One person, one account — how Turtini collapses duplicates

Most people end up with more than one Turtini account by accident — a vendor invited you to view an invoice (which made you a "customer" account) before you ever signed up to use Turtini for your own business (which made a full account). The platform recognizes when both belong to the same human and collapses them into one.

How the match works: Turtini watches for cases where two accounts share a verified email — typically your org account's "personal email" (your recovery address) matches your customer account's primary email. Same verified address = same human, every time.

What "collapsed" means:

• One account becomes the canonical survivor; the other becomes "absorbed."
• Personal data on the absorbed account (recipes, dive plans, personal events, activity history, grocery list, favorites, saved views, notes) is copied to the surviving account. Existing data on the survivor wins on conflict; copied docs use a "merged-" prefix to avoid id collisions.
• The absorbed account stays in Firebase Auth — you can still sign in with that email — but the platform routes the session to the surviving account automatically. The next time you sign in with the absorbed email, you're seamlessly placed in the canonical account.
• Every email on either side is added to your account's identity graph so future records (vendor invoices, calendar invites) auto-link to the canonical you.

When the merge happens:

• **Automatically** the moment you save a Personal Email on your account that matches another account's primary email — IF both emails are email-verified by Firebase Auth. No further action required.
• **Daily scan** — a scheduler runs nightly to catch matches the trigger missed (e.g. a customer signed up *after* the org admin had already added them as a personal email).
• **Manually** via the in-app "I have another account" link on your Account page — useful when both addresses aren't yet verified.

Auto-merge requires BOTH sides to be email-verified. Unverified pairs land in the admin merge queue for human review — a safety guard against someone claiming an email they don't actually own. Once verified, the merge runs automatically.

Audit trail: every merge writes an audit row to `accountMerges/{auditId}` with the executor (you, an admin, or the auto-trigger), timestamp, and both sides. The pointer (`mergedInto`) is server-only and reversible by a platform admin if needed.