MergeFlow is a Chrome extension that sends personalized email through your own Gmail account using data from your own Google Sheets. This policy explains what the extension can and cannot access, and what happens to your data.
The short version
Your spreadsheet data and your emails stay between your browser and Google. We run no servers that store your contacts, your sheet contents, or your messages. MergeFlow cannot read your inbox: the only Gmail permission it requests is send-only.
Google account permissions
MergeFlow requests three Google permissions:
gmail.send - lets the extension send the emails you compose. It does not allow reading, searching, or modifying anything in your mailbox.
spreadsheets - lets the extension read the sheet you choose and write send-status columns (sent, opened, clicked) back to that same sheet.
userinfo.email - shows which account you are connected as.
All Google API traffic goes directly from your browser to Google. MergeFlow's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
What we store, and where
In your browser only: settings, campaign history, monthly send counts, and your license key. This lives in Chrome extension storage on your device.
Open/click tracking (optional): if you enable tracking, emails include a pixel and wrapped links served by a tracking endpoint. It records a random tracking ID, a timestamp, and the event type. It does not receive your sheet contents.
License validation: when you activate a license, the key is checked against Lemon Squeezy (our payment provider). Lemon Squeezy is the merchant of record for purchases and has its own privacy policy.
What we never do
No reading your inbox. The extension does not have the permission to do so.
No selling or sharing data. There is no analytics SDK, no ad network, no data broker.
No storing your contacts or messages on our servers.
Your responsibilities as a sender
You are the sender of every email. Make sure you have consent to email your recipients and that your messages comply with the anti-spam laws that apply to you (for example CASL in Canada, CAN-SPAM in the US, GDPR in the EU).
Data deletion
Uninstalling the extension deletes everything it stored in your browser. Tracking records, if you enabled tracking, expire automatically and can be deleted on request.