Privacy Policy
Last updated: April 28, 2026
1. Who We Are
Mergeline ("we", "us", "our") is a website collaboration platform for agencies and design studios, operated by Concepcion Design, LLC. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our platform at mergeline.io and all associated subdomains.
Data Controller: Concepcion Design, LLC
Contact: support@mergeline.io
2. What Data We Collect
Account Data
When you create an account or are invited to the platform, we collect:
- Full name and email address
- Password (stored as a salted hash; plaintext passwords are never stored)
- Organization name and portal slug
- Brand settings (logo, color, custom domain) you configure
Client Portal Data
If you are an end-user (client) invited by an agency using Mergeline, they may also store:
- Your name and email address
- Notes and metadata associated with your account
- Comments and approvals you submit on content reviews
GitHub Integration Data
When you connect a GitHub repository, we access:
- Repository metadata (name, branches, pull request titles and descriptions)
- File contents of branches you explicitly link to a site for preview
- Commit and diff data used to generate review summaries
We do not store raw repository file contents beyond what is needed to render the current preview session. We do not access repositories you have not explicitly connected.
AI-Generated Content
When you use AI-assisted review features, your content (diff summaries, branch context) is sent to Anthropic's API to generate descriptions and feedback. We do not use your content to train AI models. See Section 4 (Sub-processors) for details on Anthropic's data handling.
Usage Data
We automatically collect:
- Access logs (login events, page visits, actions taken)
- IP addresses associated with requests
- Browser type and device information
3. How We Use Your Data
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing the platform (authentication, site management, content review) | Performance of contract (Art. 6(1)(b)) |
| Sending transactional emails (invitations, review notifications, password resets) | Performance of contract (Art. 6(1)(b)) |
| AI-assisted review summaries and diff descriptions | Performance of contract (Art. 6(1)(b)) |
| Security (access logging, rate limiting, fraud prevention) | Legitimate interest (Art. 6(1)(f)) |
| Billing and payment processing | Performance of contract (Art. 6(1)(b)) |
| Responding to support requests | Legitimate interest (Art. 6(1)(f)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
We do not sell, rent, or share your personal data with third parties for advertising or marketing purposes.
4. Sub-Processors
We use the following third-party services to operate the platform. Each processes data on our behalf under appropriate data processing agreements and Standard Contractual Clauses where applicable:
| Service | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase | Database, authentication | Account data, site metadata, review records, access logs | United States (AWS) |
| Cloudflare R2 | File and asset storage | Uploaded files, site assets | United States |
| Vercel | Application hosting | Request logs, IP addresses | United States (edge network) |
| Stripe | Payment processing | Billing data (name, email, payment method) | United States |
| Mailgun (Sinch) | Transactional email | Recipient email addresses, email content | United States |
| Anthropic | AI-assisted review generation | Branch diff content, PR descriptions (no PII) | United States |
| GitHub | Source repository integration | Repository metadata, branch content, pull request data | United States |
All sub-processors maintain SOC 2 or equivalent certifications. Where data is transferred outside the European Economic Area (EEA) or UK, transfers are protected by Standard Contractual Clauses (SCCs) or equivalent safeguards as required by GDPR Chapter V.
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Retained while your account is active; deleted within 30 days of deletion request |
| Site and review records | Retained while your account is active; deleted with the account |
| Access logs | Up to 12 months for security and audit purposes |
| Billing data | As required by tax and accounting regulations (typically 7 years) |
| AI generation inputs | Not retained beyond the API call; Anthropic's zero-retention policy applies |
6. Your Rights
Under the GDPR and UK GDPR, you have the following rights:
- Right of access (Art. 15): request a copy of all personal data we hold about you.
- Right to data portability (Art. 20): request your data in a machine-readable format.
- Right to rectification (Art. 16): request corrections to inaccurate data.
- Right to erasure (Art. 17): request deletion of your account and all associated data. We will fulfil the request within 30 days.
- Right to restrict processing (Art. 18): request that we limit how we process your data.
- Right to object (Art. 21): object to processing based on legitimate interest.
To exercise any of these rights, contact us at support@mergeline.io. We will respond within 30 days.
If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority (UK: ico.org.uk; EU: edpb.europa.eu).
7. Data Security
We implement the following security measures:
- Encryption in transit: All data is transmitted over HTTPS/TLS.
- Encryption at rest: Database (AES-256 via Supabase/AWS) and file storage (Cloudflare R2).
- Authentication: Secure password hashing, session management via secure HTTP-only cookies.
- Access control: Row-level security (RLS) enforced at the database level. Tenants cannot access other tenants' data.
- Rate limiting: Authentication and administrative endpoints are rate-limited to prevent brute-force attacks.
- GitHub token isolation: Each connected repository's access token is scoped and stored encrypted.
8. Cookies
We use the following essential cookies required for the platform to function:
- Authentication cookies, which keep you signed in across pages.
- CSRF tokens, which protect against cross-site request forgery.
- Session cookies, which maintain your active session state.
We do not currently use analytics or advertising cookies. If this changes, we will update this policy and obtain your consent before setting any non-essential cookies.
9. International Data Transfers
Our platform infrastructure is primarily located in the United States. If you are located in the EEA, UK, or Switzerland, your data may be transferred to and processed in the United States. We ensure all international transfers are protected by Standard Contractual Clauses (SCCs) and Data Processing Agreements with all sub-processors.
10. Children's Privacy
Mergeline is not intended for use by children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at support@mergeline.io and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date and, for significant changes affecting your rights, by email.
12. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights:
Email: support@mergeline.io
Please include "Privacy" or "Data Request" in your subject line to ensure prompt handling.