diff --git a/database/db.go b/database/db.go
index 0ca9e3e7..60898405 100644
--- a/database/db.go
+++ b/database/db.go
@@ -48,6 +48,22 @@ func Dialect() string {
 	return db.Dialector.Name()
 }
 
+var sensitiveConflictFields = map[string]struct{}{
+	"uuid":     {},
+	"password": {},
+	"auth":     {},
+	"subId":    {},
+}
+
+// redactConflictValues masks values for credential-bearing merge fields so
+// they never reach plain-text logs. Non-sensitive fields pass through.
+func redactConflictValues(x model.ClientMergeConflict) (oldV, newV, keptV any) {
+	if _, sensitive := sensitiveConflictFields[x.Field]; sensitive {
+		return "<redacted>", "<redacted>", "<redacted>"
+	}
+	return x.Old, x.New, x.Kept
+}
+
 const (
 	defaultUsername = "admin"
 	defaultPassword = "admin"
@@ -249,8 +265,9 @@ func seedClientsFromInboundJSON() error {
 				} else {
 					conflicts := model.MergeClientRecord(row, incoming)
 					for _, x := range conflicts {
+						oldV, newV, keptV := redactConflictValues(x)
 						log.Printf("client merge: email=%s conflict on %s old=%v new=%v kept=%v",
-							email, x.Field, x.Old, x.New, x.Kept)
+							email, x.Field, oldV, newV, keptV)
 					}
 					if err := tx.Save(row).Error; err != nil {
 						return err