Privacy Policy

1. Ownership and Editorial Responsibility

The website is edited by Mergify, a simplified joint-stock company with a capital of 50,000 €, whose head office is located at 15 rue Pierre Lauzeral -- 31400 Toulouse, France, registered in the Toulouse Trade and Companies Register under number 849 599 477 (hereinafter "Mergify"). VAT number: FR59849599477.

As part of the provision of the Site and the processing of Orders, Mergify may collect Personal Data. The confidentiality of Personal Data is important to Mergify, which has implemented strict rules and procedures to protect it.

The Client is informed that the personal data and the processing relating thereto are subject to the legal and regulatory provisions of the Data Protection Act of January 6th, 1978 as amended and of the General Data Protection Regulation (GDPR) of April 27th, 2016 n°2016/679.

2. Definitions

For the purposes of this Privacy Policy, the following definitions shall apply to all capitalized terms, singular and plural:

- Client is the client of Mergify, who Orders Services on the Site;

- Order is any order of Services by the Client, with Mergify;

- Account is the account of the Client on the Site, accessible by his login and password, and containing his personal information and his history on the Site;

- GitHub is a hosting and management service for software development (https://github.com);

- Party designates Mergify and/or the Client;

- Privacy Policy is the present document, accessible on the Site;

- Service(s) are the services marketed by Mergify and notably detailed on the Site at the following address: https://mergify.com/pricing;

- Site is the Mergify site and its components (computer code, graphic elements, databases, documentation, etc.) published by the Mergify company, as well as any other means of displaying the site (for example a mobile application);

- Users means any person authorized by the Client to connect to the Software and benefit from the Services in accordance with the provisions of the contract.

3. Scope and Modification of the Privacy Policy

This Privacy Policy governs the collection, processing, and disclosure of Personal Data by Mergify in the context of the use of the Site by the Clients, and the processing of their Orders. It also details the modalities of exercise of their rights by all persons concerned by the Personal Data. The Client must read the entire Privacy Policy and accept it without reservation.

Mergify reserves the right to modify the Privacy Policy at any time by publishing a new version on its Site. The modified version must be accepted before any next Order. Otherwise, the Client will not be able to place an Order on the Site.

The Mergify site may contain links to third-party sites. The latter may have different privacy policies, and Mergify will not be held liable for them.

4. How is personal data collected?

Mergify may collect Personal Data from the Customer in different ways:

- By an Order placed by the Client on the Site;

- During the processing of payments by Mergify and its payment provider;

- For any contact with Mergify related to a problem with the use of the Site or during an Order;

- During any contact with Mergify.

5. What personal data is collected and for what purposes

In accordance with the principle of minimization, Mergify collects and processes Personal Data to fulfill its contractual obligations towards the Client, and to comply with its legal obligations, in particular, to fight against fraud.

The Client may, however, refuse to provide some of these Personal Data, it being understood that this may have an impact on the proper functioning of the Site. Mergify may collect and process the following Personal Data if they have been provided:

- Contact details and information of the Client (first and last name, e-mail address, telephone number, address).
This information is necessary for the proper processing and follow-up of the Orders, as well as for all exchanges between the Client and Mergify. With the Client's express agreement, they can also be used for marketing purposes.

- Customer's bank and payment information (last 4 digits of the credit card).
This information is necessary for the proper processing and tracking of Orders, and to process refunds.

- GitHub connection information (OAuth token).
The use of the Software and the Services requires the Client to have an account on the GitHub platform and Mergify to access it via the Software. For this purpose Mergify collects an OAuth token from GitHub, allowing it to request data from the GitHub API on behalf of the Client. This OAuth token is stored encrypted and secure in our database and is protected against unauthorized access.

6. Payment Information

All transactions are carried out by a payment provider that complies with the obligations applicable to this activity. Mergify will not have access to the payment information as it only passes through the Mergify payment provider.

The payment provider of Mergify is: Stripe. The general terms and conditions of the payment provider are available at the following address: https://stripe.com/privacy.

7. Cookies

Mergify avoids using cookies as much as possible. We only use the following cookies on the Site:

- Internal cookies store dashboard session and information entered in forms. They are mandatory for the proper functioning of the site.

- Chatbox cookie that stores your chat session identifier.

Those technical cookies cannot be refused, as they are necessary for the proper functioning of the Site.

8. Subprocessors

To provide its services, Mergify may engage third parties to carry out data-processing activities involving customer data access.

As a condition to permitting a Subprocessor to process Personal Data, Mergify will enter into a written agreement with the Subprocessor containing data protection obligations no less protective than Mergify's with respect to Customer Personal Data.

Mergify will restrict its Subprocessors' access to only what is necessary to maintain the Services or to provide the Services to Customers and Users.

Mergify reserves the right to engage and substitute Subprocessors as it deems appropriate, but shall: (a) remain responsible to Customer for the provision of the Services and (b) be liable for the actions and omissions of its Subprocessors undertaken in connection with Mergify's performance of this agreement to the same extent Mergify would be liable if performing the Services directly.

These subprocessors are identified on our trust center portal with their locations and the types of services they provide to Mergify.

You can request to be notified of subprocessors' changes by opening a ticket at support@mergify.com.

9. Disclosure of Personal Data

Personal Data will never be transferred to a third party without the prior consent of the Client.

Mergify may however transfer the Personal Data under the following conditions:

- If Mergify is acquired by a third party, in which case the Personal Data will be transferred to the buyer, who will be substituted for Mergify in the application of this Privacy Policy.

- If Mergify is required to transmit Personal Data in response to a legal obligation.

Mergify uses service providers (subprocessors), who can have access to the Personal Data, which the Customer accepts.

These service providers are committed to Mergify to respect their legal and regulatory obligations regarding personal data. The Personal Data may also be transmitted to any administrative authority requesting it, or in the application of the law or a court order.

10. Security of Personal Data

Mergify ensures that Personal Data is stored in conditions that respect industry standards. Mergify commits itself to respect the regulations applicable to the security of Personal Data and cannot exclude its responsibility in this respect.

The terms of security of the Site are detailed on the following page: https://mergify.com/security

Mergify ensures that its employees and service providers in charge of processing Personal Data are subject to an appropriate confidentiality obligation.

In the event of a breach of Personal Data, Mergify will inform the Client as soon as possible. Mergify will store the Personal Data for the duration necessary to achieve the purpose pursued without exceeding the duration of the business relationship increased by the prescription periods and after exhaustion of the means of appeal. In this case, Mergify will delete all Personal Data, except those strictly necessary to maintain its commercial accounting and to respect its legal obligations.

11. Rights of the Data Subject

In accordance with the French Data Protection Act and the GDPR, any data subject has the following rights at any time and without charge for all Personal Data transmitted to Mergify:

- right of access;

- right of rectification, modification;

- right to limit the processing;

- right of opposition;

- right to erasure;

- right of portability.

It is possible to exercise these rights by contacting Mergify at the following contact address: support@mergify.com with proof of identity. In accordance with its legal obligations, Mergify will comply within a maximum period of one (1) month from the receipt of the request.

Failing this, the Customer has the possibility of lodging a complaint with the competent control authority, the CNIL, either online or by post.

12. Applicable law and disputes

The law applicable is French law.

The Customer may submit to the CNIL any dispute relating to the execution or interpretation of the Privacy Policy that has not been resolved amicably between the Parties. It may also be submitted to the competent court within the jurisdiction of the Court of Appeal of Toulouse, including in the case of summary proceedings, an appeal under warranty or multiple defendants, and regardless of the country of origin of the Customer.

Updated: 1st March 2024