~/pullnotes · privacy policy

Last updated: 4 July 2026

This Privacy Policy explains what personal data pullnotes (Daniel Yates, trading as pullnotes, of [Registered address — TBD]) collects when you use pullnotes.dev (the “Service”), why we collect it, and the rights you have over it.

1. What we collect

  • Account data — your email address and authentication identifiers, via Clerk.
  • GitHub data — your GitHub username and an OAuth access token (encrypted at rest with AES-256-GCM), plus the repository metadata and merged pull request content you authorize us to read, in order to generate changelog entries.
  • Changelog content — the entries you generate, edit, and publish, and the project/slug configuration for each changelog.
  • Billing data — plan tier and Stripe customer/subscription identifiers. Card details are handled entirely by Stripe; we never see or store full card numbers.
  • Subscriber emails — if visitors subscribe to email updates on a published changelog, we store their email address and confirmation status for that project.
  • Usage data — request logs and rate-limit counters (via Upstash Redis) used to enforce plan limits and keep the Service reliable.

We don’t run analytics or advertising trackers on pullnotes.dev today. If that changes, we’ll update this section and, where required, ask for your consent first.

2. Why we process it (legal basis)

  • Contract — to create your account, connect your repository, generate and host your changelog, and process your subscription.
  • Legitimate interests — to secure the Service, prevent abuse, and enforce rate/plan limits.
  • Consent — for subscriber email opt-ins on a published changelog (subscribers confirm via a double opt-in link).
  • Legal obligation — where we need to retain billing records for tax/accounting purposes.

3. Who we share it with

We use the following subprocessors to operate the Service. Each only receives the data it needs to perform its function:

  • Clerk — authentication and session management.
  • GitHub — OAuth authorization and repository/pull-request data access, on your behalf.
  • Stripe — payment processing and subscription billing.
  • Neon (Postgres) — primary database hosting for account, project, and changelog data.
  • Upstash — Redis-backed rate limiting.
  • Resend — transactional email delivery (e.g. subscriber confirmations).
  • Anthropic — the AI model used to draft changelog entries from your pull request content.
  • [Hosting provider — TBD] — application hosting/infrastructure.

We don’t sell your personal data, and we don’t share it with third parties for their own marketing purposes.

4. Cookies

pullnotes currently sets only the strictly-necessary session/authentication cookies required to keep you signed in, managed by Clerk. We don’t use analytics, advertising, or tracking cookies. If we introduce any non-essential cookies in future, we’ll update this section and present a consent banner where required by law.

5. Data retention

We keep account and changelog data for as long as your account is active. If you delete your account, we delete the associated account record and cascade-delete your projects, changelog entries, and subscriber lists shortly afterward (see Section 6). Billing records may be retained longer where required for tax/accounting purposes.

6. Your rights

If you’re in the UK or EU, you have rights under UK/EU GDPR, including the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Erasure — delete your account and associated data. Deleting your account through your account settings triggers automatic deletion of your account record and everything linked to it (projects, entries, subscribers).
  • Portability — request an export of your data in a portable format.
  • Object to or restrict certain processing.

Until a fully self-serve export tool exists in the dashboard, send erasure or export requests to support@pullnotes.dev and we’ll handle them manually, normally within 30 days. UK residents can also complain to the Information Commissioner’s Office if you believe we’ve mishandled your data.

7. International transfers

Some of our subprocessors may process data outside the UK/EEA. Where they do, we rely on their standard contractual clauses or equivalent safeguards.

8. Children

pullnotes is not directed at children under 16, and we don’t knowingly collect their data.

9. Changes to this policy

We may update this policy from time to time. Material changes will be communicated by email or an in-app notice before they take effect.

10. Contact

Questions about this policy or your data: support@pullnotes.dev. See also our Terms of Service.