Overview and scope

Deepmerge is a shared workspace that your AI tools, like ChatGPT, Claude, Cursor, and others, read from and write to on your behalf. You create an account, connect the tools you want, and those tools save content such as notes, findings, decisions, files, and links into your workspace.

Our guiding principle is to collect only what we need to run the service, keep it secure, and bill for it. We do not sell your personal information, we do not share it for advertising, and we do not use your content to train AI models. The content in your workspace belongs to you.

This policy covers the Deepmerge website and application. It does not cover the separate AI tools you connect. Those tools are run by other companies under their own terms and privacy policies, and you should review them before connecting a tool.

Who we are and who controls your data

In this policy, "Deepmerge", "we", "us", and "our" refer to the operator of the Deepmerge service. We are based in Toronto, Ontario, Canada.

For the personal information described here, Deepmerge acts as the data controller. For the content your connected tools save into your workspace, Deepmerge acts as a processor handling that content on your behalf and on your instructions.

If you have questions about this policy or how we handle your information, contact us at support@deepmerge.ai.

Information you provide

When you create an account, we collect the information needed to set it up and identify you:

Your name.
Your email address.
Your password, which is stored only as a secure hash, or, if you choose Google sign-in, an identifier from Google instead of a password.
Billing details if you subscribe to a paid plan, which are handled by our payment processor. We do not store full card numbers on our systems.

If you contact us for support, we also keep the messages you send and our replies so we can help you and keep a record of the request.

Content your connected tools save

The core of the service is the content your connected AI tools create on your behalf. This includes notes, findings, decisions, files, links, and similar items, along with the text you and your tools put into them.

This content is yours. We store it so your workspace works, we index it so it can be searched, and we keep a history of changes so you can see how it evolved. We do not read your content to build profiles, we do not use it for advertising, and we do not use it to train AI models.

Because connected tools write content on your behalf, that content may include information about other people if you or your tools choose to save it. You are responsible for making sure you have the right to save such information in your workspace.

Activity log and technical data

To run and secure the service and to give you a clear record of what your tools did, we keep an activity log. It records what each connected tool read and wrote and when.

We also collect basic technical information that is normal for running a web service:

Your IP address.
Your browser type and device information.
Dates, times, and basic details of requests made to the service.

We use this information to operate the service, diagnose problems, prevent abuse, and protect the security of your account and our systems.

How search works

To let you and your tools find saved content quickly, we turn that content into a private search index. To build the index we send content to a third-party embeddings provider through its API, which returns a numeric representation we store and search against.

This index is private to your workspace. The embeddings provider processes the data only to return the result we asked for, and that data is not used to train its models.

Cookies and similar technologies

We use cookies and similar technologies only to keep you signed in and to keep your session secure. These are necessary for the service to work.

We do not use advertising cookies, and we do not track you across other websites for advertising. Because we only use cookies that are needed to run the service, there is nothing to opt out of for advertising.

How we use your information

We use the information described above for a limited set of purposes:

To provide the service, including storing your content, running search, and keeping a history of changes.
To create and manage your account and authenticate you when you sign in.
To let your connected tools read and write content on your behalf and to record that activity.
To process payments and manage subscriptions for paid plans.
To send service messages, such as sign-in, billing, and security notices.
To secure the service, detect and prevent abuse, and troubleshoot problems.
To comply with our legal obligations and enforce our terms.

We do not use your information for advertising, we do not sell it, and we do not use your content to train AI models.

Legal bases for processing

If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases under the GDPR and UK GDPR to process your personal information:

Performance of a contract, to provide the service you signed up for and to process payments.
Legitimate interests, to keep the service secure, prevent abuse, troubleshoot problems, and operate our business, where those interests are not overridden by your rights.
Consent, where we ask for it, such as for optional Google sign-in, which you can withdraw at any time.
Legal obligation, to meet requirements such as tax, accounting, and responding to lawful requests.

How connected tools and access work

When you connect an AI tool, we issue that tool a scoped, revocable access token. The token lets the tool act in your workspace within the limits you grant, such as reading content, writing content, or both.

You can review which tools are connected and revoke a tool's access at any time from your account. Revoking access stops that tool from reading or writing further. Content the tool already saved stays in your workspace until you change or delete it.

Every action a connected tool takes is recorded in the activity log, so you always have a record of which tool read or wrote what.

Service providers and subprocessors

We use a small number of trusted service providers, sometimes called subprocessors, to run the service. They process information only to provide their service to us and are bound to protect it. We use the following categories of provider:

A cloud hosting provider, to run the application and store data.
A payment processor, to handle subscription billing.
A transactional email provider, to send service messages such as sign-in and billing notices.
An embeddings provider, to turn saved content into the private search index.
Google, only if you choose to sign in with Google.

We do not sell your personal information or your content, we do not share it for advertising, and we do not use your content to train AI models. We do not allow our providers to use your information for their own purposes.

International data transfers

We are based in Canada, and our service providers may store or process information in Canada, the United States, or other countries. This means your information may be transferred to and processed in a country different from where you live.

When we transfer personal information from the European Economic Area, the United Kingdom, or Switzerland to a country that does not have an equivalent level of protection, we rely on appropriate safeguards, such as Standard Contractual Clauses, to protect that information.

Data retention

We keep your account information and your content for as long as your account is open, so the service works as you expect. When you delete content, or close your account, we delete the associated information from our active systems within a reasonable period, except where we must keep some of it to meet a legal, tax, or security obligation.

How long we keep your activity history depends on your plan:

On the Free plan, we keep activity history for 30 days.
On the Team plan, we keep activity history for the life of your account.

Backups are kept for a limited period and then overwritten on a rolling basis.

How we secure your data

We take reasonable measures to protect your information. We encrypt data in transit, store passwords only as secure hashes, scope and limit the access tokens we issue to connected tools, and restrict internal access to what is needed to run the service.

No method of storage or transmission is completely secure, so we cannot guarantee absolute security. If we become aware of a security incident that affects your personal information, we will notify you and the relevant authorities where the law requires it.

Your rights and choices

You have rights over your personal information. Depending on where you live, these may include the right to access your information, correct it, export a copy, delete it, object to or restrict certain processing, and withdraw consent you have given.

Some of these are available directly in the product: you can edit your account details, manage connected tools, and change or delete content at any time. For access, correction, export, or deletion that you cannot complete yourself, email us at support@deepmerge.ai and we will help.

We will respond within the time the applicable law requires. We will not discriminate against you for exercising your rights. If you are in the EEA or the UK, you also have the right to complain to your local data protection authority.

California privacy notice

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, gives you specific rights. You have the right to know what personal information we collect and how we use and disclose it, to request access to and deletion of your personal information, to correct inaccurate information, and to be free from discrimination for exercising these rights.

We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We do not use or disclose sensitive personal information for purposes that would require an opt-out under California law.

To exercise your California rights, email us at support@deepmerge.ai. We will verify your request before acting on it, and you may use an authorized agent to make a request on your behalf.

Canadian privacy notice

We are based in Canada, and we handle personal information in line with the Personal Information Protection and Electronic Documents Act, known as PIPEDA, and applicable provincial privacy laws.

You have the right to access the personal information we hold about you and to ask us to correct it if it is inaccurate or incomplete. To make a request, email us at support@deepmerge.ai, and we will respond within the time PIPEDA requires. If you are not satisfied with how we handle a privacy concern, you may contact the Office of the Privacy Commissioner of Canada.

Children

The service is not directed to children, and it is not intended for anyone under the age of 16. We do not knowingly collect personal information from children under 16.

If you believe a child under 16 has provided us with personal information, contact us at support@deepmerge.ai and we will delete it.

Changes to this policy

We may update this policy from time to time as the service evolves or the law changes. When we do, we will revise the effective date at the top, and for significant changes we will provide a more prominent notice, such as by email or in the product.

Your continued use of the service after a change takes effect means you accept the updated policy.

Contact us

If you have any questions, concerns, or requests about this policy or your personal information, email us at support@deepmerge.ai.

We will do our best to resolve any concern you raise directly with us.