Privacy Policy

1. Introduction

Welcome to MergeFund. We are committed to protecting your privacy and being transparent about how we collect, use, and safeguard your personal information.

This Privacy Policy explains our practices regarding data collection and use when you use our service. By using MergeFund, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Information from GitHub Sign-In (OAuth)

When you sign in with GitHub, we receive certain account information from GitHub, which may include:

• Username and display name
• Email address (depending on your GitHub account settings and permissions)
• Profile image (avatar)
• GitHub user ID
• Access tokens (used to authenticate your session and connect features to your GitHub account)

We only request the permissions needed to operate the Service. We do not access private repositories unless you explicitly authorize access.

2.2 Information You Provide

Depending on how you use the Service, you may provide:

• Account and profile information: display name, username, profile details, and preferences
• Project and contribution information: repositories you link, issues you post, proposals, comments, pull request links, and other collaboration content
• Bounty-related information (if enabled): bounty listings, submission details, acceptance notes, dispute messages, and related communications
• Support communications: messages you send to support, including attachments you choose to share

2.3 Information from Connected Repositories and GitHub Activity (If Enabled)

If you connect repositories or enable GitHub-based features, we may collect and store information necessary to provide the Service, such as:

• Repository metadata (name, URL, description, default branch)
• Issue and pull request metadata (titles, links, labels, status)
• Commit and contribution metadata (links and identifiers)

We generally store references and metadata (for example links, IDs, titles, and timestamps) rather than copying full repository contents, unless a feature requires it.

2.4 Automatically Collected Information

We may collect certain information automatically when you use the Service, such as:

• Device and browser information (browser type, operating system)
• IP address (for security, abuse prevention, and basic analytics)
• Usage data (pages viewed, clicks, navigation patterns, referral sources)

3. How We Use Your Information

We use the information we collect for the following purposes:

• Authentication: to verify your identity and manage your account
• Service operation: to provide core features like projects, issues, contributions, and collaboration workflows
• Bounties and payments (if enabled): to support bounty listings, submissions, acceptance, dispute handling, and payout coordination
• Service improvement: to analyze usage patterns and improve the Service
• Communication: to respond to your inquiries and provide customer support
• Security: to protect against fraud, abuse, spam, and security threats
• Legal compliance: to comply with applicable laws and lawful requests

4. Payments and Financial Information (Stripe)

If the Service offers bounty funding or payouts, payments are processed through Stripe or other payment processors we may use from time to time.

• We do not store full payment card numbers on our servers.
• Stripe may collect information required to process payments and comply with legal requirements, including identity verification where applicable.
• We may store limited payment-related metadata needed to operate the Service (for example, payout status, transaction identifiers, amounts, and timestamps).
• Your use of Stripe is governed by Stripe's terms and privacy practices.

5. Data Storage and Security (Supabase)

We store user and application data using Supabase, which acts as our data processor for hosting, authentication/session support (where applicable), and database storage.

We use reasonable safeguards designed to protect your information, including:

• Encryption of data in transit (HTTPS/TLS)
• Access controls and authentication
• Database security controls (including row-level security where applicable)
• Least-privilege access for internal systems

No method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we work to apply appropriate best practices.

6. Data Retention

We retain personal information for as long as your account is active or as needed to provide the Service.

If you request account deletion, we will delete or anonymize your personal information within 30 days, except where we are required or permitted to retain it for legal, security, dispute, tax, or compliance purposes.

7. Data Location

Data that we collect and process is stored on servers located in the United States.

Some information we receive originates from third-party services that operate their own infrastructure, including GitHub, Stripe, and other providers we integrate with. That data is initially collected and processed by those providers in accordance with their own policies and may be stored in locations determined by them before it is transmitted to us.

If you are located outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States. By using the Service, you consent to this transfer. We take reasonable measures to ensure your data is treated securely and in accordance with this Privacy Policy regardless of where it originates.

8. Data Sharing and Disclosure

We do not sell, trade, or rent your personal information.

We may share your information only in the following circumstances:

8.1 Service Providers / Processors

We may share information with trusted service providers who process data on our behalf to operate the Service. These may include, but are not limited to:

• GitHub (authentication and repository integrations)
• Supabase (database storage and related infrastructure)
• Stripe (payment processing, if enabled)
• Hosting providers and security services (as needed to operate and secure the Service)

These providers act as processors under our instructions and are subject to confidentiality and data protection obligations.

8.2 Legal Requirements

We may disclose information if required to do so by law or in response to valid legal requests.

8.3 Business Transfers

If the Company is involved in a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction.

8.4 Safety and Enforcement

We may disclose information when we believe it is reasonably necessary to investigate, prevent, or take action regarding fraud, abuse, security incidents, or illegal activity, protect the rights and safety of the Company and others, or enforce our Terms of Service.

9. Your Rights and Choices

Depending on your location, you may have rights regarding your personal information, including:

• Access to information we hold about you
• Correction of inaccurate information
• Deletion of your account and associated data
• Data export of certain account data

To exercise these rights, contact us at support@mergefund.org.

You can also manage authorized applications in your GitHub settings to revoke OAuth access.

10. Children's Privacy

The Service is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately at support@mergefund.org.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will post the updated Privacy Policy and update the "Last updated" date. You are advised to review this Privacy Policy periodically for changes.

12. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

Email: support@mergefund.org
Company: MergeFund