MergeLoom Customer-hosted ticket-to-code
Start free Log in
MergeLoom Customer-hosted ticket-to-code
Menu
Start free Log in

Data policy

How MergeLoom separates website and controller data from customer-controlled code, ticket, context, and execution data.

Last updated: 30 April 2026

Purpose of this data policy

This policy explains the main data boundaries in MergeLoom: website data, controller data, customer worker data, repository data, ticket data, context, model calls, validation output, and audit information.

Website and contact data

The marketing website may process contact forms, live chat messages, business emails, analytics signals, security logs, and ordinary operational data needed to run the website and respond to requests.

Controller data

The MergeLoom controller stores and coordinates account, workspace, plan, integration, worker enrollment, repository catalog, workflow rule, job state, and review request metadata needed to operate the service.

Customer-hosted execution data

  • Repository checkout happens on the customer worker.
  • Ticket context and run context assembly happen on the customer worker.
  • Model calls are made from the worker path configured by the customer.
  • Setup, test, validation, repair, branch push, and PR or MR preparation happen from the customer environment.
  • Customer secrets should be stored in the customer's worker, Kubernetes Secret, environment secret store, or approved secret workflow.

What the controller should not contain

Customers should not intentionally put unnecessary secrets, full repository contents, large proprietary data dumps, production credentials, or unrelated personal data into the MergeLoom controller. Use the worker and approved secret stores for sensitive execution data.

Logs, traces, and audit records

MergeLoom is designed to provide visible workflow state and auditability. Customers should configure trace retention, log access, and worker storage according to their own security and compliance requirements.

AI providers and integrations

Customers choose and configure their approved AI providers, code hosts, work trackers, and models. Those third-party tools may process data under their own terms and customer agreements.

Data security responsibilities

MergeLoom secures the website and controller components it operates. Customers are responsible for securing their worker infrastructure, repository access, identity provider, AI provider credentials, network access, and secret management.

Contact

For data handling questions, email support@mergeloom.ai.