Privacy Notice
This Privacy Notice explains how MergeScope ("we", "us", or "our") collects, uses, and protects information when you use the MergeScope mobile application and web service ("Service"). We are committed to handling your data responsibly and transparently.
1. Data Controller
MergeScope is the data controller for personal data processed in connection with the Service. You can contact us at hello@mergescope.io with any privacy-related queries.
2. Data We Collect
| Category | Data | Purpose |
|---|---|---|
| Account | Email address, name (from Google Sign-In) | Authentication and account management |
| Payment | Subscription status, transaction ID (via Paddle) | Billing and plan entitlement |
| Usage | App crash reports, anonymous feature usage | Service stability and improvement |
| Device | Push notification token | Delivering push notifications |
Your GitLab Personal Access Token is stored only on your device using encrypted local storage. It is never transmitted to our servers.
GitLab project data (merge request titles, comments, pipeline status) is fetched directly from your GitLab instance by your device. We do not store this data on our servers.
3. How We Use Your Data
- To authenticate you and maintain your account session.
- To determine your subscription plan and grant access to Pro features.
- To send push notifications about merge request activity (only if you have granted notification permission).
- To diagnose technical issues and improve the Service.
4. Legal Bases for Processing (GDPR)
Where GDPR applies, we process your data on the following legal bases:
- Contract performance — to provide the Service you have subscribed to.
- Legitimate interests — for service stability monitoring and fraud prevention.
- Legal obligation — where required by applicable law.
5. Third-Party Services
Paddle — Payment processing. Paddle acts as the Merchant of Record for all transactions. When you make a purchase, Paddle collects payment and billing information directly. Paddle's privacy policy is available at paddle.com/legal/privacy.
Supabase — Authentication and user account data (email, name) is stored securely on Supabase infrastructure hosted in the EU.
Google — If you sign in with Google, Google's authentication service processes your login. See Google's Privacy Policy.
Expo / EAS — Push notification delivery. Device push tokens are managed through Expo's notification infrastructure.
6. Data Retention
We retain your account data for as long as your account is active. If you delete your account, we will delete or anonymise your personal data within 30 days, except where retention is required by law (e.g. financial records).
7. Your Rights
Depending on your location, you may have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your data ("right to be forgotten").
- Object to or restrict certain processing.
- Request data portability.
- Lodge a complaint with a supervisory authority (in the UK: the ICO at ico.org.uk).
To exercise any of these rights, contact us at hello@mergescope.io.
8. Security
We use industry-standard security practices, including HTTPS for all data in transit, encrypted storage for authentication tokens, and access controls on our infrastructure. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.
9. Children
The Service is not directed at children under 18. We do not knowingly collect personal data from anyone under 18.
10. Changes to This Notice
We may update this Privacy Notice from time to time. We will post the updated notice on this page with a revised date. For material changes, we will notify you via email or in-app notice.
11. Contact
For privacy-related questions or to exercise your rights, contact us at hello@mergescope.io.