Privacy Policy

Last updated: April 28, 2026

1. Who we are (Data Controller)

This privacy policy applies to ReleaseBell, a changelog hosting service operated by Zeroject (trading as ReleaseBell), Herstedvang 8, 2620 Albertslund, Denmark, Denmark.
Contact: privacy@releasebell.io
We do not have a Data Protection Officer (DPO) as we are not required to appoint one under GDPR Art. 37. For all data protection enquiries, contact us at the email address above.

2. What data we collect and why

We process two distinct categories of people:

A. Product owners (account holders)

When you create a ReleaseBell account, we collect:

Email address — to authenticate you and send account notifications
Username — to create your public changelog URL (releasebell.io/p/username)
Product and entry data — the changelogs you publish
Usage data — subscriber counts, publish history

Legal basis: Art. 6(1)(b) GDPR — processing is necessary for the performance of the contract (our Terms of Service) you enter into when you create an account.

Retention: We retain your account data for the duration of your subscription. On account deletion, all products, entries, and subscriber lists are permanently deleted within 30 days. We may retain anonymised aggregate statistics (e.g. total subscriber counts) indefinitely.

B. Subscribers (end users who subscribe to product changelogs)

When you subscribe to a product's changelog, we collect:

Email address — to send you the confirmation email and future changelog updates
Consent record — timestamp, IP address, and form version displayed at time of subscription (for GDPR compliance)
Confirmation timestamp — when you clicked the confirmation link

Legal basis: Art. 6(1)(a) GDPR — your freely given, specific, informed, and unambiguous consent, collected via a double opt-in confirmation email.

Retention: Your email address is retained for as long as you remain subscribed. Unconfirmed subscriptions (where the confirmation email was not clicked) are automatically deleted after 30 days. When you unsubscribe, your record is permanently deleted immediately.

Note on the controller: The product owner whose changelog you subscribe to is the data controller for your subscription. ReleaseBell acts as a data processor on their behalf. See Section 8 for the processor/controller relationship.

3. How we use your data

To create and manage your account
To deliver changelog notification emails to subscribers
To send double opt-in confirmation emails
To enforce fair-use limits (subscriber caps per tier)
To respond to support requests
To comply with legal obligations

We do not use your data for advertising, profiling, or sell it to third parties.

4. Who we share your data with (Sub-processors)

We share personal data only with the following sub-processors, each of whom has agreed to GDPR-compliant data processing terms:

Sub-processor	Country	Purpose	Transfer mechanism
Supabase Inc.	USA (EU region available)	Database hosting, authentication	EU–US Data Privacy Framework (DPF) + SCCs
Resend Inc.	USA	Transactional email delivery	Standard Contractual Clauses (SCCs)
Vercel Inc.	USA (EU Edge Network)	Application hosting	EU–US Data Privacy Framework (DPF) + SCCs

We will notify you of any material changes to our sub-processor list at least 30 days in advance via email or in-app notification, giving you the right to object.

5. International data transfers

Some sub-processors are based in the United States. We rely on the EU–US Data Privacy Framework (DPF) adequacy decision (adopted July 2023) and/or Standard Contractual Clauses (SCCs) adopted by the European Commission under GDPR Art. 46(2)(c) as the legal mechanism for these transfers. Copies of applicable SCCs are available on request.

Where possible, we configure our services to process data within the European Economic Area (EEA).

6. Cookies and tracking

ReleaseBell uses only technically necessary cookies:

Authentication session cookies (set by Supabase) — required to keep you logged in. These are first-party, session-scoped, and strictly necessary for the service to function.
Server logs— Vercel's infrastructure logs IP addresses and request metadata for security and performance monitoring. These are processed by Vercel under their DPA.

We do not use analytics cookies, advertising cookies, or any tracking pixels. No cookie consent banner is required as we only use strictly necessary cookies.

7. Your rights under GDPR

You have the following rights regarding your personal data (Arts. 15–21 GDPR):

Right of access (Art. 15) — you can request a copy of all personal data we hold about you
Right to rectification (Art. 16) — you can ask us to correct inaccurate data
Right to erasure (Art. 17) — you can request deletion of your data
Right to restriction (Art. 18) — you can ask us to restrict processing in certain circumstances
Right to data portability (Art. 20) — you can request your data in a structured, machine-readable format
Right to object (Art. 21) — you can object to processing based on legitimate interests
Right to withdraw consent (Art. 7(3)) — where processing is based on consent, you can withdraw it at any time (e.g. by unsubscribing)

To exercise any of these rights, contact us at privacy@releasebell.io. We will respond within 30 days. You also have the right to lodge a complaint with your national supervisory authority. For EU residents, a list of national DPAs is available at edpb.europa.eu.

8. ReleaseBell as a data processor

When product owners use ReleaseBell to collect and manage subscriber email addresses, the product owner is the data controller and ReleaseBell is the data processorunder GDPR Art. 28. We process subscriber data only on the product owner's instructions (publishing an entry triggers email notifications; deleting a product deletes all associated subscriber records).

Our Data Processing Agreement (DPA) governs this relationship and is incorporated by reference into our Terms of Service.

9. Security

We implement appropriate technical and organisational measures to protect personal data, including: encrypted connections (TLS), access controls, token-based unsubscribe mechanisms, and double opt-in consent for all subscriber sign-ups. We conduct security reviews periodically.

In the event of a personal data breach, we will notify affected individuals and the relevant supervisory authority within 72 hours as required by GDPR Art. 33–34.

10. Changes to this policy

We may update this policy from time to time. We will notify account holders of material changes by email at least 14 days before they take effect. The “Last updated” date at the top of this page reflects the date of the most recent revision. Continued use of ReleaseBell after the effective date constitutes acceptance of the updated policy.

11. Contact

For any privacy-related questions, data subject access requests, or complaints:
Zeroject (trading as ReleaseBell)
Herstedvang 8, 2620 Albertslund, Denmark
privacy@releasebell.io