1. Who we are
Relezr ("we", "us", "our") is operated by Vedran Vučić as a sole proprietor. The service is hosted in the European Union (Frankfurt, Germany). For privacy questions or to exercise your rights, contact us through the contact channel listed in your account settings.
2. Information we collect
We collect three categories of data, all minimised to what we need to provide the service:
2.1 Account data (you)
- GitHub user ID, username, display name, public profile avatar URL, primary verified email — provided by GitHub when you sign in.
- OAuth access token issued by GitHub, used solely to call repository endpoints on your behalf.
- Plan tier, billing identifiers (Stripe customer ID, subscription state) when you subscribe.
2.2 Project data (from GitHub)
- Repository metadata (name, description, default branch) for repos you connect via the GitHub App.
- Commit messages, pull request titles and descriptions, release notes from connected repositories.
- GitHub App installation IDs and webhook delivery records.
2.3 Subscriber data (from your readers)
- Email addresses of people who subscribe to a public changelog you publish, plus opt-in confirmation timestamp and unsubscribe token.
We do not use cookies for advertising or third-party analytics. The only cookies we set are essential session cookies issued by our authentication provider (Supabase) to keep you signed in.
3. Legal bases (GDPR)
- Contract — to provide the service you signed up for (account, projects, billing).
- Legitimate interests — to operate, secure, and improve the service, including signature verification on webhooks and abuse prevention.
- Consent — for marketing emails (we don't send marketing emails today; if we ever do, it will be opt-in).
- Legal obligation — when required to retain billing records for tax purposes.
4. How we use your data
- Authenticating you via GitHub OAuth.
- Reading repository commit and pull-request metadata to generate AI-summarised changelog drafts.
- Sending changelog digest emails to your subscribers from your address (or our shared sender), each containing a one-click unsubscribe link.
- Processing payments and managing subscriptions through Stripe.
- Diagnosing service issues and protecting against abuse.
5. AI processing
To generate changelog drafts, we send commit messages and pull request titles/descriptions from your connected repositories to Anthropic's Claude API. Anthropic acts as a sub-processor. Per Anthropic's terms, commercial API content is not used to train their models. We do not send your subscribers' email addresses, billing data, or unrelated repositories to the AI provider.
6. Sub-processors
We use a small set of vetted providers to operate the service:
- Supabase — primary database, authentication, storage. Hosted in the EU (Frankfurt).
- Vercel — application hosting. Edge requests may transit through nearby regions.
- Stripe — payment processing. Card data is handled by Stripe directly; we never see it.
- Anthropic — AI summarisation (see Section 5).
- Resend — transactional email delivery (changelog digests, subscription confirmations).
- GitHub — source of repository data via OAuth and the Relezr GitHub App.
- Inngest — durable background job execution.
We will update this list before adding any new sub-processor that handles personal data.
7. International transfers
Some sub-processors are based in the United States. Where personal data is transferred outside the European Economic Area, we rely on the provider's compliance with the EU–US Data Privacy Framework or on Standard Contractual Clauses approved by the European Commission.
8. Retention
- Account data — kept while your account is active. Deleted within 30 days of account closure, except where law requires longer retention.
- Project data — kept while the project exists in your account. Soft-deleted projects are purged within 30 days.
- Webhook delivery records — kept for up to 90 days for diagnostics and idempotency.
- Subscriber emails — kept until the subscriber unsubscribes or the underlying project is deleted.
- Billing records — kept for the period required by applicable tax law (typically up to 11 years).
9. Your rights
If you are in the EEA, UK, or another jurisdiction with similar laws, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your data ("right to be forgotten").
- Export your data in a portable format.
- Object to or restrict our processing.
- Withdraw consent at any time, where processing is based on consent.
- Lodge a complaint with your local data protection authority.
To exercise these rights, email us through the contact channel listed in your account settings, from the address linked to your account; we will respond within 30 days.
10. Security
Data is encrypted in transit (TLS) and at rest. Access to production systems is limited and authenticated. Webhook payloads are signature-verified before processing. We follow the principle of least privilege when scoping integration tokens. No system is perfectly secure; if we become aware of a breach affecting your data, we will notify you within 72 hours of confirming it.
11. Children
The service is not directed to people under 16, and we do not knowingly collect personal data from minors.
12. Changes to this policy
We will revise this policy as the service evolves. The "Effective" date above will reflect the latest revision. For material changes, we will notify active account holders by email at least 14 days before the change takes effect.
13. Contact
Vedran Vučić · the contact channel listed in your account settings
See also our Terms of Service.