Privacy Policy
Last Updated: November 2, 2025
1. Introduction
ReleaseRay ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and use our services.
2. Information We Collect
2.1 Information You Provide
- Account Information: Name, email address, company name when you create an account
- Payment Information: Billing details processed securely through Stripe (we do not store credit card numbers)
- Repository Data: PR titles, descriptions, labels, and metadata from connected GitHub/GitLab repositories
- Support Communications: Any information you provide when contacting support
2.2 Automatically Collected Information
- Usage Data: Pages visited, features used, time spent (via Plausible Analytics - cookieless)
- Technical Data: IP address (hashed), browser type, device information
- Log Data: Server logs for security and error monitoring
3. How We Use Your Information
- Provide, operate, and maintain our services
- Process transactions and send billing notices
- Generate AI-powered release notes from your repository data
- Send product updates, security alerts, and support messages
- Improve and optimize our services
- Detect, prevent, and address technical issues or security threats
- Comply with legal obligations
4. Data Sharing and Disclosure
We do not sell your personal information. We may share your data with:
4.1 Service Providers (Sub-Processors)
| Service | Purpose | Data Processed | Location |
|---|---|---|---|
| OpenAI | AI generation | PR/issue text (anonymized) | United States |
| Supabase | Database & authentication hosting | All application data | United States |
| Upstash | Redis/queues | Job metadata | US, EU |
| Stripe | Payment processing | Billing info (tokenized) | United States |
| Resend | Email delivery | Email addresses, names | United States |
| Supabase | Authentication | Auth tokens, user IDs | United States |
Data Processing Addendum (DPA): Enterprise customers may request a DPA. Contact legal@releaseray.com
4.2 OpenAI Data Processing (Important)
Your repository data is sent to OpenAI's API for AI-powered release note generation:
- No Training: OpenAI does NOT use your data to train their models (per OpenAI Enterprise Agreement)
- Transient Processing: Data is processed transiently and not stored by OpenAI beyond 30 days for abuse monitoring
- Sensitive Data Filtering: We strip sensitive patterns (API keys, tokens, passwords) before sending to OpenAI
- Opt-Out: You can configure what data is processed (contact support)
Learn more: OpenAI Enterprise Privacy
4.3 Legal Requirements
We may disclose information if required by law, court order, or to protect rights and safety.
5. Data Retention
- Account Data: Retained while your account is active
- Repository Data: Retained as long as repositories are connected
- Billing Records: 7 years (tax compliance)
- Consent Logs: 2 years (GDPR requirement)
- Support Tickets: 3 years
You may request deletion at any time (see Section 7).
6. Data Security
We implement industry-standard security measures including:
- Encryption in transit (TLS 1.3) and at rest
- Regular security audits and penetration testing
- Access controls and authentication
- Automated backup systems
However, no method of transmission over the Internet is 100% secure.
7. Your Rights (GDPR & CCPA)
You have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your data ("right to be forgotten")
- Portability: Receive your data in a structured, machine-readable format
- Objection: Object to processing of your data
- Restriction: Request limited processing
- Opt-Out: Unsubscribe from marketing emails
To exercise these rights, contact us at privacy@releaseray.com. We will respond within 30 days.
8. Cookies and Tracking
We use cookies and similar technologies. See our Cookie Policy for detailed information. You can manage cookie preferences at any time via our Cookie Settings.
9. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence. We ensure adequate safeguards are in place (Standard Contractual Clauses, Privacy Shield where applicable).
10. Children's Privacy
Our services are not directed to children under 13 (or 16 in the EU). We do not knowingly collect data from children. If you believe we have collected data from a child, contact us immediately.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or prominent notice on our website. Continued use after changes constitutes acceptance.
12. Data Breach Notification
In the event of a data breach that affects your personal information:
- We will notify you within 72 hours of discovery
- Notification will include: what happened, what data was affected, and steps we're taking
- We will report to relevant authorities as required by law (GDPR, CCPA)
- We will provide guidance on steps you can take to protect yourself
13. Contact Us
For privacy questions or to exercise your rights, contact us at:
Email: privacy@releaseray.com
Address: ReleaseRay Inc.
[Your Company Address]
[City, State ZIP]
Data Protection Officer: Contact via privacy@releaseray.com
This privacy policy is compliant with GDPR, CCPA, COPPA, and other applicable data protection laws. Last reviewed: November 2, 2025.