Privacy Policy
Last updated: February 26, 2026
1. Introduction & Data Controller Identity
Welcome to Pull Review. This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you visit our website at getpullreview.com, use our early access waitlist, interact with our live chat, or use our Pull Review Slack bot integration with GitHub.
Pull Review is currently a pre-incorporation entity operating under the product name “Pull Review.” For the purposes of this Privacy Policy and applicable data protection legislation, Pull Review acts as the data controller in respect of personal data collected through the website and waitlist, and as a data processor in respect of workspace and repository metadata processed on behalf of teams that install the Pull Review Slack bot.
Contact Information:
- Product Name: Pull Review
- Website: https://getpullreview.com
- Contact Email: support@getpullreview.com
- Privacy Inquiries: support@getpullreview.com
We do not currently have a designated Data Protection Officer (DPO). If you have any questions or concerns about how we handle your personal data, please contact us directly at support@getpullreview.com. We will update this policy upon incorporation and DPO appointment, and will notify users of any material changes as described in Section 14.
We are committed to protecting your privacy and handling your data in a transparent, lawful, and responsible manner consistent with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), Brazil's Lei Geral de Proteção de Dados (LGPD), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), the UK Data Protection Act 2018, and other applicable privacy laws.
2. Scope
This Privacy Policy applies to:
- All visitors to getpullreview.com and any subdomains we operate
- Individuals who submit their email address or other information via our early access waitlist or any other form hosted on or linked from our website
- Individuals who interact with our Tawk.to live chat widget on our website
- Team administrators, workspace owners, and individual users whose Slack workspaces have installed or are evaluating the Pull Review Slack bot integration
- GitHub users whose pull request metadata is processed through the Pull Review GitHub API integration, where that integration has been authorized by a workspace administrator
This Policy does not apply to:
- Third-party websites, platforms, or services that we link to. Those third parties have their own privacy policies and we are not responsible for their data practices.
- The internal Slack or GitHub platforms themselves. Slack's and GitHub's own privacy policies govern your use of those platforms directly.
If you are a resident of the European Economic Area (EEA), the United Kingdom, Switzerland, Brazil, Canada, or California, please pay particular attention to Sections 5, 9, 11, and 15, which contain information specifically relevant to your jurisdiction.
3. What Personal Data We Collect
We collect the minimum data necessary to operate our product and improve our services. Below is a detailed breakdown organized by source.
3.1 Website Visitors (General)
When you visit getpullreview.com, our hosting infrastructure (Vercel) automatically receives standard server log data, which may include: IP address, browser type and version, operating system, referring URL, pages visited and time spent, date and time of visit, and HTTP request headers.
3.2 Early Access Waitlist (Fillout.com Forms)
When you submit our early access waitlist form hosted via Fillout.com, we collect:
- Email address — the primary field we request and require
- Any additional fields you voluntarily complete if present on the form
- Submission timestamp
- Form submission metadata collected by Fillout (see Section 8 for Fillout's role as a sub-processor)
3.3 Live Chat (Tawk.to Widget)
Our website embeds a live chat widget provided by Tawk.to. If you initiate or engage with a chat session, the following data may be collected: your name (if voluntarily provided), your email address (if voluntarily provided), the content of your chat messages and the full chat transcript, your IP address, browser and device information, geographic region (derived from IP), and session duration.
Even if you do not initiate a chat, the Tawk.to widget script loads on our pages and may set cookies in your browser if you have accepted cookies. Please see Section 7 for full details.
3.4 Slack Bot Integration
When a Slack workspace administrator installs the Pull Review Slack bot, we collect and process:
Workspace-Level Data: Slack workspace ID, workspace name, bot access token (stored securely), channel names and IDs, webhook URLs.
User-Level Data: Slack user display names and user IDs. We do not collect Slack profile photos, email addresses from Slack, phone numbers, or any other profile fields beyond display name and user ID.
Message Content: We send formatted messages to authorized Slack channels. We do not store the content of messages sent by human users in Slack channels.
3.5 GitHub API Integration
Pull Review integrates with the GitHub API to retrieve pull request metadata. We explicitly do not access, read, store, or transmit source code. Our GitHub integration accesses only: PR titles, descriptions, authors (GitHub usernames), requested and assigned reviewers, PR status, CI/pipeline status, number of files changed, lines added/removed, PR labels, and comment counts (number, not content).
3.6 Future Analytics (Planned)
We intend to implement web analytics at a future date. When we do, we will update this Privacy Policy before implementation and provide appropriate notice and consent mechanisms.
4. How We Collect Personal Data
Directly from you:
- When you complete and submit a form on our website
- When you initiate or participate in a live chat session
- When you contact us by email
- When a Slack workspace administrator installs Pull Review
Automatically through technical systems:
- Server and infrastructure logs collected by Vercel
- Cookies set by the Tawk.to widget (see Section 7)
- Slack API data returned following installation
- GitHub API data returned following authorization
We do not purchase personal data from data brokers. We do not obtain personal data from social media platforms. We do not scrape public profiles or directories.
5. Legal Basis for Processing (GDPR Article 6)
This section is specifically relevant to individuals in the European Economic Area, the United Kingdom, and Switzerland.
5.1 Providing the Pull Review Service
Legal Basis: Article 6(1)(b) — Performance of a Contract. Processing of Slack workspace data, channel data, user display names, and GitHub PR metadata is necessary to deliver the service.
5.2 Early Access Waitlist Communications
Legal Basis: Article 6(1)(a) — Consent. When you submit your email address, you provide explicit consent for us to contact you about Pull Review's launch and product updates. You may withdraw consent at any time.
5.3 Responding to Live Chat and Support Inquiries
Legal Basis: Article 6(1)(f) — Legitimate Interests. Our legitimate interest is in providing customer support and answering product questions.
5.4 Website Security and Infrastructure Logs
Legal Basis: Article 6(1)(f) — Legitimate Interests. We process IP addresses and server log data to maintain security and prevent abuse.
5.5 Compliance with Legal Obligations
Legal Basis: Article 6(1)(c) — Legal Obligation. We may process personal data where necessary to comply with applicable law.
6. How We Use Personal Data
6.1 Delivering Pull Review Functionality
We use Slack workspace data, channel IDs, user display names, and GitHub PR metadata to identify which PRs require review, determine the appropriate Slack channel, format and deliver PR summary messages, provide CI/pipeline status alerts, and identify assigned reviewers. Legal basis: Performance of contract (Section 5.1).
6.2 Waitlist and Product Launch Communications
We use your email to confirm your waitlist submission, notify you when Pull Review launches, and share material product updates. You can unsubscribe at any time via the link in any email or by emailing us. Legal basis: Consent (Section 5.2).
6.3 Customer Support
We use data you provide in live chat or email to respond to questions, troubleshoot issues, and improve our product. Legal basis: Legitimate interests (Section 5.3).
6.4 Security and Abuse Prevention
We use server log data and IP addresses to detect and block malicious traffic, monitor uptime, and investigate security incidents. Legal basis: Legitimate interests (Section 5.4).
6.5 What We Do Not Do
- We do not sell your personal data to any third party
- We do not use your data to build advertising profiles
- We do not share your data with advertising networks or data brokers
- We do not access GitHub source code
- We do not process your data for automated decision-making that produces legal or similarly significant effects
8. Data Sharing & Third-Party Processors
We do not sell your personal data. We do not share your personal data with third parties for their own marketing purposes. We share data only as follows:
8.1 Named Sub-Processors
Vercel, Inc. — Website hosting and deployment infrastructure. Processes server logs, IP addresses, page visit data. Location: United States (with global CDN).
Fillout, Inc. — Form hosting for early access waitlist. Processes email addresses and voluntary form fields. Location: United States.
Tawk.to Inc. — Live chat widget infrastructure. Processes chat transcripts, names, emails, IP addresses, cookies. Location: United States.
Slack Technologies, LLC — Platform through which Pull Review is delivered. An independent data controller with respect to your Slack data.
GitHub, Inc. — Platform from which Pull Review reads PR metadata. An independent data controller with respect to your GitHub data.
Future Email Platform (TBD) — Transactional and product update email delivery (planned). We will update this Policy before migrating email data.
8.2 Other Disclosures
- Legal requirements: We may disclose personal data where required by applicable law.
- Business transfers: If Pull Review is acquired or merged, personal data may be transferred with notice to you.
- Professional advisors: We may share data with attorneys, accountants, and auditors subject to confidentiality obligations.
9. International Data Transfers
Our primary service providers — Vercel, Fillout, Tawk.to — are based in the United States. When you use our services, your personal data is transferred to and processed in the United States.
9.1 Transfers from the EEA and UK
We rely on Standard Contractual Clauses (SCCs) for transfers to US-based sub-processors. Where applicable, we also rely on the EU-US Data Privacy Framework (DPF) certifications held by our sub-processors. We conduct transfer impact assessments and implement supplementary technical measures (encryption in transit and at rest).
9.2 Transfers from Brazil (LGPD)
We rely on standard contractual clauses approved by the ANPD, or equivalent contractual safeguards.
9.3 Transfers from Canada (PIPEDA)
Transfers are conducted in accordance with PIPEDA's accountability principle, under which we remain responsible for data transferred to third parties.
9.4 Geographic Location of Data Processing
- Website hosting (Vercel): US and global CDN edge nodes
- Form submissions (Fillout): United States
- Live chat (Tawk.to): United States
- Slack integration: Processed within your workspace's data residency configuration and on our servers
- GitHub integration: Processed in our hosting environment (Vercel, US)
10. Data Retention
We retain personal data only as long as necessary to fulfill the purposes described in this Policy, or as required by applicable law.
- Waitlist email addresses: Until you unsubscribe or request deletion, or until 24 months after product launch (whichever comes first).
- Live chat transcripts: 12 months from the date of the chat session.
- Server/infrastructure logs (Vercel): 30–90 days per Vercel's policies.
- Slack bot configuration data: Duration of active installation. Deleted within 30 days of uninstallation.
- GitHub integration metadata: Processed in-flight; configuration data deleted within 30 days of disconnection.
- Slack user display names: Looked up at runtime via the Slack API; not stored long-term.
- Support correspondence (email): 36 months.
We may retain data longer where required by law or to establish, exercise, or defend legal claims. When retention periods expire, we delete or anonymize data using secure deletion procedures.
11. Your Privacy Rights
11.1 Rights Under the GDPR (EEA, UK, Switzerland)
- Right of Access (Art. 15): Obtain confirmation and a copy of your personal data.
- Right to Rectification (Art. 16): Have inaccurate data corrected.
- Right to Erasure (Art. 17): Request deletion of your data in certain circumstances.
- Right to Restriction (Art. 18): Request that we restrict processing in certain cases.
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing.
- Right to Withdraw Consent: Withdraw consent at any time without affecting the lawfulness of prior processing.
11.2 Rights Under the CCPA/CPRA (California)
- Right to Know: Request disclosure of categories and specific pieces of personal information collected.
- Right to Delete: Request deletion of personal information, subject to exceptions.
- Right to Correct: Request correction of inaccurate information.
- Right to Opt-Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioral advertising.
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights.
11.3 Rights Under the LGPD (Brazil)
Brazilian residents have rights including: confirmation of processing, access, correction, anonymization/blocking/deletion, portability, deletion of data processed with consent, information about shared data, revocation of consent, and review of automated decisions. Contact us at support@getpullreview.com. You may also file a complaint with the ANPD at gov.br/anpd.
11.4 Rights Under PIPEDA (Canada)
Canadian residents have the right to know whether we hold personal information, access and correct it, challenge our compliance, and withdraw consent. You may file a complaint with the Office of the Privacy Commissioner of Canada.
11.5 How to Exercise Your Rights
Email support@getpullreview.com with the subject line “Privacy Rights Request.” Include: your name (if applicable), email address associated with your account or waitlist submission, the specific right(s) you wish to exercise, and any information that helps us identify your data.
Response timeframes:
- GDPR/UK GDPR: 30 days (extendable by 60 days for complex requests)
- CCPA/CPRA: 45 days (extendable by 45 days)
- LGPD: 15 days
- PIPEDA: 30 days
12. Data Security
12.1 Technical Measures
- Encryption in transit: All data is encrypted using TLS 1.2 or higher.
- Encryption at rest: Personal data stored in our systems is encrypted using AES-256 or equivalent.
- Access controls: Role-based access restricted to authorized personnel on a need-to-know basis. Multi-factor authentication for administrative access.
- API token security: Slack and GitHub credentials stored using secrets management best practices.
12.2 Organizational Measures
We follow the principle of least privilege, select sub-processors who maintain appropriate security standards, and follow secure development practices including code review.
12.3 Breach Notification
In the event of a personal data breach likely to result in risk to your rights:
- GDPR/UK GDPR: Supervisory authority notified within 72 hours; individuals notified without undue delay for high-risk breaches.
- CCPA/CPRA: Affected California residents notified per California Civil Code Section 1798.82.
- Other jurisdictions: Applicable breach notification laws will be followed.
13. Children's Privacy
Pull Review is a business tool designed for software engineers, technical leads, and technology decision-makers. It is not directed at children. We do not knowingly collect personal data from individuals under the age of 16.
If you are a parent or guardian and believe your child under 16 has provided personal data to us, please contact us immediately at support@getpullreview.com. We will promptly delete such data.
14. Changes to This Policy
We may update this Privacy Policy to reflect changes in our data practices, applicable law, or our business operations. The “Last Updated” date at the top indicates when this policy was most recently revised.
For material changes — changes that significantly affect your rights or how we process your data — we will provide at least 30 days' advance notice via email to waitlist subscribers, via bot message to active workspace administrators, and via a prominent website notice.
Material changes include: adding new categories of personal data, adding sub-processors that process sensitive data, changing legal bases in ways that limit your rights, significantly changing retention periods, introducing automated decision-making, or changes to breach notification procedures.
We maintain a version history of prior versions. Contact support@getpullreview.com to review a prior version.
15. Contact Us & Complaints
15.1 How to Contact Us
For questions, concerns, or requests related to this Privacy Policy, contact us at:
Pull Review
Privacy Inquiries
Email: support@getpullreview.com
Website: getpullreview.com
We aim to respond within 5 business days and to resolve requests within the timeframes specified in Section 11. Please include “Privacy” or “Data Request” in the subject line.
15.2 Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority:
- EEA residents: Contact your local supervisory authority. Full list at edpb.europa.eu
- UK residents: Information Commissioner's Office (ICO)
- Swiss residents: Federal Data Protection Commissioner (FDPIC)
- Brazilian residents: ANPD
- Canadian residents: Office of the Privacy Commissioner of Canada
- California residents: California Privacy Protection Agency or California Attorney General
15.3 EU & UK Representatives
As a pre-incorporation entity, we are assessing whether Article 27 GDPR requires us to appoint an EU representative, and similarly for the UK. If applicable, we will appoint representatives and update this Policy with their contact details. For now, please direct all privacy inquiries to support@getpullreview.com.