GDPR Policy

Last Updated: May 2026

MergeLoom is committed to handling personal data in line with the EU General Data Protection Regulation (GDPR) and equivalent UK requirements. This policy summarises our approach and the rights available to data subjects.

01. Controller And Processor Roles

MergeLoom acts as a data controller for website visitor data, account and registration data, billing and Stripe data, support conversations through Crisp, demo bookings through Cal.com, website analytics through Google Analytics, email delivery through Resend, and business contact data.

MergeLoom acts as a data processor for customer workspace and product data submitted to the platform, including ticket and work item content, repository context, Cloud Hosted execution data, Context Engine and Context Vault material, and audit evidence generated on the customer's behalf. The customer is the controller for that data.

Customer-enabled integrations (such as Jira, Confluence, GitHub, GitLab, Azure DevOps, monday.com, Linear, Slack, and Microsoft Teams) and customer-selected AI providers used in Self Hosted deployments are under the customer's own controller relationship with those vendors.

02. Lawful Bases For Processing

We process personal data based on contractual necessity to deliver the service, legitimate interests in operating, securing, and improving the platform, consent where required (for example for certain analytics in some jurisdictions), and compliance with legal and regulatory obligations.

03. Data Subject Rights

Subject to applicable law, data subjects have rights of access, rectification, erasure, restriction, portability, objection, and the right not to be subject to solely automated decisions with legal or similarly significant effects. Decisions to merge and deploy code on the customer's side always require human review by the customer.

Requests can be sent to support@mergeloom.ai. Where MergeLoom acts as a processor, we will route the request to, and assist, the relevant customer controller.

04. International Transfers

Where personal data is transferred outside the EEA, UK, or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and equivalent mechanisms, together with supplementary technical and organisational measures where required.

05. Subprocessors

MergeLoom uses a limited set of subprocessors to operate the website, controller, billing, support, email, analytics, Cloud Hosted AI execution, and scheduling. The current list is published on the Subprocessors page and is updated as the service evolves.

06. Security

We apply administrative, technical, and organisational measures appropriate to the risk, including tenant isolation, least-privilege connector permissions, role-based access controls, encryption in transit, encryption at rest for MergeLoom-managed components, and audit logging. MergeLoom is working toward SOC 2 readiness; a SOC 2 report is not currently available.

07. Personal Data Breach Notification

Where MergeLoom becomes aware of a personal data breach affecting customer data we process, we will notify the affected customer without undue delay, in line with applicable law and the relevant data processing terms, and will cooperate in good faith on investigation and remediation.

08. Retention

Personal data is retained only for as long as necessary for the purposes described in the Privacy Policy and to meet legal, accounting, and audit obligations. Cloud Hosted temporary execution data is deleted after the run completes; other run-related artefacts are retained according to plan type and workspace settings.

09. Contact

For GDPR-related enquiries, including data subject requests and questions about international transfers, contact support@mergeloom.ai.

Contact Us

Questions about this policy? Contact us at support@mergeloom.ai.
