Privacy Policy
Last updated: May 12, 2026
This Privacy Policy explains how Mercure Technologies (“we”, “us”, “DiffSight”) collects, uses and protects your personal data when you use the DiffSight desktop application, the website at diffsight.dev and any related services (the “Service”).
We are committed to protecting your privacy and processing your personal data in accordance with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.
1. Data controller
The data controller is:
- Mercure Technologies
- 8 rue du Parc, 92300 Levallois-Perret, France
- SIRET: 818 540 478 00059
- Contact: support@diffsight.dev
We have not appointed a Data Protection Officer (DPO) because we are not legally required to do so. For any data protection question, you can contact us at the email address above.
2. A few important things to know first
Before listing the details, here are the principles we follow:
- DiffSight runs locally on your device. Your code, diffs, files and any content you analyze stay on your machine. We do not receive, store or process the content of your repositories.
- Your AI API keys are stored locally. When you connect DiffSight to OpenAI or Anthropic, you provide your own API keys. These keys are stored locally on your device and never transmitted to our servers.
- We only collect what we need to operate your account, validate your license, deliver updates, send transactional emails and improve the Service.
- We do not sell your personal data. Ever.
3. What personal data we collect
3.1 Data you provide to us directly
When you create an account or use the Service, we collect:
| Data | Purpose |
|---|---|
| First name and last name | Identifying you in the Service and in invoices |
| Email address | Account login, transactional emails (license, password reset, account changes) |
| Password (hashed) | Authentication (we use a one-way cryptographic hash; we never store passwords in plaintext) |
| Company (optional) | Personalization, B2B usage statistics |
| Job title / position (optional) | Personalization, B2B usage statistics |
| Authentication provider data | If you sign in with GitHub or Google, we receive your name, email and provider user ID |
3.2 Data collected automatically
When you use the Service, we automatically collect:
| Data | Purpose |
|---|---|
| IP address | Security, abuse prevention, rough geolocation for compliance |
| Browser type, device type, OS | Service compatibility, debugging |
| Pages viewed, referrer | Understanding how users discover and use the website |
| Server logs (timestamp, endpoint, response code) | Security, debugging, abuse prevention |
| License activation data (machine identifier, activation date) | License enforcement, anti-fraud |
3.3 Payment data
When you purchase a subscription, payment data (credit card details, billing address, VAT number) is collected and processed directly by Lemon Squeezy, our Merchant of Record. We do not see or store your credit card information. We only receive the minimum information necessary to associate your subscription with your DiffSight account (email, subscription status, plan).
3.4 What we do NOT collect
We do not collect:
- The content of your code, pull requests, diffs or repositories.
- Your OpenAI, Anthropic, GitHub or GitLab API keys or tokens.
- Any content you analyze with DiffSight on your device.
DiffSight communicates with GitHub, GitLab, OpenAI and Anthropic directly from your device, not through our backend.
4. Why we process your data (legal bases)
Under the GDPR, we process your personal data on the following legal bases:
- Performance of a contract (Article 6(1)(b) GDPR): to provide the Service, manage your account, validate your license and process your subscription.
- Legitimate interests (Article 6(1)(f) GDPR): to secure the Service, prevent fraud and abuse, debug issues, and improve DiffSight. We make sure that these interests do not override your fundamental rights.
- Legal obligation (Article 6(1)(c) GDPR): to comply with our legal obligations, including accounting and tax laws.
- Consent (Article 6(1)(a) GDPR): for optional analytics and marketing communications, where applicable. You can withdraw your consent at any time.
5. How long we keep your data
We keep your personal data only for as long as necessary for the purposes described in this Policy:
| Data | Retention |
|---|---|
| Account data (name, email, etc.) | While your account is active, plus 30 days after deletion |
| Server logs | 12 months maximum |
| Billing-related data | 10 years (French legal obligation for accounting) |
| Marketing email opt-in | Until you unsubscribe |
| Waitlist email (if you signed up before release) | Until product launch + 12 months, or until you unsubscribe |
After these retention periods, your data is deleted or anonymized.
6. Who we share your data with
We share your personal data with third-party service providers (“sub-processors”) that help us operate the Service. Each sub-processor processes your data on our behalf, under a contractual agreement (Data Processing Agreement) and with appropriate safeguards.
| Sub-processor | Role | Location | Data shared |
|---|---|---|---|
| Hetzner Online GmbH | Hosting of our backend and database | Germany or Finland (EU) | All account and license data |
| Vercel Inc. | Hosting of our landing page (diffsight.dev) | United States (with EU region option) | IP address, browser data of website visitors |
| Cloudflare Inc. | Storage and delivery of application updates (R2) | United States (multi-region) | IP address, requested file, timestamp |
| Lemon Squeezy (Paddle.com Market Ltd.) | Payment processing, Merchant of Record, license keys | United States | Email, billing data, payment details, subscription status |
| PostHog | Product and website analytics (consent-based) | EU (Frankfurt, Germany) — PostHog Cloud EU | Pseudonymous usage events, page views, device and browser information, anonymous identifier |
| Vercel Analytics | Website traffic analytics | United States | Pseudonymous page view data |
We may add new sub-processors over time. We will update this list when we do.
We do not sell your personal data to third parties.
7. International data transfers
Some of our sub-processors are based in the United States (Vercel, Cloudflare, Lemon Squeezy).
When we transfer your personal data outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- EU-US Data Privacy Framework (DPF) certification, where the sub-processor is certified.
You may request a copy of these safeguards by contacting us at support@diffsight.dev.
8. Security
We take reasonable technical and organizational measures to protect your personal data, including:
- HTTPS encryption in transit for all communications with our backend.
- Hashed passwords (we never store passwords in plaintext).
- Restricted access to the database and infrastructure.
- Regular software updates and security monitoring.
- Backups of our database.
However, no security measure is 100% effective. We cannot guarantee absolute security of your data. If we ever become aware of a personal data breach affecting you, we will notify you and the competent supervisory authority (the French CNIL) in accordance with the GDPR.
9. Your rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access — You can ask us what data we hold about you and request a copy.
- Right to rectification — You can ask us to correct inaccurate or incomplete data.
- Right to erasure (“right to be forgotten”) — You can ask us to delete your data, subject to legal retention obligations (e.g. accounting).
- Right to restriction of processing — You can ask us to limit how we use your data in certain circumstances.
- Right to data portability — You can request a machine-readable copy of the data you provided to us.
- Right to object — You can object to certain processing based on legitimate interests or for direct marketing purposes.
- Right to withdraw consent — Where processing is based on your consent, you can withdraw it at any time.
- Right to lodge a complaint — You can lodge a complaint with the French data protection authority (CNIL: https://www.cnil.fr) or your local supervisory authority.
To exercise these rights, contact us at support@diffsight.dev. We will respond within one month.
10. Cookies and similar technologies
On our website (diffsight.dev), we use a limited number of cookies and similar technologies. For a full and up-to-date list, see our Cookie Policy.
- Strictly necessary cookies — required for the site to function and to remember your cookie consent choice. These do not require consent.
- Vercel Analytics — privacy-friendly audience measurement. Vercel Analytics does not use cookies or persistent identifiers; it computes a hash from the incoming request and discards session data after 24 hours. Because no information is stored on or read from your device, this measurement falls within the audience-measurement exemption of the ePrivacy Directive and does not require prior consent. You can opt out at any time from our Cookie Policy page.
- PostHog (analytics, consent-based) — PostHog is hosted on PostHog Cloud EU (Frankfurt, Germany). PostHog is loaded only after you accept tracking through our consent banner. It uses first-party cookies and similar storage to measure usage and improve the Service. You can withdraw your consent at any time from our Cookie Policy page.
The DiffSight desktop application does not use cookies in the traditional sense, but stores local configuration data (license, settings, your AI API keys) on your device.
11. Children
DiffSight is not intended for children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us at support@diffsight.dev and we will delete it.
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The updated version will be posted at diffsight.dev/privacy with a new “Last updated” date.
For material changes, we will notify you by email or through the Service. Continued use of the Service after the effective date constitutes acknowledgement of the updated Policy.
13. Contact us
For any question about this Privacy Policy or our processing of your personal data:
- Email: support@diffsight.dev
- Postal address: Mercure Technologies, 8 rue du Parc, 92300 Levallois-Perret, France
You can also lodge a complaint with the French data protection authority:
- CNIL — 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France — https://www.cnil.fr