Effective as of February 25, 2022
Key changes: We have added Google Cloud Platform as a third party service provider.
What personal data do we store and why?
For people who have logged in via GitHub on our website, we store these things in our database:
- Your username or full name from GitHub. This is so we can display information about who has implemented a merge freeze. This gets shown in the web control panel, GitHub status and Slack (if you have installed the Slack integration).
- Your avatar from GitHub. This is so you can see where your user settings are in our web control panel.
- The email address that you type in when you log in for the first time. This is so we can inform you of security alerts and other important notices as well as provide information and marketing materials to you about our services.
- The names of any GitHub accounts and repositories you have installed the Merge Freeze app on. This is so we can inform you of what repositories you have installed the app on in our web control panel.
- The branch names that you type in when setting up a new freezable branch. This is so we know which branch to freeze/unfreeze.
- Links to the settings page of your Merge Freeze GitHub app installation. This is so we can provide you a link to manage the app inside of GitHub.
For people who have interacted with Merge Freeze via the Slack integration, we store these things in our database:
- Your username or display name from your Slack profile. This is so we can display information about who has implemented a merge freeze. This gets shown in the web control panel and GitHub status.
- Your avatar from Slack. This may be used for display purposes in the web control panel when showing who has implemented a merge freeze.
- The Slack team name and channel that was provided during the setup stage of installing the Slack integration. This is so we can inform you which Slack team and channel has been tied to which freezable branch.
- The Slack configuration url that was provided to us from Slack during the setup stage of installing the Slack integration.
- Your IP address and web request information which may include any of the above information may be stored temporarily in our server logs. This is for debugging purposes and is archived for 12 months.
- We use Google Analytics to better understand how visitors use our website, however this is anonymous analytical data which cannot be used to identify individuals.
- Legal reasons. If for any legal or law enforcement reasons, we may have to disclose your personal information to comply with the law.
- Merger, sale or acquisition. In the event of a sale, merger or acquisition, change of ownership, we will ensure that your personal information is kept confidential and we may have to disclose your information to the prospective seller or buyer.
How we share information we collect
We do not sell your personal information, irrespective of where you are located.
We do use certain third-party providers to deliver and perform services for us and we may share certain information with these service providers:
- Papertrail (Log storage and display. Server logs as outlined above)
- Rollbar Error Monitoring (Error monitoring services. Web request data may be processed)
- Heroku (Server infrastructure and database provider. Processes web requests, stores data in a Postgres database, stores logs in addition to Papertrail)
- Google Analytics (Anonymous website usage statistics)
- Google Cloud Platform (Secondary storage of database backups)
- GitHub (Provides identity information and GitHub related data and services)
- Slack (Provides identity information and Slack related data and services)
- Mailchimp (Sends informative emails)
- Mailgun (Sends transactional emails)
- Cloudflare (DNS and asset caching services)
- Twilio (Toll-free number for privacy rights requests from Californian residents)
- Fomo (Social proof tool that shows recent app usage from public, open source repository
Security and storage
The following security measures are in place:
Application servers and databases are managed by Heroku, a subsidiary of Salesforce.com.
Heroku is compliant with industry best-practice security standards including: ISO 27001 security management controls, SOC 2 security, availability & confidentiality reports, and regular security penetration testing.
- Communication between application servers and the Merge Freeze customer database are performed on a secure internal network managed by Heroku. External connections to the database require SSL encryption to ensure a high level of security and privacy.
- All data is encrypted at rest with AES-256, block-level storage encryption.
How do you get all of your personal data deleted from our system?
Your email address, GitHub username and avatar are deleted from our system when you delete your user in the user settings panel of the web UI.
Your Slack display name and avatar are deleted from our system when your Slack user no longer belongs to any Slack accounts that are linked to a Merge Freeze project. To delete this information at an earlier time please send a request via email to [email protected].
Your GitHub account name, repository names and branch names are deleted from our system when the Merge Freeze app is uninstalled from your GitHub account.
We retain an encrypted copy of the app’s log files for up to 12 months. At the end of this period, we will delete all information except that which we are obligated to retain by law.
Your data rights
You may have the right to:
- know what personal information we collect about you, and how it is processed;
- update or correct any personal information we hold about you;
- request a copy of any personal information we hold about you;
- request any personal information we hold about you be deleted; and
- restrict or object to our use of your personal information, while retaining the right to use your information for your own purposes,
by emailing us at [email protected]. If you are a California resident you may also contact us toll-free at +1 833 660 0046.
You will not be discriminated against for exercising any of your privacy rights.
That said, where our customer is an organisation we receive and process information under the direction of our customer. In such circumstances:
- we have no direct relationship with any individual user that has been authorised to access and use our app (and whose personal information we may hold); and
- we recommend that any such individual direct their query to the applicable organisation and we will respond to the customer’s request within a reasonable timeframe.
In order to protect your information, upon receiving a request to exercise your privacy rights we will verify your identity by a method appropriate to the type of request you are making.
Data processing agreement
In accordance with data processing regulation compliance we have a pre-signed Data Processing Agreement available to download from https://www.mergefreeze.com/mergefreeze-DPA.pdf. Once signed please email us a copy at [email protected] for our records.
Changes to this policy
Occasionally we may make changes to this policy. If we do we'll communicate the change by either displaying a notice in the UI of the Merge Freeze web app or by direct communication to the app manager (including by email).
Who should you contact if you have a complaint?
- You can contact us directly by emailing us at [email protected].
- If you are a European resident you can make a complaint to your national data protection authority.
- If you are a resident of California then you may make a consumer complaint to the California’s Attorney General.