Privacy Policy

Effective date: April 1, 2026 | Last updated: May 2, 2026

1. Introduction

Merov AI Inc. (“Merov AI,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our engineering intelligence platform at merov.ai and app.merov.ai.

2. What Data We Collect

From your integrations:

  • Pull request metadata: titles, descriptions, timestamps, status, author, reviewers, branch names, merge status.
  • Ticket metadata: summaries, status, assignees, priority, sprint associations, created/updated dates.
  • Code review data: review comments (metadata only), approval/rejection status, review timing.
  • Commit metadata: commit messages, timestamps, author information, file change counts.
  • User information: names, email addresses, and usernames from your connected tools.

From your account:

  • Email address (for authentication and communication).
  • Organization name and team structure.
  • Billing information (processed by Stripe; we do not store payment card details).
  • Preferences and settings.

Automatically collected:

  • Usage analytics (page views, feature usage) via Vercel Analytics.
  • Performance data via Vercel Speed Insights.
  • Browser type, device type, and IP address.

From the demo waitlist:

If you submit our public demo's “notify me when this is live” or “don't see your tool?” form, we collect:

  • Email address you provide.
  • Which integration you're interested in (the integration you clicked, or free-text you typed).
  • Language preference at submission time, so we can email you in the same language when the integration ships.
  • Hashed identifiers for abuse prevention only: your IP address and browser user-agent string are hashed (HMAC-SHA256 with a server-side salt) before storage. We do not store the raw values.
  • Consent record: the timestamp and version of the consent text you agreed to when submitting.
  • Referring URL (truncated) for attribution.

You may withdraw consent and request deletion at any time by emailing privacy@merov.ai. See “GDPR Rights” below.

3. What We Do NOT Collect

We explicitly do not collect:

  • Source code contents. We read file change counts and commit messages, never the actual code.
  • Private messages. No Slack DMs, email contents, or private communications.
  • Keystroke or screen monitoring data. We are not a surveillance tool.
  • Browsing history outside of our own platform.
  • Biometric data of any kind.

4. How We Use Your Data

  • AI analysis: We process integration data through our AI pipeline to generate team-level insights, reports, and briefings.
  • Report generation: Daily briefs, weekly rollups, monthly reports, 1:1 prep sheets, and custom reports.
  • Risk detection: Identifying blocked PRs, review bottlenecks, and delivery risks.
  • Product improvement: Aggregate, anonymized usage patterns to improve the Service.
  • Communication: Account notifications, product updates, and support correspondence.

We do not sell your data. We do not use your data to train AI models outside of providing the Service to you.

5. Data Retention

Data retention periods vary by plan:

  • Free: 7 days of processed data.
  • Team: 90 days of processed data.
  • Business: 1 year of processed data.
  • Enterprise: Custom retention period.

Upon account deletion, all your data is permanently deleted within 30 days. You may request an export of your data before deletion.

Demo waitlist data:

Email addresses captured via the demo's “notify me” forms are retained until you unsubscribe or request deletion, OR until 24 months have passed since you last engaged with one of our notifications — whichever comes first. Hashed identifiers (IP/UA) used for abuse prevention are deleted within 25 hours of capture.

6. GDPR Rights

If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR):

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate personal data.
  • Right to erasure: Request deletion of your personal data.
  • Right to restrict processing: Request that we limit how we use your data.
  • Right to data portability: Receive your data in a structured, machine-readable format.
  • Right to object: Object to processing of your personal data.

To exercise any of these rights, contact us at privacy@merov.ai. We will respond within 30 days.

7. Cookies

We use the following categories of cookies:

  • Essential cookies: Required for authentication, session management, and security. Cannot be disabled.
  • Preference cookies: Remember your settings (language, theme, timezone). Optional.
  • Analytics cookies: Help us understand how you use the Service (Vercel Analytics). Optional.

We do not use advertising cookies or third-party tracking cookies. You can manage your cookie preferences through the cookie consent banner displayed on first visit.

8. Third-Party Services

We use the following third-party services to operate the Service:

  • Supabase: Database hosting, authentication, and file storage (PostgreSQL, hosted in AWS).
  • Anthropic (Claude API): AI inference for generating insights and reports, and for translating non-English demo waitlist submissions into English so we can respond in the submitter's language. Data sent to Claude is not used to train Anthropic's models.
  • Vercel: Application hosting, analytics, and edge delivery.
  • Stripe: Payment processing. We do not store payment card information.
  • Resend: Transactional email delivery.

Each of these services has their own privacy policies. We select providers that meet our security and privacy standards.

9. Data Security

We protect your data with:

  • Encryption at rest and in transit (TLS 1.2+).
  • Row-level security (RLS) on every database table, scoped to your tenant.
  • OAuth-based integrations (no stored passwords for third-party tools).
  • Regular security audits and dependency scanning.
  • SOC 2 Type II certification (in progress, expected Q3 2026).

10. Children's Privacy

The Service is not intended for use by individuals under 16 years of age. We do not knowingly collect personal information from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least 30 days before they take effect. The “Last updated” date at the top reflects the most recent revision.

12. Contact Us

For privacy-related questions or to exercise your data rights, contact us at:

Merov AI Inc.
Email: privacy@merov.ai