Privacy
We only collect what we need to draft your changelog and email your subscribers. No tracking, no resale. This policy explains what we hold, who we share it with, and the rights you have over it.
Who we are
The releasepls service ("releasepls," "we," "us") is the data controller for the personal information described below. To contact us about privacy — including data-subject requests under GDPR or CCPA — email hello@releasepls.com.
What we collect
- Account — your GitHub email, name, avatar, and username when you sign in.
- GitHub installation data — the installation ID and selected repos you grant access to. We use this to read merged pull-request metadata (title, description, commits, diff). We never write to your repos.
- Generated content — the AI-drafted release notes, your edits, and publish/skip decisions.
- Subscriber emails — addresses people enter into your changelog page's subscribe form, with double-opt-in confirmation. Unsubscribe links use HMAC-signed tokens so a leaked database cannot be used to forge subscription changes.
- Billing data — Lemon Squeezy customer ID and current subscription status. We never receive your card details.
- Operational logs — webhook delivery audit records, aggregated page views, link clicks, and error events for your analytics and admin dashboards. These include IP address, user agent, and referer for up to 90 days.
What we don't collect
- We don't track you across sites. No third-party analytics, no ad pixels.
- We don't read source code outside of the diff included with a merged PR.
- We don't sell, rent, or share data with anyone for advertising.
Legal basis for processing (GDPR)
For visitors in the EEA, UK, and Switzerland, we process personal data on these bases under Article 6 GDPR:
- Contract — to provide the service you signed up for: account, changelog generation, billing, subscriber notifications.
- Legitimate interests — to keep the service secure, prevent abuse, debug errors, and operate basic analytics. We've balanced this against your privacy and limit what we store accordingly.
- Consent — for subscriber emails (double-opt-in) and any future marketing communications. You can withdraw consent at any time via the unsubscribe link in any email.
- Legal obligation — to comply with tax, anti-fraud, and other applicable laws.
Third-party processors
We use the processors below. Each receives only the data needed to provide its service to you.
- GitHub (United States) — authentication and the GitHub App installation that lets us read merged PRs you opt in to.
- Anthropic (United States) — Claude API for drafting release notes. PR title, description, commits, and diff are sent at draft time only.
- Resend (United States) — transactional email (welcome, subscriber confirmation, publish notifications).
- Lemon Squeezy (United States) — billing and subscription management. They process card data; we store only the customer ID.
- Vercel (United States) — hosting, edge delivery, and cron.
- Crunchy Bridge (United States) — managed Postgres.
- Upstash (Global) — Redis for rate limiting; stores IP-keyed counters with sub-hour TTLs.
International transfers
Our processors are based in the United States. When we transfer personal data out of the EEA, UK, or Switzerland, we rely on the appropriate transfer mechanism (Standard Contractual Clauses, the EU–US Data Privacy Framework where applicable, or the UK Addendum). You can request a copy of the relevant terms by emailing the address below.
Your rights
You have the following rights regarding your personal information:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — delete your account; we purge all associated data within 30 days.
- Portability — request your changelog entries and account data in a portable JSON format.
- Objection / Restriction — object to or restrict processing grounded in our legitimate interests.
- Withdraw consent — unsubscribe from emails at any time via the one-click link.
- Complaint — lodge a complaint with your local data-protection authority (e.g. the ICO in the UK or your member-state authority in the EU).
For California residents under the CCPA/CPRA, you additionally have the right to know, the right to delete, the right to correct, and the right to opt out of the "sale" or "sharing" of personal information. We do not sell or share personal information for advertising.
To exercise any right, email hello@releasepls.com. We respond within 30 days.
Data retention
Active accounts: data is retained while your account is active. Deleted accounts: all data is purged within 30 days. Operational logs (webhook events, page views, link clicks, error events) are kept for 90 days, then automatically deleted by a scheduled cleanup job.
Cookies and similar technologies
We use one strictly necessary cookie for authenticated sessions (HTTP-only, secure, SameSite=Lax). No advertising or analytics cookies. Because the only cookie is strictly necessary for the service you requested, no cookie banner is required under ePrivacy guidance.
Children
releasepls is a developer tool not directed at children. We do not knowingly collect personal information from anyone under 16. If you believe we have collected such data, contact us and we'll delete it.
Security
We protect personal data with: HTTPS-only transport (HSTS preload), TLS-pinned Postgres connections, HMAC-signed unsubscribe tokens, signed webhooks, and per-route rate limits. No system is perfect — if we ever become aware of a breach affecting your data, we'll notify you within 72 hours as required by law.
Changes
If we make a material change to this policy, we'll email account holders and update the date at the top of this page. Continued use after a material change means you accept the new policy.
Contact
Privacy questions or data-subject requests: email hello@releasepls.com. For non-privacy questions, see our Terms of Service.