Legal

Privacy Policy

Effective date: March 1, 2025  ·  Last updated: March 14, 2026

MergeMeter, Inc. ("MergeMeter," "we," "us," or “our”) operates the MergeMeter platform (the “Service”). This Privacy Policy describes what information we collect, how we use it, how we protect it, and your rights with respect to it. By using the Service you agree to the practices described here.

1. Information We Collect

We collect only the minimum information necessary to deliver the Service.

Account and identity data

  • GitHub username, display name, avatar URL, and primary email address — obtained via GitHub OAuth at sign-in.
  • Organization name and GitHub organization login, captured when you connect a GitHub organization.
  • Email addresses of additional team members you invite to your MergeMeter organization.

Engineering activity data

  • Pull request metadata: repository name, PR number, merge commit SHA, merge timestamp, and the GitHub login of the author.
  • Developer survey responses: numeric confidence scores and optional free-text comments submitted after a merge.
  • Aggregate metrics: PR volume, response rates, and confidence trend data derived from the above.

Billing data

  • Subscription plan and status.
  • Payment card data is collected and stored exclusively by our PCI-DSS-compliant payment processor — we never receive, transmit, or store raw card numbers.

Usage and operational data

  • Server-side request logs (IP address, HTTP method, path, status code, latency) retained for security and debugging.
  • Error traces captured by our application monitoring service for reliability purposes.

2. How We Use Your Information

  • Operate, maintain, and improve the Service.
  • Authenticate users and enforce access controls.
  • Deliver survey links to developers after a merge event.
  • Compute confidence scores, trend reports, and monthly summaries for engineering leaders.
  • Send transactional emails (survey invitations, monthly reports, billing notifications).
  • Manage subscriptions and process payments through our payment processor.
  • Detect, investigate, and remediate security incidents.
  • Comply with applicable legal obligations.

We do not sell, rent, or trade your personal information to third parties for marketing purposes. We do not use your engineering activity data to train machine-learning models sold to or shared with third parties.

3. How We Protect Your Data

Security is a first-class concern in MergeMeter’s architecture. The following controls are in place across every layer of the stack.

Encryption at rest — AES-256

All data stored in our database is encrypted at rest using AES-256, provided by a SOC 2 Type II certified cloud database platform. Sensitive configuration values — such as repository ingest secrets — are additionally encrypted at the application layer using AES-256-GCM before they are written to the database, so that even direct database access yields only ciphertext.

Encryption in transit — TLS 1.3

All data transmitted between your browser and our servers, and between our servers and the database, is protected by TLS 1.3. Unencrypted HTTP connections are rejected; HTTPS is enforced at the network edge with HSTS headers.

Tenant isolation — org-scoped data access

Every database query in MergeMeter is parameterized and includes an organization-ID filter. No route handler, background job, or report query can access data belonging to a different organization — this isolation is enforced in code, not only by application logic. Raw SQL is used with parameterized inputs throughout; no ORM or query builder can silently bypass these filters.

Least-privilege database access

The application connects to the database using a role granted only the permissions it requires — read and write on specific tables. Administrative operations (schema migrations, data exports) use separate, separately credentialed roles that are not accessible from the running application.

Authentication — GitHub OAuth 2.0

MergeMeter does not store passwords. All authentication is delegated to GitHub via OAuth 2.0. We store only an opaque session token bound to your GitHub identity — no raw GitHub access tokens are persisted beyond the OAuth handshake.

Role-based access control

Every authenticated request is verified against an organization membership record before data is returned. Three roles — Owner, Admin, and Member — enforce least-privilege access within an organization. Billing operations require the Owner role; read-only dashboard access is available to Members.

Webhook integrity verification

Inbound webhook payloads from our payment processor are verified using HMAC-SHA256 signature validation before any processing occurs. Payloads that fail signature verification are rejected with a 400 response and logged as a security event.

Idempotent write paths

All ingest and billing write operations are designed to be idempotent — the same event delivered multiple times produces the same result without duplication. This prevents data corruption from retry storms or network replay events.

Edge network security

The Service is delivered through a globally distributed edge network with built-in DDoS mitigation, automatic SSL certificate provisioning and renewal, and geographic request routing. No origin infrastructure is directly exposed to the public internet.

Payment card data — PCI compliance

MergeMeter does not collect, process, or store payment card data. All payment flows are handled directly by a PCI-DSS Level 1 certified payment processor. Our servers never receive raw card numbers.

Audit logging

Security-relevant events — authentication, permission denials, billing state changes, and administrative actions — are written to structured logs retained for a minimum of 90 days to support incident investigation.

Despite these controls, no system can guarantee absolute security. We encourage you to use a strong, unique GitHub password and to enable two-factor authentication on your GitHub account, as that credential gates access to MergeMeter.

4. Data Retention

  • Active account data — retained for the lifetime of your organization’s account.
  • PR and survey data — retained for the duration of your subscription plus a 30-day grace period following cancellation to allow for data export.
  • Request logs — retained for 90 days, then automatically purged.
  • Billing records — retained for 7 years as required by applicable financial regulations.

Upon written request to the email address below, we will delete your organization’s data subject to the retention minimums described above.

5. Data Sharing and Subprocessors

We engage a limited set of third-party subprocessors to operate the Service. Each is bound by a data processing agreement and appropriate security obligations:

  • Cloud infrastructure provider — hosts the application and serves web traffic. SOC 2 Type II certified.
  • Database provider — managed Postgres service providing AES-256 encryption at rest and SOC 2 Type II certification.
  • Payment processor — handles all payment card transactions. PCI-DSS Level 1 certified.
  • Transactional email provider — delivers survey invitations and monthly reports on our behalf.
  • Application monitoring service — receives error traces and performance telemetry for reliability purposes.

We do not share personal data with any other third party except where required by law (e.g., a valid court order or government request), in which case we will notify you to the extent permitted by law.

6. GitHub OAuth Permissions

MergeMeter requests the minimum GitHub OAuth scopes required to operate:

  • read:user — to read your GitHub username, display name, and avatar.
  • user:email — to read your primary verified email address.
  • read:org — to verify your membership in the GitHub organizations you connect to MergeMeter.

MergeMeter does not request write access to your repositories, the ability to act on your behalf, or any broader GitHub permissions.

7. Cookies and Tracking

MergeMeter uses a single, HttpOnly, Secure, SameSite=Lax session cookie to maintain your authenticated session. No third-party advertising or behavioral tracking cookies are used. No cross-site tracking pixels are embedded in the application.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate personal data.
  • Request deletion of your personal data (subject to legal retention obligations).
  • Object to or restrict certain processing activities.
  • Receive a machine-readable export of your data (portability).

To exercise any of these rights, email us at the address below. We will respond within 30 days.

9. Children’s Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child without verifiable parental consent, we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced via email to organization owners at least 14 days before taking effect. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of the Service after the effective date constitutes acceptance of the revised policy.

11. Contact Us

For privacy questions, data subject requests, or security disclosures, contact:

MergeMeter, Inc.
Privacy & Security Team
privacy@mergemeter.com

For security vulnerability disclosures specifically, please email security@mergemeter.com. We aim to acknowledge security reports within 24 hours and to provide an initial assessment within 72 hours.