Privacy Policy

Last Updated: May 2026

This Privacy Policy explains how MergeLoom collects, uses, stores, and protects personal data across the public website, the MergeLoom control plane, Cloud Hosted and Self Hosted workers, and connected services. MergeLoom is a governed AI ticket-to-code platform that turns approved tickets into review-ready pull requests and merge requests.

01. Scope

This policy covers mergeloom.ai, the MergeLoom controller and web application, Cloud Hosted execution operated by MergeLoom, Self Hosted worker deployments operated by the customer, and the integrations and AI provider paths that MergeLoom or the customer configure.

02. Data Categories We Process

  • Website Visitor Data: IP address, user agent, page views, referrer, device and browser information, approximate location, and interaction events from the public website.
  • Account And Registration Data: name, email address, workspace name, organisation details, and authentication state.
  • Email Verification Data: verification tokens and delivery metadata used to confirm sign-up.
  • Billing And Payment Data: billing contact, payment method metadata, transactions, invoices, subscription and plan status, and Stripe customer, session, and payment identifiers. Card numbers are processed by Stripe and not stored by MergeLoom.
  • Workspace And Tenant Data: workspace records, user roles, plan state, worker enrollment, and workspace settings.
  • Integration Configuration Data: connector state and tokens issued to MergeLoom for Jira, Confluence, GitHub, GitLab, Azure DevOps, monday.com, Linear, Slack, and Microsoft Teams where configured by the customer.
  • Repository Catalog Metadata: identifiers, names, default branches, and high-level metadata for repositories the customer has connected.
  • Ticket And Work Item Metadata: identifiers, titles, statuses, and the content needed to run an approved ticket.
  • Cloud Hosted Execution Data: prompts, AI inputs and outputs, validation outcomes, Quality Agent results, and run cost metadata. Temporary execution data is deleted after the run completes; prompts, logs, traces, and audit records are retained according to plan type and workspace settings.
  • Self Hosted Worker Data: repository checkout, context assembly, AI execution, tests, validation, repair attempts, branch push, worker-local traces, worker-local audit, and Code Audit evidence stay within the customer-controlled worker boundary.
  • Context Engine And Context Vault Data: manifests, relationship evidence, Context Vault documents, snippets, context packs, unresolved questions, and audit evidence describing what context shaped a run.
  • Audit And Run Evidence: Agent Timeline entries, Ticket Audit, Code Audit, validation results, and PR/MR handoff details.
  • Support And Chat Data: messages and contact details exchanged through the Crisp live chat widget on the website.
  • Demo Booking Data: name, email, company, meeting time, and scheduling metadata submitted through Cal.com.
  • Analytics Data: aggregated website usage metrics collected through Google Analytics (measurement ID G-14WPGGRNTV).
  • Advertising And Conversion Data: campaign, page visit, device, referrer, and conversion measurement data collected through Reddit Pixel (pixel ID a2_j13w493szg26) and LinkedIn Insight Tag (partner ID 9182018).
  • Email Delivery Data: transactional emails, verification emails, and signup notifications delivered through Resend.

03. How We Use Personal Data

To operate, secure, and support the MergeLoom platform, including ticket intake, Context Engine, Quality Agents, validation, audit evidence, cost visibility, and PR/MR handoff.

To authenticate users, verify email addresses, and manage workspace and worker enrollment.

To process payments, subscriptions, AI credit purchases, and billing through Stripe.

To deliver transactional, account, and notification emails through Resend.

To provide live chat and customer support through Crisp.

To schedule product demos through Cal.com.

To measure and improve website performance through Google Analytics.

To measure MergeLoom ad campaigns and conversion paths through Reddit Pixel and LinkedIn Insight Tag.

To prevent abuse and protect the platform through Cloudflare and Turnstile.

To meet legal, accounting, audit, and regulatory obligations.

04. AI Providers And Execution Models

Cloud Hosted uses Anthropic as the current AI model provider through MergeLoom. AI credits for Cloud Hosted execution are supplied and billed through MergeLoom.

Self Hosted customers select and configure their own provider path, which may include Codex CLI, Claude Code CLI, Codex API, Claude / Anthropic API, OpenAI-compatible private endpoints with tool and function calling, Google Vertex AI, AWS Bedrock, or Azure AI Foundry.

MergeLoom does not train foundation models on customer source code. AI provider calls are bounded by the configured provider path and the customer's tenant scope.

05. Sharing And Subprocessors

MergeLoom does not sell personal data. We share data only with the vetted subprocessors required to operate the service, with the integrations the customer connects, and where required by law. See the Subprocessors page for the current list.

06. Tenant Isolation And Security

MergeLoom is designed for tenant isolation. Customer data, integration credentials, code-derived evidence, and run artefacts are scoped to the customer's tenant. Access controls, encryption in transit, encryption at rest for MergeLoom-managed components, and least-privilege connector permissions are applied across the platform. MergeLoom is working toward SOC 2 readiness; a SOC 2 report is not currently available.

07. International Transfers

Personal data may be processed in the regions where MergeLoom, its subprocessors, and customer-selected providers operate. Where transfers cross jurisdictions, we apply appropriate safeguards including standard contractual clauses and equivalent mechanisms.

08. Retention

Account, billing, and workspace records are retained while the subscription is active and for the period required for legal, tax, audit, and contractual purposes. Cloud Hosted temporary execution data is deleted after the run completes. Prompts, logs, traces, and audit records are retained according to plan type and workspace settings. Self Hosted customers control retention of worker-local traces and Code Audit evidence stored in their environment.

09. Your Rights

Depending on your jurisdiction you may have rights to access, correct, export, restrict, object to, or delete personal data, and to withdraw consent. To exercise these rights, contact support@mergeloom.ai. Where MergeLoom acts as a processor on behalf of a customer, we will route requests to the relevant customer controller.

10. Children

MergeLoom is a business platform and is not directed to children. We do not knowingly collect personal data from children.

11. Changes To This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the platform or by email. The 'Last Updated' date reflects the most recent revision.

Contact Us

Questions about this policy? Contact us at support@mergeloom.ai.
