Legal

Privacy Policy

Last updated: 2025-04-11

Introduction

At Releasy (operated by Peltek, an individual business), protecting your personal data is a priority. This policy transparently describes what data we collect, why, how we use it and what rights you have over it.

Releasy is a SaaS platform that automatically generates release notes from Git metadata (commits, pull requests, issues). We never access your source code — only the metadata needed for generation.

By using the Service, you accept the practices described in this policy, in accordance with the GDPR (EU 2016/679).

Data controller

Peltek – Individual Business, 200 rue de la Croix Nivert, 75015 Paris, France — SIRET 942 968 330 00012
Contact: [email protected]

1. Data We Collect

1.1 – Account data

When creating your account or via OAuth:

Email address
First and last name (if provided)
Organisation or team name
GitHub or GitLab username (via OAuth)

1.2 – Billing data

Payment information processed directly by Stripe (Releasy stores no raw banking data)
Billing address and country
Transaction and subscription history

1.3 – Git metadata

To generate release notes, Releasy accesses the following metadata in read-only mode via the official GitHub and GitLab APIs:

Commit messages
Pull request / merge request titles and descriptions
Linked issue titles
Branch and tag names
Commit author names (as set in Git)

No source code

Releasy never accesses the content of modified files (diffs, source code). Only descriptive metadata from commits and PRs is processed.

1.4 – Usage data

Compute Unit (CU) consumption per generation
Generation history
Saved presets
API and webhook access logs
Anonymised navigation data (pages visited, browser type)

2. Purposes and Legal Bases for Processing

Purpose	Legal basis
Providing the Service (generating release notes)	Contract performance
Account and billing management	Contract performance
Technical support	Contract performance
Legal and accounting obligations	Legal obligation
Service improvement (aggregated data)	Legitimate interest
Transactional communications (invoices, alerts)	Contract performance
Marketing communications	Consent

3. Data Retention

Account data: duration of active subscription + 3 years after cancellation, unless early deletion is requested
Generated content (release notes): retained until account deletion or explicit request
Processed Git metadata: deleted after generation; not stored long-term
Billing data: 10 years (legal accounting obligation)
Access logs: 12 months
Anonymised navigation data: maximum 13 months

4. Data Sharing and Sub-processors

4.1 – Our sub-processors

Releasy uses the following providers, bound by contractual confidentiality obligations:

Cloudflare, Inc. – CDN, DDoS protection, DNS (US, SCC certified)
Stripe, Inc. – payment processing (PCI-DSS Level 1 certified)
GitHub, Inc. / GitLab Inc. – OAuth access to repository metadata
AI provider(s) – inference for content generation (data transmitted as anonymised metadata)
Cloud infrastructure – application hosting and database (EU)

4.2 – No data selling

Releasy never sells, rents or transfers your personal data to third parties for commercial purposes.

4.3 – International transfers

Some sub-processors (Cloudflare, Stripe, AI providers) are based outside the European Union. These transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring an adequate level of protection.

5. Data Security

5.1 – Technical measures

Encryption of data in transit (TLS 1.2+)
Encryption of sensitive data at rest
Git repository access strictly limited to read-only via OAuth
Data isolation between customers
Regular encrypted backups
Access logging for sensitive resources
Payments processed exclusively by Stripe (PCI-DSS Level 1)

5.2 – Incident management

In the event of a data breach likely to create a risk to your rights and freedoms, Releasy commits to:

Notifying the CNIL (French DPA) within 72 hours of becoming aware of the incident
Informing affected individuals without undue delay if the risk is high
Documenting the incident and corrective measures taken

6. Cookies and Similar Technologies

6.1 – Cookies used

Essential cookies: authenticated session management, CSRF protection, preference storage (theme, language) — not subject to consent
Analytical cookies: anonymised audience measurement — subject to your prior consent

6.2 – Consent management

You can accept, reject or modify your preferences at any time via the consent banner on the site or from your browser settings. Refusing non-essential cookies does not affect access to the Service.

7. Your Rights

In accordance with the GDPR, you have the following rights over your personal data:

Right of access: obtain a copy of your data
Right of rectification: correct inaccurate or incomplete data
Right to erasure: request deletion of your data (subject to legal obligations)
Right to portability: receive your data in a structured, readable format
Right to restriction: restrict processing in certain cases
Right to object: object to processing based on legitimate interest or marketing
Withdrawal of consent: withdraw previously given consent at any time

To exercise these rights, send your request to [email protected]. We commit to responding within one month.

Complaint to the supervisory authority

If you believe that the processing of your data does not comply with regulations, you have the right to lodge a complaint with the relevant data protection authority (in France: CNIL — www.cnil.fr).

8. Policy Changes

Releasy reserves the right to modify this policy to keep it compliant with regulatory changes or Service evolution. In the event of a substantial modification, users will be notified by email at least 30 days before the changes take effect.

Effective date

This Privacy Policy takes effect on 11 April 2025.

9. Contact

For any questions regarding this policy or the exercise of your rights, contact us at: [email protected]

Peltek – 200 rue de la Croix Nivert, 75015 Paris, France