the age of 18. Accordingly, Merlyn is intended for users aged 18 and above.
We do not knowingly collect personal data from anyone under the age of 18. If we become aware that a minor has registered on Merlyn, we will immediately delete their account and associated data. If you believe a minor has an account on Merlyn, please contact us at privacymerlynapp@gmail.com.
In jurisdictions where a lower age of digital consent is established by law, users in that age range may access Merlyn only with verified parental or guardian consent, and we will apply additional protections to their accounts, including restricted ad targeting and enhanced content controls.
⚖️ NDPA Obligation: The NDPA, read together with the Child Rights Act 2003, defines a child as any person under 18. Our minimum age policy reflects this definition. The child-friendly version of this policy is available in the app under Settings > Privacy > Children’s Privacy Notice.
14. International Data Transfers
Merlyn operates with infrastructure based in Nigeria and may use cloud service providers or processors located in other countries. Any transfer of your personal data outside Nigeria is carried out strictly in accordance with Part VI of the NDPA.
We will only transfer your personal data to a country or organisation outside Nigeria if at least one of the following conditions is met:
• The destination country has been assessed by the NDPC as providing an adequate level of data protection equivalent to the NDPA.
• We have entered into Standard Contractual Clauses (SCCs) approved by the NDPC with the recipient entity, ensuring NDPA-equivalent protections apply.
• The recipient has adopted Binding Corporate Rules (BCRs) approved by the NDPC.
• You have given your explicit, informed consent to the transfer after being notified of the potential risks involved.
• The transfer is necessary to perform a contract with you (e.g. processing a Creator payout to an international payment provider).
We document the basis for all cross-border transfers and make this information available to the NDPC upon request.
⚖️ NDPA Obligation: Under Section 43 of the NDPA, personal data may not be transferred outside Nigeria unless adequate protections are in place. We rely primarily on Standard Contractual Clauses (SCCs) with our international service providers.
15. NDPC Registration and Annual Compliance Audit
As a Data Controller of Major Importance (DCPMI) under the NDPA, Merlyn is subject to the following regulatory obligations:
15.1 Registration with the NDPC
Merlyn is registered with the Nigeria Data Protection Commission (NDPC) as required under Section 30 of the NDPA. Our registration includes details of our processing activities, DPO contact information, categories of data processed, and cross-border transfer arrangements. We report material changes to our processing activities to the NDPC within 60 days.
15.2 Annual Data Protection Audit
In compliance with the NDPA and GAID 2025, Merlyn undergoes an annual data protection audit conducted by a licensed Data Protection Compliance Organisation (DPCO). The audit assesses our data processing practices, technical safeguards, staff knowledge, and documentation. A summary of the audit is submitted to the NDPC by 15 March each year.
15.3 Data Protection Impact Assessments (DPIAs)
Before introducing new features or processing activities that may pose a high risk to users’ rights — such as new AI-powered features, new ad targeting methods, or new data sharing arrangements — we conduct a Data Protection Impact Assessment (DPIA). Where the DPIA identifies a high residual risk, we consult with the NDPC before proceeding.
⚖️ NDPA Obligation: DCPMIs are required to file a Compliance Audit Return (CAR) with the NDPC by 31 March each year. Merlyn fulfils this obligation and maintains all required documentation under GAID Article 7.
16. Data Security
We implement industry-standard technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or destruction. These include:
• Encryption of all data in transit using TLS 1.2 or higher and at rest using AES-256 encryption.
• Secure processing of payment and payout information through PCI-DSS compliant payment processor partners.
• Strict role-based access controls ensuring only authorised Merlyn personnel can access personal data, on a need-to-know basis.
• Regular security assessments, penetration testing, and monitoring for suspicious activity.
• Staff training on data protection obligations under the NDPA.
16.1 Data Breach Notification
Despite our best efforts, no system is perfectly secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
• Notify the NDPC within 72 hours of becoming aware of the breach, including the nature of the breach, categories of data affected, approximate number of individuals affected, and remediation steps taken.
• Notify affected users without undue delay — and in any event within 7 working days — where the breach is likely to result in a high risk, including clear advice on steps you can take to protect yourself.
• Maintain an internal breach register recording all breaches, their causes, and the remediation actions taken.
⚖️ NDPA Obligation: The 72-hour NDPC notification and 7-working-day user notification requirements are mandated by Section 40 of the NDPA and GAID Article 7(p). These timelines apply to breaches posing a high risk to data subjects.
17. Third-Party Links and Services
Merlyn may contain links to third-party websites, brand pages, or services. This Privacy Policy does not apply to those third parties and we are not responsible for their data practices. We encourage you to review the privacy policies of any external services you visit through Merlyn.
18. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or NDPC guidance. When we make material changes, we will:
• Notify you via in-app notification or email at least 14 days before the changes take effect.
• Update the “Last Updated” date at the top of this policy.
• Where required by the NDPA, seek fresh consent for any new processing activities not covered by the original consent you provided.
Your continued use of Merlyn after the effective date of the revised policy constitutes acceptance where consent is not the lawful basis. Where it is, we will seek your renewed consent.
19. Contact Us and How to Complain
19.1 Contact Merlyn
If you have questions, concerns, or wish to exercise your data rights, please contact:
• General Privacy: privacymerlynapp@gmail.com
• Data Protection Officer: dpomerlynapp@gmail.com
• General Contact: merlyncore@gmail.com
We aim to acknowledge all requests within 5 working days and resolve them within 30 days. For complex requests, we may extend this by a further 30 days with notice.
19.2 Complaints to the NDPC
If you are not satisfied with how we have handled your personal data or responded to your request, you have the right to lodge a complaint directly with the Nigeria Data Protection Commission (NDPC), the statutory authority responsible for enforcing the NDPA.
• NDPC Website: www.ndpc.gov.ng
• NDPC Email: info@ndpc.gov.ng
• The NDPC has the power to investigate your complaint, require us to take corrective action, and impose fines if we are found to be in breach of the NDPA.
⚖️ NDPA Obligation: Your right to complain to the NDPC exists independently of any complaint you make to us. You do not need to contact us first before escalating to the NDPC, though we encourage you to give us the opportunity to resolve your concern first.
20. International Users — Your Rights by Region
Merlyn is built in Nigeria and currently governed by the NDPA 2023. However, if you access Merlyn from outside Nigeria, additional data protection laws in your country may apply to you. This section summarises your rights by region and the additional protections we extend to international users.
20.1 European Union and United Kingdom (GDPR / UK GDPR)
If you are located in the European Union (EU) or United Kingdom (UK), the General Data Protection Regulation (GDPR) or UK GDPR applies to the processing of your personal data. These regulations grant you the following rights in addition to those in Section 12:
• Right to restriction of processing: You may ask us to pause processing of your data while a dispute is resolved.
• Right not to be subject to solely automated decision-making: Where a decision produces legal or similarly significant effects, you may request human review.
• Right to lodge a complaint with your local supervisory authority: EU users may complain to their national Data Protection Authority (DPA). UK users may complain to the Information Commissioner’s Office (ICO) at ico.org.uk.
Our lawful bases for processing EU/UK user data mirror our NDPA bases: consent, contract performance, legitimate interests, and legal obligation, as set out in Section 4.
For EU/UK users, cross-border transfers of your data from the EU/UK to Nigeria are protected by Standard Contractual Clauses (SCCs) adopted under GDPR. We will appoint an EU/UK representative as required by Article 27 GDPR when Merlyn’s EU/UK user base reaches the applicable threshold.
20.2 United States
The United States does not have a single federal privacy law. Depending on your state, additional rights may apply to you:
• California (CCPA / CPRA): California residents have the right to know what personal data we collect about them, request deletion, opt out of the sale or sharing of their data, and limit the use of sensitive personal information. Merlyn does not sell personal data. To exercise California rights, contact privacymerlynapp@gmail.com with the subject line ‘California Privacy Request’.
• Virginia, Colorado, Texas, and other US states: Residents of states with comprehensive privacy laws (VCDPA, CPA, TDPSA, and others) have rights to access, correct, delete, and port their data, and to opt out of targeted advertising and profiling. Contact us at privacymerlynapp@gmail.com to exercise these rights.
• Children’s Online Privacy (COPPA): Merlyn does not knowingly collect personal data from any user under the age of 13. If you believe a child under 13 has an account on Merlyn, contact privacymerlynapp@gmail.com immediately and we will delete the account and data promptly.
We will respond to verified US privacy requests within 45 days, with a possible extension of a further 45 days for complex requests.
20.3 Other African Countries
Several African countries where Merlyn may operate have their own data protection laws. Where applicable, we extend equivalent rights to users in those countries:
• South Africa (POPIA): South African users have rights under the Protection of Personal Information Act 2013, including the right to access, correct, and delete personal data, and the right to complain to the Information Regulator (inforegulator.org.za).
• Kenya (Data Protection Act 2019): Kenyan users have rights including access, rectification, deletion, and objection to processing under the Kenya Data Protection Act 2019, enforced by the Office of the Data Protection Commissioner (odpc.go.ke).
• Ghana (Data Protection Act 2012): Ghanaian users are protected under the Ghana Data Protection Act 2012. The Data Protection Commission (dpc.gov.gh) handles complaints.
• Other jurisdictions: We commit to processing your data in line with NDPA standards as a minimum baseline, regardless of where you are located. If your country has a higher standard, we will endeavour to meet it.
20.4 Brazil (LGPD)
If you are located in Brazil, the Lei Geral de Proteção de Dados (LGPD) applies. Brazilian users have rights to access, correct, delete, port, and object to the processing of their personal data. You may also revoke consent at any time and request information about the consequences of doing so. To exercise your rights under the LGPD, contact privacymerlynapp@gmail.com.
20.5 Our Commitment to All International Users
Regardless of where you are in the world, Merlyn commits to the following baseline standards for all users:
• We will never sell your personal data to any third party.
• We will respond to all data rights requests within 30 days (or the applicable local deadline, whichever is sooner).
• We will process your data transparently, with a lawful basis, and only for the purposes described in this policy.
• We will notify you of any material data breach affecting your data without undue delay.
• We will provide you with a clear and simple way to delete your account and associated data.
If the data protection law of your country requires us to take additional steps beyond what is described in this policy — such as appointing a local representative, registering with a local authority, or providing additional rights — we will comply with those requirements as we expand into your region.
For any international privacy enquiries, contact our Data Protection Officer at dpomerlynapp@gmail.com.
© 2026 Merlyn. All rights reserved. | NDPA & GAID 2025 Compliant | Regulated by the Nigeria Data Protection Commission (NDPC)