Privacy Policy

Last updated: 12/20/2025

TL;DR - Privacy Summary

  • We collect your GitHub profile info and repository data to generate release notes.
  • Your code is processed by AI but not stored permanently.
  • We use Clerk (auth), Stripe (payments), Vercel (hosting), and AI providers (Anthropic/OpenAI).
  • We never sell your data. Period.
  • You can delete your account and data at any time.
  • We comply with GDPR and CCPA.

1. Introduction

ShipJournal.dev ("we," "our," or "us") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services.

By using ShipJournal.dev, you consent to the data practices described in this policy. If you do not agree with this policy, please do not use our services.

2. Information We Collect

2.1 Account Information

When you create an account via GitHub OAuth, we collect:

  • Your name and email address
  • GitHub username and profile URL
  • GitHub avatar image
  • OAuth access tokens (stored securely, never shared)

2.2 Repository Data

When you connect a repository, we access:

  • Repository name, description, and metadata
  • Commit messages and commit metadata (author, date, SHA)
  • Code diffs between releases or commits
  • Branch and tag information
  • Pull request titles and descriptions (if applicable)

Important: We process code diffs to generate release notes but do not permanently store your source code. Code is temporarily held in memory during AI processing and discarded immediately after.

2.3 Payment Information

Payment processing is handled entirely by Stripe. We do not store credit card numbers or bank account details. We receive only: transaction IDs, subscription status, and billing email.

2.4 Usage Data

We automatically collect:

  • IP address and approximate location
  • Browser type and version
  • Pages visited and features used
  • Time and date of access
  • Referring website

3. How We Use Your Information

We use your information for the following purposes:

  • Service Delivery: To generate release notes, host changelogs, and provide our core functionality.
  • AI Processing: To send repository data to AI providers (Anthropic, OpenAI) to generate human-readable summaries.
  • Account Management: To authenticate you, manage subscriptions, and process payments.
  • Communication: To send service updates, security alerts, and respond to support requests.
  • Improvement: To analyze usage patterns and improve our services.
  • Legal Compliance: To comply with applicable laws and regulations.

4. AI Processing and Third-Party Data Sharing

4.1 How AI Processing Works

When you generate release notes, we send commit messages and code diffs to AI providers (currently Anthropic and/or OpenAI) via their APIs. These providers process the data to generate summaries and return the results to us.

Data sent to AI providers includes: commit messages, code diffs, repository names, and contextual metadata needed to generate accurate release notes.

Data NOT sent to AI providers: your email, payment information, or full source code files.

4.2 Third-Party Service Providers

We share data with the following third-party services:

  • Clerk (authentication): Stores your login credentials and session data.
  • Stripe (payments): Processes subscriptions and payments.
  • Vercel (hosting): Hosts our application and processes requests.
  • Anthropic/OpenAI (AI): Processes repository data to generate release notes.
  • Neon (database): Stores application data.

Each provider is bound by their own privacy policies and data processing agreements. We only share the minimum data necessary for each service to function.

4.3 We Do Not Sell Your Data

We do not sell, rent, or trade your personal information to third parties for marketing purposes. Ever.

5. Data Retention

  • Account Data: Retained while your account is active, then deleted within 30 days of account deletion.
  • Generated Release Notes: Retained until you delete them or close your account.
  • Repository Data: Code diffs are processed in memory and not stored. Commit metadata may be cached for up to 24 hours to improve performance.
  • Payment Records: Retained for 7 years as required for tax and legal compliance.
  • Usage Logs: Retained for 90 days, then anonymized or deleted.

6. Cookies and Tracking

6.1 Cookies We Use

  • Essential Cookies: Required for authentication and security. Cannot be disabled.
  • Analytics Cookies: Help us understand how you use our service. Can be disabled.

6.2 Managing Cookies

You can control cookies through your browser settings. Disabling essential cookies may prevent you from using our service.

7. Data Security

We implement industry-standard security measures including:

  • Encryption in transit (TLS 1.3) and at rest
  • Secure OAuth token storage
  • Regular security audits
  • Access controls and monitoring

While we strive to protect your data, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.

8. Your Rights

8.1 Rights for All Users

Regardless of your location, you can:

  • Access your personal data
  • Correct inaccurate data
  • Delete your account and associated data
  • Export your data
  • Disconnect GitHub repositories

8.2 GDPR Rights (EEA/UK Residents)

If you are in the European Economic Area or United Kingdom, you have additional rights under GDPR:

  • Legal Basis: We process your data based on: (a) your consent, (b) contractual necessity to provide our services, and (c) our legitimate interests in improving our services.
  • Right to Object: You may object to processing based on legitimate interests.
  • Right to Restrict: You may request we limit how we use your data.
  • Right to Portability: You may request your data in a machine-readable format.
  • Right to Withdraw Consent: You may withdraw consent at any time.
  • Right to Complain: You may lodge a complaint with your local data protection authority.

International Transfers: Your data may be transferred to and processed in the United States. We rely on Standard Contractual Clauses and service provider certifications to ensure adequate protection.

8.3 CCPA/CPRA Rights (California Residents)

If you are a California resident, you have the following rights under CCPA/CPRA:

  • Right to Know: You may request what personal information we collect, use, and disclose.
  • Right to Delete: You may request deletion of your personal information.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt-Out: We do not sell or share personal information for cross-context behavioral advertising.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights.

Categories of Information Collected: Identifiers (name, email, GitHub username), commercial information (subscription history), internet activity (usage data), and inferences (service preferences).

To exercise your rights, email us at privacy@shipjournal.dev or use the account settings in your dashboard.

9. Public vs. Private Repositories

Public Repositories: Release notes generated from public repositories may be publicly accessible at your ShipJournal URL. You control the visibility settings.

Private Repositories: Data from private repositories is treated with the same confidentiality. Generated release notes default to private unless you explicitly make them public.

10. Children's Privacy

Our service is not intended for users under 16 years of age. We do not knowingly collect personal information from children. If we learn we have collected data from a child, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a prominent notice on our website at least 30 days before the changes take effect. Your continued use of our service after such notice constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, contact us at:

  • Email: privacy@shipjournal.dev
  • Support: support@shipjournal.dev

For GDPR inquiries, you may also contact our data protection representative at the email above.