Privacy Policy
Last updated: February 2026
MergeWhy (“we,” “our,” or “us”) is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, store, and protect information when you use the MergeWhy compliance evidence platform (the “Service”).
1. Information We Collect
We collect the following categories of information:
Account Information
When you create an account, we collect your name, email address, and organizational affiliation. Authentication is handled through Clerk (for SaaS deployments) or your organization's identity provider via OIDC (for self-hosted deployments).
Usage Data
We collect information about how you interact with the Service, including pages visited, features used, and actions taken within the dashboard. This data helps us improve the platform and provide better support.
GitHub, Jira, and Slack Data
When you connect your GitHub, Jira, or Slack accounts, we collect data necessary to generate compliance evidence. This includes pull request metadata, code review information, ticket references, CI/CD pipeline results, and linked Slack thread summaries. We only access data from repositories and channels you explicitly authorize.
2. How We Use Your Information
We use the information we collect to:
- Provide the Service — Create Decision Evidence Records (DERs), evaluate compliance against frameworks such as SOC 2, FedRAMP, HIPAA, and others, and seal evidence in the cryptographic vault.
- Generate compliance evidence — Extract evidence from pull requests, code reviews, tickets, CI/CD pipelines, and Slack discussions to produce audit-ready documentation.
- AI-powered analysis — Analyze change risk, generate audit summaries, and detect scope creep using large language models.
- Improve the platform — Understand usage patterns to enhance features, fix bugs, and develop new capabilities.
- Communicate with you — Send notifications about compliance gaps, audit readiness changes, and service updates.
3. Data Storage & Security
We take the security of your data seriously and implement industry-standard measures to protect it:
- Encryption — All data is encrypted in transit using TLS 1.2 or higher and encrypted at rest.
- Evidence sealing — All compliance evidence is cryptographically sealed using SHA-256 hashing at merge time. Because any later change to a sealed record alters its hash, the records are tamper-evident and can be independently verified by recomputing the hash.
- SOC 2 compliant infrastructure — Our production environment runs on infrastructure that meets SOC 2 Type II requirements.
- Access controls — Role-based access control (RBAC) ensures that users can only access data within their organization. All data is isolated by organization ID at the database level.
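What "independently verified" means in practice for a hash-sealed record, as an added illustration that is not MergeWhy's code and does not use MergeWhy's actual record schema or vault format: the verifier needs only the record and the digest recorded at merge time, recomputes SHA-256 over a canonical serialization, and compares. The sample Decision Evidence Record below is constructed for the example; the field names are assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample Decision Evidence Record. The field names are
# illustrative assumptions, not MergeWhy's real DER schema.
SAMPLE_DER = {
    "pull_request": "org/repo#482",
    "merged_at": "2026-02-10T14:03:00Z",
    "approvals": ["alice", "bob"],
    "ci_status": "passed",
    "ticket": "SEC-1187",
}


def canonicalize(record: dict) -> bytes:
    """Serialize a record deterministically (sorted keys, no whitespace).

    Two copies of the same record that differ only in key order or
    formatting, e.g. after a JSON export and re-import, must hash to the
    same digest; otherwise an independent verifier would raise a false
    tampering alarm.
    """
    return json.dumps(
        record, sort_keys=True, separators=(",", ":"), ensure_ascii=False
    ).encode("utf-8")


def seal(record: dict) -> dict:
    """Bind a SHA-256 digest to the record's canonical form at seal time."""
    digest = hashlib.sha256(canonicalize(record)).hexdigest()
    return {"record": record, "sha256": digest}


def verify(sealed: dict) -> bool:
    """Recompute the digest from the record and compare with the stored one.

    This check needs no access to the system that produced the seal, only
    the record and the digest that was recorded when it was sealed.
    """
    recomputed = hashlib.sha256(canonicalize(sealed["record"])).hexdigest()
    return hmac.compare_digest(recomputed, sealed["sha256"])


def demo() -> dict:
    """Seal a record, then show that edits are detected and that
    re-serialization with a different key order is not."""
    sealed = seal(SAMPLE_DER)

    # Tampering: a reviewer is removed after the evidence was sealed.
    tampered = {
        "record": dict(sealed["record"], approvals=["alice"]),
        "sha256": sealed["sha256"],
    }

    # Benign re-serialization: same fields, reversed key order.
    reordered = dict(reversed(list(SAMPLE_DER.items())))

    return {
        "original_ok": verify(sealed),
        "tampered_ok": verify(tampered),
        "reordered_same_digest": seal(reordered)["sha256"] == sealed["sha256"],
    }


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner should keep in mind: a hash only makes a record tamper-evident if the digest is kept somewhere the party who could alter the record cannot also rewrite, for instance signed or appended to a log that the organization can export and retain. When evaluating any sealing scheme, ask where the digests live and how they are exported alongside the records.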
4. Third-Party Services
We integrate with the following third-party services to provide the Service. Each integration is optional and requires your explicit authorization:
- Clerk — Authentication and user management for SaaS deployments. Clerk processes your name, email, and organizational membership.
- GitHub — Pull request metadata, code reviews, CI/CD status, and deployment information for evidence generation.
- Jira — Ticket references and issue metadata for compliance evidence enrichment.
- Slack — Linked thread summaries for contextual evidence. We do not perform broad channel scraping.
- Anthropic — AI-powered analysis of code changes for risk assessment and audit summaries. Code content is sent to Anthropic's API for processing. You may opt out of AI analysis at any time.
5. Data Retention
Compliance evidence, Decision Evidence Records, and vault-sealed data are retained for the duration specified by your subscription plan. Retention periods vary by tier to meet different regulatory requirements.
Upon account termination, you may export all your data (including audit bundles, DERs, and vault records) for a period of 30 days. After this export window, all data associated with your organization is permanently deleted from our systems.
Audit logs and activity records are retained according to compliance framework requirements, typically for a minimum of one year.
6. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access — Request a copy of the personal data we hold about you.
- Correction — Request correction of inaccurate or incomplete personal data.
- Deletion — Request deletion of your personal data, subject to legal retention requirements.
- Data portability — Export your compliance evidence, DERs, audit bundles, and vault records in standard formats (JSON, PDF, ZIP, OSCAL).
To exercise any of these rights, contact us at privacy@mergewhy.com. We will respond to your request within 30 days.
7. Self-Hosted Deployments
MergeWhy offers a self-hosted deployment option for organizations with strict data residency or sovereignty requirements. When you deploy MergeWhy on your own infrastructure:
- All data remains entirely on your infrastructure. No compliance evidence, DERs, or user data is transmitted to MergeWhy servers.
- Authentication is handled by your own identity provider (via OIDC), with no dependency on Clerk or any MergeWhy-managed auth service.
- AI analysis can be performed using a local Ollama instance, eliminating the need to send data to external LLM providers.
- You are responsible for securing, backing up, and managing access to your self-hosted MergeWhy instance in accordance with your organization's policies.
8. Contact
If you have any questions or concerns about this Privacy Policy or our data practices, please contact us:
MergeWhy Privacy Team
Email: privacy@mergewhy.com