Privacy Policy
Last updated: 5 June 2026
Overview
MergeMe ("we", "us") operates mergeme.dev, a service that mirrors pull request and merge request activity from GitHub and GitLab into Slack. This policy explains what personal data we collect, why we use it, and your choices.
We are based in the United Kingdom. If you have questions, contact us at hello@mergeme.dev.
What we collect
Account data. When you sign in with Google, we store your email address, display name, and profile picture. We do not store passwords.
Session data. We set an httpOnly cookie to keep you signed in. Short-lived cookies are used during the OAuth sign-in flow.
Workspace and integration data. When a workspace admin connects GitHub, GitLab, or Slack, we store configuration needed to run the service - for example workspace name, connected account identifiers, project-to-channel mappings, and Git-username-to-Slack-user mappings (which may include Slack display names and email addresses when available). OAuth tokens and webhook secrets are stored encrypted at rest.
Webhook and notification data. To deliver Slack notifications, we receive and process webhook payloads from the git and messaging platforms you connect. These payloads contain pull request activity - for example titles, status changes, comments, usernames, and project identifiers. They do not include your source code. We store webhook payloads in our database while processing them and for operational debugging.
Notification state. We store links between pull requests and Slack messages (for example project ID, PR number, and Slack message timestamp) so we can update a single card per PR instead of posting duplicates.
Team membership. If you invite colleagues, we store invite email addresses and workspace roles.
Billing data. Paid plans are handled by a third-party payment processor. We store customer and subscription identifiers, plan status, and seat count. Payment card details are collected and processed by that provider, not by us.
Analytics. We use third-party analytics services to understand how the dashboard is used and to monitor service reliability. These tools collect aggregated usage data and are configured to avoid sending names, emails, or message content where possible.
What we do not access
Just to be clear, MergeMe cannot and does not access, clone, download, or store your repository source code.
We are not a code host and we do not read your files, branches, commits, or repository contents.
The git platforms you connect send us webhook notifications about pull request and merge request events only - metadata such as titles, reviewers, comments, and status. That is the full extent of repository-related data we receive. We cannot pull code from your repos and never request permissions to do so.
We do not sell your personal data or use it for advertising.
How we use your data
We use the data above to:
- Provide, maintain, and improve the service
- Authenticate you and manage workspace access
- Route PR/MR events to the correct Slack channels and authors
- Process subscriptions and enforce plan limits
- Monitor reliability, security, and product usage
- Respond to support requests
Legal basis (UK GDPR)
Where UK data protection law applies, we rely on:
- Contract - to provide the service you signed up for
- Legitimate interests - to secure our systems, prevent abuse, and understand how the product is used
- Consent - where required for optional integrations you connect (GitHub, GitLab, Slack)
Third-party services
We use third-party providers to run MergeMe, including for sign-in, the integrations you choose to connect, payment processing, hosting, and analytics. We share data with those providers only as needed to deliver the service.
When you connect a git or messaging platform, data flows between that platform and MergeMe as directed by your workspace configuration. Your use of connected platforms remains subject to their own terms and privacy policies.
A current list of sub-processors is available on request - email hello@mergeme.dev.
International transfers
Some providers may process data outside the UK. Where required, we rely on appropriate safeguards such as standard contractual clauses offered by those providers.
Retention and deletion
We keep account and workspace data while your account or workspace is active. Workspace owners can delete a workspace from dashboard settings; this removes workspace configuration, mappings, integration tokens, and related notification state. Some webhook processing records may be retained in an orphaned form for operational debugging.
If you want your user account removed or have questions about retention, email hello@mergeme.dev.
Security
Integration tokens and secrets are encrypted at rest. Traffic is served over HTTPS. Access to production systems is restricted to people who need it to operate the service.
Your rights
Depending on where you live, you may have rights to access, correct, delete, or export your personal data, and to object to or restrict certain processing. UK residents can also complain to the Information Commissioner's Office (ICO).
To exercise your rights, contact hello@mergeme.dev.
Children
MergeMe is not intended for anyone under 16, and we do not knowingly collect their data.
Changes
We may update this policy from time to time. The "Last updated" date at the top of this page will change when we do. Continued use of the service after changes means you accept the updated policy.
See also our Terms of Service.