Privacy Policy

This Privacy Policy describes how DeepMerge ("we," "us," or "our") collects, uses, stores, and protects your personal information when you use our website at deepmerge.ai and our AI operations platform (the "Service"). By using the Service, you consent to the practices described in this policy.

1. Overview

DeepMerge is an AI operations platform that helps DTC e-commerce brands automate operational workflows. We process your data to provide the Service, improve our platform, and communicate with you. We do not sell your personal information to third parties.

2. Data We Collect

Information you provide

Account information: Email address, first name, last name, company name, and account description when you register or update your profile
Profile images: Avatar photos uploaded directly or imported from Google when you sign in with Google OAuth
Procedure instructions: The natural language descriptions and policies you write for your procedures
Messages and conversations: All messages exchanged between you and the AI agent during chat sessions
Feedback: Comments and sentiment feedback you provide about procedure performance
Approval decisions: Your responses when reviewing actions proposed by the AI agent
File uploads: Any files you attach to conversations or your account

Information collected automatically

Session data: IP address and browser user agent string, collected when you sign in
Usage data: Chat duration, credit consumption, procedure run history, and feature usage patterns
Device information: Browser type, operating system, and device identifiers derived from your user agent string

Information from third parties

Google OAuth: When you sign in with Google, we receive your name, email address, and profile photo
Stripe: Subscription status, billing period, and payment event data (we do not receive or store your credit card numbers)
Connected integrations: When AI agents execute tasks, they retrieve data from your connected tools. This data passes through DeepMerge during execution but is not permanently stored beyond the conversation record

3. How We Use Your Data

We use your data for the following purposes:

Providing the Service: Processing your procedure instructions, executing workflows, managing your account, and enabling AI agent functionality
Knowledge and learning: Creating vector embeddings of your procedures, decisions, and outcomes to enable contextual retrieval within your account
Billing: Tracking credit consumption, processing subscription payments, and generating usage reports
Communication: Sending transactional emails including magic link sign-in codes, account invitations, and billing alerts
Security: Detecting unauthorized access, verifying sessions, and protecting against fraud
Improvement: Analyzing aggregate usage patterns to improve the Service

4. AI Data Processing

The core of our Service involves sending your data to third-party AI providers for processing.

AI providers we use

Anthropic (Claude): Primary AI provider for agent reasoning, decision-making, and task execution
OpenAI: Used for generating text embeddings that power knowledge retrieval
Perplexity: Used for web-grounded research when agents need current information

Data sent to AI providers

Your procedure instructions and policies
Conversation messages (the context of the current task)
Data retrieved from your connected integrations during task execution
Past decisions and knowledge base entries relevant to the current task

Data NOT sent to AI providers

Your payment method details or credit card numbers
OAuth tokens or API keys for your connected integrations
Your account password or session tokens

We use these AI providers' APIs in configurations that opt out of model training where such options are available. We do not use your data to train AI models.

We share your data with third parties only as necessary to provide the Service:

AI providers (Anthropic, OpenAI, Perplexity) — as described in Section 4
Stripe — for payment processing
SendGrid — for sending transactional emails
Pipedream — for managing integration connections
Google Analytics — for website analytics and usage measurement (see Section 7)
Cloud infrastructure providers — for hosting and file storage

We do not sell, rent, or trade your personal information to any third party for marketing or advertising purposes.

6. Connected Integrations

When you connect third-party tools to DeepMerge:

Authentication credentials (OAuth tokens) are stored and managed by Pipedream, not on DeepMerge servers
During procedure execution, AI agents access data from your connected tools in real time. This data is included in the conversation record
If you configure a custom integration (via MCP), any credentials you provide are encrypted at rest using AES-256 encryption
You may disconnect any integration at any time

7. Cookies & Analytics

We use a minimal cookie approach:

Session cookie: A single signed, HTTP-only cookie (session_token) that identifies your active session. Not accessible to JavaScript. Uses SameSite=Lax for CSRF protection
Analytics cookies: We use Google Analytics (GA4) to measure website usage, including page views, traffic sources, and device information. Google Analytics uses cookies to distinguish users. Google may process this data on servers in the United States. You can opt out using the Google Analytics opt-out browser add-on
No advertising cookies: We do not use advertising or retargeting cookies
No fingerprinting: We do not use browser fingerprinting or similar tracking technologies

Sessions expire after 14 days of inactivity. You can end your session at any time by signing out.

8. Data Storage & Security

Encryption in transit: All data transmitted between your browser and our servers is encrypted using HTTPS (TLS)
Encryption at rest: Sensitive fields are encrypted using Rails Active Record Encryption (AES-256-GCM)
Multi-tenancy isolation: All database queries are scoped to your account at the application level
Access controls: Role-based access control (owner, admin, member)
Sensitive data filtering: API keys, tokens, and credentials are automatically filtered from application logs
File storage: Uploaded files are stored in encrypted cloud storage (S3-compatible) and served over HTTPS

9. Data Retention

Account data: Retained for the lifetime of your account. Upon deletion, we delete your data within 30 days. Backups may retain data for up to 90 days
Conversation records: Retained while your account is active for audit trail and billing verification
Deleted chats: Soft-deleted. Messages are permanently destroyed. Metadata is retained for billing
Webhook records: Automatically purged after 14 days
Sessions: Expired sessions are cleaned up automatically

10. Your Rights

Depending on your jurisdiction, you may have the following rights:

Access: Request a copy of the personal data we hold about you
Correction: Request correction of inaccurate personal data
Deletion: Request deletion of your personal data
Portability: Request your data in a portable, machine-readable format
Objection: Object to certain processing of your personal data
Withdrawal of consent: Withdraw consent at any time where processing is based on consent

To exercise any of these rights, contact us at privacy@deepmerge.ai. We will respond within 30 days.

11. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children.

12. International Data Transfers

DeepMerge is based in Canada. Your data may be processed in Canada, the United States, or other countries where our service providers operate. AI processing through Anthropic, OpenAI, and Perplexity occurs on servers located in the United States.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least 30 days before the changes take effect.

14. Contact

If you have questions about this Privacy Policy, contact us at:

DeepMerge
Email: privacy@deepmerge.ai

For general inquiries: hello@deepmerge.ai