Last updated: 2026-06-23
Short version: MergeChain has no backend server. It stores your GitHub credential locally in your browser and talks only to GitHub (github.com and api.github.com). Nothing is sent to the developer or any third party. The extension has no analytics, tracking, or ads.
chrome.storage.local on your own device. It is never synced to any cloud and never transmitted anywhere except GitHub's own API over HTTPS.chrome.storage.local.The extension's background service worker is the only component that holds the token; the GitHub web pages you browse never receive it.
https://api.github.com and https://github.com, authenticated with your token, to read pull requests, read the open-PR list, and update a pull request's description (to store the dependency marker). These go directly from your browser to GitHub. The developer receives none of it.The extension and this website are separate. The extension contains no analytics. The website (mergechain.dev) uses privacy-friendly analytics to count visits: Cloudflare Web Analytics (cookieless) and Google Analytics. Those run only on the website, never inside the extension or on the GitHub pages you browse. This privacy-policy page is served without any analytics.
storage: to save your token and settings locally.github.com and api.github.com: to read and update PR dependency data and to inject the dependency UI on PR pages. No other hosts are requested; verify in chrome://extensions > Details > site access.Uninstalling the extension removes all locally stored data (token and settings). Dependency markers already written into PR descriptions remain in those PRs; edit a PR description on GitHub to remove them, or use the extension's remove controls before uninstalling. You can revoke the token any time from GitHub > Settings > Applications.
Questions about this policy: @oleg-koval on GitHub.