Legal

Privacy Policy

Last updated: 10 July 2026. This policy describes how Mergent (“we”, “us”) handles data when you install the Mergent GitHub App, subscribe to a plan at mergent.polsia.app, or otherwise interact with our services.

1. Data we collect

When you install the Mergent GitHub App, GitHub grants us access to the repositories and metadata covered by your installation scopes. We collect: pull request metadata (title, author, base/head refs, changed file list, diff hunks, review comments); check-run status and CI signal references needed to evaluate merge readiness; the installation identifier and account login used to scope your workspace; and audit data we generate as a result (review verdicts, risk scores, merge decisions).

When you sign up at mergent.polsia.app we collect your email address, display name, and authentication tokens issued by our identity provider. When you subscribe to a paid plan, LemonSqueezy processes billing details on our behalf; we store only the customer identifier and subscription status, never your card number.

2. How we use data

We use the data above to: (a) generate and post code reviews and check runs on the pull requests you author; (b) compute a merge-risk score and, where configured and permitted, perform an auto-merge against your repository; (c) deliver Slack and email notifications you opt into; (d) maintain an audit log you can replay from the dashboard; (e) operate, secure, and improve the service. We do not train our underlying model on your private code.

3. Marketplace installs and billing

Mergent on GitHub Marketplace is installed through GitHub’s OAuth flow and is billed entirely by GitHub. We do not process a separate card payment for Marketplace installs, and we do not share your repository data with LemonSqueezy when you install via the Marketplace. If you additionally subscribe on mergent.polsia.app (the marketing site), LemonSqueezy handles that subscription independently; the two flows do not share billing instruments.

4. Third-party processors

We share data only with vetted processors: GitHub (host of your repositories and the OAuth identity provider), our managed PostgreSQL host (data at rest, encrypted), LemonSqueezy (billing only on the mergent.polsia.app direct-billed flow), and our notification providers (Slack and email). A current subprocessor list is available on request.

5. Retention

Pull-request review artifacts (comments, summaries, findings, risk scores) and audit log entries are retained for the lifetime of your installation. On uninstall we delete installation-scoped data within 30 days, except where retention is required for legal, accounting, or fraud-prevention reasons. Billing records are retained for seven years.

6. Your rights (GDPR & CCPA)

You can request access to, correction of, or deletion of your personal data, and you can object to or restrict our processing. Email mergent@polsia.app and we will respond within 30 days. EU and UK representatives are listed in our DPA, available on request.

7. Security

Data in transit is protected by TLS 1.2+. Data at rest is encrypted in our managed Postgres. Webhook payloads are verified with HMAC-SHA256 against a per-app secret. GitHub App access tokens are short-lived and minted on demand. We publish security advisories at the GitHub repository linked from mergent.polsia.app.

8. Children

The service is not directed at children under 16 and we do not knowingly collect data from them.

9. Changes to this policy

Material changes are announced at least 14 days in advance by email to active subscribers and by an in-app banner; non-material changes (typos, clarifications) are reflected in the “Last updated” date above.

10. Contact

Questions, complaints, and data-subject requests: mergent@polsia.app.