Privacy Policy

MergeControl

Last updated: 01.01.2026

This Privacy Policy explains how MergeControl, operated by Nodion ("we", "us", "our"), processes personal data when you use our Git hosting and collaboration services ("Service"). We take data protection seriously and process personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable German data protection laws.

1. Controller

The data controller responsible for processing your personal data is:

Nodion GmbH
Königstraße 27
70173 Stuttgart
team@nodion.com

2. Scope of This Policy

This Privacy Policy applies to:

the MergeControl website
the MergeControl application and APIs
all related services operated by Nodion

It does not apply to third-party services you may integrate with MergeControl.

3. Principles

We follow these core principles:

No tracking for advertising
No sale of personal data
Data minimization
All data hosted in Germany
EU jurisdiction

4. Data We Process

4.1 Account and Usage Data

When you create and use an account, we may process:

name or username
email address
authentication credentials (hashed)
repository metadata (names, access rights, timestamps)
IP address (for security and abuse prevention only)

4.2 Repository Content

You may upload source code and related data ("Content").

You retain full ownership of your Content

We process Content only to provide the Service

We do not analyze Content for advertising or profiling

4.3 CI/CD and Logs

For operational and security purposes, we may process:

build and job logs
system and error logs
access logs

Logs are retained only as long as necessary for:

security
debugging
legal compliance

5. What We Do Not Do

We explicitly do not:

track users across websites
use advertising or marketing trackers
sell or rent personal data
create user profiles for advertising
use data for AI training without explicit consent

6. Legal Bases for Processing

We process personal data under the following GDPR legal bases:

Art. 6(1)(b) GDPR — performance of a contract
Art. 6(1)(c) GDPR — legal obligations
Art. 6(1)(f) GDPR — legitimate interests (security, abuse prevention)

7. Data Location and Transfers

All data is stored and processed in Germany
We do not transfer personal data outside the EU by default
If transfers are required, they are safeguarded under GDPR requirements

8. Data Retention

We retain personal data only as long as necessary to:

provide the Service
comply with legal obligations
ensure security and integrity

You may delete repositories or accounts at any time. Data will be deleted or anonymized within a reasonable period, unless legal retention obligations apply.

9. Your Rights

Under the GDPR, you have the right to:

access your personal data
rectify inaccurate data
erase personal data ("right to be forgotten")
restrict processing
data portability
object to processing

To exercise your rights, contact us at:
team@nodion.com

10. Security Measures

We implement appropriate technical and organizational measures, including:

encryption in transit
access controls
separation of customer data
regular security reviews

No system is completely secure, but we take reasonable steps to protect your data.

11. Processors and Subprocessors

We may use trusted service providers ("processors") for infrastructure and operations.

All processors:

are contractually bound under GDPR Art. 28
process data only on our instructions
are located within the EU or adequately safeguarded

A list of subprocessors can be provided upon request.

12. Changes to This Policy

We may update this Privacy Policy from time to time.

Changes will be published on this page and become effective upon publication. Continued use of the Service constitutes acceptance of the updated policy.

13. Contact and Complaints

If you have questions or concerns about data protection, contact:

Nodion GmbH
Königstraße 27
70173 Stuttgart
team@nodion.com