Privacy
A short, plain-English version of how we handle your data.
Who we are
Notelog is a small product built and operated by an indie maker. You can reach us at hello@notelog.dev for any privacy question.
What we collect
When you create an account we store your email address. When you publish content we store the changelog entries you create. When subscribers sign up to your changelog we store their email and confirmation status. When you upgrade to a paid plan we store a customer reference from our payment processor — we do not store card details.
How we use it
Email is used to sign you in (magic link), to send subscription confirmations to your readers, and to notify your subscribers when you publish a new entry. Content is used to render your public changelog page and embed widget. We do not sell your data, train models on it, or share it with advertisers.
Third-party processors
We rely on a small set of vendors to run the service:
— Supabase (auth + database)
— Resend (transactional email)
— Polar (Merchant of Record for payments)
— Vercel (hosting)
— Upstash (rate limiting)
— Anthropic (AI inference provider — used by the AI generator if you opt to draft entries from your pull requests; processes only the content you submit)
— GitHub (if you connect your account; we access your public profile, repo list, and read pull requests / commits from the repo you bind)
— Sentry (error tracking; receives stack traces when an error occurs, and these reports may include your user ID, IP, and request metadata)
Each vendor processes only the minimum data needed for its function.
Cookies
We use cookies to keep you signed in. We do not use analytics cookies or third-party tracking.
Your rights under GDPR
If you are in the European Economic Area, United Kingdom, or Switzerland, you have the following rights regarding your personal data:
— Right of access: request a copy of the data we hold about you.
— Right to rectification: ask us to correct inaccurate data.
— Right to erasure: ask us to delete your data ("right to be forgotten").
— Right to restrict processing: ask us to limit how we use your data.
— Right to data portability: receive your data in a structured, machine-readable format.
— Right to object: object to processing based on legitimate interests.
— Right to withdraw consent: withdraw consent at any time, where processing relies on consent.
— Right to lodge a complaint: file a complaint with your local supervisory authority.
To exercise any of these rights, email hello@notelog.dev with the address on your account. We respond within thirty days.
California residents (CCPA / CPRA)
If you are a California resident, you have the right to know what personal information we collect, the right to delete it, the right to correct inaccurate information, and the right to opt out of any "sale" or "sharing" of personal information.
We do not sell or share personal information, including for cross-context behavioral advertising. You are entitled to non-discriminatory treatment if you exercise any of these rights. To submit a request, email hello@notelog.dev.
Data retention
We retain data only as long as needed to run the service or meet legal obligations:
— Account email and profile: until you delete the account, then thirty days.
— Magic link tokens: one hour after issuance.
— Projects, entries, drafts: until you delete the project or account, then thirty days.
— Subscriber emails: until the subscriber unsubscribes, then removed within thirty days.
— Billing customer references (Polar ID): up to seven years for accounting and tax records.
— Application logs: up to thirty days.
— Webhook event payloads: up to ninety days.
After these periods, data is irreversibly deleted from our active systems. Encrypted backups may persist for an additional thirty days before being overwritten.
Security
Data is encrypted in transit (TLS) and at rest (provider-managed). Access to the database is restricted to authenticated services and the operator. We use row-level security policies on Supabase so each user can only access their own data. If we ever discover a breach affecting your data, we will notify you within seventy-two hours where required by law.
Changes
If we update this policy in a meaningful way we will email you before the change takes effect.