Privacy Policy

Contents

1. Information We Collect 2. How We Use Information 3. Information Sharing 4. Data Retention 5. Security 6. Your Rights 7. GDPR / EU Residents & International Transfers 8. CCPA / California Residents 9. Cookies and Analytics 10. Changes to This Policy 11. Contact

MergeGuide, Inc. ("MergeGuide," "we," "us," or "our") operates the MergeGuide platform and related services. This Privacy Policy explains how we collect, use, and disclose information about you when you use our services.

1. Information We Collect

Account information

When you create an account, we collect your name, email address, company name, and payment information. We use a third-party payment processor (Stripe) and do not store full credit card numbers.

Service usage data

We collect data generated when you use our services, including:

Policy evaluation requests and results (code content is processed but not persistently stored beyond what is necessary for service delivery)
Evidence artifacts generated by policy evaluations
Repository and branch metadata associated with evaluations
API access logs, including timestamps and request volumes

Device and technical data

We automatically collect IP addresses, browser type, operating system, and referring URLs when you access our website. This data is used for security monitoring and service improvement.

We use Plausible Analytics (plausible.io), a privacy-friendly, cookieless analytics service, to understand aggregate traffic to our marketing website. Plausible does not use cookies or persistent identifiers, does not collect personal data, and processes IP addresses only transiently to determine visitor country (the IP itself is hashed daily and never stored). See Plausible's data policy for details.

We also use HubSpot (hubspot.com) for customer relationship management and to understand how visitors interact with our website over time. HubSpot uses cookies to associate website visits with known contacts (for example, when a visitor later fills out a form or is matched to an existing email-contact record) and to attribute traffic source. HubSpot's tracking is governed by the cookie consent banner that appears on your first visit — until you accept, HubSpot does not set tracking cookies. You may revisit your consent preferences at any time via the cookie banner control. See HubSpot's privacy policy for details.

We also use Apollo Visitor Tracking (apollo.io) to identify the *company* an anonymous visitor is associated with, based on the visitor's IP address. We do not use Apollo to identify specific individuals on our marketing website (we have configured Apollo to operate at the company level only). Apollo's tracking is governed by the same cookie consent banner — it is enabled only when you accept the "Advertisement" / marketing category. You may revisit your consent preferences at any time via the cookie banner control. See Apollo's privacy policy for details.

Communications

If you contact us, we retain records of that communication to respond to your inquiry and improve our support.

2. How We Use Information

We use the information we collect to:

Provide, operate, and maintain the MergeGuide service
Process transactions and send related information including purchase confirmations and invoices
Send transactional and promotional communications (you can opt out of promotional communications at any time)
Monitor and analyze trends, usage, and activities in connection with our services
Detect, investigate, and prevent security incidents and fraudulent activity
Comply with legal obligations

We do not sell your personal information to third parties.

We share information only in the following circumstances:

Service providers: We share information with third-party vendors who help us provide services (e.g., cloud infrastructure, payment processing, analytics). These providers are bound by data processing agreements and may only use your data to provide services to us.
Marketing-website analytics: Aggregate, non-identifying visit data is processed by Plausible Analytics (Plausible Insights OÜ, Estonia, EU) for traffic measurement on our public marketing website only. Plausible operates as a data processor under GDPR; their DPA is available at plausible.io/dpa.
CRM and marketing automation: HubSpot, Inc. (Massachusetts, USA) processes contact records, marketing-website visit data (subject to consent via our cookie banner), and email-engagement data for sales and marketing operations. HubSpot operates as a data processor under our Data Processing Agreement; their privacy policy is at legal.hubspot.com/privacy-policy.
Sales prospecting and visitor identification: Apollo.io, Inc. (San Francisco, California, USA) processes IP-derived company identification data (reverse-IP lookup) and outbound sales engagement data for our prospecting operations. On our marketing website, Apollo operates only at the *company* level (not person-level identification) and only when a visitor has consented via our cookie banner. Apollo operates as a data processor under our Data Processing Agreement; their privacy policy is at apollo.io/privacy-policy.
Legal requirements: We may disclose information when required by law, subpoena, or other legal process, or when we believe in good faith that disclosure is necessary to protect rights, property, or safety.
Business transfers: If MergeGuide is involved in a merger, acquisition, or asset sale, your information may be transferred as part of that transaction. We will provide notice before this occurs.
With your consent: We may share information for other purposes with your explicit consent.

4. Data Retention

We retain account information for as long as your account is active or as needed to provide services. Evidence artifacts are retained in accordance with your tier's retention policy and applicable compliance framework requirements — in all cases exceeding the minimum required by any supported framework.

When you delete your account, we will delete or anonymize your personal information within 30 days, subject to legal retention requirements and evidence artifact retention obligations.

5. Security

We implement appropriate technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction. This includes AES-256 encryption at rest, TLS 1.3 in transit, and immutable evidence storage.

No method of transmission over the Internet is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, MergeGuide will notify affected users and, where required, relevant supervisory authorities within the timeframes required by applicable law (including within 72 hours under GDPR, where feasible). We maintain an incident response program to detect, contain, and remediate security incidents.

6. Your Rights

You may request to access, correct, or delete your personal information by contacting us at our contact page. We will respond to your request within 30 days.

If you are located in the European Economic Area, you have additional rights under the General Data Protection Regulation:

Right of access: Request a copy of the personal data we hold about you
Right to rectification: Request correction of inaccurate data
Right to erasure: Request deletion of your personal data, subject to legal retention requirements
Right to restrict processing: Request that we limit how we use your data
Right to data portability: Receive your data in a machine-readable format
Right to object: Object to certain processing activities

Our legal basis for processing is: contract performance (to provide services you've requested); legitimate interests (security monitoring, fraud prevention, and service improvement — we balance these against your interests and rights); legal compliance (where we are subject to a legal obligation); and consent (for promotional communications, where required — you may withdraw consent at any time by unsubscribing).

Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not complied with applicable data protection law — for example, the Irish Data Protection Commission (lead EU supervisory authority for US-based processors), the UK Information Commissioner's Office (ICO) for UK residents, or the supervisory authority in your EU member state. We encourage you to contact us first at privacy@mergeguide.ai so we can address your concerns directly.

International data transfers: MergeGuide is headquartered in the United States. When we process personal data from individuals in the European Economic Area, United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the lawful mechanism for such transfers to the US. Copies of the applicable SCCs are available upon request at privacy@mergeguide.ai.

Data Processing Agreement: EU, UK, and enterprise customers requiring a Data Processing Agreement (DPA) — including DPAs incorporating SCCs, HIPAA Business Associate Agreements, or DORA sub-processor agreements — may request one at legal@mergeguide.ai.

8. CCPA — California Residents

California residents have the right to request disclosure of the categories and specific pieces of personal information we have collected, request deletion of personal information, and opt out of the sale of personal information (MergeGuide does not sell personal information).

To exercise these rights, contact us via our contact page. We will not discriminate against you for exercising CCPA rights.

9. Cookies and Analytics

The MergeGuide marketing website (mergeguide.ai) uses two analytics services with different consent profiles:

Plausible Analytics is cookieless by design — it does not set any cookie, does not fingerprint visitors, and does not track users across sites. Plausible operates without consent under GDPR's "necessary for legitimate interest" basis (anonymous aggregate measurement).
HubSpot uses cookies for visitor identification and source attribution. HubSpot tracking is governed by the cookie consent banner that appears on your first visit. Until you accept the "Analytics" category, HubSpot does not set tracking cookies. You may change your consent preferences at any time via the "Cookie Settings" link in the footer.
Apollo Visitor Tracking uses cookies and reverse-IP lookup to identify the *company* an anonymous visitor is associated with (we do not use it for person-level identification on our marketing website). Apollo's tracking is governed by the cookie consent banner and is enabled only when you accept the "Advertisement" category. Until you accept that category, Apollo does not set cookies and no identification occurs.

We do not use third-party advertising cookies and we do not allow third-party advertising networks on our marketing site.

The authenticated MergeGuide product portal (portal.mergeguide.ai) uses session cookies strictly necessary for authentication and core functionality. These cannot be disabled without breaking the service.

Future updates to this policy will disclose any additional analytics or visitor-identification services we may add to the marketing website.

10. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by email or by posting a notice in the service. Your continued use of the service after changes take effect constitutes acceptance of the revised policy.

11. Contact

For privacy-related questions, requests, or concerns, contact us via our contact page or write to:

MergeGuide, Inc.
Privacy Team
251 Little Falls Drive
Wilmington, DE 19808, United States
Email: privacy@mergeguide.ai