Privacy Policy

Welcome to Opensmith ("Company," "we," "our," or "us"). Opensmith LLC, a Limited Liability Company organized under the laws of Delaware and operating in North Carolina, USA, is committed to protecting your privacy and personal information.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered release notes platform, including our website, software, and services (collectively, the "Service").

By using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not access or use the Service.

This Privacy Policy is designed to comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Children's Online Privacy Protection Act (COPPA).

2.1 Information You Provide Directly

We collect information that you provide directly to us:

• Account Information: Email address, name, and password when you create an account
• Payment Information: Payment details processed securely by our payment provider (Clerk/Stripe) for Pro Plan subscriptions
• Profile Information: GitHub username and repository access tokens when you connect your GitHub account
• User Content: Release notes, project descriptions, and other content you create or upload
• Communications: Information you provide when contacting our support team

2.2 Information Collected Automatically

When you access or use our Service, we automatically collect:

• Usage Data: Pages viewed, features used, time spent on the Service, and interaction patterns
• Device Information: Browser type, operating system, device identifiers, and IP address (hashed using SHA-256 for privacy)
• Log Data: Access times, pages requested, referring URLs, and error logs
• Analytics Data: Information collected through Google Analytics and our internal analytics systems
• Cookie Data: Information stored in cookies and similar tracking technologies (see Section 4)

2.3 Information from Third-Party Sources

We may receive information from third-party services:

• GitHub Data: Repository information, commit history, pull requests, issues, contributor data, and branch information when you connect your GitHub account
• Authentication Providers: Profile information from Clerk authentication services
• Payment Processors: Transaction and subscription status information from Stripe (via Clerk)

We use the information we collect for the following purposes:

3.1 Service Provision

• Create and manage your account
• Provide, operate, and maintain the Service
• Process transactions and manage subscriptions
• Generate AI-powered release notes based on your GitHub repository data
• Display your public release notes hubs
• Sync and update your project information

3.2 Communication

• Send transactional emails (account, billing, security)
• Respond to your inquiries and support requests
• Notify you of important service updates or changes to our policies
• Send security alerts and technical notifications

3.3 Service Improvement

• Analyze usage patterns and user preferences
• Improve and develop new features
• Conduct research and analytics
• Monitor and analyze trends and usage
• Troubleshoot technical issues

3.4 Security and Legal Compliance

• Detect, prevent, and address fraud or security issues
• Protect against malicious or illegal activity
• Enforce our Terms of Use
• Comply with legal obligations and law enforcement requests

We use cookies and similar tracking technologies to collect and store information about your use of the Service.

4.1 Types of Cookies We Use

4.2 Managing Cookies

Most web browsers automatically accept cookies, but you can modify your browser settings to decline cookies if you prefer. However, disabling essential cookies may prevent you from using certain features of the Service.

To manage cookies, you can adjust your browser settings or use browser extensions that block tracking technologies.

We use trusted third-party service providers to help us operate the Service. These providers have access to your information only to perform specific tasks on our behalf and are obligated to protect your information.

5.1 Service Providers

• Clerk: Authentication, user management, and payment processing (uses Stripe for payments)
• GitHub: Repository data access and OAuth authentication
• Google Analytics: Website analytics and usage tracking (GA ID: G-XF0F7N7JCJ)
• OpenRouter: AI model access for generating release notes
• Database Hosting: PostgreSQL database services for data storage
• Resend: Transactional email delivery services

5.2 When We Share Your Information

We may share your information in the following circumstances:

• With Your Consent: When you explicitly authorize us to share information
• Service Providers: With third-party vendors who perform services on our behalf
• Public Content: Release notes and hubs you choose to make public are accessible to anyone with the link
• Legal Requirements: When required by law, court order, or government regulation
• Business Transfers: In connection with a merger, acquisition, or sale of assets
• Protection of Rights: To protect our rights, property, or safety, or that of our users or the public

5.3 We Do Not Sell Your Personal Information

Opensmith does not sell, rent, or trade your personal information to third parties for monetary consideration. We do not share your personal information with third parties for their direct marketing purposes.

6.1 Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with the Service. When you delete your account, we will delete your personal information from our active systems.

However, some information may be retained in our backup systems for disaster recovery purposes and may take additional time to be fully removed. We may also retain certain information as required by law or for legitimate business purposes, such as transaction records for accounting and tax compliance.

6.2 Security Measures

We implement appropriate technical and organizational security measures to protect your information against unauthorized access, alteration, disclosure, or destruction, including:

• Encryption of data in transit using SSL/TLS protocols
• Encryption of sensitive data at rest
• IP address hashing using SHA-256 for privacy-compliant analytics
• Secure authentication using industry-standard protocols
• Regular security assessments and updates
• Access controls and authentication requirements
• Employee training on data protection practices

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

If you are a resident of the European Economic Area (EEA), United Kingdom, or Switzerland, you have certain data protection rights under the General Data Protection Regulation (GDPR):

7.1 Your Rights Include

• Right of Access: Request a copy of the personal information we hold about you
• Right to Rectification: Request correction of inaccurate or incomplete information
• Right to Erasure: Request deletion of your personal information ("right to be forgotten")
• Right to Data Portability: Request transfer of your data to another service in a structured, machine-readable format
• Right to Restrict Processing: Request limitation on how we use your information
• Right to Object: Object to processing of your information for certain purposes
• Right to Withdraw Consent: Withdraw consent where processing is based on consent
• Right to Lodge a Complaint: File a complaint with your local data protection authority

7.2 Exercising Your Rights

To exercise any of these rights, please contact us. We will respond to your request within 30 days as required by GDPR.

7.3 Legal Basis for Processing

We process your personal information based on the following:

• Contract: Processing necessary to provide the Service you requested
• Consent: You have given explicit consent for specific processing activities
• Legitimate Interests: Processing necessary for our legitimate business interests
• Legal Obligation: Processing required to comply with legal requirements

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with specific rights regarding your personal information.

8.1 Your California Rights

• Right to Know: Request information about the personal information we collect, use, and disclose about you
• Right to Delete: Request deletion of your personal information
• Right to Opt-Out: Opt-out of the sale of your personal information (we do not sell personal information)
• Right to Non-Discrimination: Equal service and pricing, even if you exercise your privacy rights

8.2 Categories of Personal Information Collected

In the past 12 months, we have collected the following categories of personal information:

• Identifiers (name, email address, IP address, GitHub username)
• Commercial information (subscription status, payment history)
• Internet activity (browsing history, usage patterns, page views)
• Professional information (GitHub repositories, commit history)
• User-generated content (release notes, project data)

8.3 Business Purposes for Collection

We collect personal information for:

• Providing and improving the Service
• Processing payments and transactions
• Customer support and communication
• Security and fraud prevention
• Analytics and service optimization
• Legal compliance

8.4 Do Not Sell My Personal Information

We do not sell your personal information as defined by the CCPA. We do not share your personal information with third parties for monetary or other valuable consideration.

8.5 Exercising Your California Rights

To exercise your CCPA rights, contact us or use your account settings. We will verify your identity and respond within 45 days.

Our Service requires users to be at least 13 years of age. Users between 13 and 18 years old (or the age of majority in their jurisdiction) may only use the Service with parental or guardian consent.

9.1 Parental Consent

If you are a parent or guardian and believe your child under 13 has provided us with personal information without parental consent, please contact us immediately, and we will delete that information.

9.2 Parental Rights

Parents and guardians have the right to:

• Review the personal information collected from their child
• Request deletion of their child's personal information
• Refuse to allow further collection of their child's data
• Consent to the collection and use of their child's information

Your information may be transferred to and processed in the United States or other countries where we or our service providers operate. These countries may have data protection laws that differ from those in your country of residence.

When we transfer personal information from the EEA, UK, or Switzerland to other countries, we implement appropriate safeguards, including:

• Standard Contractual Clauses approved by the EU Commission
• Data processing agreements with service providers
• Appropriate technical and organizational security measures
• Compliance with applicable data protection regulations

By using the Service, you consent to the transfer of your information to the United States and other countries for processing and storage.

11.1 Internal Analytics

We collect and analyze usage data to improve the Service. This includes:

• Page views and navigation patterns (with hashed IP addresses)
• Feature usage and interaction metrics
• Release notes hub views and engagement
• Performance metrics and error tracking

We use SHA-256 hashing on IP addresses to protect user privacy while still being able to track unique visitors and prevent abuse.

11.2 Google Analytics

We use Google Analytics to understand how users interact with our website. Google Analytics uses cookies to collect information such as how often users visit the site, what pages they visit, and what other sites they used prior to coming to our site.

You can opt-out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on: https://tools.google.com/dlpage/gaoptout

We send transactional emails only. These emails are necessary for the operation of your account and the Service.

12.1 Types of Emails We Send

• Account-Related: Account creation, password resets, verification emails
• Billing: Payment confirmations, subscription updates, billing issues
• Security: Suspicious activity alerts, unauthorized access attempts
• Service Updates: Critical service announcements, feature updates, maintenance notices

12.2 Email Preferences

You cannot opt-out of transactional emails as they are necessary for the Service. However, you can manage your email preferences for non-critical service updates through your account settings.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by:

• Updating the "Last Updated" date at the top of this page
• Sending an email notification to your registered email address
• Posting a notice on our website or in the Service

Your continued use of the Service after the changes take effect constitutes your acceptance of the revised Privacy Policy. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: