Sign in Book a demo
Legal

Privacy Policy

Last updated: January 2026. We’re engineers — we wrote this in plain English.

The short version: Your code stays yours. We never train foundation models on customer data. We’re SOC 2 Type II, ISO 27001, and GDPR-compliant. You can delete your data at any time and we’ll confirm in writing within 30 days.

1. Information we collect

1.1 Account data

Name, email, company, and authentication identifiers (SSO IDs). Used to operate your account and provide support.

1.2 Repository data

Source code, pull requests, comments, and metadata that you authorize us to read via our GitHub / GitLab / Bitbucket app. Stored encrypted at rest with per-tenant KMS keys. Never used to train foundation models.

1.3 Runtime telemetry

If you connect Datadog, Sentry, PagerDuty, or similar, we ingest the specific telemetry you grant scope to. We never read PII fields and we redact at ingress using Microsoft Presidio + custom filters.

1.4 Product usage

Anonymous events about feature usage, latency, and error rates to improve the product. You can opt out under Settings → Privacy.

2. How we protect your data

  • SOC 2 Type II — audited annually
  • ISO 27001 certified
  • Per-tenant data isolation at compute, data, and model level
  • Per-customer encryption keys (BYOK on Enterprise)
  • Secrets in HashiCorp Vault / AWS KMS — never in env files
  • Annual penetration testing + public bug bounty via HackerOne
  • Immutable append-only audit log of every agent action

3. AI training and your data

Your code is never used to train foundation models — full stop. Per-customer fine-tunes (Enterprise tier) are isolated and stored under your own encryption keys. Aggregated, anonymized metrics may inform model improvements; raw code never does.

4. Subprocessors

We use a small list of audited subprocessors: AWS, Cloudflare, Stripe, WorkOS, Anthropic, OpenAI, Datadog. The current list is at /subprocessors. We notify you 30 days before any change.

5. Data Processing Agreement

A signable DPA, EU Standard Contractual Clauses, and UK addendum are available at any plan tier. Contact legal@mergic.ai to request.

6. Your rights (GDPR / CCPA)

You can access, port, correct, or delete your data at any time. Email privacy@mergic.ai — we respond within 30 days.

7. Retention

Account data is retained for the life of the account. Repository indices are retained for 90 days after last access. Audit logs are retained per your plan (30 days Starter, 1 year Growth, custom Enterprise).

8. International transfers

Data is processed in the region you select (US, EU, UK, AU, JP). EU customers can pin processing to EU-only on the Growth tier and above.

9. Changes

We’ll email you 30 days before any material change to this policy. The current version always lives here.

10. Contact

Privacy questions: privacy@mergic.ai. Security: security@mergic.ai. Mailing address: Mergic, Inc., 548 Market St #61294, San Francisco, CA 94104.