Privacy Policy
Last updated: January 25, 2026
Merge Combinator LLC ("Merge Combinator," "we," "our," or "us") operates the mergecombinator.com website and related digital services, including the Defense Builders platform. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our services.
Summary: We collect only the information necessary to provide our services. We do not sell your personal data. You have rights to access, correct, and delete your information.
1. Information We Collect
Information You Provide Directly
When you interact with our services, you may provide us with:
- Account Information: Name, email address, and other identifiers when you create an account or authenticate through our identity provider (VIA)
- Profile Information: Professional information, company affiliation, and role when you complete your Defense Builders profile
- Application Information: Information submitted when applying to programs such as SigmaBlox or requesting platform access
- Communications: Messages, feedback, or inquiries you send to us
Information Collected Automatically
When you use our services, we automatically collect:
- Device Information: Browser type, operating system, device type, and screen resolution
- Usage Data: Pages visited, features used, time spent on pages, and navigation patterns
- Log Data: IP address, access times, referring URLs, and error logs
- Session Data: Authentication state and session identifiers
Information from Third Parties
We may receive information from:
- Authentication Providers: When you sign in using Google or other Single Sign-On (SSO) providers, we receive your name, email, and profile picture
- Partner Platforms: Information from SigmaBlox, Airtable, or other integrated services about your participation in our programs
2. How We Use Your Information
We use your information to:
- Provide Services: Authenticate your identity, display the Defense Builders directory, and enable platform features
- Process Applications: Evaluate program applications and communicate with applicants
- Improve Our Services: Analyze usage patterns to enhance user experience and fix issues
- Communicate: Send service updates, security alerts, and (with consent) newsletters and announcements
- Maintain Security: Detect and prevent fraud, abuse, and unauthorized access
- Comply with Law: Meet legal obligations and respond to lawful requests
3. Authentication and VIA
We use VIA (Verified Identity Access), our authentication system powered by Authentik, to secure access to protected features of our platform.
Data Processed During Authentication
| Data Type | Purpose | Retention |
|---|---|---|
| Email address | Account identification | Duration of account |
| Display name | Personalization | Duration of account |
| OAuth tokens | Session management | Session duration (typically 24 hours) |
| Session cookies | Authentication state | Session duration |
| Login timestamps | Security auditing | 90 days |
Third-Party SSO Providers
When you authenticate using Google or other SSO providers, those providers share limited profile information with us according to their own privacy policies. We encourage you to review:
4. Cookies and Tracking Technologies
Types of Cookies We Use
| Cookie Type | Purpose | Duration |
|---|---|---|
| Essential Cookies | Authentication, security, and site functionality | Session or up to 7 days |
| Preference Cookies | Remember your settings and preferences | Up to 1 year |
| Analytics Cookies | Understand usage patterns and improve services | Up to 2 years |
Managing Cookies
Most web browsers allow you to control cookies through their settings. You can:
- Block all cookies
- Accept only first-party cookies
- Delete cookies when you close your browser
Note that blocking essential cookies may prevent you from accessing authenticated features of our platform.
Do Not Track
We honor Do Not Track (DNT) signals from your browser. When DNT is enabled, we limit data collection to essential functionality only.
5. Information Sharing and Disclosure
We do not sell your personal information.
We may share your information with:
- Service Providers: Third parties that help us operate our services (hosting, email delivery, analytics) under strict data protection agreements
- Partners: With your consent, we may share information with program partners (e.g., SigmaBlox cohort organizers, Defense Builders network members)
- Legal Requirements: When required by law, court order, or government request
- Business Transfers: In connection with a merger, acquisition, or sale of assets
- Safety: To protect the rights, safety, and property of Merge Combinator, our users, or the public
Service Providers
Our key service providers include:
- Cloudflare: Content delivery and security (Privacy Policy: cloudflare.com/privacypolicy)
- Google Cloud: Infrastructure and services
- Airtable: Data management for program participants
6. Data Retention
We retain your information for as long as necessary to provide our services and fulfill the purposes described in this policy. Specific retention periods include:
- Account Data: Retained while your account is active and for 3 years after deletion request
- Application Data: Retained for 5 years for program alumni records
- Usage Logs: Retained for 90 days
- Session Data: Deleted upon session end or within 24 hours
7. Data Security
We implement industry-standard security measures to protect your information, including:
- Encryption: All data transmitted between your browser and our servers is encrypted using TLS 1.3
- Access Controls: Strict access controls limit who can access personal data
- Infrastructure Security: Our services are hosted on secure, compliant cloud infrastructure
- Authentication Security: Multi-factor authentication available for all accounts
- Regular Audits: We regularly review and update our security practices
While we take reasonable precautions, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security of your data.
8. Your Rights and Choices
You have the following rights regarding your personal information:
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of your personal information (subject to legal retention requirements)
- Portability: Request your data in a machine-readable format
- Opt-Out: Unsubscribe from marketing communications at any time
- Restrict Processing: Request that we limit how we use your information
To exercise these rights, contact us at privacy@mergecombinator.com. We will respond to your request within 30 days.
9. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: You can request information about the categories and specific pieces of personal information we have collected about you
- Right to Delete: You can request that we delete your personal information, subject to certain exceptions
- Right to Opt-Out: You can opt out of the "sale" of your personal information. Note: We do not sell personal information as defined by the CCPA
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
Categories of Information Collected
In the past 12 months, we have collected the following categories of personal information:
- Identifiers (name, email, IP address)
- Professional information (company, role)
- Internet activity (browsing history, usage data)
- Inferences drawn from the above
10. European Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR):
- Legal Basis: We process your data based on consent, contract performance, legitimate interests, or legal obligations
- Data Subject Rights: You have rights to access, rectification, erasure, restriction, portability, and objection
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time
- Right to Lodge a Complaint: You may file a complaint with your local data protection authority
Data Controller
Merge Combinator LLC is the data controller for your personal information. For GDPR inquiries, contact our Data Protection contact at privacy@mergecombinator.com.
11. International Data Transfers
We are based in the United States and process data primarily in the US. If you access our services from outside the US, your information may be transferred to, stored, and processed in the US or other countries where our service providers operate.
For transfers from the EEA, UK, or Switzerland, we use appropriate safeguards including:
- Standard Contractual Clauses approved by the European Commission
- Data processing agreements with our service providers
12. Children's Privacy
Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately at privacy@mergecombinator.com.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make significant changes, we will:
- Update the "Last updated" date at the top of this policy
- Notify registered users via email
- Display a notice on our website
We encourage you to review this policy periodically for any changes.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: privacy@mergecombinator.com
- Mail: Merge Combinator LLC, Privacy Inquiries, San Francisco, CA
For security-related concerns, please contact security@mergecombinator.com.
This Privacy Policy applies to mergecombinator.com and its subdomains. For the SigmaBlox platform privacy policy, please visit sigmablox.com/privacy.