MergeGuard

Last updated: January 2026

Privacy Policy

This Privacy Policy explains how Chaincode Tecnologia Ltda ("Company", "we", "us", or "our") collects, uses, and processes personal data in connection with MergeGuard ("Service"), a GitHub App designed to enforce pull request review policies. We are committed to protecting your privacy and complying with applicable data protection laws, including Brazil's LGPD, the EU GDPR, and the CCPA/CPRA.

Company Information (Data Controller)

  • Legal name: Chaincode Tecnologia Ltda
  • CNPJ: 35.150.620/0001-91
  • Registered address: Brasilia, Area Especial 4 Modulo G - Bloco B - Apt. 1607 - Olympique, Brazil
  • Contact email: [email protected]
  • Chaincode Tecnologia Ltda is the Data Controller.

Data We Access and Process

MergeGuard operates exclusively through GitHub's APIs and processes only the minimum data required to provide its functionality.

3.1 Data Accessed from GitHub

  • Organization name and identifier
  • Repository name and identifier
  • Pull request numbers and metadata
  • Pull request diffs and changed file paths
  • Commit identifiers (SHAs)
  • Review status and approval state
  • Organization membership and team membership information

MergeGuard does not store pull request diffs, file contents, commits, user emails, IP addresses, or activity logs.

3.2 Data Stored Persistently

  • GitHub organization name and ID
  • Repository names
  • Pull request numbers

No personal contact data is persisted.

3.3 Data We Do Not Collect

  • Email addresses
  • Real names beyond GitHub usernames
  • IP addresses
  • Behavioral tracking data
  • Cookies or analytics identifiers

Sources of Data

All data processed by MergeGuard comes exclusively from GitHub APIs as authorized during installation of the GitHub App. We do not collect data directly from individuals through forms or user input.

Purpose of Processing

  • Enforcing pull request review and merge policies
  • Evaluating pull request merge readiness
  • Posting comments and status checks on pull requests
  • Managing subscriptions and billing
  • Providing customer support
  • Processing is limited to what is strictly necessary to deliver the Service.

Legal Bases for Processing

  • Performance of a contract (GDPR Art. 6(1)(b), LGPD Art. 7(V))
  • Legitimate interest in providing a repository governance service
  • Compliance with legal obligations, including accounting and billing

Data Sharing

We share data only with the following service providers, strictly as necessary:

  • GitHub - to operate the GitHub App
  • Stripe - for subscription billing and payment processing

We do not sell, rent, or share personal data for advertising or marketing purposes.

International Data Transfers

MergeGuard is hosted in the United States, so data may be processed outside Brazil and the European Union. When required, international transfers are safeguarded through standard contractual clauses and adequate security and access controls.

Data Retention

  • Repository and pull request references are retained while the Service is active.
  • Data is deleted within 30 days after the GitHub App is uninstalled.
  • Billing and transactional records are retained as required by law.

Security Measures

  • Restricted access controls
  • Secure infrastructure
  • Least-privilege API usage

Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access your personal data
  • Request correction or deletion
  • Object to or restrict processing
  • Request data portability

Requests can be made by contacting [email protected].

California Privacy Rights (CCPA/CPRA)

MergeGuard does not sell or share personal data as defined by California law. California residents may request disclosure of collected data categories and deletion of personal data.

Children's Privacy

The Service is intended for individuals 18 years or older. We do not knowingly process data of minors.

Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be reflected by updating the "Last updated" date.