
Privacy Policy

Effective: May 2, 2026

1. Overview

MergeWell ("we", "our", "us") is a GitHub App that posts automated code-review comments on pull requests. This policy explains what data we collect, why we collect it, and how we protect it. We collect the minimum necessary to operate the service.

2. Data We Collect

  • GitHub identity: Your GitHub user ID, username, and avatar URL — received when you authenticate via GitHub OAuth.
  • Repository metadata: Names, IDs, and default branches of repositories you install the app on.
  • Pull request content: PR titles, descriptions, and code diffs — sent to our AI model to generate review comments. We do not permanently store raw diffs.
  • Billing data: Plan type and subscription status only. Payment details (card numbers, etc.) are handled exclusively by Paddle and never touch our servers.
  • Usage logs: Timestamps and anonymised event counts (e.g., number of reviews run) for debugging and capacity planning.

3. How We Use Your Data

  • Authenticate you and enforce access control
  • Post review comments on pull requests you open in enrolled repositories
  • Provide and improve the review quality of the service
  • Send transactional emails (receipts, plan changes) — no marketing without consent
  • Detect abuse and enforce our Terms of Service

4. Third-Party Services

  • GitHub: OAuth authentication and GitHub App API. Governed by GitHub's privacy policy.
  • Anthropic / Claude API: Pull request diffs are sent to Anthropic to generate review text. Anthropic does not train on API inputs by default. See Anthropic's usage policies.
  • Paddle: Payment processing and subscription management. Paddle is the merchant of record. We receive only subscription status — no raw payment data.

5. Data Retention

We retain your account data for as long as your account is active. Pull request diffs are processed in memory and not written to long-term storage. Usage logs are retained for 90 days. You can request deletion of your account and associated data at any time by emailing team.mergewell@gmail.com.

6. Security

All data in transit is encrypted with TLS 1.2+. Our database is encrypted at rest. Access to production systems is restricted to authorised personnel and protected by MFA. We do not sell your data to any third party.

7. Your Rights

Depending on your jurisdiction, you may have rights to access, correct, export, or delete your personal data. To exercise any of these rights, email team.mergewell@gmail.com. We will respond within 30 days.

8. Changes to This Policy

We may update this policy. Material changes will be announced via email or an in-app notice at least 14 days before they take effect. Continued use of the service after the effective date constitutes acceptance.

9. Contact

Questions about this policy? Email team.mergewell@gmail.com.