Privacy Policy

Contents

1. Information We Collect 2. How We Use Information 3. Information Sharing 4. Data Retention 5. Security 6. Your Rights 7. GDPR / EU Residents & International Transfers 8. CCPA / California Residents 9. Cookies 10. Changes to This Policy 11. Contact

MergeGuide, Inc. ("MergeGuide," "we," "us," or "our") operates the MergeGuide platform and related services. This Privacy Policy explains how we collect, use, and disclose information about you when you use our services.

1. Information We Collect

Account information

When you create an account, we collect your name, email address, company name, and payment information. We use a third-party payment processor (Stripe) and do not store full credit card numbers.

Service usage data

We collect data generated when you use our services, including:

Policy evaluation requests and results (code content is processed but not persistently stored beyond what is necessary for service delivery)
Evidence artifacts generated by policy evaluations
Repository and branch metadata associated with evaluations
API access logs, including timestamps and request volumes

Device and technical data

We automatically collect IP addresses, browser type, operating system, and referring URLs when you access our website. This data is used for security monitoring and service improvement.

Communications

If you contact us, we retain records of that communication to respond to your inquiry and improve our support.

2. How We Use Information

We use the information we collect to:

Provide, operate, and maintain the MergeGuide service
Process transactions and send related information including purchase confirmations and invoices
Send transactional and promotional communications (you can opt out of promotional communications at any time)
Monitor and analyze trends, usage, and activities in connection with our services
Detect, investigate, and prevent security incidents and fraudulent activity
Comply with legal obligations

We do not sell your personal information to third parties.

We share information only in the following circumstances:

Service providers: We share information with third-party vendors who help us provide services (e.g., cloud infrastructure, payment processing, analytics). These providers are bound by data processing agreements and may only use your data to provide services to us.
Legal requirements: We may disclose information when required by law, subpoena, or other legal process, or when we believe in good faith that disclosure is necessary to protect rights, property, or safety.
Business transfers: If MergeGuide is involved in a merger, acquisition, or asset sale, your information may be transferred as part of that transaction. We will provide notice before this occurs.
With your consent: We may share information for other purposes with your explicit consent.

4. Data Retention

We retain account information for as long as your account is active or as needed to provide services. Evidence artifacts are retained in accordance with your tier's retention policy and applicable compliance framework requirements — in all cases exceeding the minimum required by any supported framework.

When you delete your account, we will delete or anonymize your personal information within 30 days, subject to legal retention requirements and evidence artifact retention obligations.

5. Security

We implement appropriate technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction. This includes AES-256 encryption at rest, TLS 1.3 in transit, and immutable evidence storage.

No method of transmission over the Internet is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, MergeGuide will notify affected users and, where required, relevant supervisory authorities within the timeframes required by applicable law (including within 72 hours under GDPR, where feasible). We maintain an incident response program to detect, contain, and remediate security incidents.

6. Your Rights

You may request to access, correct, or delete your personal information by contacting us at our contact page. We will respond to your request within 30 days.

If you are located in the European Economic Area, you have additional rights under the General Data Protection Regulation:

Right of access: Request a copy of the personal data we hold about you
Right to rectification: Request correction of inaccurate data
Right to erasure: Request deletion of your personal data, subject to legal retention requirements
Right to restrict processing: Request that we limit how we use your data
Right to data portability: Receive your data in a machine-readable format
Right to object: Object to certain processing activities

Our legal basis for processing is: contract performance (to provide services you've requested); legitimate interests (security monitoring, fraud prevention, and service improvement — we balance these against your interests and rights); legal compliance (where we are subject to a legal obligation); and consent (for promotional communications, where required — you may withdraw consent at any time by unsubscribing).

Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not complied with applicable data protection law — for example, the Irish Data Protection Commission (lead EU supervisory authority for US-based processors), the UK Information Commissioner's Office (ICO) for UK residents, or the supervisory authority in your EU member state. We encourage you to contact us first at privacy@mergeguide.ai so we can address your concerns directly.

International data transfers: MergeGuide is headquartered in the United States. When we process personal data from individuals in the European Economic Area, United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the lawful mechanism for such transfers to the US. Copies of the applicable SCCs are available upon request at privacy@mergeguide.ai.

Data Processing Agreement: EU, UK, and enterprise customers requiring a Data Processing Agreement (DPA) — including DPAs incorporating SCCs, HIPAA Business Associate Agreements, or DORA sub-processor agreements — may request one at legal@mergeguide.ai.

8. CCPA — California Residents

California residents have the right to request disclosure of the categories and specific pieces of personal information we have collected, request deletion of personal information, and opt out of the sale of personal information (MergeGuide does not sell personal information).

To exercise these rights, contact us via our contact page. We will not discriminate against you for exercising CCPA rights.

9. Cookies

We use cookies and similar tracking technologies to collect usage data and maintain sessions. You can control cookie settings through your browser. Disabling cookies may affect functionality of the service.

We do not use third-party advertising cookies. Analytics cookies are used solely for service improvement purposes.

10. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by email or by posting a notice in the service. Your continued use of the service after changes take effect constitutes acceptance of the revised policy.

11. Contact

For privacy-related questions, requests, or concerns, contact us via our contact page or write to:

MergeGuide, Inc.
Privacy Team
251 Little Falls Drive
Wilmington, DE 19808, United States
Email: privacy@mergeguide.ai