Privacy Policy
Last updated: May 11, 2026
This Privacy Policy explains what data PRMergeSafe (“we”, “us”, “the Service”) collects when you install our GitHub App and use the PRMergeSafe dashboard, how we use it, and your rights over that data.
1. What we collect
- Identity data: Your GitHub login, GitHub user ID, email address (only if your GitHub email is public), and avatar URL — collected when you sign in through GitHub OAuth.
- Repository metadata: Repo names, default branches, primary language, and the list of repos you authorized the GitHub App to access. We do not clone, mirror, or store the full contents of your repositories.
- Pull-request data: For each PR analyzed, we read the diff and the current contents of the changed files via GitHub's API. We store the diff metadata, our analysis result (risk score, findings), and a reference to the PR. We do not permanently store the full file contents.
- Usage data: Billing-cycle credit counts, plan tier, and timestamps of analyses.
2. How we use it
- To analyze pull requests and post comments on them on your behalf.
- To enforce plan limits and bill correctly.
- To display your analysis history in the dashboard.
- To send the diff and file contents to Anthropic (Claude API) for AI analysis. Anthropic processes this data under their own privacy terms and does not train models on API data.
3. Third parties
We share data with the following processors, strictly to operate the Service:
- Anthropic — AI model inference
- GitHub — source of PRs and target for comments / checks
- Stripe — payment processing (if you upgrade)
- Sentry — error monitoring
- Cloud hosting providers (Vercel, Railway, Supabase, Upstash) for infrastructure
We do not sell your data. We do not share it for advertising.
4. Data retention
Analysis results are retained for as long as you have an active installation. If you uninstall the GitHub App, we retain your data for 30 days in case of reinstallation, then delete it. You can request immediate deletion at any time by emailing the contact below.
5. Your rights
You can access your data through the dashboard, export your analysis history (contact us), correct your data, or request deletion. EU residents have additional rights under GDPR, including data portability and the right to lodge a complaint with a supervisory authority.
6. Security
All traffic is HTTPS-encrypted. JWTs expire after 7 days. Production databases are encrypted at rest. GitHub access tokens are stored encrypted and only used to call GitHub on your behalf.
7. Contact
For privacy questions or data requests, email privacy@prmergesafe.com.